Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela

Cisco Confidential© 2016 Cisco and/or its affiliates. All rights reserved. 1
Systems Engineer
Cisco Canada
May, 2018
Cisco Connect Winnipeg 2018
Understanding Cisco’ Next
Generation SD-WAN Solution
with Viptela
Pirasath Kirupakaran MSc(Com.Sc.), CCIE 47062

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
The Branch and WAN Are Being Disrupted!
of revenue
is generated
in the branch
90%
MORE
THREATS
30%
Of advanced threats will
target branch offices by
2016 (up from 5%)
MORE
USERS
80% Of employee and
customers are served in
branch offices
MORE
DEVICES
73%
Growth in mobile
devices from
2014-2018
MORE
APPS
20-50% Increase in enterprise
bandwidth per year
through 2018
IoT devices
connected to
internet by 2020
30B
Annual increase in
enterprise bandwidth
and video adoption50%
Up to
Mobile-connected
devices by 201910B
Of Organizations primarily
use public cloud by 201980%
• The traditional WAN / branch market is undergoing a massive disruption
• Customers are consuming more cloud services
• Customers are asking for SD-WAN solutions with virtualized services

Existing
Data Center
Remote Site
MSP-RT
MPLS
NewWAN
Internet
ISP-RT
New
The WAN Market Disruption
Services
Delivery
• Access Cloud Services
• Deploy application aware
topologies
• Optimize routing, security, QoS,
multicast, services insertion and
survivability
Transport
Independence
• Leverage overlay through
existing equipment at data center
for transport agnostic redesign
• Replace remote site equipment
or leverage overlay
Application
Policies
• Select test application as
candidate for intelligent traffic
engineering
• Test blackout and brownout
failover scenarios
Existing
Multicloud
(AWS,
Azure, etc.)

EXPENSIVE
Hardware-centric
Fixed capacity
DIFFICULT TO SUPPORT
Discrete device-by-device
configurations
Complex management silos
Require slow truck
rolls for changes
INFLEXIBLE
Tightly controlled, client server model
Historical vs predictive management
CONNECTIVITY-CENTRIC
Fragmented, incomplete user experience
Not application-centric
POORLY INTEGRATED
Conflicting policies
and configurations
Inflexible and static
Risk from accidental interactions and
vulnerabilities
Traditional and Legacy Architectures
Cannot Scale to Address Changing Needs

Bandwidth
Oversubscription
Path
Brownout
Static
Topologies
All Links
Failure
Corporate
Data Center
Small Office
Home Office
Cloud
Data Center
Single Link
Failure
Cloud
Applications
Latency
Path MTU
Changes
CPE Device
Failure
4G/LTE
Internet MPLS
BranchCampus
Business Continuity
Critical Application SLAs

APPLICATION POLICIES
SERVICES DELIVERY PLATFORM
TRANSPORT INDEPENDENT FABRIC
Broadband CellularMPLS
QoSSecurity Segmentation Svc Insertion SurvivabilityRouting Multicast
Per-Segment
Topologies
Cloud Path
(IaaS)
Application
SLA
Secure
Perimeter
Traffic
Engineering
Transport
Hub
Cloud Accel
(SaaS)
Analytics
Monitoring
Operations
Business Driven WAN Infrastructure

Cloud-first
management
with flexible
deployment options
Accelerate key
SD-WAN use cases;
Cloud-edge and
Segmentation
Sophisticated, but
still simple to deploy
and operate
Complements Cisco’s Enterprise Networks architecture strategy
Why Did Cisco Buy Viptela?
Cisco Digital
Network Architecture

Better Together
Leading Routing &
SD-WAN Platforms
Goal: Building next generation SD-WAN solutions
Together, helping businesses and IT to innovate faster, securing and delivering
better customer outcomes, while reducing costs and lowering risk
Cloud-managed &
Feature-rich SD-WAN

• Secure Connectivity
• Flexible (Cloud First) Connectivity
• Application Quality of Experience
• Agile Operations
Reinventing the WAN - 4 Technical Pillars
Security
Applications
Services
Connectivity Operations
Flexible
Connectivity
Agile
Operations
Application
Services

