Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab

Transcription

1

2 Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Ali Shaikh Technical Leader Faraz Shamim Sr. Technical Leader Mossaddaq Turabi Distinguished ENgineer

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

4 Agenda Introduction Migration Strategies Templates + Zero Touch Provisioning Policy Overview Hub & Spoke Topology + Preferential DataCenters Service Chaining Cloud Express for SaaS Application Aware Routing

5 Introduction

6 Introduction Cisco SD-WAN is the next generation software defined architecture for the WAN. It is a controller based architecture leveraging centralized policies. This lab assumes an understanding of the Cisco SD-WAN components and how they construct overlay communication between them: vmanage The overlay management appliance vsmart The overlay policy and routing enforcement appliance vbond The overlay orchestrator appliances vedge The network routing edge appliance The goal of this lab is to learn to manipulate the overlay beyond a basic setup to achieve different topologies and network functions. 6

7 Cisco SD-WAN Architecture vorchestrator Service Orchestration vmanage vanalytics APIs 3 rd Party Automation Management Plane vbond vsmart Controllers Control Plane MPLS INET 4G vedge Routers Data Plane Cloud Data Center Campus Branch SOHO 7

8 Cisco SD-WAN Elements and Functions vbond orchestrator First point of authentication (white-list model) Orchestrates control and management plane Facilitates NAT traversal vmanage is the NMS system (a single pane of glass), for the entire SD-WAN fabric vsmart controllers: Distribute reachability and security information between the vedge routers Distribute data and app-route policies to vedges Enforce control policies vedge routers WAN Edge Routers Establishes OMP session with vsmart for overlay routing Supports legacy protocols for LAN BGP, OSPF, VRRP Establishes a secured data plane between sites Available as HW appliance or as a softaware-only virtual machine (VM) 8

9 Secure Segmentation - VPNs IF VPN10 IF MPLS Service (VPNn) Transport (VPN0) IF VPN20 IF INET Management (VPN512) VPNs are isolated from each other, each VPN has its own forwarding table IF vedge router allocates label to each of it s service VPNs and advertises it as route attribute in OMP updates - Labels are used to identify VPN in the incoming packets 9

10 Fabric Operation Reachability, Security/TLOCs and Policies OMP vsmart DTLS/TLS Tunnel IPSec Tunnel BFD OMP Update OMP Update Policies OMP Update OMP Update BGP, OSPF, Connected, Static vedge1 VPN1 A VPN2 B T1 TLOCs Transport1 Transport2 TLOCs VPN1 C vedge2 T3 T4 T1 T2 T4 T2 T3 VPN2 D BGP, OSPF, Connected, Static Subnets Subnets

11 Configurations and Zero Touch Provisioning (ZTP)

12 Configuration and Policy Framework vmanage NETCONF/YANG Device Configuration Device Configuration Centralized Control Policy (Fabric Routing) Centralized Data Policy (Fabric Data Plane) Centralized Policies Localized Policies Local Control Policy (OSPF/BGP) Local Data Policy (QoS/Mirror/ACL) Centralized App-Aware Policy (Application SLA) OMP vsmart Centralized Data Policy (Fabric Data Plane) Centralized App-Aware Policy (Application SLA) vedge 12

13 Zero Touch Provisioning - Overview The Zero Touch Provisioning service relies on: A license file provided by Cisco for the overlay. Explicitly marking a device as valid or staging. A configuration template for the device. A device configuration template consists of Basic Information Device identifiers (Hostname,, Site-ID) Transport & Management VPN The VPNs for circuits and out-of-band management Service VPN The LAN side at the branch or datacenter Additional Templates Miscellaneous items such as Banners Each section is made of independent modules called Features. A full device template is made up of combining all the Features into the relevant Device Sections to create a Device Template. 13

14 GUI based Templates / Feature Templates 14

15 QoS/SNMP/Banner Templates 15

16 QoS Configurations policy app-visibility flow-visibility class-map class VOICE queue 0 class VIDEO queue 1 class BIZ-DATA queue 2 class BEST-EFFORT queue 3 qos-scheduler besteffort_scheduler class BEST-EFFORT bandwidth-percent 5 buffer-percent 5 drops red-drop qos-scheduler bizdata_scheduler class BIZ-DATA bandwidth-percent 50 buffer-percent 50 drops red-drop qos-scheduler video_scheduler class VIDEO bandwidth-percent 30 buffer-percent 30 qos-scheduler voice_scheduler class VOICE bandwidth-percent 15 buffer-percent 15 scheduling llq qos-map WAN-QOS qos-scheduler besteffort_scheduler qos-scheduler bizdata_scheduler qos-scheduler video_scheduler qos-scheduler voice_scheduler access-list GuestWiFi sequence 10 action accept class BEST-EFFORT default-action accept 16

17 CLI based Device Configuration Template Take the CLI based configuration of the device Create a Device template Highlight the text and create a device specific variable Policy definition is part of the device template Used for Branch 1 devices 17

18 CLI based Device Configuration Template 18

19 Zero Touch Provisioning - Workflow Zero Touch Provisioning Server Control and Policy Elements Assumption: DHCP on Transport Side (WAN) DNS to resolve ztp.viptela.com 1 2 vedge Full Registration and Configuration 19

20 Migration Step 1 DC Deployment

21 Baseline Topology and Configuration DC1 San Jose Wkst-1 Host FW Host FW DC2 Chicago / /24 BGP AS DC1-MPLS-CE OSPF OSPF DC2-MPLS-CE BGP AS MPLS Transport AS 100 BGP AS BR1-MPLS-CE / BR2-MPLS-CE / BGP AS OSPF Los Angeles Branch Type 1.10 Test Host Dallas Branch Type /24.10 Test Host 21

22 Cisco SD-WAN Site Brownfield Deployment Gateway/DC Site Deployment DC/Gateway Site BGP/OSPF Identify Gateway/DC Sites providing connectivity between SD-WAN and legacy sites Legacy sites talk to each other directly SD-WAN sites talk to each other directly Internet OMP SD-WAN Overlay MPLS Legacy router/connectivity is dropped in the DC/Gateway sites once migration is complete Legacy/MPLS Sites SD-WAN Sites 22

23 Step 1 : Deploy vedges in the DC New capabilities and enhancements Bandwidth Augmentation and Hybrid Transport (MPLS + Internet) VPN Segmentation (Corporate-10, PCI/IOT-20, Guest WiFi-40) 23

24 Deploy DC vedges along with existing MPLS CPEs DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID / / Test Host OSPF

25 Zero Touch Provisioning Step 2 Deploy vedge in BR2 using ZTP

26 Zero Touch Provisioning Lab Notes In this lab, a number of device templates have been created. In this lab, the features that will be used for all the sites have also been created. We will manipulate the values and fields already set in the features in this lab to modify the environment. We will use the device templates to push configuration to devices at the data center and at the branch. Once the configuration has been setup for the devices, we will observe the Zero Touch Provisioning process by which devices that have not become part of the network are brought in to the environment. 26

27 Replace Existing MPLS CE with vegde in Branch 2 DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID / /24 BR2 Test Host OSPF

28 Traffic flow between Migrated and non-migrated Sites DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID / /24 BR2 Test Host OSPF

29 Migration Step 3 Deploy vedges in BR1 with TLOC Extension

30 TLOC Extension and Configuration vpn 0 interface ge0/0 description MPLS tunnel ip address /30 tunnel-interface encapsulation ipsec color mpls restrict max-control-connections 1 [service list] interface ge0/2 description INET tunnel ip address /24 tunnel-interface encapsulation ipsec preference 100 color biz-internet restrict max-control-connections 1 [service list] interface ge0/3 ip address /24 tloc-extension ge0/0 no shutdown ip route / ip route / MPLS br1-vedge1 ip route / ge0/ /24 ge0/ /24 ge0/ /24 Add route to reach br1-vedge2 mpls tunnel end-point ge0/0 dhcp ge0/ /24 ge0/ /24 INET br1-vedge2 vpn 0 interface ge0/0 description INET tunnel ip dhcp-client nat Do not forget NAT tunnel-interface encapsulation ipsec color biz-internet restrict max-control-connections 1 [service list] interface ge0/2 ip address /24 tloc-extension ge0/0 no shutdown interface ge0/3 description MPLS tunnel ip address /24 tunnel-interface encapsulation ipsec color mpls restrict max-control-connections 1 [service list] ip route /

31 Replace Existing MPLS CE with vegdes in Branch 1 DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago X / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / X Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR VRRP.2.3 BR1 VEDGE BR / OSPF /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

32 VPN 20 IOT/PCI VPN Segment DC1 Site ID 100 San Jose Test Host Test Host DC2 Site ID 200 Chicago / /24.2 VRRP.3.2 VRRP DC1 DC1 VEDGE DC2 DC2 VEDGE Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR /24 Los Angeles BR1 Site ID 300 VRRP Test Host BR1 VEDGE /24 Dallas BR1 Site ID 400 BR2 Test Host

33 VPN 40 GuestWiFi VPN Segment DC1 Site ID 100 San Jose DC1 DC1 VEDGE DC2 DC2 VEDGE Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR /24 Los Angeles BR1 Site ID 300 VRRP Test Host BR1 VEDGE /24 Dallas BR1 Site ID 400 BR2 Test Host

34 Policy

35 Policy - Overview The SD-WAN overlay is controlled by centralized policies. The policies that dictate the network topology are called Control Policies. These policies manipulate the advertisement of routes and TLOCs (Transport Location) information. The policies are configured via the vmanage GUI. The policies are applied to the vsmart controller. The vsmart controller propagates the necessary information to the vedge routers as per the policy directives. 35

36 Policy - Workflow Inbound Policy: determines which routes are installed in the local routing database of the vsmart controller. Outbound Policy: applied AFTER a route is retrieved from routing database, but BEFORE the vsmart controller advertises it. 36

37 Hub & Spoke Topology

38 Hub & Spoke Topology By default SDWAN solution supports full mesh To make the solution more scalable, hub and spoke topology can be created In our example, we will create hub and spoke for VPN 10 and 20 VPN 40 will be restricted using VPN-Membership policy Currently, Branch 1 can directly talk to Branch 2 because of the full mesh topology After applying StrictHub-n-Spoke policy, Branch 1 can talk to Branch 2 via hub on 38

39 Strict Hub and Spoke Before Policy Application DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago X / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / X Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR VRRP.2.3 BR1 VEDGE BR / OSPF /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

40 Policy Definition vpn-membership vpnmembership_ sequence 10 match vpn-list corpvpn action accept sequence 20 match vpn-list pcivpn action accept default-action reject control-policy Hub-n-SpokeALLVPN sequence 1 match tloc site-list AllDC action accept sequence 11 match tloc action reject sequence 21 match route site-list AllBranches vpn-list corpvpn action reject sequence 31 match route site-list AllBranches vpn-list pcivpn action accept set tloc-list DC-TLOCS default-action accept 40

41 Strict Hub and Spoke After Policy Application DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago X / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / X Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR VRRP.2.3 BR1 VEDGE BR / OSPF /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

42 Preferential Data Centers

43 Preferential Data Centers By default vedge will perform load balancing for all routes coming via the DC There are situations when a certain site may want to prefer one DC over the other In our example, there are 4 vedges in the DC advertising DC routes These DC are also advertising default route ( ) for the Internet The goal: Branch 1 should prefer DC1 for default routes and Branch 2 should prefer DC2 for the default route 43

44 DC Preference Before policy application DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago X / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / X Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR VRRP.2.3 BR1 VEDGE BR / OSPF /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

