Understanding Cisco Next Generation SD-WAN Solution

1. Understanding Cisco's Next Generation SD-WAN Solution
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Danny Blais & Luis Cruz
Network Eng. Consultants, Canada
2. Digital Innovation in the Branch & WAN
• 90% of revenue is generated in the branch
• More threats: 30% of advanced threats will target branch offices by 2016 (up from 5%)
• More users: 80% of employees and customers are served in branch offices
• More devices: 73% growth in mobile devices from 2014-2018
• More apps: 20-50% increase in enterprise bandwidth per year through 2018
• 30B IoT devices connected to the internet by 2020
• Up to 50% annual increase in enterprise bandwidth and video adoption
• 10B mobile-connected devices by 2019
• 80% of organizations primarily use public cloud by 2019
3. Software Defined WAN
Hybrid WAN Transport
(Diagram: an IPsec-secured Branch connected over MPLS (IP-VPN) and Internet transports, with Direct Internet Access, to Private Cloud, Virtual Private Cloud and Public Cloud.)
• Application Optimization
• Secure Connectivity
• Efficient and dynamic load sharing
• Agnostic WAN Transport
• Simplified Management, Operation and Orchestration
4. SD-WAN Business Case
Cost
• Substitute lower cost links or devices for higher cost
• Lower cost of management, troubleshooting
• Leverage Complete Communications for financial analysis
Agility
• Focus on how automation and policy abstraction empower the organization to innovate faster while transforming the customer and workforce experience
Focus
• Provide quantifiable metrics associated with expedited mean time to detection, mean time to innocence and mean time to repair
Performance
• Quantify frequency and cost associated with outages
• Reduce number of outages affecting user performance
• Improve application performance
Security
• Application relevant topologies
• Segmented virtual WANs and security service chains
5. Why Did Cisco Buy Viptela?
• Cloud-first management with flexible deployment options
• Accelerate key SD-WAN use cases: Cloud-edge and Segmentation
• Sophisticated, but still simple to deploy and operate
• Complements Cisco's Enterprise Networks architecture strategy (Cisco Digital Network Architecture)
6. Better Together
Leading Routing & SD-WAN Platforms + Cloud-managed & Feature-rich SD-WAN
Goal: Building next generation SD-WAN solutions
Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk
7. Choosing the Appropriate SD-WAN Solution
Advanced SD-WAN
• Cloud and OnRamp
• More than two active transports or active LTE
• Comprehensive WAN connectivity & services
• Complex topologies
• Custom policies at scale
• Advanced routing & segmentation
• Native dynamic cloud application acceleration
SD-WAN Common
• Hybrid WAN
• L3 overlay for hub-spoke deployments
• Dynamic path selection
• Cloud-managed
• Zero touch deployment with templates and easy to use dashboard
Single Dashboard
• Single pane-of-glass management for full stack infrastructure across the branch
• Existing Meraki customers evaluating SD-WAN
• Competitive pricing pressure
• Integrated branch security and network connectivity solution
8. Now What About IWAN
• Cisco IWAN has over 200,000 sites deployed or in deployment
• No plans to EOL or EOS – 3+ years of support
• IWAN 2.x & IWAN App support and roadmap will continue as per prior customer commitments
Direct Cloud Access, Scale Increase, Hardening, MC Placement, APIC behind NAT
9. Cisco's New SD-WAN Architecture
10. Design Challenges with Growing Needs and New Innovation
Common WAN Topologies: Design and Deployment Considerations
11. Complexity Grows with Scale and Changing Business Requirements
Common WAN Topologies: Growing Complexity - Scale, Policy, Segmentation
12. Business Driven WAN Infrastructure
(Diagram: Application Policies layered over a Services Delivery Platform over a Transport Independent Fabric (MPLS, Broadband, Cellular). Labels shown: Zero Touch, Zero Trust; Routing, QoS, Security, Segmentation, Svc Insertion, Survivability, Multicast; Per-Segment Topologies, Cloud Path (IaaS), Application SLA, Secure Perimeter, Traffic Engineering, Transport Hub, Cloud Accel (SaaS), Analytics, Monitoring, Operations.)
13. Cisco SD-WAN Solution Overview
(Diagram: Data Center, Campus, Branch and Home Office sites connected over 4G, Internet and MPLS. Planes and components: Orchestration Plane (vBond), Control Plane (vSmart; containers or VMs), Management Plane (vManage; multi-tenant or dedicated), Data Plane (vEdge; physical or virtual), Analytics (vAnalytics), API.)
14. Orchestration Plane: Cisco vBond
(Diagram: vBond orchestrating vManage, vSmart controllers, vAnalytics and 3rd party automation via APIs, and vEdge routers at Data Center, Campus, Branch, SOHO and Cloud sites over MPLS, INET and 4G.)
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
15. Management Plane: Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports: REST API, CLI, Syslog, SNMP, NETCONF
16. Control Plane: Cisco vSmart
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Dramatically reduces complexity of the entire network
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges
17. Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context
(Diagram: vSmart controllers peering with each other and with the vEdge routers; no OMP sessions between vEdge routers.)
Note: vEdge routers need no control connections amongst them
18. Data Plane: Cisco vEdge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF and BGP
• Layer 2 redundancy VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
20. Secure Segmentation: End-to-End Segmentation
(Diagram: traffic from VPN 1, VPN 2 and VPN 3 enters the ingress vEdge, crosses the SD-WAN IPsec tunnel, and is delivered by the egress vEdge to the matching VPN on its interface/VLAN.)
Tunnel packet format (bytes): IP (20) | UDP (8) | ESP (36) | VPN label (4) | … | Data
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
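As an added illustration (not from the slides or from Cisco/Viptela code), the following Python models the egress lookup this slide describes: the VPN label selects the per-VPN routing table before the destination lookup, and the header sizes from the packet diagram give the per-packet tunnel overhead. The label values, prefixes and next-hop names are constructed sample data.

```python
import ipaddress

# Constructed sample data: values carried in the 4-byte VPN label field behind the
# ESP header (not real deployment values).
LABEL_TO_VPN = {1001: 1, 1002: 2}

# Per-VPN routing tables: each VPN has its own prefix table, so VPN 1 and VPN 2
# may legitimately carry the same prefix with different next hops.
VPN_ROUTES = {
    1: {"10.1.0.0/16": "vEdge-DC (VPN1)", "10.0.0.0/8": "vEdge-Hub (VPN1)"},
    2: {"10.1.0.0/16": "vEdge-Partner (VPN2)", "0.0.0.0/0": "vEdge-DIA (VPN2)"},
}

# Header stack from the slide: outer IP 20 + UDP 8 + ESP 36 + VPN label 4 bytes.
OVERHEAD = {"ip": 20, "udp": 8, "esp": 36, "vpn_label": 4}


def encapsulation_overhead() -> int:
    """Bytes added to every packet by the SD-WAN IPsec tunnel headers."""
    return sum(OVERHEAD.values())


def effective_payload_mtu(transport_mtu: int) -> int:
    """Largest inner packet that fits the transport MTU without fragmentation."""
    return transport_mtu - encapsulation_overhead()


def lookup(label: int, dst_ip: str):
    """Egress vEdge lookup: the label selects the VPN table, then a longest-prefix
    match is done in that table only. Returns (vpn, next_hop), or None when the
    label is unknown or nothing matches (the packet is dropped, never crossing VPNs)."""
    vpn = LABEL_TO_VPN.get(label)
    if vpn is None:
        return None
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in VPN_ROUTES[vpn].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (vpn, best[1]) if best else None


if __name__ == "__main__":
    print(lookup(1001, "10.1.5.5"))   # resolved in the VPN 1 table
    print(lookup(1002, "10.1.5.5"))   # same destination, VPN 2 table
    print(lookup(1003, "10.1.5.5"))   # unknown label: dropped
    print(effective_payload_mtu(1500))
```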
21. Application Aware Topologies: Arbitrary VPN Topologies
(Diagram: VPN1 Full-Mesh, VPN2 Hub-and-Spoke, VPN3 Partial Mesh, VPN4 Point-to-Point; example uses: Unified Communications, Security Compliance, Regional Services, Partner Connectivity.)
• Leverage control policies to influence per-VPN topology
22. Application Quality Probing / Cloud onRamp for SaaS
(Diagram 1, Application Quality Probing: a Remote Site reaches the Data Center and a Regional Hub across the SD-WAN Fabric via ISP1 and ISP2; loss/latency is detected on one path.)
(Diagram 2, SaaS Optimization: a Remote Site reaches SaaS via the Regional Hub or Data Center across the SD-WAN Fabric over MPLS, ISP1 and ISP2; loss/latency is detected on one path.)
23. L4-L7 Service Insertion: Regional Secure Perimeter
(Diagram: a Remote Office reaches the Data Center through a firewall (FW) at a Regional Hub over MPLS, INET and 4G; the L4-L7 service is advertised to vSmart, which advertises the policy* for VPN1; traffic path and control plane are shown separately.)
• Can chain numerous L4-L7 services
* For data policy only. Control policy enforced on vSmart.
24. Embedded Application Recognition: Deep Packet Inspection
Deep Packet Inspection Engine
Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
(Diagram: a vEdge Router recognizing App 1, App 2 … App 3,000 across Cloud Data Center, Data Center, Campus, Branch, Small Office and Home Office sites over MPLS, INET and 3G/4G.)
25. Application and Performance Visibility: Deep Packet Inspection
• Embedded Deep Packet Inspection engine
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
26. Policy Driven WAN Infrastructure: Policy Augmented Dynamic Routing
1. vManage GUI – Policy Orchestration: Control Policy (Routing and Services), Data Policy (Extensive Policy-based Routing and Services), App-Route Policy (App-Aware SLA-based Routing); combine and apply per site
2. vSmart controller – Policy Enforcement/Advertisement: execute Control Policy; advertise AAR/Data Policies to sites
3. vEdge WAN router (Access Layer, Branch/DC): execute AAR and Data Policy as received
Dynamic Routing and Policies combine to dictate behavior
27. A Flexible Model for Applications Over the WAN
• Per-Session Loadsharing: Active/Active
• Per-Session Weighted: Active/Active
• Application Pinning: Active/Standby
• Application Aware Routing: SLA Compliant
(Diagram: Hierarchical Multihop Fabric through a Core versus Single-hop Fabric, with SLA-measured paths.)
28. Critical Applications SLA: Path Quality Detection Routing
• Enforce SLA compliant path for applications of interest
• Other applications will follow fabric routing across all paths
(Diagram: vEdge1 and vEdge2 connected by IPSec tunnels over Internet, MPLS and 4G LTE, with vSmart controllers and vManage in the control plane; labels: App A, Path 2.)
Path1: 10ms, 0% loss, 5ms latency
Path2: 200ms, 3% loss, 10ms latency
Path3: 140ms, 1% loss, 10ms latency
vManage App Aware Routing Policy – App A path must have:
latency < 150ms
loss < 2%
jitter < 10ms
29. Protecting Critical Applications While Increasing Link Efficiency
Multimedia and Critical Data Policy
• Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms
• Protect Email applications from WAN congestion: Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing
(Diagram: MPLS and Internet paths carrying Voice and Video, Email and Best-Effort Traffic; High Jitter Detected on one path.)
Business App and Load-Balancing Policy
• Protect transactional business app from brownouts: delay < 250ms
• Preferred path MPLS
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
(Diagram: MPLS and Internet paths carrying Business App and Best-Effort Traffic; High Delay Detected on one path.)
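As an added example (not the slides' or Cisco's code), this Python models the application-aware routing described on slides 28 and 29: per-application SLA classes with the thresholds stated there, a preferred transport, and the fallback to fabric routing across all paths when no path complies. The path names, the probe figures, the jitter metric, and the reading of "SP1" as the MPLS link are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class PathStats:
    """Latest probe results for one transport (one tunnel 'color')."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass
class SlaClass:
    """Bounds a path must stay strictly below; inf means 'not checked'."""
    max_latency_ms: float = float("inf")
    max_loss_pct: float = float("inf")
    max_jitter_ms: float = float("inf")


# Thresholds are those stated on slides 28 and 29; the class names are constructed.
SLA_CLASSES = {
    "app-a": SlaClass(max_latency_ms=150, max_loss_pct=2, max_jitter_ms=10),
    "voice-video": SlaClass(max_latency_ms=150, max_jitter_ms=20),
    "email": SlaClass(max_loss_pct=5),
    "business-app": SlaClass(max_latency_ms=250),
}

# Preferred transport per application (assumption: slide 29's "SP1" is the MPLS link).
PREFERRED = {"voice-video": "MPLS", "email": "Internet", "business-app": "MPLS"}


def measure(samples_ms, lost, sent):
    """Summarise probe samples: mean latency, loss %, and jitter taken as the mean
    absolute difference between consecutive samples (assumed metric)."""
    latency = sum(samples_ms) / len(samples_ms)
    deltas = [abs(a - b) for a, b in zip(samples_ms, samples_ms[1:])]
    jitter = sum(deltas) / len(deltas) if deltas else 0.0
    return latency, 100.0 * lost / sent, jitter


def meets_sla(path, sla):
    return (path.latency_ms < sla.max_latency_ms
            and path.loss_pct < sla.max_loss_pct
            and path.jitter_ms < sla.max_jitter_ms)


def select_paths(app, paths):
    """Transports the application may use, preferred one first. Only compliant
    paths are returned; if none complies, fall back to fabric routing over all."""
    sla = SLA_CLASSES.get(app, SlaClass())
    ok = [p.name for p in paths if meets_sla(p, sla)]
    if not ok:
        return [p.name for p in paths]
    preferred = PREFERRED.get(app)
    return sorted(ok, key=lambda name: 0 if name == preferred else 1)


# Constructed probe results, reusing the three rows of figures from slide 28.
PATHS = [
    PathStats("MPLS", latency_ms=10, loss_pct=0, jitter_ms=5),
    PathStats("Internet", latency_ms=200, loss_pct=3, jitter_ms=10),
    PathStats("4G LTE", latency_ms=140, loss_pct=1, jitter_ms=10),
]

if __name__ == "__main__":
    for app in SLA_CLASSES:
        print(app, "->", select_paths(app, PATHS))
```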
30. Application Optimization: TCP Performance Optimization
• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
(Diagram: Users and Servers on either side of a High Latency Path; the vEdge routers terminate the TCP connections at each end and carry optimized TCP connections (Cubic) across the SD-WAN Fabric.)
31. Cisco SD-WAN Management and Operation
32. Zero Touch Provisioning: Plug-n-Play vEdge Secure Bring-up (Zero Trust)
(Diagram: the Administrator loads the vEdge List (White-List) and vEdge Configuration Template into vManage; the Installer connects Network and Power to the vEdge; the vEdge, holding its X.509 Identity in a TPM, obtains an address via DHCP and reaches the ZTP Server; Identity and Trust are established with vBond and vSmart.)
33. Template-Based Configurations: Centralized Device Configuration Enforcement
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
  - Prevents configuration drift
34. Single Pane of Glass Operations: vManage GUI
• Intuitive GUI driven operations
  - Management, monitoring and troubleshooting
• Cloud Delivered
  - Private, hosted or managed
• Single or Multi-tenant
• Role-based Access Control
• Clustered for scale and high availability
• REST APIs based
35. vAnalytics Dashboard
37. Summary: Solution Elements
Orchestration, Control, Data and Management Planes
Control Plane – Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
Data Plane – Cisco vEdge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
Management Plane – Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• NMS interfaces (SNMP, Syslog, IPFIX)
Orchestration Plane – Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
38. Cisco vEdge Routers Portfolio
• Branch/SOHO/SMB (100Mb): vEdge 100 family
• Branch/Campus (1Gb): vEdge 1000
• Campus/Data Center (10Gb): vEdge 2000
• Campus/Data Center (20Gb+): vEdge 5000
• NFV, vCPE (N x cores): vEdge Cloud on Greybox or Whitebox
• IaaS & Cloud Interconnect (N x cores): vEdge Cloud
39. vEdge Cloud Virtual Routers: Virtualized Branch or Cloud
• On-Premise: vEdge Cloud VMs on a Physical Server running ESXi or KVM
• Hosted: vEdge Cloud VMs on AWS or Azure
VM Throughput:
2x vCPU 500Mb/s
4x vCPU 1Gb/s
8x vCPU 1.5Gb/s
40. Controllers: Cloud or On-Premise Delivered
• On-Premise: vManage, vSmart, vSmart and vBond* as VMs or vContainers on a Physical Server running ESXi or KVM
• Hosted: vManage, vSmart, vSmart and vBond as VMs or vContainers on AWS or Azure
* Can be deployed as physical vEdge appliance
42. Scalability: Orchestration/Control/Management Plane
(Diagram: Data Center, Campus, Branch and Home Office sites over 4G/LTE, MPLS and Internet.)
• Orchestration Plane (vBond): 2000 vEdges per vBond; redundancy: add 1-2 vBonds; horizontal scale-out model
• Control Plane (vSmart; containers or VMs): 2700 vEdges per vSmart; redundancy: add 1-2 vSmarts; horizontal scale-out model
• Management Plane (vManage; multi-tenant or dedicated): 2700 vEdges per vManage; horizontal scale-out model in cluster mode (same DC)
43. Scalability: Data Plane and IPsec
vEdge100: IPSec Tunnels: 250
vEdge1000: IPSec Tunnels: 1500
vEdge2000: IPSec Tunnels: 6000
Max aggregated throughput:
vEdge-100 – 100MB AES-256 full duplex
vEdge-1000 – 1GB AES-256 full duplex
vEdge-2000 – 10GB AES-256 full duplex
Max number of concurrent VPNs: 64 [vpn 0 and vpn 512 included]
Overlay tunnels are static based on policy. Not dynamically generated on-demand.
(Diagram: vEdge 100 Dual LTE variant.)
45. Viptela Integration Plan
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Phase 1 – No Integration
  Details: Platform: as-is; Management: vManage
  Benefits: Support current Viptela customers
  Deployment Scenarios: vEdge, vManage
Phase 2 – Platform Integration
  Details: Platform: vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K); Management: vManage for SD-WAN capabilities on IOS-XE
  Benefits: Viptela SD-WAN on strategic ISR platform
  Deployment Scenarios: ISR4K + vEdge SW, vEdge, vManage
Phase 3 – Management Integration
  Details: Management: Cloud hosted DNA Center integrates vManage capabilities; Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN)
  Benefits: Deliver end-to-end experience with full DNA integration
  Deployment Scenarios: ISR4K + vEdge SW, vEdge, DNA Center + SD-WAN
46. High-level Feature Integration Plan
Existing Viptela Capabilities
• Day 0, Workflows (User Configuration, System setup, Segmentation Setup)
• Day 1, Control phase setup (ZTP, Templates), Segmentation, DC routing, Topologies
• Day N, Application Policy, QoS, DIA, Cloud Express, Monitoring & Troubleshooting, Upgrade Options
Existing IOS-XE Capabilities
• Platform & Interfaces: ASR1K, CSR, ISR4K, T1/E1, FXS/FXO etc
• Security & Services: ZBF, Umbrella, WAAS, UC, etc
• Advanced Capabilities: QoS, BGP etc.
47. SD-WAN Evolution
(Roadmap diagram with three horizons: Core SDWAN (6-12 months, Target), Innovate With Portfolio (12-24 months), Leapfrog With Arch Evolution (Planning). Items shown: MSP NaaS; Security Integration (Umbrella + CloudLock, ISE); Easy Troubleshooting & Ops; Scale cloud-ops; Application QoE; One-click Cloud Networking; TestDrive; Quick Deploy; VDI Acceleration; NaaS P2; Analytics Visibility; Voice, App acceleration; Platform diversity; Appliance security (ZBF, URL filtering, IPS/IDS); DNA Center + SD-WAN; SDWAN + SDA; Analytics; EN wide Multi-cloud connect; SAE.)
48. SD-WAN Fabric Integration with DNA
(Diagram: Users, Devices and Things on SDA Fabrics (branch & campus) connect across the SDWAN Fabric to the DC (ACI Fabric, vDC), IaaS, SaaS, Cloud and IoT, with cloud-delivered Analytics; labels: Secure, Scale, Open.)
• User / Device Identity, network-wide
• Policy abstraction at User / Group and Application levels
• Policy at Fabric Edge. Over-the-top.
• Increased Simplicity. Seamless Mobility. End-to-end Context
49. Key Takeaways
• Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE
• Cisco's SD-WAN solution (Viptela) is both a cloud and on-prem (hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform, but the complementary Viptela core products are here to stay in the foreseeable future