BRKCRS-2110: Delivering Cisco Next Generation SD-WAN with Viptela
David Klebanov, Engineer, Technical Marketing
Nikolai Pitaev, Engineer, Technical Marketing
Questions? Use Cisco Spark to communicate with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#brkcrs-2110
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What's in it for me?
In this session: Introduction and Design, Building Blocks, Use Cases, Operation and Security, Live Demo during the session.
Out of scope: Detailed explanation of how it works under the hood, Troubleshooting and debugging, Step-by-step Migration to SD-WAN.
"Design is not just what it looks like and feels like. Design is how it works." Steve Jobs, 2003
Why should I care? Real life examples:
- 80 percent reduction in cost per Mbps for a US insurance provider.
- $20 million reduction in OpEx over three years for a retailer.
- 5-fold improvement in Office 365 performance for an energy provider.
- 4-fold improvement in application latency for a healthcare provider.
- M&A integration within 2 weeks for a Fortune 50 healthcare provider.
- Securely isolated 100+ business partners for a US manufacturer with more than 1000 sites.
Key Message: Cisco SD-WAN Solution helps you to Reduce Cost, Operate Faster, and Integrate the Latest Cloud and Network Technologies.
SD-WAN learning Journey at Cisco Live (Monday to Friday), covering the tracks Deep Dive, SP orchestration, Serviceability, Architecture and solution, Migration and vQoE:
- TECCRS-20004 Cisco SD-WAN Technical Deep Dive
- BRKCRS-2110 Delivering Cisco Next Generation SD-WAN with Viptela
- BRKCRS-2111 Migration to Next-Gen SD-WAN
- BRKCRS-2112 Serviceability for Next Generation SD-WAN
- BRKCRS-2113 Cloud-Ready WAN for IaaS and SaaS with Cisco Next-Gen SD-WAN
- BRKRST-2514 Next Gen SD-WAN with application acceleration/optimization
- BRKRST-2557 SD-WAN and NFV Orchestration for Managed Service Providers
Agenda: Introduction, Architecture, Use Cases, Demo, Conclusion
Customer Requirements (Security Operations, Network Planning, Network Manager, Network Operations):
- "Security and Compliance are critical areas and require us to have the appropriate Segmentation, Policing, Access Controls and Visibility from end to end."
- "I want to Simplify Deployments and Automate Policy Enforcement to ensure a Consistent and Seamless Application Experience."
- "I need to Replace or Change existing Infrastructure and WAN Services to Lower Costs and Maximize Investments."
- "I want Centralized Policy Enforcement and Assurance to Accelerate Time to Resolution."
Traditional and Legacy Architectures cannot scale to address changing needs:
- EXPENSIVE: Hardware-centric; Fixed capacity
- POORLY INTEGRATED: Conflicting policies and configurations; Inflexible and static; Risk from accidental interactions and vulnerabilities
- DIFFICULT TO SUPPORT: Discrete device-by-device configurations; Complex management silos; Require slow truck rolls for changes
- CONNECTIVITY-CENTRIC: Fragmented, incomplete user experience; Not application-centric
- INFLEXIBLE: Tightly controlled, client-server model; Historical vs predictive management
Cisco SD-WAN is an integrated part of our Digital Network Architecture (DNA). Cisco DNA is a complete system for intent-based networking: Cloud service management, Automation, Assurance, Virtualization and Security on DNA-ready physical and virtual infrastructure.
SD-WAN Architecture
Cisco SD-WAN Architecture Overview
- Orchestration = vBond (vOrchestrator, ZTP)
- Management = vManage (Multi-tenant or Dedicated)
- Control Plane = vSmart (Containers or VMs)
- Data Plane = vEdge (Physical or Virtual)
Diagram: vManage (API, Analytics) and vSmart above vEdge routers at Data Center, Campus, Branch, SOHO and Cloud, connected over 4G/LTE, Internet and MPLS transports.
vBond is the SD-WAN Orchestrator
- Orchestrates connectivity between management, control and data plane.
- Serves as the first point of authentication.
- Requires a public IP address. All other components need to know the vBond IP or DNS name.
- Authorizes all control connections (white-list model).
vManage is your NMS for SD-WAN
- Single pane of glass for Day 0, Day 1 and Day 2 operations.
- Enables centralized provisioning and simplifies changes.
- Supports REST API, CLI, Syslog, SNMP, NETCONF.
- Provides real-time alerting.
vSmart is the centralized brain of the solution
- Implements control plane policies, such as service chaining, traffic engineering and segmentation (per-VPN topology).
- Reduces complexity of the entire network.
- Establishes peering with all vEdges and distributes connectivity information.
vBond, vSmart and vManage are also known as Controllers. Controllers can be deployed on-prem or in the cloud.
- On-Premise: vBond, vManage, vSmart1, vSmart2 on ESXi or KVM (physical server)
- Hosted: vBond, vManage, vSmart1, vSmart2 on AWS or Azure
vEdge is your SD-WAN data plane
- Provides secure data plane with remote vEdge routers.
- Establishes secure control plane with vSmart controllers.
- Implements data plane and application-aware routing policies.
- Exports performance statistics.
- Physical (100Mb, 1Gb, 10Gb, 20+Gb) or Virtual form factor.
SD-WAN Fabric
Cloud-Delivered Control: the controller set (vManage, vSmart, vBond) can be deployed by Cisco Cloud Ops in the Viptela Cloud, by an MSP Ops Team in an MSP Cloud, or by Enterprise IT in a Private Cloud.
Unified Control Plane: Overlay Management Protocol (OMP)
- TCP-based extensible control plane protocol
- Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
- Advertises control plane context and policies
- Dramatically lowers control plane complexity and raises overall solution scale
- SD-WAN: O(n) control complexity vs Traditional: O(n^2) control complexity
Note: vEdge routers need not connect to all vSmart Controllers.
Data Plane Establishment: Transport Locators (TLOCs)
- Local TLOCs (System IP, Color, Encap) are advertised to vSmarts in TLOC routes over OMP
- vSmarts advertise TLOCs to vEdges in TLOC routes
- Result: an SD-WAN fabric of IPsec tunnels between vEdges over MPLS and INET transports, with TLOCs as tunnel endpoints
Data Plane Liveliness and Quality: Bidirectional Forwarding Detection (BFD)
- Path liveliness and quality measurement: Up/Down, loss/latency/jitter, IPsec tunnel MTU
- Runs between all vEdge and vEdge Cloud routers in the topology, inside IPsec tunnels
- Operates in echo mode
- Automatically invoked at IPsec tunnel establishment
- Cannot be disabled
- Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection; fully customizable per-vEdge, per-color
Common Data Plane Communication (over MPLS and INET transports)
- Per-Session Load Sharing, Active/Active: Default
- Per-Session Weighted Active/Active: Device Configurable
- Application Pinning, Active/Standby: Policy Enforced
- Application Aware Routing, SLA Compliant: Policy Enforced
Fabric Operation Walk-Through
- Each vEdge learns site subnets per VPN (VPN1, VPN2) from BGP, OSPF, Connected and Static routes, and forms TLOCs on Transport1 and Transport2.
- OMP Updates are exchanged between vEdges and vSmart over DTLS/TLS tunnels and carry Reachability (IP subnets, TLOCs), Security (encryption keys) and Policy (Data/App-route policies); vSmart applies Control Policies.
- vEdges build IPsec tunnels between TLOCs and run BFD inside them.
Common Enterprise Deployment Use Cases
Application Visibility and Recognition: Deep Packet Inspection on the vEdge router
- Used for App Firewall, Traffic prioritization and Transport selection
Diagram: App 1, App 2 ... App 3,000 across Cloud Data Center, Data Center, Branch, Campus and Small Office Home Office over MPLS, 4G and INET.
Critical Applications SLA
- vEdge routers continuously perform path liveliness and quality measurements.
- vManage App Aware Routing Policy: App A path must have Latency < 150ms, Loss < 2%, Jitter < 10ms.
- Measured paths between Remote Site and Data Center (Internet, MPLS, 4G LTE): Path1: 10ms, 0% loss, 5ms jitter; Path2: 200ms, 3% loss, 10ms jitter; Path3: 140ms, 1% loss, 10ms jitter.
Diagram labels: Optimal Path, MTU, TCP Optimization, SD-WAN IPSec Tunnel.
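Path selection against the App A SLA above, as an added Python illustration (not Viptela code) of how per-tunnel BFD measurements, averaged over a number of poll intervals, gate which tunnels an application may use; the path names, sample histories, the averaging model of the multiplier, and the strict/non-strict fallback when no path complies are assumptions.

```python
# Added illustration (not Viptela code): app-aware routing path selection.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SlaClass:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Sample:  # one BFD poll-interval measurement of a tunnel
    latency_ms: float
    loss_pct: float
    jitter_ms: float


def averaged_stats(samples: List[Sample], multiplier: int) -> Sample:
    """Average the last `multiplier` poll-interval samples (assumed model
    of the app-route multiplier: a short spike is smoothed, a sustained
    degradation is not)."""
    window = samples[-multiplier:]
    return Sample(mean([s.latency_ms for s in window]),
                  mean([s.loss_pct for s in window]),
                  mean([s.jitter_ms for s in window]))


def meets_sla(stats: Sample, sla: SlaClass) -> bool:
    # Thresholds are strict "<" as on the slide: exactly 10 ms jitter
    # does not satisfy "Jitter < 10ms".
    return (stats.latency_ms < sla.max_latency_ms
            and stats.loss_pct < sla.max_loss_pct
            and stats.jitter_ms < sla.max_jitter_ms)


def select_paths(paths: Dict[str, List[Sample]], sla: SlaClass, multiplier: int = 6,
                 preferred: Optional[str] = None, strict: bool = False) -> List[str]:
    """Tunnels the application may use: compliant ones only (a compliant
    preferred tunnel alone); with none compliant, all tunnels, or none
    when `strict` (assumed model of a strict SLA action)."""
    compliant = [name for name, samples in paths.items()
                 if meets_sla(averaged_stats(samples, multiplier), sla)]
    if preferred in compliant:
        return [preferred]
    if compliant:
        return compliant
    return [] if strict else list(paths)


# Constructed BFD history per path (oldest first) from the slide's figures;
# the path-to-transport mapping is not recoverable, so paths are numbered.
APP_A_SLA = SlaClass(max_latency_ms=150, max_loss_pct=2, max_jitter_ms=10)
PATHS = {
    "path1": [Sample(10, 0.0, 5)] * 6,
    "path2": [Sample(200, 3.0, 10)] * 6,
    "path3": [Sample(140, 1.0, 10)] * 6,
}

if __name__ == "__main__":
    print(select_paths(PATHS, APP_A_SLA))  # ['path1']
```

Shortening the multiplier window makes the selection react faster to a latency spike on path1 but also makes it drop a path that would have recovered; with no compliant path left the non-strict default spreads App A over every tunnel, which is the behaviour to check when an SLA is tightened.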
vEdge VPNs and Security Zoning
- Transport (VPN0), untrusted zone: interfaces and sub-interfaces towards MPLS and Internet
- Service (VPNn), trust zone: interfaces and sub-interfaces towards the site
- Out-of-band Management (VPN512): management interface
- VPNs are isolated from each other; each VPN has its own forwarding table
- Reachability within a VPN is automatically advertised by OMP
Secure Segmentation and Security Zoning: VPNs (VPN 1, VPN 2, VPN 3) are carried between vEdges inside the SD-WAN IPsec tunnel.
- Use cases: Compliance, Guest Wi-Fi, Multi-Tenancy, Extranet
- Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
L4-L7 Regional Secure Perimeter with Service Chaining
- Firewalls and IDS/IPS/DLP at the Data Center, the Regional Secure Perimeter and the Cloud Data Center protect compute resources
- Sites (Small Office Home Office, Branch, Campus) reach them over MPLS, INET and 4G
- Functions: DDoS Mitigation, Malware/Virus Containment, Security Policy Compliance
Cloud Applications: Which way is cloud?
1. Direct Internet Access
2. Regional Breakout
3. Data Center Backhaul
Diagram: User at a Remote Site with a Viptela vEdge Router, ISP1 and ISP2, SD-WAN Fabric, Regional Data Center, MPLS, Data Center.
Cloud onramp for SaaS: Direct Internet Access
- Detect application performance through one or more Direct Internet Access circuits (ISP1, ISP2) at the Remote Site
- vEdge routers choose the best-performing path, per-application, per-VPN
- Automatic failover in case of performance degradation (loss/latency)
- Fully automated Quality Probing
Cloud onramp for SaaS: Direct Internet Access and Gateways
- Detect application performance through DIAs and gateways (Regional Data Center and Data Center reached over MPLS); gateways are customer/SP owned and operated for security, performance and reliability
- vEdge routers choose the best-performing path, per-application, per-VPN
- Automatic failover in case of performance degradation (loss/latency)
- Fully automated Quality Probing
Cloud Security
- Best suited for cloud SaaS applications
- Interoperates with Cloud onramp for SaaS
- Augments native fabric security
- Can co-exist with on-premise L4-L7 security modes and VPN segmentation
Diagram: SOHO, Branch and Campus over MPLS, INET and 4G to the Cloud Data Center and the Data Center.
SD-WAN and Public Cloud: How to provide security, segmentation, QoS and reliability to the cloud workloads (VPCs and VNETs in the Cloud Data Center) from Remote Site, Campus and Branch across the SD-WAN Fabric?
Cloud onramp for IaaS: End-to-End SD-WAN
- vEdge Cloud routers are instantiated in every compute VPC/VNET (Marketplace)
- End-to-end SD-WAN fabric between sites (Remote Site, Campus, Branch) and public cloud: multipathing, QoS and segmentation
- Shortest path to Public Cloud
Cloud onramp for IaaS: End-to-End SD-WAN via Gateway VPC/VNET
- A Gateway VPC/VNET in front of the compute VPCs/VNETs, customer/SP owned and operated: security, performance, reliability
- Easy deployment model: no change to existing compute VPCs/VNETs
- Fully automated from vManage, no marketplace
Operations and Migration
Agile Operations Power Tools: CLI, Linux Shell, REST, NETCONF, Syslog, SNMP, Flow Export
High Availability and Redundancy
- Site Redundancy: redundant vEdges with VRRP or OSPF/BGP towards the site, each attached to MPLS and INET
- Transport Redundancy: MPLS and INET
- Network/Headend Redundancy: redundant Data Center vEdges over MPLS and INET
- Control Redundancy: multiple vSmart Controllers, with control and data connections over MPLS and INET
SD-WAN Transition Strategy
Diagram in three stages: Site A and Site B, each with Non-SDWAN and SDWAN routers over MPLS and Internet, the SDWAN routers joined by a Secure Tunnel over the SD-WAN Fabric, ending with both sites on SDWAN routers only.
Proven Solution Across Multiple Verticals (For Your Reference)
Industry | Challenge | Solution
Retail | High cost, slow change, limited flexibility | 60-70% cheaper broadband at high bandwidth, centralized control, full visibility.
Financial | Needed more bandwidth and guaranteed network uptime for a new teller application | Dollar-cost averaged the bandwidth cost down using a mix of transport (MPLS, Broadband, LTE). Traffic now uses the optimal network path to avoid downtime and slowdowns.
Tech (Agilent) | Slow performance and MPLS outages provided an expensive and poor user experience | Monthly savings reduced the cost per Mbps by more than 80%. Diverse circuits improve the reliability of the global network, with more than half of Agilent's sites doubling WAN redundancy.
Healthcare (Cigna) | With an MPLS contract renewal approaching, Cigna wanted the flexibility to change carriers without a massive technology shift | Gained back control of its control plane and created the Cigna Service Provider Agnostic Network.
Healthcare | Security and high network cost | Satisfied strict security and audit requirements and provided greater flexibility for partnerships and secure clinical solutions. Cost reductions with the removal of remote site voice equipment and expensive PRIs, aging WAN acceleration equipment and maintenance.
Energy | Scale to support evolving field operations, and support cloud migration and application SLAs | Provided 30-60% savings in overall bandwidth costs. Enabled faster response to acquisitions, divestitures and policy changes.
Demo
Demo Summary
- Demo 1: SD-WAN @ dCloud
- Demo 2: App-aware routing with vEdge Cloud running on ENCS (Enterprise Network Compute System)
dCloud provides a huge catalog of free demos, training and sandboxes for every Cisco architecture in the cloud: 310+ labs for Customers, Partners and Cisco Employees, from scripted demos to fully customizable labs with administrative access!
dCloud SD-WAN Demo covers 6 cases (For Your Reference)
- Scenario 1: An overview of the SD-WAN vManage dashboard and Zero Touch Provisioning (ZTP).
- Scenario 2: Hybrid WAN connectivity over multiple WAN transport connections, using IP as transport to create flexible data plane topologies from full-mesh to hub-and-spoke to any arbitrary topology.
- Scenario 3: Business-defined insertion of services (FW, IPS, IDS, etc.) utilizing centralized policies.
- Scenario 4: Simplicity of using application firewalling policies centrally. Various applications and/or flows would not be allowed between sites; simple centralized policy activation would enforce such policies on any site in the overlay.
- Scenario 5: Application-aware routing along with arbitrary topology networking, showing the business-policy-driven view of application classification, connectivity and QoS provisioning.
- Scenario 6: Policy-driven Data Center preferences for different branches. A subset of branches could prefer one Data Center over the other as a regional Internet exit.
Demo 2: vEdge Cloud on ENCS
Model | CPU | PoE | Capacity Guidance
ENCS 5104 | 4-core, 3.4 GHz | No | 1-2 VNFs
ENCS 5406 | 6-core, 1.9 GHz | No | 2-3 VNFs
ENCS 5408 | 8-core, 2.0 GHz | 200W | 3-4 VNFs
ENCS 5412 | 12-core, 1.5 GHz | 200W | 4-5 VNFs
vBranch real life example: Branch 2 on an ENCS 5412 running NFVIS
- Transport 1: public-internet; Transport 2: mpls
- Connection: dual-homed GE (Gi0/0) and T1 interfaces, LAN side on LAN1/0
- VNFs: vEdge Cloud (BR2-vEdge1), ISRv (BR2-ISRv1), Firepower Firewall (BR2-FW1)
Outlook and Summary
Integration Roadmap (Details, Benefits, Deployment Scenarios)
- Phase 1, No Integration: vManage and vSmart with vEdge routers. Platform: as-is. Management: vManage. Benefit: support and scale the current sales motion.
- Phase 2, Platform Integration: vManage and vSmart with vEdge and ISR4K + vEdge SW. Platform: vEdge capabilities integrated into IOS-XE. Management: vManage for SD-WAN capabilities on IOS-XE. Benefit: Viptela SD-WAN on the strategic ISR platform.
- Phase 3, Management Integration: DNA Center + SD-WAN with vEdge and ISR4K + vEdge SW. Management: cloud-hosted DNA Center integrates vManage capabilities; full DNA Center capabilities (Assurance, integrated workflows for SD-Access and SD-WAN). Benefit: deliver an end-to-end experience with full DNA integration.
Innovation Roadmap (FY 2018), Key Areas of Focus: Application QoE, Cloud Networking, NaaS, Security Integration, Operational Simplicity & Analytics
Key Takeaways: Summary Video from https://www.cisco.com/c/en/us/solutions/enterprisenetworks/sd-wan/index.html
Thank you