Centralized Device
Auth-DB
Centralized Key Mgmt
Scalable Data-Plane
Encryption
Embedded Security Secure On-Boarding
Reinventing the WAN
Security
Security Applications
Services
Connectivity OperationsConnectivity Operations
Application
Services
Deep Packet Inspection
App Fingerprinting
DPI
Engine

MPLS
LTE
INTERNET
Hybrid WAN
Segmentation/VPNs
Dynamic Per-VPN
Topologies
Google
AWS
Data Center
Provider/Transport
Agnostic
Services
Application
Services
Reinventing the WAN
Connectivity

Application Visibility
and Control
Central Orchestration
Application-Aware
Routing
Transport SLA Monitoring
MPLS
LTE
INTERNET
Cloud Services
Integration
SEN Overlay
Application Layer
Analytics
App Fingerprinting
DPI
Engine
Services
Application
Services
Reinventing the WAN
Application Services

Centralized Operations
Distributed Execution
Zero Touch ProvisioningTemplate-based
Configurations
Programmatic APIs
Open Object Model
NetConf Ad-Hoc
Adds/Moves/Changes
Centralized
Policy Orchestration
Services
Application
Services
Reinventing the WAN
Operations

Cisco Confidential 14© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco SD-WAN Architecture

vEdge Router
Cloud Data
Center
Campus
Branch
Small Office
Home
Office
vSmart Controller
vManage
The Viptela branch
office router
Policy and Service
Control Plane
Cloud or on
premises network
management
Viptela Solution – Key Components
vBond
On-Boarding and
Orchestration

vBond: ZTP and Orchestration Plane
APIs
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
Data Center Campus Branch SOHOCloud
vBond
vEdge Routers
4GMPLS
INET
• Used for device on-boarding
(ZTD/ZTD)
• Orchestrates connectivity
between management, control
and data plane
• First point of authentication
• All other components need to
know the vBond IP or DNS
information
• Authorizes all control
connections (white-list model)
• Distributes list of vSmarts to all
vEdges
Orchestration Plane
Cisco vBond

vEdge: The Data Plane
Data Plane
Physical/Virtual
Cisco vEdge
• WAN edge routers
• Provides secure data plane with
remote vEdge routers
• Establishes secure control plane
with vSmart controllers (OMP)
and Implements data plane and
application aware routing policies
• Exports performance statistics
• Leverages traditional routing
protocols like OSPF, BGP and
VRRP
• Physical or Virtual form factor
(100Mb, 1Gb, 10Gb)
APIs
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
vBond
vEdge Routers
4GMPLS
INET

vSmart: The Control Plane
Control Plane
Cisco vSmart
• Centralized brain of the solution
• Establishes OMP peering with all
vEdges
• Implements control plane policies,
such as service chaining, traffic
engineering and per VPN topology
• Distributes connectivity information
between vEdge
• Orchestrates secure data plane
connectivity between vEdges
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
vBond
vEdge Routers
4GMPLS
INET
APIs

Overlay Management Protocol (OMP)
Unified Control Plane
• Runs between vEdge routers and vSmart
controllers and between the vSmart
controllers
- Inside TLS/DTLS connections
• Advertises control plane context
vSmart vSmart
vSmart
vEdge vEdge
VS
Note: vEdge routers need no control connections amongst them
vSmart acts like a Key Server

OMP Update:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies
BGP, OSPF,
Connected,
Static
BFD
IPSec Tunnel
OMP
DTLS/TLS Tunnel
Transport1
Transport2VPN1
A
VPN2
B
VPN1
C
VPN2
D
BGP, OSPF,
Connected,
Static
vSmart
OMP
Update
OMP
Update
vEdge vEdge
Subnets Subnets
TLOCs TLOCs
Policies
Fabric Operation
Fabric Walk-Through
OMP
Update
OMP
Update
Deploy Encryption Keys

Ingress
vEdge
VPN 3
VPN 1
VPN 2
SD-WAN
IPSec
Tunnel
20
IP
8
UDP
36
ESP
4
VPN
…
Data
Egress
vEdge
Interface
VLAN
• Segment connectivity across fabric w/o
reliance on underlay transport
• vEdge routers maintain per-VPN routing
table
• Labels are used to identify VPN for
destination route lookup
• Interfaces and sub-interfaces (802.1Q tags)
are mapped into VPNs
VPN1
VPN2
Interface
VLAN
VPN1
VPN2
Secure Segmentation
End-to-End Segmentation

vManage: The Management Plane
Management Plane
Cisco vManage
• Single pane of glass for Day0,
Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Supports
• REST API
• CLI
• NETCONF / YANG
• SNMP
• Syslog
vSmart Controllers
vAnalytics
3rd Party
Automation
vManage
vBond
vEdge Routers
4GMPLS
INET
APIs

Single Pane Of Glass Operations
Operations Simplicity and Visibility
Rich Analytics

SD-WAN Fabric and Capabilities

TPM
Chip
Root Chain
Embedded Device Identity
Controller Trust
Zero-Touch Provisioning of the vEdge Router
Identity and Trust
Identity
Cert
vEdge
Dynamic Device Identity
Root Chain
Controller Trust
Identity
Cert
vEdge Cloud

Zero Trust Model
Certificate-Based Trust
• Bi-directional certificate-based trust between all
elements
- Public or Enterprise PKI
• White-list of valid vEdges and controllers
- Certificate serial number as unique identification
Signed
vEdge List
Administrator
Defined
Controllers
vEdge
vBond
vManage
vSmart

Zero Touch Provisioning vEdge Walk-through
Control and Policy
Elements
Full Registration and
Configuration
vEdge
5
* Factory default configured
Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ZTP server name*
3
4
Zero Touch Provisioning
Server
1
2

Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned
vEdge routers
• Variables are used for rapid bulk
configuration rollout with unique per-
device settings
• Local configuration changes are not
allowed
- Prevents configuration drift

Application-Centric Network Capabilities
Per-Session Loadsharing
Active/Active
Per-Session Weighted
Active/Active
Application Pinning
Active/Standby
Application Aware Routing
SLA Compliant
SLASLA
Core
Hierarchical Multihop Fabric Single-hop Fabric

• Embedded Deep Packet Inspection
engine
• Application and flow level visibility
for the fabric and individual vEdge
routers
• Centralized statistics and
performance
• Export flow level data (IPFIX) to
external collector
Application and Performance Visibility

Deep Packet Inspection Engine
Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
vEdge Router
App 1
App 2
App 3,000
Cloud Data
Center
Data
Center
Campus
Branch
Small Office
Home Office
MPLS INET
3G/4G
Embedded Application Recognition

§ Enforce SLA compliant path
for applications of interest
§ Other applications will follow
fabric routing across all
paths
Control Plane
Path1: 10ms, 0% loss, 5ms latency
vManage
App Aware Routing Policy
App A path must have:
latency < 150ms
loss < 2%
jitter < 10ms
vEdge1 vEdge2
Internet
MPLS
4G LTE
vSmart Controllers
App A
IPSec Tunnel
Critical Applications SLA
Application Aware Routing
Path 2

SD-WAN Solution Components
Overview

Cisco vEdge Routers Portfolio Positioning
Branch/SOHO/SMB
(100Mb)
Branch/Campus
(1Gb)
Campus/Data Center
(10Gb)
NFV, vCPE
(N x cores)
IaaS & Cloud
Interconnect
(N x cores)
Campus/Data Center
(20Gb+)
vEdge 100 family vEdge 1000 vEdge 2000 vEdge 5000
vEdge Cloud on
Greybox or
Whitebox
vEdge Cloud

