Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN

BRKCRS-2113 Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN Sumanth Kakaraparthi Product Leader SD-WAN Manan Shah Director Of Product Management

Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brkcrs-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Objectives By end of this session you will learn how to address the challenges for SaaS and IaaS deployments. You will also learn how to configure, monitor and troubleshoot SaaS & IaaS use cases using Cisco SD-WAN software.

Agenda Introduction to Viptela design principle & architecture Challenges with SaaS deployments How to address these challenges with CloudExpress Key challenges with hybrid cloud deployments How to simplify hybrid cloud deployments with Cloud onramp

Evolution of WAN 4 End-point flexibility: Physical or virtual Rich services or lite Branch, Agg, Cloud Cloud Delivered Analytics 1 Cloud delivered WAN with operational simplicity & analytics 3 Application QOE USERS SD-WAN 5 Cloud Use-Cases WAN LEA R N I N G DC DNA Center DEVICES IaaS Apps Policy Automation Analytics INT EN T CON T EX T SaaS Intent- based Network Infrastructure vdc THINGS 0 SEC U R I TY Transport Independent WAN Fabric 2 Superior security architecture cloud based & on-prem BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

Cisco SD-WAN: Components Orchestration Plane Management Plane (Multi-tenant or Dedicated) On-boarding, life cycle management ORCHESTRATION vorchestrator vmonitor MANAGEMENT API ANALYTICS vmanage vsmart vbond vedge ISR4k ASR1k ENCS Control Plane (Containers or VMs) CONTROL Policy, Security, Routing INTERNET MPLS 4G Data Plane (Physical or Virtual) Data Center Campus Branch Home Office BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

SaaS Adoption & Key Challenges SaaS Adoption SaaS adoption in eneterprise is growing at higher than expected rate Secuirty Enterprise customers highlighted security as a top roadblock for SaaS adoption Performance Enterprise customers highlighted application performance & latency as second roadblock for SaaS adoption SaaS spend in 2018 will grow by 21% 30% of enterprise customers 25% of enterprise customers BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

How are customers accessing SaaS today No DIA Users have to back-haul for internet access Single DIA SaaS applications can take the DIA path from branch Dual DIA Dual DIA paths for SaaS, providing additional bandwidth and availability BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

Optimize SaaS with SD-WAN for No DIA Best Performing SD-WAN solutions can leverage the best path for SaaS from branch to datacenter based performance metrics such as loss, jitter and delay ISP2 Regional Hub Sub-optimal optimization as it wont address the performance issues from datacenter to SaaS MPLS MPLS INET 4G BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

What is CloudExpress? CloudExpress is the Cisco s SD-WAN capability which delivers best application experience for SaaS applications BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Optimize SaaS with Cloud-Express for dual DIA One of the recommended designs, for vqoe deployments Loss/ Latency Best Performing CloudExpress continuously monitors the edge to SaaS performance on both the DIA paths ISP1 ISP2 Regional Hub MPLS 4G CloudExpress picks the best performing path based on the performance metrics (jitter, loss & delay) Remote Site INET BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Performance visibility for dual DIA DNS Server(s) DNS servers are defined in VPN0, vedge performs DNS resolution for the configured SaaS application on each DIA circuits Vedge router initiates periodic HTTP pings toward the configured cloud onramp SaaS application on each DIA circuits ISP1 IF ISP2 IF Vedge router determines best performing DIA circuit based on loss and latency characteristics reported by the HTTP pings vedge Router (remote site) BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

SaaS applications & vqoe scores The vqoe value ranges from 0 to 10, with 0 being the worst quality and 10 being the best. vqoe = desired metrics / actual metrics * 10 vqoe score is computed for each remote site application and per path BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

DNS resolution for dual DIA DNS Server(s) Host performs DNS resolution for SaaS apps, Vedge router dpi engine intercepts user dns query ISP2 ISP1 IF IF If host dns query is for SaaS, vedge router forwards it to the dns server defined under vpn0 over best performing dia circuit overriding user dns settings Dns queries for non-saas are forwarded according to the routing table, user dns settings are preserved Host Salesforce.c om Cisco.co m VPN0 DPI DNS Query Intercepted vedge Router MPLS INET 4G BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

