Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela

1. Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1 Systems Engineer Cisco Canada May, 2018 Cisco Connect Winnipeg 2018 Understanding Cisco’ Next Generation SD-WAN Solution with Viptela Pirasath Kirupakaran MSc(Com.Sc.), CCIE 47062

2. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2 The Branch and WAN Are Being Disrupted! of revenue is generated in the branch 90% MORE THREATS 30% Of advanced threats will target branch offices by 2016 (up from 5%) MORE USERS 80% Of employee and customers are served in branch offices MORE DEVICES 73% Growth in mobile devices from 2014-2018 MORE APPS 20-50% Increase in enterprise bandwidth per year through 2018 IoT devices connected to internet by 2020 30B Annual increase in enterprise bandwidth and video adoption50% Up to Mobile-connected devices by 201910B Of Organizations primarily use public cloud by 201980% • The traditional WAN / branch market is undergoing a massive disruption • Customers are consuming more cloud services • Customers are asking for SD-WAN solutions with virtualized services

3. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3 Existing Data Center Remote Site MSP-RT MPLS NewWAN Internet ISP-RT New The WAN Market Disruption Services Delivery • Access Cloud Services • Deploy application aware topologies • Optimize routing, security, QoS, multicast, services insertion and survivability Transport Independence • Leverage overlay through existing equipment at data center for transport agnostic redesign • Replace remote site equipment or leverage overlay Application Policies • Select test application as candidate for intelligent traffic engineering • Test blackout and brownout failover scenarios Existing Multicloud (AWS, Azure, etc.)

4. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4 EXPENSIVE Hardware-centric Fixed capacity DIFFICULT TO SUPPORT Discrete device-by-device configurations Complex management silos Require slow truck rolls for changes INFLEXIBLE Tightly controlled, client server model Historical vs predictive management CONNECTIVITY-CENTRIC Fragmented, incomplete user experience Not application-centric POORLY INTEGRATED Conflicting policies and configurations Inflexible and static Risk from accidental interactions and vulnerabilities Traditional and Legacy Architectures Cannot Scale to Address Changing Needs

5. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5 Bandwidth Oversubscription Path Brownout Static Topologies All Links Failure Corporate Data Center Small Office Home Office Cloud Data Center Single Link Failure Cloud Applications Latency Path MTU Changes CPE Device Failure 4G/LTE Internet MPLS BranchCampus Business Continuity Critical Application SLAs

6. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6 APPLICATION POLICIES SERVICES DELIVERY PLATFORM TRANSPORT INDEPENDENT FABRIC Broadband CellularMPLS QoSSecurity Segmentation Svc Insertion SurvivabilityRouting Multicast Per-Segment Topologies Cloud Path (IaaS) Application SLA Secure Perimeter Traffic Engineering Transport Hub Cloud Accel (SaaS) Analytics Monitoring Operations Business Driven WAN Infrastructure

7. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7 Cloud-first management with flexible deployment options Accelerate key SD-WAN use cases; Cloud-edge and Segmentation Sophisticated, but still simple to deploy and operate Complements Cisco’s Enterprise Networks architecture strategy Why Did Cisco Buy Viptela? Cisco Digital Network Architecture

8. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8 Better Together Leading Routing & SD-WAN Platforms Goal: Building next generation SD-WAN solutions Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk Cloud-managed & Feature-rich SD-WAN

9. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9 • Secure Connectivity • Flexible (Cloud First) Connectivity • Application Quality of Experience • Agile Operations Reinventing the WAN - 4 Technical Pillars Security Applications Services Connectivity Operations Flexible Connectivity Agile Operations Application Services

10. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10 Centralized Device Auth-DB Centralized Key Mgmt Scalable Data-Plane Encryption Embedded Security Secure On-Boarding Reinventing the WAN Security Security Applications Services Connectivity OperationsConnectivity Operations Application Services Deep Packet Inspection App Fingerprinting DPI Engine

11. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11 MPLS LTE INTERNET Hybrid WAN Segmentation/VPNs Dynamic Per-VPN Topologies Google AWS Data Center Provider/Transport Agnostic Security Applications Services Connectivity OperationsConnectivity Operations Application Services Reinventing the WAN Connectivity

12. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12 Application Visibility and Control Central Orchestration Application-Aware Routing Transport SLA Monitoring MPLS LTE INTERNET Cloud Services Integration SEN Overlay Application Layer Analytics App Fingerprinting DPI Engine Security Applications Services Connectivity OperationsConnectivity Operations Application Services Reinventing the WAN Application Services

13. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13 Centralized Operations Distributed Execution Zero Touch ProvisioningTemplate-based Configurations Programmatic APIs Open Object Model NetConf Ad-Hoc Adds/Moves/Changes Centralized Policy Orchestration Security Applications Services Connectivity OperationsConnectivity Operations Application Services Reinventing the WAN Operations

15. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15 vEdge Router Cloud Data Center Campus Branch Small Office Home Office vSmart Controller vManage The Viptela branch office router Policy and Service Control Plane Cloud or on premises network management Viptela Solution – Key Components vBond On-Boarding and Orchestration

16. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16 vBond: ZTP and Orchestration Plane APIs vSmart Controllers vAnalytics 3rd Party Automation vManage Data Center Campus Branch SOHOCloud vBond vEdge Routers 4GMPLS INET • Used for device on-boarding (ZTD/ZTD) • Orchestrates connectivity between management, control and data plane • First point of authentication • All other components need to know the vBond IP or DNS information • Authorizes all control connections (white-list model) • Distributes list of vSmarts to all vEdges Orchestration Plane Cisco vBond

17. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17 vEdge: The Data Plane Data Plane Physical/Virtual Cisco vEdge • WAN edge routers • Provides secure data plane with remote vEdge routers • Establishes secure control plane with vSmart controllers (OMP) and Implements data plane and application aware routing policies • Exports performance statistics • Leverages traditional routing protocols like OSPF, BGP and VRRP • Physical or Virtual form factor (100Mb, 1Gb, 10Gb) APIs vSmart Controllers vAnalytics 3rd Party Automation vManage Data Center Campus Branch SOHOCloud vBond vEdge Routers 4GMPLS INET

18. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18 vSmart: The Control Plane Control Plane Cisco vSmart • Centralized brain of the solution • Establishes OMP peering with all vEdges • Implements control plane policies, such as service chaining, traffic engineering and per VPN topology • Distributes connectivity information between vEdge • Orchestrates secure data plane connectivity between vEdges vSmart Controllers vAnalytics 3rd Party Automation vManage Data Center Campus Branch SOHOCloud vBond vEdge Routers 4GMPLS INET APIs

19. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19 Overlay Management Protocol (OMP) Unified Control Plane • Runs between vEdge routers and vSmart controllers and between the vSmart controllers - Inside TLS/DTLS connections • Advertises control plane context vSmart vSmart vSmart vEdge vEdge VS Note: vEdge routers need no control connections amongst them vSmart acts like a Key Server

20. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20 OMP Update: § Reachability – IP Subnets, TLOCs § Security – Encryption Keys § Policy – Data/App-route Policies BGP, OSPF, Connected, Static BFD IPSec Tunnel OMP DTLS/TLS Tunnel Transport1 Transport2VPN1 A VPN2 B VPN1 C VPN2 D BGP, OSPF, Connected, Static vSmart OMP Update OMP Update vEdge vEdge Subnets Subnets TLOCs TLOCs Policies Fabric Operation Fabric Walk-Through OMP Update OMP Update Deploy Encryption Keys

21. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21 Ingress vEdge VPN 3 VPN 1 VPN 2 SD-WAN IPSec Tunnel 20 IP 8 UDP 36 ESP 4 VPN … Data Egress vEdge Interface VLAN • Segment connectivity across fabric w/o reliance on underlay transport • vEdge routers maintain per-VPN routing table • Labels are used to identify VPN for destination route lookup • Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs VPN1 VPN2 Interface VLAN VPN1 VPN2 Secure Segmentation End-to-End Segmentation

22. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22 vManage: The Management Plane Management Plane Cisco vManage • Single pane of glass for Day0, Day1 and Day2 operations • Real time alerting • Centralized provisioning • Configuration standardization • Supports • REST API • CLI • NETCONF / YANG • SNMP • Syslog vSmart Controllers vAnalytics 3rd Party Automation vManage Data Center Campus Branch SOHOCloud vBond vEdge Routers 4GMPLS INET APIs

25. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25 TPM Chip Root Chain Embedded Device Identity Controller Trust Zero-Touch Provisioning of the vEdge Router Identity and Trust Identity Cert vEdge Dynamic Device Identity Root Chain Controller Trust Identity Cert vEdge Cloud

26. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26 Zero Trust Model Certificate-Based Trust • Bi-directional certificate-based trust between all elements - Public or Enterprise PKI • White-list of valid vEdges and controllers - Certificate serial number as unique identification Signed vEdge List Administrator Defined Controllers vEdge vBond vManage vSmart

27. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27 Zero Touch Provisioning vEdge Walk-through Control and Policy Elements Full Registration and Configuration vEdge 5 * Factory default configured Assumption: § DHCP on Transport Side (WAN) § DNS to resolve ZTP server name* 3 4 Zero Touch Provisioning Server 1 2

28. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28 Template-Based Configurations Centralized Device Configuration Enforcement • Templates are attached to provisioned vEdge routers • Variables are used for rapid bulk configuration rollout with unique per- device settings • Local configuration changes are not allowed - Prevents configuration drift

29. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29 Application-Centric Network Capabilities Per-Session Loadsharing Active/Active Per-Session Weighted Active/Active Application Pinning Active/Standby Application Aware Routing SLA Compliant SLASLA Core Hierarchical Multihop Fabric Single-hop Fabric

30. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30 • Embedded Deep Packet Inspection engine • Application and flow level visibility for the fabric and individual vEdge routers • Centralized statistics and performance • Export flow level data (IPFIX) to external collector Application and Performance Visibility Deep Packet Inspection

31. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31 Deep Packet Inspection Engine Primary Use Cases: - Application Visibility - Application Firewall - Traffic Prioritization - Transport Selection - Analytics vEdge Router App 1 App 2 App 3,000 Cloud Data Center Data Center Campus Branch Small Office Home Office MPLS INET 3G/4G Embedded Application Recognition Deep Packet Inspection

32. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32 § Enforce SLA compliant path for applications of interest § Other applications will follow fabric routing across all paths Control Plane Path1: 10ms, 0% loss, 5ms latency Path2: 200ms, 3% loss, 10ms latency Path3: 140ms, 1% loss, 10ms latency vManage App Aware Routing Policy App A path must have: latency < 150ms loss < 2% jitter < 10ms vEdge1 vEdge2 Internet MPLS 4G LTE vSmart Controllers App A IPSec Tunnel Critical Applications SLA Application Aware Routing Path 2

34. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 34 Cisco vEdge Routers Portfolio Positioning Branch/SOHO/SMB (100Mb) Branch/Campus (1Gb) Campus/Data Center (10Gb) NFV, vCPE (N x cores) IaaS & Cloud Interconnect (N x cores) Campus/Data Center (20Gb+) vEdge 100 family vEdge 1000 vEdge 2000 vEdge 5000 vEdge Cloud on Greybox or Whitebox vEdge Cloud

35. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 35 Data Center Campus Branch Home Office 4G/LTE MPLS Internet Control Plane (Containers or VMs) (vSmart) Management Plane (Multi-tenant or Dedicated) (vManage) Orchestration Plane (vBond) 2000 vEdges per vBond Redundancy Add 1-2 vBonds Horizontal Scale out Model Horizontal Scale Out Model 2700 vEdges per vManage Horizontal Scale out Model in cluster mode (same DC) 2700 vEdges per vSmart Redundancy Add 1-2 vSmarts Horizontal Scale out Model Scalability Considerations Orchestration/Control/Management Plane

36. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 36 Perpetual cost of Cisco SD-WAN CPE hardware Subscription cost of Cisco SD-WAN software (Includes SD- WAN controller + CPE software) Operational cost of Cisco SD- WAN solution 1.Subscription license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors: • Service bandwidth • Features 2.Perpetual cost of Cisco SD-WAN CPE element. SD-WAN Pricing Model Subscription and Perpetual Elements

37. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 37 DNA-Essentials DNA-Advantage Hub Spoke Spoke Spoke MPLS Internet Local breakout Hub Spoke Spoke Spoke MPLS Internet Spoke Spoke Local breakout Dynamic Routing Dynamic Routing Hub Spoke Spoke Spoke MPLS Internet Spoke Spoke Dynamic Routing Dynamic Routing SaaS onRamp SD WAN controllers AnalyticsSD WAN controllers SD WAN controllers AAR AAR AAR E2E Segmentation E2E Segmentation • Routing: Static • Topology: Hub-n-spoke only • Internet/Cloud: NAT, Split tunnel • Policy: Local ACL only, Data policy • QoS • SLA: Application aware routing (5 tuple only) • Visibility : DPI for visibility only • Routing: Dynamic routing (OSPF/BGP) • Topology: Mesh topology • Internet/Cloud: Cloud onRamp for IaaS • Policy: Control policy • Segmentation: 5 VPNs (1+4) • SLA: Application aware routing (DPI) • Multicast • Segmentation: Unlimited • Internet/Cloud: Cloud onRamp for SaaS • Analytics: vAnalytics platform Cisco ONE Adv. License Tier Features License Tiers

39. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential vManage Cisco SD-WAN Day 1 Deployment Scenarios ISR TI / E! / DSL DeploymentScenarios vEdge ISR Providing Services vManage vEdge Ethernet ISR WaaS UC Thin Branch vManage vEdge Ethernet

40. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Roadmap Phase 2 Platform Integration Phase 1 No Integration Phase 3 Management Integration Platform: • As-is Management: • vManage Platform: • vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K) Management: • vManage for SD-WAN capabilities on IOS-XE Management: • Cloud hosted DNA Center integrates vManage capabilities • Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN) Support current Viptela customers Viptela SD-WAN on strategic ISR platforms Deliver end-to-end experience with full DNA integration DeploymentScenariosBenefitsDetails vEdge ISR4K + vEdge SW DNA Center + SD-WAN ISR4K + vEdge SW vManage vEdge vManage vEdge

41. © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 41 Positioning Cisco’s SD-WAN Solutions 1. Do you have a requirement to support end- to-end secure segmentation over the WAN? 2. What is the size of your branch network? 3. Do you intend to deploy dynamic per VPN topologies? 4. Do you intend to deploy a network with intelligent path selection for IaaS or SaaS? 1. Do you have existing Meraki infrastructure? 2. Do you have a requirement to manage a full branch network (switches, APs, etc.) through a single management interface? 3. Does your staff desire simple management and automation for deploying branch security?

42. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE • Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem (hardware) based solution, offering unmatched capabilities • Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform and DNA Center, but the complimentary Viptela core products are here to stay in foreseeable future Key Takeaways

43. Thank you.

Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela

Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela

Recomendados

Más contenido relacionado

Was ist angesagt?

Was ist angesagt?(20)

Similar a Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela

Similar a Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela (20)

Más de Cisco Canada

Más de Cisco Canada(20)

Último

Último(20)

Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela