LTRCRS-2005 Introduction to Cisco SD-WAN (Viptela)
Brad Edgeworth, Systems Engineer, CCIE #31574
Dustin Schuemann, Solutions Architect
Madhavan Aruanchalam, Technical Marketing Engineer
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#ltrcrs-2005
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
- Introduction to SD-WAN
- Cisco SD-WAN (Viptela) Fundamentals
- Initial Device Provisioning
- Policy Administration
- Application Awareness
- Segmentation
- Monitoring/Troubleshooting
- Additional Use Cases
Introduction
Housekeeping (for your reference only)
Who are we?
Everyone loves to eat chorizo. Not many people know how to make chorizo, but they can still buy it at the store or order it at a restaurant. In this session you will learn how to make chorizo (i.e. SD-WAN), but you do not need to know many of these concepts to enjoy it: you can still consume SD-WAN as a service from a provider.
This session mixes presentation with a hands-on lab. We will repeat the key concepts throughout the lab to help you understand them.
BRKCRS-2007 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Introduction to SD-WAN
Current WAN Challenges
Is your WAN business ready?
- Insufficient bandwidth
- Complex operations
- Limited application awareness
- High cost
- Application downtime
- Limited scale
- Fragmented security
- No readiness for cloud applications
Business Requirements for the WAN are evolving
- Applications are moving to the cloud
- Mobile/IoT device proliferation
- The Internet edge is moving to the branch
- Managing the network is getting more complex
Customers want to
- Simplify WAN/branch management
- Reduce WAN and operating costs
- Optimize the application experience
SD-WAN is the solution
- Network capacity optimization and increased bandwidth
- Protected application SLAs
- Lower operating costs and TCO
Cisco SD-WAN Holistic Approach (diagram)
Cloud-delivered analytics, automation and virtualization connect users, devices and things to applications in the data center, IaaS and SaaS through the SD-WAN fabric, Cloud OnRamp, IoT and edge computing: secure, scalable, open.
Cisco SD-WAN Overview
Cisco SD-WAN Solution Pillars
- Cloud-delivered architecture
- Agile operations
- Application quality of experience
- Comprehensive security
Cisco SD-WAN Cloud-Delivered Architecture (diagram)
Multitenant, cloud-operated and cloud-delivered: vManage (GUI and REST API) and the vSmart controllers, with analytics, run in the cloud or in a private/hosted/managed data center. A secure control plane reaches the vEdge routers at the data center, campus, branch and small office/home office sites over MPLS, Internet and 4G transports, forming the secure SD-WAN fabric.
Arbitrary VPN Topologies
- Each VPN can have its own topology: full-mesh (VPN1), hub-and-spoke (VPN2), partial-mesh (VPN3), point-to-point (VPN4), etc.
- The VPN topology can be influenced by leveraging control policies
- Applications can benefit from the shortest path, e.g. voice takes the full-mesh topology
- Security compliance can benefit from controlled connectivity, e.g. PCI data takes the hub-and-spoke topology so that every flow crosses the hub
Fabric Operation Walk-Through (diagram)
- vEdge routers learn service-side subnets in each VPN (BGP, OSPF, connected, static) and advertise them, together with their TLOCs, to vSmart in OMP updates over DTLS/TLS tunnels
- OMP updates carry reachability (IP subnets, TLOCs), security (IPsec encryption keys) and policy (data and app-route policies); vSmart applies its policies before reflecting updates to the other vEdges
- vEdge routers build IPsec tunnels to each other across every transport (Transport1, Transport2) and run BFD inside the tunnels for path liveness
Critical Applications SLA
- vEdge routers continuously perform path liveness and quality measurements over every IPsec tunnel
- Device QoS: shaping, policing, queuing, marking
- App-aware routing policy, e.g. App A's path must have latency < 150 ms, loss < 2 % and jitter < 10 ms
- Example, remote site to regional data center over Internet, MPLS and 4G LTE: Path 1: 10 ms, 0 % loss, 5 ms jitter; Path 2: 200 ms, 3 % loss, 10 ms jitter; Path 3: 140 ms, 1 % loss, 10 ms jitter. Only Path 1 satisfies every threshold and becomes the optimal path
- Optimal path MTU and TCP optimization
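The path selection the slide describes, as an added example that is not part of the original deck and not Viptela code: it averages constructed BFD samples per transport color (modeled on the slide's three paths), checks them against an SLA class with the slide's strict thresholds, and applies the app-route policy behaviour of preferred colors and best-effort fallback. Color names, sample values and the fallback ordering are assumptions for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed BFD measurements (latency ms, loss %, jitter ms) per transport color,
# modeled on the three paths shown on the slide. In the fabric these come from BFD
# probes over each IPsec tunnel, averaged over the app-route poll interval.
BFD_SAMPLES: Dict[str, List[Tuple[float, float, float]]] = {
    "mpls":         [(10, 0.0, 5), (11, 0.0, 4), (9, 0.0, 6)],
    "biz-internet": [(200, 3.0, 10), (190, 2.5, 12), (210, 3.5, 8)],
    "lte":          [(140, 1.0, 10), (135, 1.0, 10), (145, 1.0, 10)],
}


@dataclass(frozen=True)
class SlaClass:
    """An SLA class as configured in an app-aware routing policy. None = unconstrained."""
    name: str
    latency_ms: Optional[float] = None
    loss_pct: Optional[float] = None
    jitter_ms: Optional[float] = None


# The slide's "App A" SLA: latency < 150 ms, loss < 2 %, jitter < 10 ms.
APP_A_SLA = SlaClass("app-a", latency_ms=150, loss_pct=2, jitter_ms=10)


@dataclass(frozen=True)
class PathStats:
    color: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float

    def meets(self, sla: SlaClass) -> bool:
        """Every configured threshold must hold; the slide's thresholds are strict."""
        checks = ((self.latency_ms, sla.latency_ms),
                  (self.loss_pct, sla.loss_pct),
                  (self.jitter_ms, sla.jitter_ms))
        return all(limit is None or value < limit for value, limit in checks)


def summarize(samples: Dict[str, List[Tuple[float, float, float]]]) -> Dict[str, PathStats]:
    """Average the raw BFD samples per color into one PathStats per transport."""
    return {
        color: PathStats(color, mean(s[0] for s in v), mean(s[1] for s in v), mean(s[2] for s in v))
        for color, v in samples.items()
    }


def select_path(stats: Dict[str, PathStats], sla: SlaClass,
                preferred_colors: Tuple[str, ...] = (),
                fallback_best_effort: bool = True) -> Tuple[List[str], str]:
    """Pick the colors a flow in this SLA class is forwarded over.

    1. candidates are the paths currently meeting the SLA
    2. if a preferred color is among them, only preferred colors are used
    3. otherwise traffic is load-shared across all compliant paths
    4. if no path complies, either drop (strict) or fall back to the least-bad path
       (assumed ordering: lowest loss, then latency, then jitter)
    """
    compliant = [p for p in stats.values() if p.meets(sla)]
    if compliant:
        preferred = [p for p in compliant if p.color in preferred_colors]
        chosen = preferred or compliant
        return sorted(p.color for p in chosen), "sla-met"
    if not fallback_best_effort:
        return [], "no-compliant-path"
    best = min(stats.values(), key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
    return [best.color], "fallback"


if __name__ == "__main__":
    stats = summarize(BFD_SAMPLES)
    for color, p in stats.items():
        print(f"{color:13s} latency={p.latency_ms:.0f}ms loss={p.loss_pct:.1f}% "
              f"jitter={p.jitter_ms:.0f}ms meets App A: {p.meets(APP_A_SLA)}")
    print(select_path(stats, APP_A_SLA))
```

Note that the 4G path fails only on jitter: 10 ms is not strictly below the 10 ms threshold, which is exactly the kind of boundary case an operator should verify when tuning an SLA class.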
DDoS Protection for vEdge Routers
Packets arriving on the transport interfaces are classified by source before they reach the vEdge CPU:
- Authenticated sources (vBond, vSmart, vManage) and implicitly trusted sources (SD-WAN IPsec peers): permitted, subject to control plane policing of 300 pps per flow and 5,000 pps aggregate
- Explicitly defined sources (e.g. cloud security services): permitted as configured
- Unknown sources (anything else): denied, except
  1. return packets matching a flow entry (Direct Internet Access enabled)
  2. DHCP, DNS, ICMP
* SSH, NETCONF, NTP, OSPF, BGP and STUN can be manually enabled on the transport interface
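The implicit transport-interface filter the slide describes, as an added example that is not part of the original deck and not Viptela code. It reads the `allow-service` lines from a constructed VPN 0 configuration fragment written in the style of the vEdge CLI (the fragment, the interface name and the addresses are assumptions, not the lab's configuration), then classifies inbound packets in the slide's order: authenticated peers under per-flow and aggregate policing, return traffic for Direct Internet Access flows, the default DHCP/DNS/ICMP exceptions plus any explicitly enabled service, and a drop for everything else. The port numbers are the IANA defaults for each protocol.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# Constructed VPN 0 configuration fragment in the style of the vEdge CLI
# (assumption for illustration, not the lab configuration). Only the
# allow-service lines under tunnel-interface drive the decision below.
VPN0_CONFIG = """
vpn 0
 interface ge0/0
  ip address 172.16.1.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls
   allow-service sshd
   allow-service ntp
   no allow-service bgp
  no shutdown
"""

# Service name -> (IP protocol, destination ports it listens on; None = any port).
SERVICE_MATCH: Dict[str, Tuple[str, Optional[FrozenSet[int]]]] = {
    "sshd": ("tcp", frozenset({22})), "netconf": ("tcp", frozenset({830})),
    "ntp": ("udp", frozenset({123})), "bgp": ("tcp", frozenset({179})),
    "ospf": ("ospf", None), "stun": ("udp", frozenset({3478})),
    "dhcp": ("udp", frozenset({67, 68})), "dns": ("udp", frozenset({53})),
    "icmp": ("icmp", None),
}
DEFAULT_ALLOWED = {"dhcp", "dns", "icmp"}   # permitted without configuration (slide)
PER_FLOW_PPS, AGGREGATE_PPS = 300, 5000     # control plane policing limits (slide)


def parse_allow_services(config: str) -> Set[str]:
    """Collect the services an operator enabled (or disabled) on the transport interface."""
    allowed = set(DEFAULT_ALLOWED)
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["allow-service"] and len(words) == 2:
            allowed.add(words[1])
        elif words[:2] == ["no", "allow-service"] and len(words) == 3:
            allowed.discard(words[2])
    return allowed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", "ospf", ...
    sport: int = 0
    dport: int = 0


class TransportInterfaceFilter:
    """Implicit inbound filter on a VPN 0 transport interface."""

    def __init__(self, config: str, authenticated_peers: Iterable[str],
                 flow_table: Iterable[Tuple[str, int, str, int, str]]):
        self.allowed = parse_allow_services(config)
        self.peers = set(authenticated_peers)   # controllers and IPsec peers already authenticated
        self.flows = set(flow_table)            # (src, sport, dst, dport, proto) of outbound DIA flows
        self.counters: Dict[tuple, int] = defaultdict(int)

    def _policed(self, pkt: Packet, second: int) -> bool:
        """Per-flow and aggregate packets-per-second policing toward the CPU."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto, second)
        self.counters[flow] += 1
        self.counters[("aggregate", second)] += 1
        return (self.counters[flow] > PER_FLOW_PPS
                or self.counters[("aggregate", second)] > AGGREGATE_PPS)

    def decide(self, pkt: Packet, second: int = 0) -> str:
        if pkt.src in self.peers:
            return "drop-policed" if self._policed(pkt, second) else "permit-peer"
        # Reply to a flow this router originated toward the transport (DIA).
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "permit-return-flow"
        for name in sorted(self.allowed):
            if name not in SERVICE_MATCH:
                continue
            proto, ports = SERVICE_MATCH[name]
            if pkt.proto == proto and (ports is None or pkt.dport in ports):
                return f"permit-service:{name}"
        return "drop"
```

The practical lesson is the `no allow-service bgp` line: a service that is not enabled stays closed even from sources that look legitimate, so enabling SSH or NETCONF on a transport interface is a deliberate widening of the attack surface that should be paired with an explicit ACL on that interface.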
vEdge VPNs and Security Zoning (diagram)
- Trust zone: service VPNs (VPNn) on interfaces and sub-interfaces toward the site
- Untrust zone: transport VPN (VPN0) on interfaces and sub-interfaces toward MPLS and Internet
- Out-of-band management: VPN512 on a dedicated interface
- VPNs are isolated from each other; each VPN has its own forwarding table
- Reachability within a VPN is automatically advertised by OMP
Cisco SD-WAN Solution Elements: Orchestration Plane (vBond)
- Orchestrates the control and management planes
- First point of authentication (whitelist model)
- Distributes the list of vSmarts and vManage to all vEdge routers
- Facilitates NAT traversal
- Requires a public IP address (can sit behind a 1:1 NAT)
(Diagram: vManage, vSmart controllers, vBond and vAnalytics in the cloud, exposed through APIs to third-party automation; vEdge routers at the data center, campus, branch and SOHO over MPLS, Internet and 4G)
Cisco SD-WAN Solution Elements: Control Plane (vSmart)
- Facilitates fabric discovery
- Disseminates control plane information between vEdges
- Distributes data plane and app-aware routing policies to the vEdge routers
- Implements control plane policies, such as service chaining, multi-topology and multi-hop
Cisco SD-WAN Solution Elements: Data Plane (vEdge)
- WAN edge router
- Provides a secure data plane with remote vEdge routers
- Establishes a secure control plane with the vSmart controllers (OMP)
- Implements data plane and application-aware routing policies
Cisco SD-WAN Solution Elements: Management Plane (vManage)
- Single pane of glass for Day 0, Day 1 and Day 2 operations
- Multitenant with web scale
- Centralized provisioning
- Policies and templates
- Troubleshooting and monitoring
- GUI with RBAC; APIs for third-party automation
Overlay Management Protocol (OMP): Unified Control Plane
- TCP-based, extensible control plane protocol
- Runs between vEdge routers and vSmart controllers, and between the vSmart controllers, inside the TLS/DTLS connections
- Advertises control plane context
- Dramatically lowers control plane complexity and raises overall solution scale
- The OMP session is established in VPN0
Note: vEdge routers need not connect to all vSmart controllers
Establishing OMP Neighbors
- System IP is like a router ID: unique per fabric element, non-routable in the overlay, learned and advertised by vManage
- OMP peering is established between System IPs over the TLS/DTLS tunnels (example: vEdge 1.1.1.1 peering with vSmarts 1.1.1.53 and 1.1.1.54 over the MPLS and Internet transports)
- There is a single OMP peering between a vEdge and a vSmart, even if multiple TLS/DTLS tunnels exist between them
OMP: vRoutes (OMP Routes)
- Routes learned from the local service side (connected, static, dynamic OSPF/BGP) and advertised to the vSmart controllers in OMP updates
- In essence, these are the routes from other sites that are reached via the tunnel (overlay)
- Most prominent attributes: TLOC, Site-ID, Label, VPN-ID, Tag, Preference, Originator System IP, Origin Protocol, Origin Metric
OMP: TLOC Routes
- Routes connecting locations to the physical transport networks (MPLS, Internet)
- Provide a method of locating the encapsulating interface of the remote vEdge device
- Advertised to the vSmart controllers alongside the connected, static and dynamic (OSPF/BGP) service-side routes
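How a vEdge joins vRoutes and TLOC routes, as an added example that is not part of the original deck and not Viptela code. It models the two route types with the attributes listed on the slides and resolves a service-side prefix to the tunnel endpoints it is reachable through. The route selection is deliberately simplified (an assumption: real OMP applies further tie-breakers such as origin protocol and metric): ignore routes from the local site, require a known TLOC with an established BFD session, keep the highest preference and load-share across the rest. System IPs, labels and endpoint addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Tloc = Tuple[str, str, str]   # (system IP, color, encapsulation) names a transport locator


@dataclass(frozen=True)
class OmpRoute:
    """A vRoute: a service-side prefix advertised to vSmart, with the slide's main attributes."""
    vpn: int
    prefix: str
    tloc: Tloc
    site_id: int
    label: int
    originator: str
    preference: int = 0
    origin: str = "connected"


@dataclass(frozen=True)
class TlocRoute:
    """Locates the encapsulating interface behind a TLOC."""
    tloc: Tloc
    public_ip: str
    public_port: int
    site_id: int


@dataclass(frozen=True)
class NextHop:
    system_ip: str
    color: str
    endpoint: str      # public IP the IPsec tunnel is built to
    port: int
    label: int         # VPN label pushed into the tunnel header


class OmpRib:
    """What a vEdge learns from vSmart, and how it turns a vRoute into tunnel next hops."""

    def __init__(self, local_site: int):
        self.local_site = local_site
        self.vroutes: List[OmpRoute] = []
        self.tlocs: Dict[Tloc, TlocRoute] = {}
        self.bfd_up: Set[Tloc] = set()   # remote TLOCs with an established BFD session

    def learn_vroute(self, route: OmpRoute) -> None:
        self.vroutes.append(route)

    def learn_tloc(self, tloc_route: TlocRoute) -> None:
        self.tlocs[tloc_route.tloc] = tloc_route

    def resolve(self, vpn: int, prefix: str) -> List[NextHop]:
        """Simplified OMP best-path selection (assumption, see lead-in)."""
        candidates = [r for r in self.vroutes
                      if r.vpn == vpn and r.prefix == prefix and r.site_id != self.local_site
                      and r.tloc in self.tlocs and r.tloc in self.bfd_up]
        if not candidates:
            return []
        best = max(r.preference for r in candidates)
        hops = []
        for r in candidates:
            if r.preference != best:
                continue
            t = self.tlocs[r.tloc]
            hops.append(NextHop(r.tloc[0], r.tloc[1], t.public_ip, t.public_port, r.label))
        return sorted(hops, key=lambda h: (h.system_ip, h.color))


# Constructed TLOCs (system IP, color, encap). The system IPs are illustrative.
BR2_MPLS: Tloc = ("1.1.1.4", "mpls", "ipsec")
BR2_INET: Tloc = ("1.1.1.4", "biz-internet", "ipsec")
DC1_MPLS: Tloc = ("1.1.1.1", "mpls", "ipsec")
BR1_MPLS: Tloc = ("1.1.1.3", "mpls", "ipsec")   # the local site's own TLOC


def build_sample_rib() -> OmpRib:
    """Branch 1 (site 300) learning Branch 2's LAN 10.4.0.0/24 (site 400) in VPN 1."""
    rib = OmpRib(local_site=300)
    rib.learn_tloc(TlocRoute(BR2_MPLS, "192.0.2.42", 12346, 400))
    rib.learn_tloc(TlocRoute(BR2_INET, "198.51.100.42", 12346, 400))
    rib.learn_tloc(TlocRoute(DC1_MPLS, "192.0.2.11", 12346, 100))
    rib.learn_tloc(TlocRoute(BR1_MPLS, "192.0.2.31", 12346, 300))
    for tloc in (BR2_MPLS, BR2_INET):      # Branch 2 advertises its LAN over both transports
        rib.learn_vroute(OmpRoute(1, "10.4.0.0/24", tloc, 400, 1002, "1.1.1.4", preference=100))
    # The data center also advertises the prefix (e.g. a BGP summary) with a lower preference.
    rib.learn_vroute(OmpRoute(1, "10.4.0.0/24", DC1_MPLS, 100, 1001, "1.1.1.1", origin="bgp"))
    # A route from our own site must never be chosen through the overlay.
    rib.learn_vroute(OmpRoute(1, "10.4.0.0/24", BR1_MPLS, 300, 1003, "1.1.1.3", preference=200))
    return rib


if __name__ == "__main__":
    rib = build_sample_rib()
    rib.bfd_up.update({BR2_MPLS, BR2_INET, DC1_MPLS})
    for hop in rib.resolve(1, "10.4.0.0/24"):
        print(hop)
```

Two properties worth checking in the output: the same prefix in a different VPN resolves to nothing (VPN isolation), and when every Branch 2 TLOC loses its BFD session the lower-preference data-center route takes over without any change to the advertised vRoutes.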
OMP: Network Service Routes
- Routes for advertised network services, i.e. firewall, IDS, IPS, generic/custom
- Advertised to the vSmart controllers
- Most prominent attributes: VPN-ID, Service-ID (FW, IDS, IDP, Custom), Label, Originator System IP, TLOC
OMP: Network Service Routes Example (diagrams)
- A firewall attached to the regional hub is advertised as a network service in VPN1; the regional hub, remote office and data center are connected over MPLS, Internet and 4G
- The regional hub sends a service advertisement for the firewall to vSmart; vSmart advertises the VPN1 routes to the remote office and the data center with a policy that inserts the service, so traffic between them is steered through the hub's firewall
High Availability
Transport Redundancy: Meshed
- vEdge routers are directly connected to all the transports
- SD-WAN tunnels are built through all directly connected transports
Failure cases (Internet and MPLS transports to the site network):
- Circuit failure: the Internet transport is still reachable through the other vEdge router
- Transport failure: tunnels continue over the surviving transport
- Router failure: the Internet transport is still reachable through the surviving vEdge router
Transport Redundancy: L2 Switch
- vEdge routers are connected to all the transports through L2 switches
- SD-WAN tunnels are built through all directly connected transports
Failure cases (Internet and MPLS transports to the site network):
- Circuit failure: the Internet transport is still reachable through the switch
- Transport failure
- Router failure
Transport Redundancy: TLOC Extension
- Each vEdge router is directly connected to a single transport
- SD-WAN tunnels are built through the local transport and, via the TLOC extension link to the neighboring vEdge router, through the remote transport
Failure cases (Internet and MPLS transports to the site network): circuit failure, transport failure, router failure
Key Concept Deep Dive
Terminology
VPNs
- These are like VRFs; used for segmenting traffic
- VPN0 is system defined: used for control plane traffic (OMP, orchestration, vManage, etc.); IPsec tunnels terminate on VPN0 interfaces; WAN transports are associated to VPN0
- VPN512 is used for out-of-band system management
- VPN1-511 are user defined and used for site-to-site data traffic; our lab uses VPN10, VPN20 and VPN40 for data traffic
Colors
- Used to associate an interface in VPN0 to a specific transport type
- Examples include: mpls, biz-internet, private, public
Transport Locator IDs (TLOCs)
- Used to identify the encapsulating interface of a remote vEdge router
- Primarily based on the System IP, but include the encapsulating interface IP and the color
Visualizing the Concepts (diagrams)
- VPN0 with color mpls on the MPLS transport and a second color on the Internet transport: VPN0 carries the control plane to vSmart; underlay routing, nothing is encapsulated
- A user-defined VPN (VPN1, host A) is added: its data plane rides over the VPN0 transports inside IPsec tunnels while VPN0 continues to carry the control plane
- A second user-defined VPN (VPN2, host B) shares the same transports but stays separate from VPN1
Logging in to the Lab
Lab Orientation
Every student works by themselves. You don't have to wait on others to proceed!
Lab Topology (diagram)
- Management cloud 198.18.128.0/18: vPod gateway 198.18.133.1, workstation wkst1 198.18.133.36, ad1 198.18.133.40, LiveAction 198.18.133.34, Viptela controllers 198.18.133.200, WANem impairment nodes (133.211, 133.212, br0, br1), firewall
- Hub Site 1, San Jose (site-id 100): DC1-VEDGE1, DC1-VEDGE2, DC1-MPLS-CE, DC1-INET-CE and a ZTP server; point-to-point links 172.16.10.0/30 to 172.16.13.0/30
- Controllers vManage, vSmart and vBond on links 172.16.1.0/30, 172.16.2.0/30 and 172.16.4.0/30
- Transports: MPLS (AS 100) and Internet (AS 200)
- Branch 1, Miami (site-id 300): BR1-VEDGE1 and BR1-VEDGE2 with a TLOC extension link (172.16.3.0/30), BR1-PC 10.3.0.10, LAN 10.3.0.0/24 with virtual IP 10.3.0.1 and DHCP based on the LAN pool
- Branch 2, Chicago (site-id 400): BR2-VEDGE1, BR2-Core, BR2-PC 10.4.0.10 (DHCP), LANs 10.4.0.0/24 and 10.4.254.0/24
- Internet-side branch links: 100.64.1.0/30, 100.64.3.0/30, 100.64.4.0/30
Accessing the Lab
- Access to the lab is obtained by launching Cisco AnyConnect and connecting to dcloud-lon-anyconnect.cisco.com. Your instructor will have your desktop already connected over the VPN; if it is not, ask your instructor for the username and credentials that are unique to your pod.
- Initiate a remote desktop session to the dCloud workstation 198.18.133.36 by clicking the Start button and typing: mstsc /v:198.18.133.36
- You will be prompted for user credentials. Use the username WKST1\demo and the password C1sco12345.
- If a different username is shown, click "Use another account" and type in the appropriate username.
Complete Your Online Session Evaluation
- Please complete your online session evaluations after each session
- Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
- Demos in the Cisco campus
- Walk-in self-paced labs
- Tech Circle
- Meet the Engineer 1:1 meetings
- Related sessions
Thank you