Path selection first flow vedge router may choose sub-performing DIA circuit for the initial application flow as vedge DPI engine had not yet identified the SaaS application Initial application flow is not rerouted, even if using sub-optimal DIA circuit as NAT changes will break TCP flow Host B Host A Best Performing First Flow For O365 1 NAT1 ISP2 IF VPN0 DPI NAT2 ISP1 IF vedge Router AppQoE (3) Classified as Unknown BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

Path selection subsequent flow Once vedge router DPI engine identifies cloud SaaS application, cache table is populated and all subsequent application flows are routed over best performing DIA circuit overriding routing decision If the performance of isp2 degrades & isp1 gets better, existing flows continue on the current path as NAT changes will break TCP flow New flows will select isp1 as appqoe score is better on isp1 Subsequent Flows - O365 Host B Best Performing 2 NAT1 ISP2 IF VPN0 DPI NAT2 ISP1 IF dstip/dstport SaaS App (ISP1 IF) vedge Router BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

Demo

Monitor SaaS performance Sites Experiencing Bad Quality Sites Experiencing Average Quality Sites Experiencing Good Quality BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

Optimize SaaS with cloud-express for single DIA & gateway

Optimize SaaS with cloud-express single DIA One of the recommended designs, for SaaS deployments CloudExpress continuously monitors the edge to SaaS performance on both DIA path and the back-haul path Loss/ Latency ISP1 ISP2 Best Performing Regional Hub CloudExpress picks the best performing based on the performance metrics (jitter, loss & delay) MPLS MPLS INET 4G BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

Performance visibility for single DIA DNS Server(s) ISP2 Vedge at the remote site and the gateway perform DNS resolution for the configured cloud onramp SaaS application DNS Server(s) HTTP ping IF 1 Both vedge routers initiate periodic HTTP pings toward the configured cloud onramp SaaS application Vedge router at the remote site determines best performing path toward the SaaS application based on loss and latency characteristics Vedge compares SLA between local DIA and composite metric of HTTP ping + BFD through the gateway vedge 1 ISP1 IF VPN0 vedge (remote site) 3 2 BFD MPLS 4G INET VPN0 vedge (gateway) BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 28

DNS resolution for single DIA If local DIA circuit is the best path, vedge router forwards DNS query to the DNS server defined under VPN0 over local DIA circuit If gateway vedge router is the best path, local vedge router forwards DNS query to the gateway vedge router, which in turn forwards it to the DNS server defined under VPN0 over it s local DIA circuit. Gateway vedge router dpi engine intercepts dns query for SaaS applications only, dns queries for non-cloud applications are forwarded according to the routing table 1 Host DNS Query for Cloud onramp SaaS application 2 DNS Query for application 1 2 Loss/ Latency ISP1 IF VPN0 DPI DNS Query Intercepted vedge Router (remote site) DNS Server(s) MPLS INET ISP2 IF VPN0 DPI DNS Query Intercepted 4G Best Performing vedge Router (gateway) BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

Path selection first flow Host initiates communication with the SaaS application NAT1 NAT2 Best Performing ISP2 IF VPN0 Local site vedge router may choose subperforming path for the initial application flow as vedge DPI engine had not yet identified the SaaS application Initial application flow is not rerouted, even if using sub-optimal path as NAT changes will break TCP flow Host A 1 ISP1 IF VPN0 DPI vedge Router (remote site) MPLS INET DPI 4G BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Path selection subsequent flow Host initiates communication for subsequent flows to SaaS application, as the cache table is already populated and application flows are routed over best performing path, overriding the routing decision. If the performance of chosen path degrades while the flow is still active, existing flows continue on the current path, as nat changes will break tcp flow New flows will select, new optimal path based on the appqoe score for that particular application 2 NAT1 ISP1 IF VPN0 DPI dstip/dstport SaaS App (ISP1 IF) vedge Router (remote site) NAT2 Best Performing vedge Router (gateway) IF VPN0 DPI dstip/dstport -> SaaS App (ISP2 IF) MPLS INET ISP2 4G BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

