
Virtual SD-WAN Interactive Test Drive

Instructor Facilitated Customer Experience

Ricardo Soler Mesquita
Technical Solutions Architect, Enterprise Networks Brazil
CCIE #28156
Oct 20th, 2020
Introduction & Agenda

Module 1: Trends, Challenges, Benefits & Capabilities
• Ice Breaker: Trends and Use Cases

Module 2: Cisco SD-WAN Overview
• Solution Elements
• ZTP and SWIM
• SD-WAN Operations

Module 3: Securing and Troubleshooting the WAN
• Security Use Cases
• SASE
• Performance and Troubleshooting

Module 4: Application Performance
• Application Experience

Module 5: Cloud Application Performance
• Direct Internet Access
• Connecting to Multiple Clouds

Module 6: Programmability/DevNet
• SD-WAN Programmability

Module 7: Hardware Platforms
• SD-WAN Portfolio
• New Additions

Cisco Capture the Flag 🚩
• Elements and Operations
• ZTP and SWIM
• Performance & Troubleshooting
• DIA and DCA
Module 1:
Trends, Challenges,
Benefits and Capabilities
Today Applications are Moving to Multiple Clouds
[Figure: Devices & Things, Mobile Users and Campus & Branch Users reach IaaS, SaaS and the DC/Private Cloud across the WAN]
Benefits of Cisco SD-WAN

Predictable app experience
• Support for evolving business application strategy
• Cloud OnRamp for IaaS, SaaS and Colocation

Right security, right place
• Secure segmentation across entire network stack
• Full edge security stack from branch to cloud and colocations

Enterprise grade, simplified
• Intent-based networking with multi-domain policy
• Proven deployments to over 10,000+ sites

One user interface for Security and SD-WAN across branch, cloud, and co-location
Module 2:
Cisco SD-WAN Overview
Cisco SD-WAN Architectural Elements
• Orchestration Plane: Cisco vBond
• Management Plane: Cisco vManage
• Control Plane: Cisco vSmart controllers
• Data Plane: physical/virtual WAN Edge platforms (Cisco vEdge/cEdge) in the Cloud, Data Center, Campus, Branch and SOHO
Zero Touch Provisioning
Zero Touch Bring Up Elements
[Figure: zero-touch bring-up in steps 1 to 5; labels visible: Server, Control and Policy, ztp.viptela.com, vManage, Full Registration and Configuration]

Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ztp.viptela.com*
§ Delivered as-a-Service

* Factory default config of the WAN Edge Platform


Centralized Software Upgrades
[Figure: vEdge/cEdge image partitions, Active Software A and Available Software B, C, D; steps: (1) activate, (2) upgrade, (3) rollback when the upgrade failed]
• All software upgrades are performed centrally from vManage
• One or two stage upgrade
  - Load software and reboot now
  - Load software and reboot later
• Self-healing on upgrade failure
  - Device will revert to the last good image
• There is no requirement to run the same software version on all elements
• Controllers should have higher software version than routers
Bidirectional Forwarding Detection (BFD)
[Figure: full mesh of BFD sessions between the vEdge/cEdge routers]
• Tunnel Health Monitoring
  - Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all edge platforms in the topology
  - Inside IPSec tunnels
  - Operates in echo mode
  - Automatically invoked at IPSec tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per-platform, per-color
Overlay Management Protocol (OMP)
Unified Control Plane
[Figure: vSmart controllers peer with each other and with the vEdge/cEdge routers over OMP]
• TCP based extensible control plane protocol
• Runs between vEdge/cEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale

Note: vEdge/cEdge routers need not connect to all vSmart Controllers
Transport Locators (TLOCs)
[Figure: each vEdge/cEdge advertises its local TLOCs to the vSmarts; the vSmarts advertise them to all vEdges/cEdges, forming a full-mesh SD-WAN fabric of IPSec tunnels; legend: Transport Locator (TLOC), OMP, IPSec Tunnel]
• Local TLOCs (System IP, Color, Encap) are advertised to the vSmarts (default)
• vSmarts advertise TLOCs to all vEdges/cEdges* (default), which yields a full mesh SD-WAN fabric

* Can be influenced by the control policies
Transport Colors
[Figure: two fabrics of four vEdges, each vEdge with TLOCs T1 and T3 (Public Color) and T2 and T4 (Private Color), one fabric placed behind a DMZ; tunnel pairs shown: T1-T3, T2-T4, T1-T4, T2-T3]
• T1, T3 – Public Color; T2, T4 – Private Color
• Color restrict will prevent attempt to establish IPSec tunnel to TLOCs with different color
Fabric Operation Walk-Through
OMP Update carries:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies
[Figure: vSmart exchanges OMP updates and policies with each vEdge/cEdge over DTLS/TLS tunnels; the vEdge/cEdge routers connect their TLOCs over Transport1 and Transport2 through IPSec tunnels monitored by BFD; service-side VPN1 and VPN2 learn subnets A, B, C, D via BGP, OSPF, EIGRP, Connected and Static routes]
Module 3:
Securing and
Troubleshooting the WAN
Cisco SD-WAN VPNs
Router Security Zones
[Figure: the Transport VPN (VPN0) holds the MPLS and INET interfaces/sub-interfaces, the Service VPNs (VPNn) hold the LAN-side interfaces/sub-interfaces, and the Management VPN (VPN512) holds the management interface]
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is advertised by the OMP
End-to-End Segmentation
[Figure: the ingress vEdge maps interfaces/VLANs into VPN 1, VPN 2 and VPN 3, carries them across the SD-WAN IPSec tunnel, and the egress vEdge maps them back to interfaces/VLANs]

Tunnel packet format (bytes): IP (20) | UDP (8) | ESP (36) | VPN label (4) | Data (…)

• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge/cEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
Arbitrary VPN Topologies
[Figure: VPN1 full-mesh, VPN2 hub-and-spoke, VPN3 partial mesh, VPN4 point-to-point]
• Each VPN can have its own topology
  - Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
  - Filtering TLOCs or modifying next-hop TLOC attribute for OMP routes
• Applications can benefit from shortest path, e.g. voice takes full-mesh topology
• Security compliance can benefit from controlled connectivity topology, e.g. PCI data takes hub-and-spoke topology
SD-WAN exposes new security challenges
Internal & External Threats
[Figure: the SD-WAN fabric joins the Data Center (existing security stack in DMZ), Branch/Campus corporate users (basic/no security) and direct Internet and IaaS/SaaS access from the WAN Edge device (no security)]

External
• Exposure to malware & phishing due to direct internet and cloud access
• Data breaches

Internal
• Guest access liability
• Untrusted access (malicious insider)
• Compliance (PCI, HIPAA, GDPR)
• Lateral movements (breach propagation)
Secure Access Service Edge
Transitioning to a Cloud-First Security Model
[Figure: Cisco SD-WAN + Umbrella combines cloud-delivered Secure Web Gateway (SWG), cloud-delivered firewall, cloud access security broker (CASB), DNS-layer security and interactive threat intel]

What is SASE?
"SASE combines network security functions (such as SWG, CASB, FWaaS and ZTNA*), with WAN capabilities (i.e., SDWAN) to support the dynamic secure access needs of organizations. These capabilities are delivered primarily aaS and based upon the identity of the entity, real time context and security/compliance policies." – Andrew Lerner, Gartner Inc.
https://blogs.gartner.com/andrew-lerner/2019/12/23/say-hello-sase-secure-access-service-edge/

* ZTNA = Zero Trust Network Access

Cisco SD-WAN Security & SASE Solution
Consistent across on-prem and cloud
• Enterprise Firewall: Layer 3 to 7 apps classified
• Intrusion Protection System: most widely deployed IPS engine in the world
• URL-Filtering: web reputation score using 82+ web categories
• Adv. Malware Protection: with File Reputation and Sandboxing (TG)
• SSL Proxy: detect threats in encrypted traffic
• Umbrella Cloud Security: DNS Security/Cloud FW with Cisco Umbrella
Path Performance
• BFD is used to measure performance characteristics of each individual IPSec tunnel
• Loss, latency and jitter are represented in the tunnel performance graph on the vManage
• Real-time views or custom timeline view granularity
• Views can be zoomed into
Troubleshooting
• Basic connectivity troubleshooting with ping and traceroute from any vEdge/cEdge in the topology to any destination
• Advanced troubleshooting with real-time queries against vEdge/cEdge routers
• Expert troubleshooting with full featured CLI and Linux bash shell
• Traffic analysis with synthetic traffic generation to test policies
Module 4:
Application Performance
Improving Application Experience
[Figure: between the Data Center and Branch/Campus over MPLS (Primary), Internet and 4G LTE paths: packets 1 to 4 carried with FEC headers plus a parity packet (Forward Error Correction), an optimized TCP connection (Cubic), and the same packets sent over two paths (Packet Duplication)]

Capabilities
• Application SLA
• TCP Optimization
• Forward Error Correction
• Packet Duplication

App Aware Routing Policy: App A path must have latency <150ms & loss <2%
• Path1: 10ms, 0% loss
• Path2: 200ms, 3% loss
• Path3: 140ms, 1% loss
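The app-aware routing decision above, worked as an added example (not code from the deck or from Cisco): an SLA class holds the thresholds, the per-path BFD measurements are checked against them, and only compliant paths are returned. The fallback to the lowest-latency path when nothing complies is an assumption of this example, not a documented default.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an application's traffic must stay within (the slide's
    'latency <150ms & loss <2%' policy for App A)."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: Optional[float] = None  # None: jitter is not part of the SLA


@dataclass(frozen=True)
class PathStats:
    """BFD-measured health of one IPSec tunnel (one candidate path)."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float = 0.0


def meets_sla(path: PathStats, sla: SlaClass) -> bool:
    """True when every measured value is strictly inside the SLA thresholds."""
    if path.latency_ms >= sla.max_latency_ms or path.loss_pct >= sla.max_loss_pct:
        return False
    return sla.max_jitter_ms is None or path.jitter_ms < sla.max_jitter_ms


def select_paths(paths: Iterable[PathStats], sla: SlaClass,
                 preferred: Optional[Set[str]] = None) -> List[str]:
    """Names of the paths the application may use: all SLA-compliant paths,
    narrowed to the preferred ones when any of those comply. With no compliant
    path, fall back to the single lowest-latency path (assumption of this
    example) so the application is never blackholed."""
    paths = list(paths)
    compliant = [p for p in paths if meets_sla(p, sla)]
    if preferred:
        kept = [p for p in compliant if p.name in preferred]
        if kept:
            compliant = kept
    if compliant:
        return [p.name for p in compliant]
    best = min(paths, key=lambda p: (p.latency_ms, p.loss_pct))
    return [best.name]


# Constructed sample: the App A policy and the three paths from the slide.
APP_A = SlaClass("App A", max_latency_ms=150, max_loss_pct=2)
PATHS = [PathStats("Path1", 10, 0), PathStats("Path2", 200, 3), PathStats("Path3", 140, 1)]

if __name__ == "__main__":
    print(select_paths(PATHS, APP_A))  # ['Path1', 'Path3']
```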
Module 5:
Cloud Application
Performance
Direct Internet Access
[Figure: a Remote Site with ISP1, ISP2 and MPLS links exits to the Internet locally or backhauls across the SD-WAN fabric to the Regional Data Center and its ISP3 exit]
• Can use one or more local DIA exits or backhaul traffic to the regional hub through the SD-WAN fabric and exit to Internet from there
  - Per-VPN behavior enforcement
• VPN default route for all traffic DIA or data policy for selective traffic DIA
• Network Address Translation (NAT) on the vEdge/cEdge router only allows response traffic back
  - Any unsolicited Internet traffic will be blocked by IP table filters
• For performance-based routing toward SaaS applications use Cloud onRamp (SaaS Optimization)
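The return-traffic-only property of the DIA NAT, modelled as an added example (not Cisco code and not a description of the router's implementation): outbound service-VPN flows create a translation entry, and an inbound packet from the Internet is delivered only when it matches one, so unsolicited packets are dropped. Addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DiaNat:
    """Stateful NAT at the DIA exit of a WAN Edge (simplified model)."""

    def __init__(self, wan_ip: str, first_port: int = 1024):
        self.wan_ip = wan_ip
        self._next_port = first_port
        # (proto, remote_ip, remote_port, wan_port) -> (inside_ip, inside_port)
        self._translations: Dict[Tuple[str, str, int, int], Tuple[str, int]] = {}
        # inside 5-tuple -> allocated wan_port, so repeated packets reuse the entry
        self._by_inside: Dict[Tuple[str, str, int, str, int], int] = {}

    def outbound(self, f: Flow) -> Flow:
        """Service-VPN host -> Internet: allocate (or reuse) a WAN port, record
        the translation, and return the packet as it leaves the WAN interface."""
        inside_key = (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        wan_port = self._by_inside.get(inside_key)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self._by_inside[inside_key] = wan_port
            self._translations[(f.proto, f.dst_ip, f.dst_port, wan_port)] = (f.src_ip, f.src_port)
        return Flow(f.proto, self.wan_ip, wan_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Internet -> WAN Edge: forward only the reply to a recorded flow.
        Returns the un-translated packet, or None when it must be dropped."""
        if f.dst_ip != self.wan_ip:
            return None
        inside = self._translations.get((f.proto, f.src_ip, f.src_port, f.dst_port))
        if inside is None:
            return None  # unsolicited: no translation entry matches
        inside_ip, inside_port = inside
        return Flow(f.proto, f.src_ip, f.src_port, inside_ip, inside_port)


if __name__ == "__main__":
    nat = DiaNat("203.0.113.10")
    out = nat.outbound(Flow("tcp", "10.1.1.20", 51000, "198.51.100.5", 443))
    print(out, nat.inbound(Flow("tcp", "198.51.100.5", 443, out.src_ip, out.src_port)))
```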

SaaS Optimization via Multipath
Up to 40% faster Office 365 performance
[Figure: Branch/Campus corporate users reach Office 365 either directly, through the Data Center, or via a Colocation Provider; labels: SD-WAN Fabric, Cisco Cloud Security, SD-WAN Provider]

Increased reliability and utilization of best path for SaaS applications
Extending SD-WAN to IaaS
Cloud OnRamp Automation to IaaS
[Figure: two deployments, an Internet connection to the IaaS cloud and a connection to the IaaS cloud via co-location; in each, VPCs/VNets attach to a Transit VPC / Hub VNet that joins the SD-WAN Fabric to the Branch, orchestrated by vManage]
• Cisco WAN Edges deployed in a Transit Hub, acting as virtual aggregation routers
• Partial extension of SD-WAN Fabric
• Automated deployment process with vManage
Module 6:
Programmability and
DevNet
Cisco SD-WAN is Open and Programmable
[Figure: Enterprises and Managed Services (OSS/BSS Integration, Multi-Tenant) alongside DevNet resources: Learning and hands-on content, Sandbox, Code Exchange, Dev Center, Ecosystem Exchange, Partners]
Module 7:
Hardware Platforms
Broadest Set of SD-WAN Platforms
(columns on the slide: Branch, Aggregation, Cloud)
• SD-WAN + Cloud Edge Services (IOS XE): Catalyst 8300, Catalyst 8500, Catalyst 8000V; ISR 1000, ISR 4000, ASR 1000, CSR 1000V*
• SD-WAN (Viptela OS): ISR 1100-4G/6G/LTE, vEdge 2000, vEdge 5000, vEdge Cloud*
• Virtualization: ENCS 5000, CSP 5000
Continuous Innovation

• 20.1/17.2 (April 2020)
  ✓ Auto Tunneling with Umbrella
  ✓ TLS/SSL Proxy
  ✓ NAT Enhancements
  ✓ Cloud onRamp for SAAS
  ✓ Per-Tunnel QoS
  ✓ QoS Visibility
  ✓ Multicast
  ✓ UC Phase 1: SRST, FXO/FXS, SIP
  ✓ UC Phase II: DSP/PVDM, E1/T1
  ✓ Enhanced Cloud (O365, AWS)

• 20.3/17.3 (August 2020)
  ✓ Service Side NAT
  ✓ DIA Tracker
  ✓ Dynamic Tunnels
  ✓ Route Leaking
  ✓ Multicast AAR
  ✓ TrustSec Integration
  ✓ Custom App
  ✓ Adaptive QoS
Cisco Completes the Acquisition of ThousandEyes
Why ThousandEyes

CLOUD IS THE NEW DATACENTER
INTERNET IS THE NEW NETWORK
SAAS IS THE NEW APP STACK

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 39

Empowering organizations to see the Cloud, Internet and SaaS like your own environment
Founded 2010, HQ San Francisco
Locations: Austin, USA; New York, USA; Seattle, USA; Toronto, CA; Tokyo, JP; Sydney, AU; Singapore, SG; Amsterdam, NL; Dublin, IE; London, UK; Munich, DE

• 130+ Global 2000 Companies
• 70+ Fortune 500 Companies
• 6 of the 7 Top US Banks
• 20 of the 25 Top SaaS Companies
• 8 of the 10 Top Global Software Companies

ThousandEyes + Cisco = Million Eyes

ThousandEyes Business Unit: Customer Digital Experience, Employee Digital Experience, WAN Modernization
• AppDynamics: complete end to end visibility from application to end user
• Cisco Networking: provide missing intelligence on Internet, SaaS and Cloud
WAN Modernization - Viptela SD-WAN
[Figure: OVERLAY – increased latency in the SD-WAN tunnel; UNDERLAY – caused by latency in Comcast's network]
Please fill out surveys!
Thank You!
