Cisco SD-WAN
Miroslav Brzek
Technical Solutions Architect
Agenda
©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public
• WAN Network Transformation
• Cisco SD-WAN solution overview
• SD-WAN Use Cases
• Conclusion
Enterprise Networks are Transforming
[Diagram: Cisco SD-WAN Fabric connecting Users, Mobile Users, Devices and Things, Campus and Branch, Data Center/Private Cloud, SaaS, IaaS and WebEx]
• Apps are moving to the Cloud; Application Experience is critical
• Cyber Threats are increasing and sophisticated
• Mobility is prevalent; IoT is growing explosively
• Traditional Security Perimeter is changing
WAN Network Transformation
Before:
• Apps: Hosted in datacenter
• Users: Connected to corporate network to work
• Network: Centralized
• Security: On-premises security stack
What’s changed:
• Apps: More hosted in the cloud
• Users: More work done off-network
• Network: De-centralized
• Security: Gaps in protection
[Diagram: before, users reach apps over VPN and MPLS; after, Internet-bound traffic to SaaS, IaaS, private cloud and browsing creates a bottleneck on the VPN/MPLS path]
The traditional networking model is inadequate
Changes in traffic patterns are creating bottlenecks and performance challenges
Problems:
• Costs
• App performance
• User experience
• SaaS adoption issues
[Diagram: branch offices and roaming/mobile users backhauled to HQ over VPN and MPLS; traffic is 20% internal and 80% Internet (SaaS, IaaS, private cloud, browsing), creating a bottleneck at the data center]
Data Center Backhaul
• Increased App Latency
• Unpredictable User Experience
The new role of WAN
Site-to-site (perimeter security appliances to protect the network):
• Site-to-site connectivity
• MPLS transport
• Core routing services
• Perimeter security
• Connectivity SLA
User-to-application:
• Site-to-Cloud Connectivity
• SD-WAN/IP overlays over Internet
• Routing, observability
• Cloud-delivered security
• Application SLA
[Diagram: Digital Exchange, Internet and MPLS transports]
Cloud Access is Shifting
Situation
• Cloud migration for IT agility in delivering the best experience
• 60% of organizations expect the majority of apps to be SaaS
• 79% of orgs are shifting to some or all direct internet access
Impact
• Complexity in provisioning across multiple cloud providers
• Expanded attack surface
• Gaps in visibility beyond the campus network boundaries
Cisco SD-WAN Solution Overview
Cisco SD-WAN Architecture
[Diagram: vManage, vBond, vSmart Controllers and vAnalytics above WAN Edge Routers in Data Center, Campus, Branch, CoLo and Cloud, connected over 4G, MPLS and INET transports; APIs for 3rd Party Automation]
Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
Management Plane (vManage)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs
Control Plane (vSmart Controllers)
• Disseminates control plane information between vEdges
• Distributes data plane policies
• Implements control plane policies
Data Plane (WAN Edge Routers)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics
Cisco SD-WAN - Zero Trust Architecture
[Diagram: a Signed WAN Edge List and an Administrator Defined Controllers list are held by vBond, vManage and vSmart; SD-WAN Edges and controllers authenticate each other]
WAN Edge and Controllers White-List
Certificate Based Mutual Trust
• Bi-directional certificate-based trust between all elements
  - Public or Enterprise PKI
• White-list of valid WAN Edges and controllers
  - Certificate serial number as unique identification
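The two conditions on this slide, a certificate from the trusted PKI plus a serial number on the administrator-defined signed list, can be written as one admission check. The following is an added example, not Cisco code and not how vBond implements the list: the list signature is an HMAC stand-in for the real signing authority, the issuer name and serial numbers are constructed, and the peer certificate is a dict shaped like what Python's `ssl.SSLSocket.getpeercert()` returns after the TLS handshake has already validated the chain.

```python
"""Allow-list admission check for an SD-WAN control connection.
Added example; not Cisco's implementation."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed stand-in for the authority that signs the WAN Edge / controller
# list. A real deployment uses a PKI signature, not a shared HMAC key.
LIST_SIGNING_KEY = b"constructed-demo-signing-key"
TRUSTED_ISSUER = "Example Enterprise PKI"  # constructed issuer organizationName


def normalize_serial(serial: str) -> str:
    """Canonical form of a certificate serial: uppercase hex, no separators,
    no leading zeros, so '0a:1b:2c' and '0A1B2C' compare equal."""
    hex_digits = serial.replace(":", "").replace(" ", "").strip().upper()
    return hex_digits.lstrip("0") or "0"


def sign_allow_list(serials: list[str], key: bytes = LIST_SIGNING_KEY) -> dict:
    """Build the signed list: canonical serials plus a MAC over their encoding."""
    canonical = sorted({normalize_serial(s) for s in serials})
    payload = json.dumps(canonical, separators=(",", ":")).encode()
    return {"serials": canonical,
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_allow_list(signed: dict, key: bytes = LIST_SIGNING_KEY) -> bool:
    """Reject a tampered or unsigned list before consulting it."""
    payload = json.dumps(signed.get("serials", []), separators=(",", ":")).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(signed.get("sig", "")))


def issuer_org(peercert: dict) -> str:
    """Pull organizationName out of the nested tuples getpeercert() uses."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def peer_allowed(peercert: dict, signed_list: dict,
                 key: bytes = LIST_SIGNING_KEY) -> tuple[bool, str]:
    """Mutual-trust decision, run by either side of the connection.
    Both conditions from the slide must hold: trusted PKI and listed serial."""
    if not verify_allow_list(signed_list, key):
        return False, "allow-list signature invalid"
    if issuer_org(peercert) != TRUSTED_ISSUER:
        return False, "certificate not from trusted PKI"
    serial = normalize_serial(peercert.get("serialNumber", ""))
    if serial not in signed_list["serials"]:
        return False, f"serial {serial} not on allow-list"
    return True, "ok"


# Constructed sample: an administrator-defined list and two presented certificates.
ALLOW_LIST = sign_allow_list(["0A:1B:2C:3D", "00FF10"])
EDGE_CERT = {"issuer": ((("organizationName", TRUSTED_ISSUER),),),
             "serialNumber": "0A1B2C3D"}
ROGUE_CERT = {"issuer": ((("organizationName", TRUSTED_ISSUER),),),
              "serialNumber": "DEADBEEF"}

if __name__ == "__main__":
    print(peer_allowed(EDGE_CERT, ALLOW_LIST))   # (True, 'ok')
    print(peer_allowed(ROGUE_CERT, ALLOW_LIST))  # (False, 'serial DEADBEEF not on allow-list')
```

The order of checks matters for operations: a list whose signature does not verify is rejected outright rather than partially trusted, and a device with a valid certificate from the right PKI is still refused until its serial is added, which is exactly the gap a decommissioned or cloned device falls into.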
Cisco SD-WAN – Automated Data Plane Establishment
[Diagram: two SD-WAN Edges, each serving VPN1 and VPN2 sites (A, B and C, D) learned via BGP, OSPF, Connected and Static routes, reachable over Transport 1 and Transport 2. Each Edge holds a DTLS/TLS tunnel to vSmart carrying OMP; the Edges build IPSec tunnels with BFD between them. Each Edge sends OMP Updates with its Subnets and TLOCs to vSmart, and vSmart sends OMP Updates with Subnets, TLOCs and Policies back to the Edges]
OMP Update:
• Reachability – IP Subnets, TLOCs
• Security – Encryption Keys
• Policy – Data/App-route Policies
SD-WAN use cases
• On demand & optimized cloud networking
• Optimized user application experience
• Centralized configuration management and application visibility
• Secure segmentation & Secure Branch
SaaS optimization challenges
[Diagram: branch/campus users reach SaaS and corporate software in the data center across the SD-WAN fabric by direct internet access, regional breakout via a regional data center, or data center backhaul; path quality ranges from best to medium to poor; COR for SaaS]
• Which path has better SLA for Microsoft 365?
• Should all apps go to the DC first or can trusted apps like Microsoft 365 use DIA?
• How do I increase performance for each path?
• How do I automatically steer traffic to another path?
• Which path do I use for SaaS applications?
Cisco SD-WAN Cloud OnRamp for SaaS
Optimized connectivity to cloud applications
[Diagram: branch/campus users, Cisco SD-WAN fabric, regional data center and data center with corporate software; SaaS applications including Microsoft 365, G Suite, Salesforce, Box, Dropbox, Zendesk, SugarCRM, GoToMeeting, Zoho, Oracle, SAP Concur, Intuit and AWS]
• Visibility on quality of experience metrics
• SD-WAN Edge router picks the best performing path based on the performance metrics (loss & delay), fully automated
• COR for SaaS continuously monitors the SD-WAN Edge router to SaaS performance on all available paths
Cloud OnRamp for Microsoft 365
Microsoft 365 Optimization Challenges
• How to optimize only certain Microsoft 365 categories?
• How to gain an application telemetry view for insights into application performance?
• When a specific path is having performance issues, how to automatically steer traffic?
[Diagram: a remote site user connected over ISP1, ISP2 and MPLS through the SD-WAN fabric to a regional data center and the data center]
Microsoft 365 Cloud Feed – Pre-Populated Update
• SD-AVC container runs on Cisco vManage
• SD-AVC container pulls Microsoft 365 URL categories using the Microsoft 365 web service
• SD-AVC container dynamically pre-populates the Edge router’s NBAR cache with Microsoft 365 IP addresses and URL categories
[Diagram: SD-AVC Cloud Service feeding the SD-AVC container, which pushes the cache to each edge router]
Microsoft 365 URL/IP Categories and Service Areas
• First Packet Classification using the pre-populated NBAR cache
• Microsoft 365 divides applications into 3 categories based on sensitivity
• On SD-WAN routers, Microsoft 365 traffic is classified using the URL categories, i.e., Optimize, Allow and Default
• Cloud OnRamp can be enabled for specific Microsoft 365 categories: Optimize only, Optimize and Allow, or All Categories
• CoR for SaaS can also be enabled for only specific Service Areas such as Exchange, SharePoint, Skype or Common
[Diagram: branch and Colo/DC/Hub across the SD-WAN fabric with Optimize, Allow and Default category paths; example URLs: teams.microsoft.com* (Skype Service Area), sharepoint.microsoft.com* (SharePoint and Common Service Area), onedrive.microsoft.com* (SharePoint and Common Service Area), office.microsoft.com* (Common Service Area)]
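To make the two filters on this slide concrete (category setting: Optimize, Optimize and Allow, or All; plus an optional Service Area restriction) and the first-packet lookup against a pre-populated cache, here is an added example in Python. It is not Cisco's NBAR or SD-AVC code; the hostnames are the slide's examples, but the category assignments, service-area memberships and the IP range are constructed sample cache contents, not Microsoft's published feed.

```python
"""First-packet classification of Microsoft 365 flows against a pre-populated
cache, then the Cloud OnRamp eligibility decision. Added example, not Cisco code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase

OPTIMIZE, ALLOW, DEFAULT = "Optimize", "Allow", "Default"

# The three Cloud OnRamp settings named on the slide and the categories they cover.
CATEGORY_SETS = {
    "optimize": {OPTIMIZE},
    "optimize_and_allow": {OPTIMIZE, ALLOW},
    "all": {OPTIMIZE, ALLOW, DEFAULT},
}


@dataclass(frozen=True)
class FeedEntry:
    pattern: str                 # URL wildcard or IP network from the cache
    category: str                # Optimize / Allow / Default
    service_areas: frozenset[str]


# Constructed cache. Hostnames come from the slide; categories, service areas
# and the TEST-NET-3 range are illustrative only.
CACHE = [
    FeedEntry("teams.microsoft.com*", OPTIMIZE, frozenset({"Skype"})),
    FeedEntry("sharepoint.microsoft.com*", ALLOW, frozenset({"SharePoint", "Common"})),
    FeedEntry("onedrive.microsoft.com*", ALLOW, frozenset({"SharePoint", "Common"})),
    FeedEntry("office.microsoft.com*", DEFAULT, frozenset({"Common"})),
    FeedEntry("203.0.113.0/24", OPTIMIZE, frozenset({"Skype"})),
]


def classify(host: str | None, dst_ip: str) -> FeedEntry | None:
    """First-packet classification: match the server name when the first
    packet carries one (e.g. TLS SNI), otherwise fall back to destination IP."""
    if host:
        for entry in CACHE:
            if "/" not in entry.pattern and fnmatchcase(host.lower(), entry.pattern):
                return entry
    ip = ipaddress.ip_address(dst_ip)
    for entry in CACHE:
        if "/" in entry.pattern and ip in ipaddress.ip_network(entry.pattern):
            return entry
    return None


def cor_eligible(entry: FeedEntry | None, setting: str,
                 service_areas: list[str] | None = None) -> bool:
    """Category filter first, then the optional Service Area restriction."""
    if entry is None or entry.category not in CATEGORY_SETS[setting]:
        return False
    if service_areas is None:          # no service-area restriction configured
        return True
    return bool(entry.service_areas & set(service_areas))


def route_decision(host: str | None, dst_ip: str, setting: str = "optimize_and_allow",
                   service_areas: list[str] | None = None) -> str:
    """Flows eligible for Cloud OnRamp take the measured best path; everything
    else follows the normal routing table."""
    entry = classify(host, dst_ip)
    if cor_eligible(entry, setting, service_areas):
        return f"cloud-onramp ({entry.category})"
    return "default-route"


if __name__ == "__main__":
    for h, ip, setting, areas in [
        ("teams.microsoft.com", "198.51.100.7", "optimize", None),
        ("sharepoint.microsoft.com", "198.51.100.7", "optimize", None),
        ("sharepoint.microsoft.com", "198.51.100.7", "optimize_and_allow", ["Skype"]),
        (None, "203.0.113.45", "optimize", None),
    ]:
        print(h or ip, setting, areas, "->", route_decision(h, ip, setting, areas))
```

Note the failure mode the IP fallback covers: when the first packet carries no server name, only an IP-to-category entry lets the router steer the flow from the first packet instead of waiting for deeper inspection.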
Microsoft 365 Optimization
Application Informed Network Routing
Problem
• Traditional SD-WAN only probes the app front-end to detect the best path for the appropriate SaaS app.
• Probe measurement only covers part of the network path.
• It does not take service performance into account.
Solution
• Cisco Cloud OnRamp for SaaS probing is augmented by M365 SaaS telemetry.
• Microsoft monitors performance of the app service and computes a score.
[Diagram: SD-WAN router, WAN access, M365 middle mile, M365 front door and app server; traditional SD-WAN visibility ends at the front door, while telemetry sharing extends visibility to the app server]
Microsoft 365 Optimization with Cisco SD-WAN
Application Informed Network Routing
[Diagram: remote branch and data center on the SD-WAN fabric; edge devices send telemetry data to vManage and vAnalytics, vAnalytics sends WAN link telemetry to M365 and receives app telemetry data from M365]
• Developed in Partnership with Microsoft
• Cisco SD-WAN Solution is Microsoft Networking Partner Program Certified
• vAnalytics receives Exchange, Teams and SharePoint telemetry data from Microsoft
• vAnalytics sends network telemetry data to Microsoft 365
• Application and network telemetry provide application performance insights
• vAnalytics uses network and app telemetry data to compute the best path
• SD-WAN router selects the best path based on results received from vAnalytics
Cisco SD-WAN Cloud OnRamp for Multicloud
Automate SD-WAN extension to IaaS via vManage
Cisco is the only market player to partner with top 3 cloud providers for end-to-end solution
[Diagram: Cisco SD-WAN over 5G, MPLS and Internet into the cloud providers]
• Greater automation: Automate SD-WAN extension to the cloud with just a few clicks
• Normalized multicloud experience: Consistent UI and workflow in vManage
• Unified security policies: Extend consistent enterprise segmentation policy into the cloud
• Ease of management: Orchestrate Cisco and cloud provider networking resources via vManage
Cloud OnRamp Automation on vManage
Same configuration workflow for all 3 CSP (AWS, Azure, Google Cloud)
1. Enter Cloud Credentials
2. Create Cisco Cloud GW
3. Discover host VPCs/VNets
4. Map Branch nets to VPCs
Cloud OnRamp for Multicloud Automation: How it works
[Diagram: a Transit VPC with two Cisco C8000v (SD-WAN over INET and MPLS, IGW) connected to a Transit Gateway (TGW); host VPCs in AZ1/AZ2 reach the TGW through VPC attachments, Direct Connect arrives via a VGW; the VPN attachment to the TGW uses standard IPSec + BGP from the service VPN]
Single UI vManage Workflow:
1. have two C8000v ready
2. define AWS Account
3. discover host VPCs
4. tag host VPCs as needed
5. enter TGW details
6. deploy and verify
vManage will do the following:
1. Bring up Transit VPC with two CSR running SD-WAN image
2. Create TGW
3. Connect TGW and CSR
4. Connect host VPCs
Cisco SD-WAN: Improving Application Experience
[Diagram: remote site to data center over Internet, MPLS and 4G LTE SD-WAN IPSec tunnels (Path 1, 2 and 3); vManage pushes the policy to the WAN Edge]
Path1: 10ms, 0% loss, 5ms jitter
Path2: 200ms, 3% loss, 10ms jitter
Path3: 140ms, 1% loss, 10ms jitter
App Aware Routing Policy
App A path must have:
• Latency < 150ms
• Loss < 2%
• Jitter < 10ms
WAN Edge Routers continuously perform path liveliness and quality measurements
Cisco SD-WAN Controller for simplified management
One management dashboard for branch, co-location, cloud and Security
Cisco vManage
• Single Monitoring Dashboard
• Configuration: OnRamp, Security, Devices, Policies, Templates
• Role based access / Multi-tenant
• Lifecycle Management
Visualizing Application Paths
Checking Transport Quality
Checking QoS
Cisco SD-WAN - Segmentation
Granular Segmentation Policy
Macro Segmentation: VPN Level Segmentation
• VPN 1, VPN 2 and VPN 3 carried as separate segments over the SD-WAN overlay
• Campus VPN
• IOT VPN
• Guest VPN
Micro Segmentation: Identity based Group Level Segmentation - IOT VPN
• IP cameras
• Sensors
• VOIP
Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh
Why Direct Internet Access (DIA)?
[Diagram: branch with branch security (firewall/IPS) and cloud security reaching SaaS/IaaS/private cloud/Internet directly, alongside the data center]
1. Avoid Backhauling
   Benefit: Better use of WAN bandwidth
   Benefit: Improves user experience
2. Benefit from Regional SaaS PoP
   Benefit: Improves application performance
3. Enable DIA
   Benefit: Consistent Security Policy & monitoring
4. Centralized Policy/Monitoring
Cisco SD-WAN Security Stack
Flexible Deployment Model
• SD-WAN w/ On-Prem Security (Integrated Security, SD-branch model): thick branch with routing and security
• SD-WAN with SIG integration: thin branch with cloud security
• Hybrid model (SD-WAN w/ SIG Integration and Hybrid Security): thick branch with routing and security, combined with cloud security
[Diagram: thick and thin branches connecting to Headquarters/Data Center and to SaaS/IaaS applications, with branch security on-prem and cloud security in the path]
Cisco SD-WAN Security Solution
On-prem security capabilities (Cisco SD-WAN)
• Enterprise Firewall: Layer 3 to 7 apps classified
• Intrusion Protection System: Most widely deployed IPS engine in the world
• URL-Filtering: Web reputation score using 82+ web categories
• Adv. Malware Protection: With File Reputation and Sandboxing (TG)
• SSL/TLS Proxy: Detect Threats in Encrypted Traffic
• DNS Layer Security: DNS Security with Cisco Umbrella
Cisco Umbrella SIG security capabilities
• DNS-layer security: Stop threats before traffic reaches my network
• Secure web GW (incl. RBI, File Control, App Control): Full URL visibility/control to enforce policy, block advanced threats
• Cloud-delivered Layer 7 firewall: L7 security across all sites to stop non-web-based threats
• Cloud access security broker (CASB): Discover, report and control cloud application use
• Interactive threat intel: Real-time threat context expediting incident investigation and response
• SecureX integrated security platform: Visibility across my entire security stack, with automated actions
Cisco SD-WAN Innovations
Cisco SD-WAN QOS features
• Per-Tunnel QOS: Allocates the bandwidth on a per tunnel basis
• Adaptive QOS: Allocates the bandwidth as per availability
• Per-VPN QOS: Allocates the bandwidth on a per VPN basis
Cisco SD-WAN extends segmentation and policies across the enterprise’s networking domains
[Diagram: policy exchange between SD-WAN, Campus (Users, Things), Data Center, Private and Public clouds]
Cisco SD-WAN supports user/device identity SGT tags to be propagated via SD-WAN overlay, enabling end to end policy propagation.
Cisco SD-WAN - Identity-based Firewall ISE-SGT integrations
Security policies that align to identities rather than to IP addresses give organizations easier, more precise control over who can access the network/applications and what they can access.
In a hybrid workforce environment, users can access applications from anywhere and from any IP, therefore applying security policy based on prefixes is not enough.
Cisco SD-WAN introduces the capability for a WAN edge to match user/user-group identities and apply zone-based firewall policy based on them.
[Diagram: ISE/pxGrid learns Employee and HR identities from Active Directory; vManage distributes the ZBFW policy based on SGT identity via vSmart and OMP to the router; destinations are IaaS/SaaS and private apps]
ZBFW Policy (source SGT-Employee):
• Destination SGT: SGT-Employee, SGT-IOT, SGT-HR
• Action: Permit All, Deny All
Application Aware Routing - Best of Worst Tunnel Selection
[Chart: measured latency, loss and jitter for Tunnel 1 to Tunnel 4 against the required latency and jitter of the SLA; Users 1 to 4]
policy
 sla-class Voice
  latency 20
  jitter 30
None of the tunnels meets the SLA criteria, so traffic gets routed as per ECMP. This results in a non-deterministic and inconsistent user experience for the same kind of application. Therefore, the best of worst tunnel is used. This would at least provide a better user experience compared to the worst.
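The App A policy from the Improving Application Experience slide and the Voice sla-class above describe one decision procedure: keep the SLA-compliant paths (ECMP among them), and when none qualifies, fall back either to ECMP over everything or to the best of the worst. The following is an added example in Python, not Cisco code and not the platform's actual algorithm: the Path1 to Path3 measurements and the App A thresholds are taken from the slide, the four Voice tunnel measurements are constructed, the strict "<" comparison follows the slide, and the best-of-worst tie-break order (lowest loss, then latency, then jitter) is an assumption of this example.

```python
"""App-aware routing path selection with best-of-worst fallback.
Added example, not Cisco's implementation."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    name: str
    latency_ms: float | None = None   # None means the metric is unconstrained
    loss_pct: float | None = None
    jitter_ms: float | None = None


@dataclass(frozen=True)
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


_KEYS = {"latency": "latency_ms", "loss": "loss_pct", "jitter": "jitter_ms"}


def parse_sla_class(text: str) -> SlaClass:
    """Parse a CLI-style fragment such as the slide's
    'policy / sla-class Voice / latency 20 / jitter 30'.
    Thresholds that are not mentioned stay unconstrained."""
    name, limits = None, {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "sla-class":
            name = tokens[1]
        elif len(tokens) == 2 and tokens[0] in _KEYS:
            limits[_KEYS[tokens[0]]] = float(tokens[1])
    if name is None:
        raise ValueError("no sla-class found in input")
    return SlaClass(name, **limits)


def meets_sla(path: PathStats, sla: SlaClass) -> bool:
    """Strict '<' comparison as written on the slide (so 10ms jitter fails 'Jitter < 10ms')."""
    checks = ((sla.latency_ms, path.latency_ms),
              (sla.loss_pct, path.loss_pct),
              (sla.jitter_ms, path.jitter_ms))
    return all(limit is None or value < limit for limit, value in checks)


def select_paths(paths: list[PathStats], sla: SlaClass,
                 best_of_worst: bool = True) -> tuple[list[PathStats], str]:
    """Return (chosen paths, reason). Compliant paths are load-shared (ECMP).
    If none complies: ECMP over every path (the behaviour the slide criticises)
    or, with best_of_worst, the single least-bad path. Tie-break order
    loss, then latency, then jitter is an assumption of this example."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        return compliant, "sla-compliant"
    if not best_of_worst:
        return list(paths), "ecmp-all"
    best = min(paths, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
    return [best], "best-of-worst"


# Slide data: App A policy and the three measured paths.
APP_A = SlaClass("AppA", latency_ms=150, loss_pct=2, jitter_ms=10)
PATHS = [PathStats("Path1", 10, 0, 5),
         PathStats("Path2", 200, 3, 10),
         PathStats("Path3", 140, 1, 10)]

# Voice class from the slide's CLI fragment; tunnel measurements are constructed
# so that every tunnel misses the 20ms latency requirement.
VOICE = parse_sla_class("policy\n sla-class Voice\n  latency 20\n  jitter 30\n")
TUNNELS = [PathStats("Tunnel1", 120, 2, 60),
           PathStats("Tunnel2", 40, 1, 35),
           PathStats("Tunnel3", 25, 1, 50),
           PathStats("Tunnel4", 30, 0.5, 35)]

if __name__ == "__main__":
    for sla, candidates in ((APP_A, PATHS), (VOICE, TUNNELS)):
        chosen, reason = select_paths(candidates, sla)
        print(sla.name, reason, [p.name for p in chosen])
    # AppA sla-compliant ['Path1']
    # Voice best-of-worst ['Tunnel4']
```

Run as written, App A lands on Path1 alone (Path3 fails only on the strict jitter bound), and the Voice class, which no tunnel satisfies, is pinned to one tunnel instead of being sprayed across all four.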
Extended visibility with Cisco SD-WAN + ThousandEyes
Cisco SD-WAN + ThousandEyes native integration: Rapid MTTI/MTTR, Actionable insights, Turn-key agent deployment
Cisco SD-WAN
• Measures point-to-point network telemetry
• Enables automated routing based on network performance and availability
Cisco ThousandEyes
• Measures hop-by-hop network telemetry and path (SD-WAN underlay + end to end)
• Measures application performance and correlates with network insight
Conclusion
Cisco SD-WAN Benefits and Differentiation
Multicloud (Connect)
Extensive Cloud OnRamp integrations:
• Enables seamless automated connectivity with any site-to-cloud and site-to-site configuration.
Industry Firsts
• Offers cloud onramp to the top three cloud service providers and first to deliver integrations for Microsoft Virtual Hub NVA, and Microsoft 365 informed network routing.
Security (Secure)
Micro-segmentation and identity-based policy management:
• Cisco TrustSec® provides micro-segmentation and identity-based policy management for SDA and non-SDA branches
• Drives consistent multidomain policy enforcement.
Analytics (Automate)
Enhance visibility into network behavior and user experience with applications deployed on-prem or in cloud:
• Extends end-to-end visibility into network health and application performance
• Full hop-by-hop analysis across the internet and cloud.
• Expedites troubleshooting & reduces OpEx by offering actionable insights to help isolate problem areas
Cisco SD-WAN
True SD-WAN Architecture flexibility:
• Separate and dedicated components for the control plane, data plane, management and orchestration of the WAN, designed for scalability and flexibility to implement overlay, underlay, physical, and virtual networks
Hierarchical SD-WAN fabric capability:
• These capabilities provide additional enhancement on scale and usability
Proven deployments to over 10,000+ sites
Cisco SD-WAN portfolio has achieved MEF SD-WAN 3.0 Certification.
Thank you

More Related Content

PPTX
SD-WAN_MoD.pptx for SD WAN networks connectivity
PDF
Cisco SD-Wan introduction and caracteristics.pdf
PDF
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
PDF
TechWiseTV Workshop: Cisco SD-WAN
PDF
Understanding Cisco’ Next Generation SD-WAN Technology
PDF
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
PDF
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
PDF
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
SD-WAN_MoD.pptx for SD WAN networks connectivity
Cisco SD-Wan introduction and caracteristics.pdf
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
TechWiseTV Workshop: Cisco SD-WAN
Understanding Cisco’ Next Generation SD-WAN Technology
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
Cisco Connect Toronto 2017 - Understanding Cisco Next Generation SD-WAN
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...

Similar to Cisco SDWAN presentation for Branches to HQ (20)

PDF
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
PDF
Understanding Cisco Next Generation SD-WAN Solution
PDF
Cisco Connect Halifax 2018 Simple IT
PPTX
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
PPTX
Cisco Connect 2018 Indonesia - next-gen cisco sd-wan architecture
PDF
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
PDF
Cisco Connect 2018 Thailand - Innovation towards sp transformation mr.sean wa...
PPTX
Assuring Your SD-WAN to Deliver Unparalleled Digital Experiences
PPTX
Assuring Your SD-WAN to Deliver Unparalleled Digital Experiences
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
PPTX
New ThousandEyes Product Innovations: Cisco Live June 2025
PPTX
Interop 2013: Network Intelligent Applications & Driving Smarter Business wit...
PDF
ciscothousandeyesusecase
PPTX
Adopting SD-WAN With Confidence: How To Assure and Troubleshoot Internet-base...
PDF
Cisco Connect 2018 Philippines - cisco sd-wan-next generation wan to power yo...
PDF
2025-07-15 EMEA Volledig Inzicht Dutch Webinar
PDF
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan sol...
PDF
Cisco connect winnipeg 2018 unlocking business value with network programma...
PPTX
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
PPTX
Implementing Cisco SD-WAN Solutions.pptx
Cisco Connect Vancouver 2017 - Understanding Cisco next gen SD-WAN
Understanding Cisco Next Generation SD-WAN Solution
Cisco Connect Halifax 2018 Simple IT
[Cisco Connect 2018 - Vietnam] Shamil fernando hcmc next-gen cisco sd-wan (vi...
Cisco Connect 2018 Indonesia - next-gen cisco sd-wan architecture
Cisco connect winnipeg 2018 understanding cisco's next generation sdwan sol...
Cisco Connect 2018 Thailand - Innovation towards sp transformation mr.sean wa...
Assuring Your SD-WAN to Deliver Unparalleled Digital Experiences
Assuring Your SD-WAN to Deliver Unparalleled Digital Experiences
New ThousandEyes Product Innovations: Cisco Live June 2025
New ThousandEyes Product Innovations: Cisco Live June 2025
Interop 2013: Network Intelligent Applications & Driving Smarter Business wit...
ciscothousandeyesusecase
Adopting SD-WAN With Confidence: How To Assure and Troubleshoot Internet-base...
Cisco Connect 2018 Philippines - cisco sd-wan-next generation wan to power yo...
2025-07-15 EMEA Volledig Inzicht Dutch Webinar
Cisco Connect Halifax 2018 Understanding Cisco's next generation sd-wan sol...
Cisco connect winnipeg 2018 unlocking business value with network programma...
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
Implementing Cisco SD-WAN Solutions.pptx
Ad

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Encapsulation theory and applications.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
PPTX
Big Data Technologies - Introduction.pptx
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Unlocking AI with Model Context Protocol (MCP)
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
A Presentation on Artificial Intelligence
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PDF
cuic standard and advanced reporting.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
Modernizing your data center with Dell and AMD
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
“AI and Expert System Decision Support & Business Intelligence Systems”
Encapsulation theory and applications.pdf
Encapsulation_ Review paper, used for researhc scholars
The Rise and Fall of 3GPP – Time for a Sabbatical?
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Agricultural_Statistics_at_a_Glance_2022_0.pdf
Big Data Technologies - Introduction.pptx
NewMind AI Monthly Chronicles - July 2025
Unlocking AI with Model Context Protocol (MCP)
Digital-Transformation-Roadmap-for-Companies.pptx
A Presentation on Artificial Intelligence
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Understanding_Digital_Forensics_Presentation.pptx
cuic standard and advanced reporting.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
NewMind AI Weekly Chronicles - August'25 Week I
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Modernizing your data center with Dell and AMD
Ad

Cisco SDWAN presentation for Branches to HQ

  • 2. Agenda ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public • WAN Network Transformation • Cisco SD-WAN solution overview • SD-WAN Use Cases • Conclusion 2
  • 3. 3 Enterprise Networks are Transforming Devices and Things Campus and Branch Users Mobile Users Data Center/ Private Cloud SaaS IaaS Apps are moving to the Cloud; Application Experience is critical Cyber Threats are increasing and sophisticated Mobility is prevalent; IoT is growing explosively WebEx Cisco SD-WAN Fabric Traditional Security Perimeter is changing
  • 4. WAN Network Transformation Apps: Hosted in datacenter Users: Connected to corporate network to work Network: Centralized Security: On-premises security stack Apps: More hosted in the cloud Users: More work done off-network Network: De-centralized Security: Gaps in protection Internet VPN MPLS Internet SaaS IaaS Private cloud Browsing VPN MPLS Bottle neck Before What’s changed
  • 5. The traditional networking model is inadequate Changes in traffic patterns are creating bottlenecks and performance challenges Problems: • Costs • App performance • User experience • SaaS adoption issues VPN MPLS TRAFFIC Internal 20% Internet 80% Roaming/mobile Branch offices HQ TRAFFIC Internal 20% Internet 80% Bottleneck Internet SaaS IaaS Private cloud Browsing Data Center Backhaul • Increased App Latency • Unpredictable User Experience
  • 6. Perimeter security appliances to protect network User-to-application Site-to-site The new role of WAN Site-to-site connectivity MPLS transport Core routing services Perimeter security Connectivity SLA Site-to-Cloud Connectivity SD-WAN/IP overlays over Internet Routing, observability Cloud-delivered security Application SLA Digital Exchange Internet MPLS MPLS ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 7. Cloud Access is Shifting Situation Cloud migration for IT agility in delivering best experience 60% of organizations expect majority of apps to be SaaS 79% of orgs shifting to some or all direct internet access Impact Complexity in provisioning across multiple cloud providers in many ways Expanded attack surface Gaps in visibility beyond the campus network boundaries ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 9. Cisco SD-WAN Architecture APIs 3rd Party Automation vManage vBond 4G MPLS INET vAnalytics Data Center Campus Branch CoLo Cloud WAN Edge Routers • Dissimilates control plane information between vEdges • Distributes data plane policies • Implements control plane policies Management Plane • Single pane of glass for Day0, Day1 and Day2 operations • Multitenant or single-tenant • Centralized provisioning, troubleshooting and monitoring • RBAC and APIs Control Plane Orchestration Plane • First point of authentication • Distributes list of vSmarts/ vManage to all vEdge routers • Facilitates NAT traversal Data Plane • Physical or virtual • Zero Touch Provisioning • Establishes secure fabric • Implements data plane policies • Exports performance statistics vSmart Controllers ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 10. Cisco SD-WAN - Zero Trust Architecture Signed WAN Edge List SD WAN Edge vBond Administrator Defined Controllers vMan age vSmart vBond vSmart vManage SD WAN Edge WAN Edge and Controllers White- List Certificate Based Mutual Trust • Bi-directional certificate-based trust between all elements - Public or Enterprise PKI ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public • White-list of valid WAN Edges and controllers - Certificate serial number as unique identification
  • 11. OMP Update:  Reachability – IP Subnets, TLOCs  Security – Encryption Keys  Policy – Data/App-route Policies BGP, OSPF, Connected, Static OMP DTLS/TLS Tunnel IPSec Tunnel BFD Transport 1 Transport 2 VPN1 A VPN2 B VPN1 C VPN2 D BGP, OSPF, Connected, Static vSmart OMP Update OMP Update SDWAN Edge SDWAN Edge Subnets Subnets TLOCs TLOCs Policies OMP Update OMP Update ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco SD-WAN – Automated Data Plane Establishment
  • 13. SD-WAN use cases On demand & optimized cloud networking Optimized user application experience Centralized configuration management and application visibility Secure segmentation & Secure Branch
  • 14. ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Branch/ campus Users SD-WAN fabric Regional data venter SaaS optimization challenges Which path has better SLA for Microsoft 365? Should all apps go to the DC first or can trusted apps like Microsoft 365 use DIA? How do I increase performance for each path? How do I automatically steer traffic to another path? Which path do I use for SaaS applications? Direct internet access Regional breakou t Data center backhaul SaaS Data center Corporat e software Best quality Medium quality Poor quality COR for SaaS
  • 15. ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public Cisco SD-WAN fabric Data center Corporate software Branch/campus Users Cisco SD-WAN Cloud OnRamp for SaaS Optimized connectivity to cloud applications Visibility on quality of experience metrics SDWAN Edge router picks the best performing path based on the performance metrics (loss & delay), Fully Automated G Suite Zendesk SugarCRM SaaS AWS Box GoToMeeting Zoho Microsoft 365 Salesforce Oracle SAP Concur Dropbox Intuit Regional data venter COR for SaaS Continuously monitors the SD-WAN Edge router to SaaS performance on all available paths
  • 16. Cloud OnRamp for Microsoft 365 Microsoft 365 Optimization Challenges • How to optimize only certain Microsoft 365 Categories? • How to gain Application telemetry view to gain insights into Application Performance? • When specific path is having performance issues, How to automatically steer traffic? ISP2 Data Center Regional Data Center Remote Site ISP1 SD-WAN Fabric MPLS User ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 17. Microsoft 365 Cloud Feed – Pre-Populated Update • SD-AVC container runs on Cisco vManage • SD-AVC Container pulls Microsoft 365 URL Categories using Microsoft 365 web service • SD-AVC Container dynamically pre-populates Edge router’s NBAR cache with Microsoft 365 IP addresses and URL Categories SD-AVC Cloud Service CACHE CACHE CACHE SD-AVC ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 18. Microsoft 365 URL/IP Categories and Service Areas • First Packet Classification using pre- populated NBAR cache • Microsoft 365 divides applications into 3 categories based on sensitivity • On SD-WAN routers, we classify Microsoft 365 traffic using URL categories i.e., Optimize, Allow and Default • Enable Cloud OnRamp for specific Microsoft 365 categories like Optimize or Optimize and Allow or All Categories • You can also enable CoR for SaaS for only specific Service Areas such as Exchange, SharePoint, Skype or Common SD-WAN Fabric Branch Colo/DC/Hub Optimize Allow Default teams.microsoft.com* (Skype Service Area) ©2022 Cisco and/or its affiliates. All rights reserved. Cisco Public sharepoint.microsoft.com* (Sharepoint and Common Service Area) onedrive.microsoft.com* (Sharepoint and Common Service Area) office.microsoft.com* (Common Service Area)
  • 19. Microsoft 365 Optimization: Application Informed Network Routing
    Problem:
    - Traditional SD-WAN only probes the app front end to detect the best path for the SaaS app
    - The probe measurement covers only part of the network path
    - It does not take service performance into account
    Diagram: SD-WAN router, WAN access, M365 middle mile, M365 Front Door, app server; traditional SD-WAN visibility ends at the front end and the rest of the path is unknown
  • 20. Microsoft 365 Optimization: Application Informed Network Routing
    Problem:
    - Traditional SD-WAN only probes the app front end to detect the best path for the SaaS app
    - The probe measurement covers only part of the network path
    - It does not take service performance into account
    Solution:
    - Cisco Cloud OnRamp for SaaS probing is augmented by M365 SaaS telemetry
    - Microsoft monitors the performance of the app service and computes a score
    Diagram: SD-WAN router, WAN access, M365 middle mile, M365 Front Door, app server; traditional SD-WAN visibility covers the first part, telemetry sharing extends visibility to the app server
  • 21. Microsoft 365 Optimization with Cisco SD-WAN: Application Informed Network Routing
    - Developed in partnership with Microsoft
    - The Cisco SD-WAN solution is Microsoft Networking Partner Program certified
    - vAnalytics receives Exchange, Teams and SharePoint telemetry data from Microsoft
    - vAnalytics sends network telemetry data to Microsoft 365
    - Application and network telemetry together provide application performance insights
    - vAnalytics uses the network and app telemetry data to compute the best path
    - The SD-WAN router selects the best path based on the results received from vAnalytics
    Diagram: remote branch and data center on the SD-WAN fabric; edge devices send telemetry data to vManage/vAnalytics; vAnalytics receives app telemetry data from M365 and sends WAN link telemetry to M365
  • 22. Cisco SD-WAN Cloud OnRamp for Multicloud
    Automate SD-WAN extension to IaaS via vManage. Cisco is the only market player to partner with the top 3 cloud providers for an end-to-end solution.
    - Greater automation: automate SD-WAN extension to the cloud with just a few clicks
    - Normalized multicloud experience: consistent UI and workflow in vManage
    - Unified security policies: extend consistent enterprise segmentation policy into the cloud
    - Ease of management: orchestrate Cisco and cloud provider networking resources via vManage
    Diagram: Cisco SD-WAN over 5G, MPLS and Internet transports
  • 23. Cloud OnRamp Automation on vManage
    Same configuration workflow for all 3 CSPs (AWS, Azure, Google Cloud):
    1. Enter cloud credentials
    2. Create Cisco Cloud GW
    3. Discover host VPCs/VNets
    4. Map branch nets to VPCs
  • 24. Cloud OnRamp for Multicloud Automation: How it works
    Single UI vManage workflow:
    1. Have two C8000v ready
    2. Define the AWS account
    3. Discover host VPCs
    4. Tag host VPCs as needed
    5. Enter TGW details
    6. Deploy and verify
    vManage will do the following:
    1. Bring up the Transit VPC with two CSR running the SD-WAN image
    2. Create the TGW
    3. Connect the TGW and CSR
    4. Connect the host VPCs
    Diagram: SD-WAN over INET and MPLS from the service VPN into a Transit VPC (two Cisco C8000v, IGW), VPN attachment to the TGW using standard IPsec + BGP; host VPCs across AZ1/AZ2 attached to the TGW via VPC attachment, plus Direct Connect to a VGW
  • 26. SD-WAN use cases
    - On demand and optimized cloud networking
    - Optimized user application experience
    - Centralized configuration management and application visibility
    - Secure segmentation and secure branch
  • 27. Cisco SD-WAN: Improving Application Experience
    WAN Edge routers continuously perform path liveliness and quality measurements over the SD-WAN IPsec tunnels (Internet, MPLS, 4G LTE) between the remote site and the data center.
    Measured paths:
    - Path 1: 10 ms, 0% loss, 5 ms jitter
    - Path 2: 200 ms, 3% loss, 10 ms jitter
    - Path 3: 140 ms, 1% loss, 10 ms jitter
    vManage App Aware Routing policy, App A path must have: latency < 150 ms, loss < 2%, jitter < 10 ms. The diagram calls out Path 2 against this policy.
  • 28. SD-WAN use cases
    - On demand and optimized cloud networking
    - Optimized user application experience
    - Centralized configuration management and application visibility
    - Secure segmentation and secure branch
  • 29. Cisco SD-WAN Controller for simplified management
    One management dashboard for branch, co-location, cloud and security: Cisco vManage
    - Single monitoring dashboard
    - Configuration: OnRamp, security, devices, policies, templates
    - Role based access / multi-tenant
    - Lifecycle management
  • 30. Visualizing Application Paths
  • 31. Checking Transport Quality
  • 32. Checking QoS
  • 33. SD-WAN use cases
    - On demand and optimized cloud networking
    - Optimized user application experience
    - Centralized configuration management and application visibility
    - Secure segmentation and secure branch
  • 34. Cisco SD-WAN - Segmentation
    Granular segmentation policy:
    - Macro segmentation: VPN level segmentation across the SD-WAN overlay (VPN 1, VPN 2, VPN 3), e.g. Campus VPN, IOT VPN, Guest VPN
    - Micro segmentation: identity based group level segmentation within a VPN, e.g. IP cameras, sensors and VoIP as separate groups inside the IOT VPN (VPN 2)
    Per-VPN topology: full mesh, hub-and-spoke, partial mesh
  • 35. Why Direct Internet Access (DIA)?
    Diagram: branch (with branch security) reaching SaaS/IaaS/private cloud/Internet directly through cloud security, instead of via the data center firewall/IPS
    1. Avoid backhauling. Benefit: better use of WAN bandwidth; improves user experience
    2. Regional SaaS PoP. Benefit: improves application performance
    3. Enable DIA with branch security and cloud security
    4. Centralized policy/monitoring. Benefit: consistent security policy and monitoring
  • 36. Cisco SD-WAN Security Stack: Flexible Deployment Model
    - SD-WAN with on-prem security (SD-branch model): thick branch with integrated routing and security, connecting to headquarters/data center and SaaS/IaaS applications
    - SD-WAN with SIG integration and hybrid security: thin branch with cloud security (SIG integration), or a hybrid model that combines a thick branch with routing and security with cloud security, connecting to headquarters/data center and SaaS/IaaS applications
  • 37. Cisco SD-WAN Security Solution: on-prem security capabilities
    - Enterprise Firewall: Layer 3 to 7 apps classified
    - Intrusion Protection System: most widely deployed IPS engine in the world
    - URL-Filtering: web reputation score using 82+ web categories
    - Adv. Malware Protection: with file reputation and sandboxing (TG)
    - SSL/TLS Proxy: detect threats in encrypted traffic
    - DNS Layer Security: DNS security with Cisco Umbrella
  • 38. Cisco Umbrella SIG security capabilities: integrated security platform
    - SecureX: visibility across my entire security stack, with automated actions
    - DNS-layer security: stop threats before traffic reaches my network
    - Secure web GW (incl. RBI, file control, app control): full URL visibility/control to enforce policy and block advanced threats
    - Cloud-delivered Layer 7 firewall: L7 security across all sites to stop non-web-based threats
    - Cloud access security broker (CASB): discover, report and control cloud application use
    - Interactive threat intel: real-time threat context expediting incident investigation and response
  • 40. Cisco SD-WAN QoS features
    - Per-tunnel QoS: allocates the bandwidth on a per-tunnel basis
    - Adaptive QoS: allocates the bandwidth as per availability
    - Per-VPN QoS: allocates the bandwidth on a per-VPN basis
  • 42. Cisco SD-WAN extends segmentation and policies across the enterprise's networking domains
    Cisco SD-WAN supports user/device identity SGT tags being propagated via the SD-WAN overlay, enabling end to end policy propagation (policy exchange between the campus with its users and things, the SD-WAN, and the private/public data center).
  • 43. Cisco SD-WAN - Identity-based Firewall (ISE-SGT integration)
    Security policies that align to identities rather than to IP addresses give organizations easier, more precise control over who can access the network/applications, and what they can access. In a hybrid workforce environment users can access applications from anywhere and from any IP, therefore applying security policy based on prefixes is not enough. Cisco SD-WAN introduces the capability for a WAN edge to match user/user-group identities and apply zone-based firewall policy based on them.
    Diagram: Active Directory feeds ISE/pxGrid (Employee, HR groups); vManage pushes the ZBFW policy via vSmart (OMP) to the router, which enforces it towards IaaS/SaaS and private apps. Example ZBFW policy based on SGT identity: source SGT-Employee; destination SGTs SGT-Employee, SGT-IOT, SGT-HR; actions Permit All / Deny All.
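    The point of this slide, that a zone-based firewall keyed on SGTs follows the user while a prefix ACL follows the subnet, is shown below as an added example. It is not Cisco's ZBFW or ISE code: the IP-to-SGT sessions, the destination tags, the rule table and the function names are all constructed for illustration, standing in for what ISE publishes over pxGrid and what vManage pushes to the WAN edge.

```python
"""Added example (not Cisco ZBFW/ISE code): evaluate a zone-based firewall
policy on (source SGT, destination SGT) using identity-to-SGT mappings such as
ISE supplies over pxGrid, and contrast it with a prefix-based ACL."""
import ipaddress
from dataclasses import dataclass

# Constructed identity data, the shape ISE session/pxGrid data would take.
SESSION_SGT = {                  # endpoint IP -> SGT learned from ISE sessions
    "10.1.1.25": "SGT-Employee",
    "100.64.9.3": "SGT-Employee",  # same employee, now on a remote address
    "10.1.1.40": "SGT-HR",         # HR user sitting on the same branch subnet
    "10.20.0.7": "SGT-IOT",
}
DESTINATION_SGT = {              # application subnets tagged statically
    "10.50.0.0/16": "SGT-PrivateApps",
    "10.60.0.0/24": "SGT-HR-Apps",
}


@dataclass(frozen=True)
class Rule:
    src_sgt: str   # "*" matches any source SGT
    dst_sgt: str   # "*" matches any destination SGT
    action: str    # "permit" or "deny"


# Constructed ZBFW policy; first matching rule wins, anything else is denied.
POLICY = [
    Rule("SGT-HR",       "SGT-HR-Apps",     "permit"),
    Rule("SGT-Employee", "SGT-PrivateApps", "permit"),
    Rule("SGT-Employee", "SGT-HR-Apps",     "deny"),
    Rule("SGT-IOT",      "*",               "deny"),   # IoT never reaches apps
]
DEFAULT_ACTION = "deny"


def lookup_dst_sgt(dst_ip):
    """Longest-prefix match of the destination against the tagged subnets."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, sgt in DESTINATION_SGT.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else "SGT-Unknown"


def evaluate_sgt_policy(src_ip, dst_ip):
    """Identity-based decision: returns (action, src_sgt, dst_sgt)."""
    src_sgt = SESSION_SGT.get(src_ip, "SGT-Unknown")   # no session -> unknown
    dst_sgt = lookup_dst_sgt(dst_ip)
    for rule in POLICY:
        if rule.src_sgt in (src_sgt, "*") and rule.dst_sgt in (dst_sgt, "*"):
            return rule.action, src_sgt, dst_sgt
    return DEFAULT_ACTION, src_sgt, dst_sgt


def evaluate_prefix_acl(src_ip, dst_ip):
    """The prefix-only alternative the slide argues against: permit the branch
    user subnet to private apps. It cannot tell an HR user from an employee on
    that subnet, and it loses the employee once they roam off it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src in ipaddress.ip_network("10.1.1.0/24") and dst in ipaddress.ip_network("10.50.0.0/16"):
        return "permit"
    return "deny"


if __name__ == "__main__":
    for src, dst in (("10.1.1.25", "10.50.3.3"), ("100.64.9.3", "10.50.3.3"),
                     ("10.1.1.40", "10.50.3.3"), ("10.20.0.7", "10.50.3.3")):
        print(src, "->", dst, "SGT:", evaluate_sgt_policy(src, dst)[0],
              "prefix ACL:", evaluate_prefix_acl(src, dst))
```

    The two decision functions disagree exactly where the slide says prefix policy falls short: the roaming employee on 100.64.9.3 keeps access under the SGT policy but is dropped by the prefix ACL, while the HR user on the branch subnet is permitted by the prefix ACL to resources the SGT policy never granted that group. An endpoint with no ISE session maps to an unknown tag and falls through to the default deny.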
  • 44. Application Aware Routing: Best of Worst Tunnel Selection
    Chart: measured latency, loss and jitter for Tunnel 1 to Tunnel 4 against the required latency and required jitter of the SLA, for User 1 to User 4
    Policy: sla-class Voice, latency 20, jitter 30
    - None of the tunnels meets the SLA criteria
    - Traffic then gets routed as per ECMP
    - This results in a non-deterministic and inconsistent user experience for the same kind of application
    - Therefore the best of worst tunnel is used; this at least provides a better user experience compared to the worst
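    The path decision described on slide 27 (match each measured path against the SLA class thresholds) and on this slide (when no path qualifies, pick the best of the worst rather than spreading traffic by ECMP) is worked below as an added example. It is not Cisco's Application Aware Routing implementation: the slide 27 path numbers and the Voice SLA are taken from the deck, the four failing tunnels and the ranking used to pick the best of worst are constructed, and all names are assumptions.

```python
"""Added example (not Cisco AAR code): pick tunnels for an SLA class from
path measurements, and fall back to the best-of-worst tunnel instead of ECMP
when no path meets the SLA."""
from dataclasses import dataclass

INF = float("inf")


@dataclass(frozen=True)
class PathStats:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """Thresholds as on the slides: a path must stay strictly below each bound.
    Unset bounds default to infinity, i.e. not part of the SLA."""
    name: str
    latency_ms: float = INF
    loss_pct: float = INF
    jitter_ms: float = INF


def meets_sla(path, sla):
    return (path.latency_ms < sla.latency_ms
            and path.loss_pct < sla.loss_pct
            and path.jitter_ms < sla.jitter_ms)


def sla_violation(path, sla):
    """Constructed ranking for best-of-worst: sum, over the SLA bounds the path
    breaks, of how far it overshoots each bound relative to that bound. A
    compliant path scores 0. (The deck does not spell out Cisco's ordering.)"""
    total = 0.0
    for value, bound in ((path.latency_ms, sla.latency_ms),
                         (path.loss_pct, sla.loss_pct),
                         (path.jitter_ms, sla.jitter_ms)):
        if bound != INF and value >= bound:
            total += (value - bound) / max(bound, 1e-9)
    return total


def select_paths(paths, sla, fallback_best_of_worst=True):
    """Returns (mode, paths). 'sla': all compliant paths, shared as the policy
    allows; 'best-of-worst': the single least-violating path; 'ecmp': every
    path, the non-deterministic default the slide warns about."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        return "sla", compliant
    if fallback_best_of_worst:
        return "best-of-worst", [min(paths, key=lambda p: sla_violation(p, sla))]
    return "ecmp", list(paths)


# Slide 27: three measured paths and the App A policy.
SLIDE27_PATHS = [
    PathStats("Path 1", latency_ms=10, loss_pct=0, jitter_ms=5),
    PathStats("Path 2", latency_ms=200, loss_pct=3, jitter_ms=10),
    PathStats("Path 3", latency_ms=140, loss_pct=1, jitter_ms=10),
]
APP_A = SlaClass("App A", latency_ms=150, loss_pct=2, jitter_ms=10)

# Slide 44: Voice SLA (latency 20, jitter 30) and four constructed tunnels,
# none of which meets it.
VOICE = SlaClass("Voice", latency_ms=20, jitter_ms=30)
SLIDE44_TUNNELS = [
    PathStats("Tunnel 1", latency_ms=25, loss_pct=0, jitter_ms=35),
    PathStats("Tunnel 2", latency_ms=60, loss_pct=0, jitter_ms=31),
    PathStats("Tunnel 3", latency_ms=22, loss_pct=0, jitter_ms=50),
    PathStats("Tunnel 4", latency_ms=30, loss_pct=1, jitter_ms=40),
]

if __name__ == "__main__":
    mode, chosen = select_paths(SLIDE27_PATHS, APP_A)
    print(APP_A.name, mode, [p.name for p in chosen])
    mode, chosen = select_paths(SLIDE44_TUNNELS, VOICE)
    print(VOICE.name, mode, [p.name for p in chosen])
    mode, chosen = select_paths(SLIDE44_TUNNELS, VOICE, fallback_best_of_worst=False)
    print(VOICE.name, mode, [p.name for p in chosen])
```

    With the slide 27 numbers only Path 1 qualifies for App A: Path 2 breaks all three bounds and Path 3 sits exactly on the 10 ms jitter bound, which a strict threshold rejects. For the Voice class no tunnel qualifies, so without the fallback all four are returned (the ECMP case) and with it the single least-violating tunnel is chosen every time, which is what makes the experience consistent for the same application.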
  • 45. Extended visibility with Cisco SD-WAN + ThousandEyes
    Cisco SD-WAN + ThousandEyes native integration: rapid MTTI/MTTR, actionable insights, turn-key agent deployment
    - Cisco SD-WAN: measures point-to-point network telemetry; enables automated routing based on network performance and availability
    - Cisco ThousandEyes: measures hop-by-hop network telemetry and path (SD-WAN underlay + end to end); measures application performance and correlates it with network insight
  • 47. Cisco SD-WAN Benefits and Differentiation
    Multicloud Connect. Extensive Cloud OnRamp integrations:
    - Enables seamless automated connectivity with any site-to-cloud and site-to-site configuration
    - Industry firsts: offers cloud onramp to the top three cloud service providers, and first to deliver integrations for Microsoft Virtual Hub NVA and Microsoft 365 informed network routing
    Security. Secure micro-segmentation and identity-based policy management:
    - Cisco TrustSec® provides micro-segmentation and identity-based policy management for SDA and non-SDA branches
    - Drives consistent multidomain policy enforcement
    Analytics. Enhanced visibility into network behavior and user experience with applications deployed on-prem or in cloud:
    - Extends end-to-end visibility into network health and application performance
    - Full hop-by-hop analysis across the internet and cloud
    - Expedites troubleshooting and reduces OpEx by offering actionable insights to help isolate problem areas
    Automate. True SD-WAN architecture flexibility:
    - Separate and dedicated components for the control plane, data plane, management and orchestration of the WAN, designed for scalability and flexibility to implement overlay, underlay, physical and virtual networks
    - Hierarchical SD-WAN fabric capability: provides additional enhancement on scale and usability
    Proven deployments to over 10,000+ sites. The Cisco SD-WAN portfolio has achieved MEF SD-WAN 3.0 Certification.