45 DC Preference Policy control-policy PreferDC1 sequence 1 match route site-list DC1 action accept set preference 100 sequence 11 match route site-list AllBranches vpn-list pcivpn action accept set tloc-list DC-TLOCS default-action accept control-policy PreferDC2 sequence 1 match route site-list DC2 action accept set preference 100 sequence 11 match route site-list AllBranches vpn-list pcivpn action accept set tloc-list DC-TLOCS default-action accept 45

46 DC Preference After policy application DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago X / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / X Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR VRRP.2.3 BR1 VEDGE BR / OSPF /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

47 Service Insertion

48 Service Insertion Workflow VPN1 Traffic Path Control Plane Remote Office vsmart FW VPN1 Regional Hub MPLS INET 4G Policy Advertisement Service Advertisement VPN1 Data Center vedge router with connected service makes advertisement - Service route - Service VPN label Service is advertised in the VPN Service can be singly or dually connected (Firewall trust zones) to the advertising vedge Policies are used to insert the service into the matching traffic forwarding path - Match on 6-tuple or DPI signature - Applied on ingress/egress vedge 48

49 DC Preference Policy control-policy MultiTopologyFWInsertion sequence 1 match route site-list AllBranches vpn-list pcivpn action accept set tloc-list DC-TLOCS sequence 11 match route site-list AllBranches vpn-list corpvpn action accept set service FW vpn 10 default-action accept DC vedges Configuration vpn 10 service FW address

50 Service Insertion Traffic Flow after policy Activation DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago X / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / X Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP BR VRRP.2.3 BR1 VEDGE BR / OSPF /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

51 Application-Aware Routing

52 Application Aware Routing - Overview Cisco SD-WAN provides the ability to use multiple transports in more than just an active-active fashion. It provides the ability to use intelligent decision making for application steering on different transports. App-Aware Routing leverages the following logic: Measure loss, latency, jitter characteristics on all active tunnels. Network administrator defines a central policy that specifies SLAs for applications. The SD-WAN solution steers application traffic onto the paths that satisfy the SLAs. Traffic can be steered on any best path, or provided hierarchy in terms of what preferred path to be taken for a given application. 52

53 Application Aware Routing - Workflow vedges measure path liveliness and quality vmanage App Aware Routing Policy App A path must have: Latency < 150ms Loss < 2% Jitter < 10ms Remote Site Internet Path1: 10ms, 0% loss, 5ms jitter Path2: 200ms, 3% loss, 10ms jitter Path3: 140ms, 1% loss, 10ms jitter Path 2 MPLS 4G LTE Regional Data Center IPSec Tunnel 53

54 Application Aware Routing Lab Notes In this lab, you will: Learn to use the Simulate Flows to observe behavior in default state. Learn to view and modify SLAs for applications. Use a policy that steers DSCP 46 traffic onto MPLS as its preferred path. Observe via using the Simulate Flows capability that traffic steering takes effect. Inject latency into the environment. Observe via using the Simulate Flows that traffic is steered onto a path that satisfies the SLA. 54

55 CloudExpress

56 CloudExpress Overview SD-WAN Fabric 3 a b Direct Connect Cloud Exchange INET MPLS Carrier-Neutral Facility (CNF) Branch 4G 2 Regional Facility (Data Center/Colo) INET 1 Direct Internet Access (DIA) 56

57 CloudExpress Lab Implementation DC1 Site ID 100 San Jose Wkst-1 Host FW Host FW DC2 Site ID 200 Chicago CXP Gateway / OSPF DC1 DC1 VEDGE OSPF.212 DC2 DC2 VEDGE / CXP Gateway Controllers MPLS Transport AS 100 Internet Transport AS 200 ZTP CXP DIA BR VRRP.2.3 BR1 VEDGE BR / OSPF CXP DIA /24 Los Angeles BR1 Site ID Test Host Dallas BR2 Site ID /24 Test Host.21

58 CloudExpress Lab Notes In this lab, you will: Add in a new application to Cloud Express Learn how to add a new DIA Site Monitor vqoe scores for different applications and sites 58

59 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#

60 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at

61 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 61

62 Thank you

63