Data Center Campus Branch Home Office
4G/LTE
MPLS
Internet
Control Plane
(Containers or VMs)
(vSmart)
Management Plane
(Multi-tenant or Dedicated)
(vManage)
Orchestration Plane
(vBond)
2000 vEdges per vBond
Redundancy Add 1-2 vBonds
Horizontal Scale out Model
Horizontal Scale Out Model
2700 vEdges per vManage
in cluster mode (same DC)
2700 vEdges per vSmart
Redundancy Add 1-2 vSmarts
Scalability Considerations
Orchestration/Control/Management Plane

Perpetual cost of
Cisco
SD-WAN CPE
hardware
Subscription
cost of Cisco
SD-WAN
software
(Includes SD-
WAN controller
+ CPE software)
Operational cost
of Cisco SD-
WAN solution
1.Subscription license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE.
This cost is dependent on two factors:
• Service bandwidth
• Features
2.Perpetual cost of Cisco SD-WAN CPE element.
SD-WAN Pricing Model
Subscription and Perpetual Elements

DNA-Essentials DNA-Advantage
Hub
Spoke Spoke Spoke
MPLS Internet Local
breakout
Hub
Spoke Spoke Spoke
MPLS Internet
Spoke Spoke
Local
breakout
Dynamic Routing
Dynamic
Routing
Hub
Spoke Spoke Spoke
MPLS Internet
Spoke Spoke
Dynamic Routing
Dynamic
Routing
SaaS onRamp
SD WAN
controllers
AnalyticsSD WAN
controllers
SD WAN
controllers
AAR
AAR AAR
E2E
Segmentation
E2E
Segmentation
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple
only)
• Visibility : DPI for visibility only
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology
• Internet/Cloud: Cloud onRamp for IaaS
• Policy: Control policy
• Segmentation: 5 VPNs (1+4)
• SLA: Application aware routing (DPI)
• Multicast
• Segmentation: Unlimited
• Internet/Cloud: Cloud onRamp for
SaaS
• Analytics: vAnalytics platform
Cisco ONE Adv.
License Tier Features
License Tiers

Roadmap

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
vManage
Cisco SD-WAN Day 1 Deployment Scenarios
ISR
TI / E! / DSL
DeploymentScenarios
vEdge
ISR Providing Services
vManage
vEdge
Ethernet
ISR
WaaS
UC
Thin Branch
vManage
vEdge
Ethernet

Roadmap
Phase 2
Platform Integration
Phase 1
No Integration
Phase 3
Management Integration
Platform:
• As-is
Management:
• vManage
Platform:
• vEdge capabilities integrated into all IOS-XE
platforms (ISR, CSR, ENCS, ASR1K)
Management:
• vManage for SD-WAN capabilities on IOS-XE
Management:
• Cloud hosted DNA Center integrates vManage
capabilities
• Full DNA Center capabilities (Assurance,
Integrated workflows for SD-Access and
SD-WAN)
Support current Viptela
customers
Viptela SD-WAN on strategic ISR
platforms
Deliver end-to-end experience
with full DNA integration
DeploymentScenariosBenefitsDetails
vEdge ISR4K + vEdge SW
DNA Center
+ SD-WAN
ISR4K + vEdge SW
vManage
vEdge
vManage
vEdge

Positioning Cisco’s SD-WAN Solutions
1. Do you have a requirement to support end-
to-end secure segmentation over the
WAN?
2. What is the size of your branch network?
3. Do you intend to deploy dynamic per VPN
topologies?
4. Do you intend to deploy a network with
intelligent path selection for IaaS or SaaS?
1. Do you have existing Meraki infrastructure?
2. Do you have a requirement to manage a
full branch network (switches, APs, etc.)
through a single management interface?
3. Does your staff desire simple management
and automation for deploying branch
security?

• Cisco is the market and technology leader in SD-WAN, combining
the flexibility of Viptela, Meraki, and ISR IOS-XE
• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem
(hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a
common ISR 4K-based platform and DNA Center, but the
complimentary Viptela core products are here to stay in
foreseeable future
Key Takeaways

Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela

More Related Content

What's hot (20)

Similar to Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela (20)

More from Cisco Canada (20)

Recently uploaded (20)

Cisco connect winnipeg 2018 understanding cisco's next generation sdwan solution with viptela