Configuration

Troubleshooting

Demo

Hybrid Cloud & SD-WAN

IaaS Adoption & Key Trends New use cases accelerate adoption Multi-Cloud adoption Container-based applications Serverless Compute Machine learning / AI IoT IaaS spend in 2018 will grow by 22% CAGR BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Hybrid Cloud Connectivity - Today IaaS instance Inet Public Cloud Provider 1 Region 1 IaaS instance Inet Internet DC MPLS/Internet Branch Public Cloud Provider 1 Region 2 IaaS instance Inet DC Branch Public Cloud Provider 2 Region 1 BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

Challenges with Hybrid Cloud Migrations User experience Branch to cloud connectivity Traffic trombones through DC IaaS is extension of DC Cisco Cloud ready WAN Cloud connectivity consumable through a single pane Transport independent anyto-any connectivity Resiliency Multi-Transport access End-to-end VPN segmentation/isolation Security Operational model DIA : Protecting branch users & branch router Consistency across multicloud deployments Visibility into IaaS application usage Consistent policy across branch, DC and Cloud sites BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

What is Cloud onramp? Cloud onramp is Cisco s SD-WAN capability to simplify hybrid cloud connectivity, by extending WAN fabric to public cloud BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

Public Cloud Providers - Terminology Description AWS Azure Virtual Private Cloud/IaaS instance Virtual Private Cloud (VPC) VNET Redundancy construct Availability Zone Availability set Private Circuit Direct Connect Express Route Internet Gateway IGW Internet Gateway IPSec VPN Gateway VGW VPN Gateway Security Security Groups / ACLs Network Security Groups (NSG) BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Public Cloud Connectivity Options Option 1: Internet connection to Public cloud Option 2: Direct Connect to Public Cloud through SP Option 3: Direct Connect to Public Cloud through meet-me locations vedge vedge vedge Internet SP Internet MPLS Carrier PE Colo vedge Public Cloud Provider IaaS/PaaS Public Cloud Provider IaaS/PaaS Public Cloud Provider IaaS/PaaS Internet only for connectivity. MPLS carrier (ATT & Verizon) offers direct connect into public cloud provider Enterprise collocated with public cloud carriers in meet me locations BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Cloud onramp Key Components vedge Cloud Router: A virtualized version of the vedge router. Available on the AWS and Azure marketplace. SD-WAN Fabric vmanage Cloud onramp for IaaS: vmanage application that orchestrates connectivity to IaaS instances across multiple cloud and multiple regions. Provides visibility into cloud instances. BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

Cloud onramp for IaaS How it works Public Cloud (AWS & Azure) connectivity solution consumable through the vmanage platform IaaS instances are discovered from users account in a region. User selects instances to operate on User defines vedge gateway parameters and maps IaaS instances to VPN segments in the overlay vmanage Platform Public cloud credentials added to vmanage vmanage invokes instantiation of vedge instances in users accounts & connects IaaS instances to vedge GW VPN segments IaaS instances IaaS instances vedge GW MPLS Branch New instances can be discovered and mapped to VPN segments later Public Cloud Provider 1 Region 1 Internet DC BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

Cloud onramp for IaaS AWS solution detail AZ1 R Standard IPSec overlay + BGP to vedge GW Architectural advantages Cloud onramp Share transport (Direct connect and Internet) & vedge Gateways across multiple spoke VPCs in a region AZ2 VGW IGW Share one gateway VPC for all host VPCs in a region. AWS Region Host VPC AZ1 vedge GW Leverage AWS components (IGW, VGW, VPC router) for redundancy. Host VPC AZ2 vedge GW VGW Direct Connect Utilize dynamic routing for fast failover times. AZ1 R Transit VPC Gateway VPC can host firewall for security compliance. AZ2 VGW vmanage instantiated and managed End End security and segmentation BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

Demo

Configuration

Monitoring & Troubleshooting

Cloud onramp for IaaS SD-WAN value proposition IaaS instances IaaS instances vedge GW 1. Direct branch to cloud connectivity 2. Consistent Policy management & network visibility for branch & cloud Branch Public Cloud Provider 1 Region 1 MPLS IaaS instances Branch IaaS instances vedge GW 5. Multi-cloud solution Public Cloud Provider 1 Region 2 Internet DC IaaS instances IaaS instances vedge GW 3. Resilient & hybrid access from cloud 4. Application steering DC Public Cloud Provider 2 Region 1 BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 64

Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions BRKCRS-2113 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 67

Thank you