Cisco Connect Halifax 2018: Understanding Cisco's Next Generation SD-WAN Solution with Viptela
- 1. © 2018 Cisco and/or its affiliates. All rights reserved.
Understanding Cisco’s Next Generation SD-WAN Solution with Viptela
Francis Girard, TSA
April 2018
Cisco Connect: Your Time Is Now
- 2.
Digital Innovation in the Branch & WAN
• 90% of revenue is generated in the branch
• More threats: 30% of advanced threats will target branch offices by 2016 (up from 5%)
• More users: 80% of employees and customers are served in branch offices
• More devices: 73% growth in mobile devices from 2014-2018
• More apps: 20-50% increase in enterprise bandwidth per year through 2018
• 30B IoT devices connected to the internet by 2020
• Up to 50% annual increase in enterprise bandwidth and video adoption
• 10B mobile-connected devices by 2019
• 80% of organizations primarily use public cloud by 2019
- 3.
Software Defined WAN
Hybrid WAN Transport
Diagram: an IPsec-secured branch reaches private cloud, virtual private cloud and public cloud over MPLS (IP-VPN) and Internet transports, with Direct Internet Access from the branch.
• Application Optimization
• Secure Connectivity
• Efficient and dynamic load sharing
• Agnostic WAN Transport
Simplified Management, Operation and Orchestration
- 4.
Software Defined WAN
Business Case
Cost
• Replace higher cost links or devices with lower cost ones
• Lower cost of management, troubleshooting
• Leverage Complete Communications for financial analysis
Agility
• Focus on how automation and policy abstraction empower the organization to innovate faster while transforming the customer and workforce experience
Visibility
• Provide quantifiable metrics associated with expedited mean time to detection, mean time to innocence and mean time to repair
Performance
• Quantify frequency and cost associated with outages
• Reduce number of outages affecting user performance
• Improve application performance
Security
• Application relevant topologies
• Segmented virtual WANs and security service chains
- 5.
Why Did Cisco Buy Viptela?
• Cloud-first management with flexible deployment options
• Accelerate key SD-WAN use cases: Cloud-edge and Segmentation
• Sophisticated, but still simple to deploy and operate
• Complements Cisco’s Enterprise Networks architecture strategy (Cisco Digital Network Architecture)
- 6.
Cisco’s New SD-WAN Architecture
- 7.
Common WAN Topologies
Design and Deployment Considerations
Design Challenges with Growing Needs and New Innovation
Things to consider with redundant links:
• Administrative distance
• Filtering
• Summarization
• Traffic Engineering and path preference
Dual-router designs further complicate things by introducing:
• Redistribution
• Advanced filtering techniques
• The potential for loops
- 8.
Business Driven WAN Infrastructure
Diagram (layered architecture):
• Application policies: Per-Segment Topologies, Cloud Path (IaaS), Application SLA, Secure Perimeter, Traffic Engineering, Transport Hub, Cloud Accel (SaaS), Analytics, Monitoring, Operations
• Services delivery platform: QoS, Security, Segmentation, Svc Insertion, Survivability, Routing, Multicast
• Transport independent fabric: Broadband, Cellular, MPLS
• Zero Touch, Zero Trust
- 9.
Cisco SD-WAN Solution Overview
Diagram: Data Center, Campus, Branch and Home Office sites connected over 4G, Internet and MPLS transports.
• Orchestration Plane (vBond)
• Management Plane (vManage; multi-tenant or dedicated)
• Control Plane (vSmart; containers or VMs)
• Data Plane (vEdge; physical or virtual)
• Analytics (vAnalytics), reached through the API
- 10.
Orchestration Plane
Cisco vBond
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
Diagram: vManage, vSmart controllers, vAnalytics and 3rd party automation (via APIs) above vBond; vEdge routers at Data Center, Campus, Branch, SOHO and Cloud sites connected over 4G, MPLS and INET.
- 11.
Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports: REST API, CLI, Syslog, SNMP, NETCONF
Diagram: same solution topology as the previous slide, with vManage highlighted.
- 12.
Control Plane
Cisco vSmart
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Dramatically reduces complexity of the entire network
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges
Diagram: same solution topology, with the vSmart controllers highlighted.
- 13.
Data Plane
Cisco vEdge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF and BGP
• Layer 2 redundancy: VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
Diagram: same solution topology, with the vEdge routers highlighted.
- 14.
Cisco SD-WAN Solution
- 15.
Secure Segmentation
End-to-End Segmentation
Diagram: the ingress vEdge maps interfaces and VLANs into VPN1, VPN2 and VPN3, carries all of them over a single SD-WAN IPsec tunnel, and the egress vEdge maps each VPN back to its own interface or VLAN.
Encapsulated packet layout, header sizes in bytes: IP (20) | UDP (8) | ESP (36) | VPN label (4) | ... | Data
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
- 16.
Application Aware Topologies
Arbitrary VPN Topologies
Diagram: four VPNs, each with its own topology and use case:
• VPN1: Full-Mesh (Unified Communications)
• VPN2: Hub-and-Spoke (Security Compliance)
• VPN3: Partial Mesh (Regional Services)
• VPN4: Point-to-Point (Partner Connectivity)
• Leverage control policies to influence per-VPN topology
- 17.
Application Quality Probing
Cloud onRamp for SaaS
SaaS Optimization
Diagram: a Remote Site with ISP1 and ISP2 uplinks reaches SaaS through the SD-WAN fabric either directly or via a Regional Hub or the Data Center (over MPLS); loss and latency are probed on each candidate path.
- 18.
L4-L7 Service Insertion
Regional Secure Perimeter
Diagram: a Remote Office and a Data Center in VPN1 connect over MPLS, INET and 4G; a firewall (FW) at the Regional Hub is advertised as an L4-L7 service, vSmart advertises the policy*, and VPN1 traffic between the sites is steered through the hub firewall (traffic path shown separately from the control plane).
• Can chain numerous L4-L7 services
* For data policy only. Control policy enforced on vSmart.
- 19.
Embedded Application Recognition
Deep Packet Inspection
Deep Packet Inspection Engine
Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
Diagram: vEdge routers at Cloud Data Center, Data Center, Campus, Branch, Small Office and Home Office, connected over MPLS, INET and 3G/4G, recognize App 1 through App 3,000.
- 20.
Application and Performance Visibility
Deep Packet Inspection
• Embedded Deep Packet Inspection engine
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
- 21.
A Flexible Model for Applications Over the WAN
Diagram: a hierarchical multihop fabric (with core) and a single-hop fabric, each offering the following forwarding models between edges:
• Per-Session Loadsharing (Active/Active)
• Per-Session Weighted (Active/Active)
• Application Pinning (Active/Standby)
• Application Aware Routing (SLA Compliant)
- 22.
Critical Applications SLA
Path Quality Detection Routing
• Enforce SLA compliant path for applications of interest
• Other applications will follow fabric routing across all paths
Diagram: vEdge1 and vEdge2 are joined by IPsec tunnels over Internet, MPLS and 4G LTE; vManage pushes the policy to the vSmart controllers, which distribute it over the control plane.
App Aware Routing Policy, App A path must have:
latency < 150ms
loss < 2%
jitter < 10ms
Measured paths:
Path1: 10ms latency, 0% loss, 5ms jitter
Path2: 200ms latency, 3% loss, 10ms jitter
Path3: 140ms latency, 1% loss, 10ms jitter
- 23.
Protecting Critical Applications While Increasing Link Efficiency
Multimedia and Critical Data Policy
• Protect voice and video quality: Latency < 150 ms, Jitter < 20 ms
• Protect Email applications from WAN congestion: Loss < 5%
• Voice and video preferred path SP1
• Email preferred path ISP
• Increase utilization by load sharing
Diagram: MPLS and Internet links; voice and video move off the link where high jitter is detected, while email and best-effort traffic share the remaining capacity.
Business App and Load-Balancing Policy
• Protect transactional business app from brownouts: delay < 250ms
• Preferred path MPLS
• Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet
Diagram: MPLS and Internet links; the business app moves off the link where high delay is detected, while best-effort traffic is load-shared across both.
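As an added illustration (not code from the deck or from Viptela), the Go program below evaluates the App Aware Routing policy of slide 22 and the policy classes of slide 23 against the three measured paths: every threshold is strict as written ("< 150ms"), a preferred transport is honoured only among compliant paths, and traffic with no compliant path falls back to ordinary fabric routing. The transport colors assigned to Path1-3 and the reading of "SP1" as the MPLS transport are assumptions.

```go
package main

import "fmt"

// PathStats is what a vEdge measures on one IPsec tunnel with BFD probes.
// Transport assignments are constructed; the deck gives only the numbers.
type PathStats struct {
	Name      string
	Transport string
	LatencyMs float64
	LossPct   float64
	JitterMs  float64
}

// SLAClass is an app-aware routing SLA as written on the slides: each metric
// must be strictly below its threshold ("latency < 150ms"). A zero threshold
// means that metric is not part of the SLA. Preferred names a transport whose
// compliant paths are used first ("preferred path MPLS"); "" means none.
type SLAClass struct {
	Name         string
	MaxLatencyMs float64
	MaxLossPct   float64
	MaxJitterMs  float64
	Preferred    string
}

// Compliant reports whether a single path meets every threshold of the class.
// The comparison is strict, so Path3 (10ms jitter) fails "jitter < 10ms".
func (c SLAClass) Compliant(p PathStats) bool {
	if c.MaxLatencyMs > 0 && p.LatencyMs >= c.MaxLatencyMs {
		return false
	}
	if c.MaxLossPct > 0 && p.LossPct >= c.MaxLossPct {
		return false
	}
	if c.MaxJitterMs > 0 && p.JitterMs >= c.MaxJitterMs {
		return false
	}
	return true
}

// Select returns the path names traffic in class c is sent over and whether
// that set is SLA-compliant. Compliant paths on the preferred transport win;
// otherwise every compliant path is load-shared; if no path is compliant the
// traffic falls back to ordinary fabric routing across all paths (the
// slide's "other applications" behaviour) and compliant is false.
func Select(c SLAClass, paths []PathStats) (chosen []string, compliant bool) {
	var ok, pref []string
	for _, p := range paths {
		if !c.Compliant(p) {
			continue
		}
		ok = append(ok, p.Name)
		if p.Transport == c.Preferred {
			pref = append(pref, p.Name)
		}
	}
	if len(pref) > 0 {
		return pref, true
	}
	if len(ok) > 0 {
		return ok, true
	}
	for _, p := range paths {
		chosen = append(chosen, p.Name)
	}
	return chosen, false
}

// SamplePaths are the three paths measured on slide 22 (transport colors are
// an assumption added here).
var SamplePaths = []PathStats{
	{"Path1", "mpls", 10, 0, 5},
	{"Path2", "lte", 200, 3, 10},
	{"Path3", "internet", 140, 1, 10},
}

// Policy classes taken from slides 22 and 23 ("SP1" read as mpls).
var (
	AppA        = SLAClass{Name: "App A", MaxLatencyMs: 150, MaxLossPct: 2, MaxJitterMs: 10}
	VoiceVideo  = SLAClass{Name: "Voice/Video", MaxLatencyMs: 150, MaxJitterMs: 20, Preferred: "mpls"}
	Email       = SLAClass{Name: "Email", MaxLossPct: 5, Preferred: "internet"}
	BusinessApp = SLAClass{Name: "Business App", MaxLatencyMs: 250, Preferred: "mpls"}
)

func main() {
	for _, c := range []SLAClass{AppA, VoiceVideo, Email, BusinessApp} {
		paths, compliant := Select(c, SamplePaths)
		fmt.Printf("%-13s -> %v (SLA met: %v)\n", c.Name, paths, compliant)
	}
}
```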
- 24.
Application Optimization
TCP Performance Optimization
• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
Diagram: Users and Servers each have ordinary TCP connections to their local vEdge; between the two vEdges, across the high latency path through the SD-WAN fabric, run optimized TCP connections (Cubic).
- 25.
Cisco SD-WAN
Management and Operation
- 26.
vEdge and Controllers White-List
• Administrator adds controllers (vSmarts and vBonds) on the vManage
- Can trigger CSR generation, forwarding to Symantec, retrieval and installation of the signed certificate back into the controllers
• Controllers list is distributed by vManage to all the controllers
• Digitally signed vEdge list is provided by Viptela and uploaded into the vManage by the administrator
- Downloadable from Viptela support page
• vEdge list is distributed by vManage to all the controllers
Diagram: the signed vEdge list and the administrator-defined controller list flow from vManage to vSmart and vBond.
- 27.
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
Diagram: the installer provides only network and power; the vEdge obtains an address via DHCP, reaches the ZTP server, and presents its X.509 identity from the TPM to vBond, which checks it against the vEdge list (white-list) before trust is established; vSmart and vManage then bring the router up, and vManage pushes the vEdge configuration template prepared by the administrator.
- 28.
vEdge Appliance – Router Identity
• Each physical vEdge router is uniquely identified by the chassis ID and certificate serial number
• Certificate is stored in onboard Tamper Proof Module (TPM)
- Installed during manufacturing process
- Certificate is signed by Avnet root CA
- Trusted by Control Plane elements
• Symantec root CA chain of trust is used to validate Control Plane elements
- Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
- Can be automatically installed during ZTP
Diagram: the device certificate is placed in the TPM chip during manufacturing; the root chain ships in Viptela software.
- 29.
vEdge Cloud – Router Identity
• OTP/Token is generated by vManage
- One per (chassisID, serial number) in the uploaded vEdge list
• OTP/Token is supplied to vEdge Cloud in Cloud-Init during the VM deployment
• vManage issues self-signed certificate for the vEdge Cloud post OTP/Token validation
- vManage removes OTP to prevent reuse
• Symantec root CA chain of trust is used to validate Control Plane elements
- Alternatively, if used, Enterprise root CA chain of trust can be used to validate Control Plane elements
- Can be provided in Cloud-Init
Diagram: the device certificate is issued by vManage; the root chain ships in Viptela software.
- 30.
Certificate-Based Trust
• Bi-directional certificate-based trust between all elements
- Public or Enterprise PKI
• White-list of valid vEdges and controllers
- Certificate serial number as unique identification
Diagram: vEdge, vBond, vManage and vSmart mutually authenticate; the signed vEdge list and the administrator-defined controller list define which identities are allowed.
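An added example, not part of the deck or of Viptela's software, of the white-list plus chain-of-trust check that slides 26, 28 and 30 describe, written in Go with the standard crypto/x509 package: a locally generated root stands in for the Avnet manufacturing CA (an assumption), device certificates carry a constructed chassis ID and serial number, and Authorize() accepts a router only when its certificate chains to the trusted root and its (chassis ID, serial) pair is on the uploaded list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Whitelist is the vEdge list uploaded to vManage and distributed to the
// controllers: chassis ID -> certificate serial number (decimal string).
// The signature Viptela puts on the real list is not modelled here.
type Whitelist map[string]string

// CA is a constructed stand-in for the manufacturing root CA (Avnet on the
// slides). A real root is trusted from the software image, not generated.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &CA{Cert: cert, Key: key}, nil
}

// IssueDeviceCert mimics the manufacturing step: the device certificate carries
// the chassis ID as its CN plus a unique serial, and would be written into the TPM.
func (ca *CA) IssueDeviceCert(chassisID string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: chassisID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Authorize is the vBond-side decision on a vEdge control connection: the
// certificate must chain to the trusted manufacturing root AND its (chassis ID,
// serial) pair must be on the white-list. A genuine certificate the
// administrator never listed is still rejected.
func Authorize(cert, root *x509.Certificate, wl Whitelist) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain of trust: %w", err)
	}
	chassis := cert.Subject.CommonName
	want, listed := wl[chassis]
	if !listed {
		return fmt.Errorf("chassis %q is not on the vEdge list", chassis)
	}
	if want != cert.SerialNumber.String() {
		return fmt.Errorf("serial %s does not match the vEdge list entry for %q", cert.SerialNumber.String(), chassis)
	}
	return nil
}

func main() {
	root, _ := NewCA("constructed-manufacturing-root") // stand-in for the Avnet root
	rogue, _ := NewCA("rogue-root")                    // a CA the controllers do not trust
	wl := Whitelist{"CHASSIS-0001": "1001"}           // constructed vEdge list entry
	good, _ := root.IssueDeviceCert("CHASSIS-0001", 1001)
	forged, _ := rogue.IssueDeviceCert("CHASSIS-0001", 1001)
	fmt.Println("listed, trusted root:", Authorize(good, root.Cert, wl))
	fmt.Println("listed, untrusted root:", Authorize(forged, root.Cert, wl))
}
```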
- 31.
Cisco SD-WAN VPNs
vEdge Router Security Zones
Diagram: on a vEdge router, the Transport VPN (VPN0) holds the MPLS and INET interfaces, the Service VPNs (VPNn) hold the LAN-side interfaces and sub-interfaces, and the Management VPN (VPN512) holds the management interface.
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is advertised by the OMP
- 32.
Software Defined Centralized Control
Diagram: a legacy full-mesh control plane with O(n^2) complexity, versus SD-WAN with DTLS/TLS control channels from every vEdge to the control elements, O(n) complexity.
• Virtual Fabric over any transport
• Virtual or Physical Platforms (vEdge)
• Centralized reachability, security and application policies
• Secure Channel to SD-WAN Controller (vSmart, vBond, vManage)
- Single extensible control plane
- Operates over DTLS/TLS authenticated and secured tunnels
• Dramatically lowers complexity and increases overall solution scale
- 33.
Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Advertises control plane context
Diagram: vEdge routers peer with the vSmart controllers, and the vSmart controllers peer with each other.
Note: vEdge routers need no control connections amongst them
- 34.
Fabric Operation
Fabric Walk-Through
OMP Update carries:
• Reachability – IP Subnets, TLOCs
• Security – Encryption Keys
• Policy – Data/App-route Policies
Diagram: two vEdges, each with VPN1 and VPN2 service-side networks (A/B and C/D) learned from BGP, OSPF, connected and static routes, send OMP updates (subnets, TLOCs) over DTLS/TLS tunnels to vSmart; vSmart returns OMP updates carrying subnets, TLOCs and policies. Between the vEdges, IPsec tunnels over Transport1 and Transport2 are monitored by BFD.
- 35.
Data Plane Security Encryption
• Each vEdge advertises its local IPsec encryption keys in OMP updates to the vSmart controllers, which relay them to the remote vEdge
• Encryption key is per-transport
• Symmetric encryption keys used asymmetrically
Diagram: each vEdge holds local keys 1/2 (one per transport, Transport1/Transport2) and learns the remote keys 1'/2'; traffic in one direction is encrypted with keys 1/2, in the other with keys 1'/2'. Labels: Control Plane (OMP updates), AES256-GCM.
- 36.
Policy Driven WAN Infrastructure
Policy Augmented Dynamic Routing
Diagram, numbered steps:
1. vManage GUI – Policy Orchestration: Control Policy (Routing and Services), Data Policy (Extensive Policy-based Routing and Services) and App-Route Policy (App-Aware SLA-based Routing) are combined and applied per site
2. vSmart controller – Policy Enforcement/Advertisement: executes the Control Policy and advertises AAR/Data Policies to sites
3. vEdge WAN router (Access Layer, Branch/DC): executes AAR and Data Policy as received
Dynamic Routing and Policies combine to dictate behavior
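An added example (not Viptela's code) of the OMP route reflection and control-policy behaviour described on slides 16, 33, 34 and 36: a toy vSmart in Go receives OMP routes from three constructed sites and, when re-advertising them, enforces a per-VPN topology (full mesh for VPN1, hub-and-spoke for VPN2), so the control policy is executed on the controller and never reaches the vEdge. Site numbers, prefixes and TLOC values are constructed; ControlSessions() only restates the O(n) versus O(n^2) claim of slide 32.

```go
package main

import "fmt"

// TLOC is a transport location: the vEdge's system IP, transport color and
// encapsulation. vSmart learns TLOCs from OMP updates and re-advertises them.
type TLOC struct{ SystemIP, Color, Encap string }

// Route is one OMP reachability entry: a service-side prefix in a VPN,
// reachable through a TLOC of the originating vEdge, tagged with its site ID.
type Route struct {
	VPN    int
	Prefix string
	TLOC   TLOC
	Site   int
}

// Topology is the per-VPN control policy from slide 16: "full-mesh", or
// "hub-and-spoke" with the site ID of the hub.
type Topology struct {
	Mode string
	Hub  int
}

// VSmart models the controller: every vEdge peers with it (never with other
// vEdges), it keeps all received OMP routes and applies the control policy
// when it advertises them back out.
type VSmart struct {
	rib    []Route
	policy map[int]Topology // VPN -> topology; VPNs without an entry are full-mesh
}

func NewVSmart(policy map[int]Topology) *VSmart { return &VSmart{policy: policy} }

// Receive handles an inbound OMP update from a vEdge.
func (v *VSmart) Receive(r Route) { v.rib = append(v.rib, r) }

// Advertise returns the OMP routes vSmart sends to the vEdge at site. The
// control policy executes here on the controller (slides 18 and 36): in a
// hub-and-spoke VPN a spoke only learns the hub's routes and the hub learns
// everyone's, so spoke-to-spoke traffic can only go via the hub. A vEdge is
// never sent its own routes.
func (v *VSmart) Advertise(site int) []Route {
	var out []Route
	for _, r := range v.rib {
		if r.Site == site {
			continue
		}
		t, ok := v.policy[r.VPN]
		if !ok || t.Mode == "full-mesh" || site == t.Hub || r.Site == t.Hub {
			out = append(out, r)
		}
	}
	return out
}

// Prefixes lists the prefixes of routes belonging to one VPN.
func Prefixes(rs []Route, vpn int) []string {
	var out []string
	for _, r := range rs {
		if r.VPN == vpn {
			out = append(out, r.Prefix)
		}
	}
	return out
}

// ControlSessions compares control-plane fan-out for n edges (slide 32):
// a legacy full mesh needs n(n-1)/2 peerings, SD-WAN needs n (one per vEdge
// to the controller).
func ControlSessions(n int) (legacy, sdwan int) { return n * (n - 1) / 2, n }

// BuildFabric is a constructed three-site fabric: site 1 is the data center
// hub, sites 2 and 3 are branches. VPN1 is full mesh, VPN2 is hub-and-spoke.
func BuildFabric() *VSmart {
	vs := NewVSmart(map[int]Topology{
		1: {Mode: "full-mesh"},
		2: {Mode: "hub-and-spoke", Hub: 1},
	})
	for site := 1; site <= 3; site++ {
		tloc := TLOC{SystemIP: fmt.Sprintf("10.0.0.%d", site), Color: "mpls", Encap: "ipsec"}
		vs.Receive(Route{VPN: 1, Prefix: fmt.Sprintf("10.%d.1.0/24", site), TLOC: tloc, Site: site})
		vs.Receive(Route{VPN: 2, Prefix: fmt.Sprintf("10.%d.2.0/24", site), TLOC: tloc, Site: site})
	}
	return vs
}

func main() {
	vs := BuildFabric()
	for site := 1; site <= 3; site++ {
		adv := vs.Advertise(site)
		fmt.Printf("site %d learns VPN1 %v, VPN2 %v\n", site, Prefixes(adv, 1), Prefixes(adv, 2))
	}
}
```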
- 37.
Policy Framework
Centralized and Localized Policies
Diagram: vManage pushes device configuration over NETCONF/YANG to both vSmart and vEdge.
• Centralized policies (configured on vSmart): Centralized Control Policy (Fabric Routing), Centralized Data Policy (Fabric Data Plane), Centralized App-Aware Policy (Application SLA); the data and app-aware policies are advertised to the vEdge over OMP
• Localized policies (configured on vEdge): Local Control Policy (OSPF/BGP), Local Data Policy (QoS/Mirror/ACL)
- 38.
Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
- Prevents configuration drift
- 39.
Self-Healing
Software Upgrade and Configuration Change
Diagram, failed upgrade: a vEdge router holds the active software (A) and available software images (B, C, D); (1) a new image is activated, (2) the upgrade fails, (3) the router rolls back to the previously active image.
Diagram, configuration change: (1) vManage attaches a template to the vEdge router, (2) connectivity to vManage is lost, (3) the router rolls back to its previous configuration.
- 40.
Single Pane of Glass Operations
vManage GUI
• Intuitive GUI driven operations: management, monitoring and troubleshooting
• Cloud delivered: private, hosted or managed
• Single or Multi-tenant
• Role-based Access Control
• Clustered for scale and high availability
• REST APIs based
- 41.
vAnalytics Dashboard
- 42.
Cisco SD-WAN Elements
- 43.
Summary: Solution Elements
Orchestration, Control, Data and Management Planes
Control Plane – Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient
Data Plane – Cisco vEdge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
Management Plane – Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• NMS interfaces (SNMP, Syslog, IPFIX)
Orchestration Plane – Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient
- 44.
Cisco vEdge Routers Portfolio
• vEdge 100 family: Branch/SOHO/SMB (100Mb)
• vEdge 1000: Branch/Campus (1Gb)
• vEdge 2000: Campus/Data Center (10Gb)
• vEdge 5000: Campus/Data Center (20Gb+)
• vEdge Cloud on Greybox or Whitebox: NFV, vCPE (N x cores)
• vEdge Cloud: IaaS & Cloud Interconnect (N x cores)
- 45.
vEdge-100 Routers
Small Office, Home Office Edge
vEdge 100: 100 Mbps AES-256; 5x 1000Base-T; TPM chip; Security, QoS; External AC PS; Kensington lock; Fan-less; 9” x 1.75” x 5.5”; GPS
vEdge 100m: 100 Mbps AES-256; 1RU; 5x 1000Base-T; 1x POE port; 2G/3G/4G LTE; Internal AC PS; 1x USB-3.0; TPM Board-ID; Kensington lock; Low power fan; GPS
vEdge 100mw: 100 Mbps AES-256; 1RU; 5x 1000Base-T; 1x POE port; 2G/3G/4G LTE; 802.11a/b/g/n/ac; Internal AC PS; 1x USB-3.0; TPM Board-ID; Kensington lock; Low power fan; GPS
- 46.
vEdge-1000 and vEdge-2000 Routers
Campus and Data Center Edge
vEdge 1000: 1 Gbps AES-256; 1RU, standard rack mountable; 8x GE SFP (10/100/1000); TPM chip; 3G/4G via USB (or) Ethernet; Security, QoS; Dual power supplies (external); Low power consumption
vEdge 2000: 10 Gbps AES-256; 1RU, standard rack mountable; 4x Fixed GE SFP (10/100/1000); 2 Pluggable Interface Modules: 8 x 1GE SFP (10/100/1000), 2 x 10GE SFP+; TPM chip; 3G/4G via USB (or) Ethernet; Security, QoS; Dual power supplies (internal); Redundant fans
- 47.
vEdge 5000
Campus and Data Center Edge
Platform Capabilities:
• 4 Network Interface Modules (NIM) slots
• Variety of NIM options: 8 x 1G, 4 x 10G, 2 x 40G
• Feature parity with Cisco vEdge 2000 platform
- 48.
vEdge Cloud Virtual Routers
Virtualized Branch or Cloud
Diagram: vEdge Cloud VMs run on-premise on a physical server under ESXi or KVM, or hosted in AWS or Azure.
VM throughput:
• 2x vCPU: 500Mb/s
• 4x vCPU: 1Gb/s
• 8x vCPU: 1.5Gb/s
- 49.
Controllers
Cloud or On-Premise Delivered
Diagram: on-premise, vManage, vSmart and vBond* run as VMs or vContainers on a physical server under ESXi or KVM; hosted, the same elements run as VMs or vContainers in AWS or Azure.
* Can be deployed as physical vEdge appliance
- 50.
Cisco SD-WAN Scale
- 51.
Scalability
Data Plane and IPsec
IPsec tunnels per platform:
• vEdge100: 250
• vEdge1000: 1500
• vEdge2000: 6000
Max aggregated throughput:
• vEdge-100 – 100MB AES-256 full duplex
• vEdge-1000 – 1GB AES-256 full duplex
• vEdge-2000 – 10GB AES-256 full duplex
Max number of concurrent VPNs: 64 [vpn 0 and vpn 512 included]
Overlay tunnels are static based on policy, not dynamically generated on-demand.
- 52.
Scalability
Orchestration/Control/Management Plane
Diagram: Data Center, Campus, Branch and Home Office sites over 4G/LTE, MPLS and Internet.
• Orchestration Plane (vBond): 2000 vEdges per vBond; redundancy: add 1-2 vBonds; horizontal scale out model
• Control Plane (vSmart, containers or VMs): 2700 vEdges per vSmart; redundancy: add 1-2 vSmarts; horizontal scale out model
• Management Plane (vManage, multi-tenant or dedicated): 2700 vEdges per vManage; horizontal scale out model in cluster mode (same DC)
- 53.
Pricing Model
Diagram, three cost components: perpetual cost of Cisco SD-WAN CPE hardware; subscription cost of Cisco SD-WAN software (includes SD-WAN controller + CPE software); operational cost of Cisco SD-WAN solution.
1. Subscription* license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is dependent on two factors:
• Service bandwidth
• Features
2. Perpetual cost of Cisco SD-WAN CPE** element.
*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Cisco SD-WAN support, next day hardware replacement for Cisco SD-WAN CPE, software upgrades on all components and the cost of hosting the Cisco SD-WAN controllers in the Cisco SD-WAN cloud.
**Note: CPE can be Cisco SD-WAN owned or in the case of Virtual CPE customer owned. Cost here implies Cisco SD-WAN CPE only.
- 54.
Licensing Tiers
License terms: 1,3,5 Years
Plus
• Fabric: Management, Controllers, ZTP
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel, IPSec IKEv1/v2, GRE
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple only)
• Segmentation: 2 VPNs (service + transport)
• Visibility: DPI for visibility only
• Support: 24x7x365, NBD RMA
Diagram: hub with spokes over MPLS and Internet, local breakout, SD-WAN management and controllers, AAR.
Professional
• All Plus tier features
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology, any
• Internet/Cloud: Cloud onRamp for IaaS/SaaS
• Policy: Control policy, service insertion, extranet
• Segmentation: 5 VPNs (transport + 4x service)
• SLA: Application aware routing (DPI)
• Multicast
Diagram: hub and spokes over MPLS and Internet with dynamic routing, an IaaS cloud spoke, SaaS, AAR, E2E segmentation, SD-WAN management and controllers.
Enterprise
• All Professional tier features
• Segmentation: Unlimited VPNs
• Analytics: vAnalytics platform
• Optimizations: TCP Optimization
Diagram: as for Professional, plus analytics.
- 55.
Use Cases & Deployments
Supporting a diverse set of topologies and architectures @ scale
Segmentation & Multi-Topology
Technology Use Cases – M&A, Line-of-business separation, Partner network
• Independent and isolated virtual topologies operating at the same time
Diagram: Site A, Site B and the Data Center connected by Viptela vEdges over MPLS and Internet; the virtual fabric carries User Traffic in VPN1 and Video Traffic in VPN2.
Fully Managed WAN With Centralized Control
Diagram: the WAN links Enterprise NOC & Access Control (NAC & MDM), Data Center, CoLo & DMZ, Public Cloud & Network Services, and the branch (routing & switching, Unified Communications, Enterprise Wireless, WAN Opt & caching).
- 56.
Better Together
Leading Routing & SD-WAN Platforms + Cloud-managed & Feature-rich SD-WAN
Goal: Building next generation SD-WAN solutions
Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk
- 57.
Choosing the Appropriate SD-WAN Solution
Advanced SD-WAN
• Cloud and OnRamp
• More than two active transports or active LTE
• Comprehensive WAN connectivity & services
• Complex topologies
• Custom policies at scale
• Advanced routing & segmentation
• Native dynamic cloud application acceleration
SD-WAN Common
• Hybrid WAN
• L3 overlay for hub-spoke deployments
• Dynamic path selection
• Cloud-managed
• Zero touch deployment with templates and easy to use dashboard
Single Dashboard
• Single pane-of-glass management for full stack infrastructure across the branch
• Existing Meraki customers evaluating SD-WAN
• Competitive pricing pressure
• Integrated branch security and network connectivity solution
- 58.
Now What About IWAN
• Cisco IWAN has over 200,000 sites deployed or in deployment
• No plans to EOL or EOS – 3+ years of support
• IWAN 2.x & IWAN App support and roadmap will continue as per prior customer commitments
- Direct Cloud Access, Scale Increase, Hardening, MC Placement, APIC behind NAT
- 59.
Viptela Integration Plan
- 60.
Viptela Integration Plan
Phase 1 – No Integration
• Platform: As-is
• Management: vManage
• Benefit: Support current Viptela customers
• Deployment scenario: vEdge managed by vManage
Phase 2 – Platform Integration
• Platform: vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K)
• Management: vManage for SD-WAN capabilities on IOS-XE
• Benefit: Viptela SD-WAN on strategic ISR platform
• Deployment scenario: vEdge and ISR4K + vEdge SW managed by vManage
Phase 3 – Management Integration
• Management: Cloud hosted DNA Center integrates vManage capabilities
• Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN)
• Benefit: Deliver end-to-end experience with full DNA integration
• Deployment scenario: vEdge and ISR4K + vEdge SW managed by DNA Center + SD-WAN
- 61.
High-level Feature Integration Plan
Existing Viptela Capabilities:
• Day 0, Workflows (User Configuration, System setup, Segmentation Setup)
• Day 1, Control phase setup, ZTP, Templates, Segmentation, DC routing, Topologies
• Day N, Application Policy, QoS, DIA, Cloud Express, Monitoring & Troubleshooting, Upgrade Options
Existing IOS-XE Capabilities:
• Platform & Interfaces: ASR1K, CSR, ISR4K, T1/E1, FXS/FXO etc
• Security & Services: ZBF, Umbrella, WAAS, UC, etc
• Advanced Capabilities: QoS, BGP etc.
- 62.
XE-SDWAN Integration Roadmap
March 2018 – EFT
vEdge capabilities
• SD WAN Features: ZTP, App Route Policy, QoS, Cloud Onramp – IaaS, Segmentation, NAT DIA, BFD PMTU
• Routing Protocols: BGP, OSPF
• Other Features: VRRP; DHCP server, DNS, RADIUS, Syslog, NTP
• Monitoring & Troubleshooting: System & Interface stats
IOS capabilities
• Capabilities: NBAR2
• Platform: ISR 4331, ASR 1001-x
• New Interfaces: Ethernet, 4G LTE, T1/E1
July 2018 – GA release
vEdge capabilities
• SD WAN Features: All EFT features, TLOC Extension, Loopback interface, Generic IPSEC Tunnel (IKEv1 and IKEv2)
• Monitoring & Troubleshooting: vManage with DPI & Cflowd, Analytics
IOS capabilities
• Security: Umbrella (DNS redirect), Zone Based Firewall
• Services: NBAR2 SD-AVC
• Platforms: C11xx, ISR43xx, ISR4221, ASR1001-X, ASR1002-X, ASR 1001-HX, ASR 1002-HX, C111, ISRv (ENCS) 5412
• New Interfaces: xDSL
Post GA Roadmap
vEdge capabilities
• SD WAN Features: Cloud Onramp – SaaS, TCP Optimizations, IPv6 support (Service & Transport), Service chaining
• Services: Multicast
IOS capabilities
• App QoE
• Security: Umbrella
• Services: AppNav Functionality; UC – SRST, PSTN GW, SIP GW; NBAR2 Custom App
• SDA segmentation use case
• Platforms: CSR, ENCS, ISR-4451, ISR-4431
• New Interfaces: Port Channel
- 63.
Key Takeaways
• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem (hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a common ISR 4K-based platform, but the complementary Viptela core products are here to stay for the foreseeable future
• Cisco is the market and technology leader in SD-WAN, combining the flexibility of Viptela, Meraki, and ISR IOS-XE