
Introduction to Cisco SD-WAN (Viptela)

Brad Edgeworth, Systems Engineer, CCIE#31574

Dustin Schuemann, Solutions Architect

Madhavan Aruanchalam, Technical Marketing Engineer

LTRCRS-2005

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

cs.co/ciscolivebot#LTRCRS-2005

Agenda

• Introduction to SD-WAN

• Cisco SD-WAN (Viptela) Fundamentals

• Initial Device Provisioning

• Policy Administration

• Application Awareness

• Segmentation

• Monitoring/Troubleshooting

• Additional Use Cases

Introduction

Housekeeping

• Who we are

• Everyone loves to eat chorizo

• Not many people know how to make chorizo, but they can still buy it at the store or order it at a restaurant

• In this session you will learn how to make chorizo (i.e. SD-WAN), but you do not have to know a lot of these concepts to enjoy it. You can still enjoy SD-WAN from a service provider.

• This session involves a lot of presentation, and we will have a hands-on lab too.

• We will repeat a lot of the key concepts throughout this lab to help you understand them.

For your reference only

Introduction to SD-WAN

Current WAN Challenges

Is your WAN business ready?

• Insufficient bandwidth

• No cloud-apps readiness

• Fragmented security

• Limited scale

• High cost

• Complex operations

• Application downtime

• Limited application awareness

Business Requirements for the WAN are Evolving

Managing the network is getting more complex:

• Apps are moving to the cloud

• Mobile/IoT device proliferation

• Internet edge moving to the branch

Customers want to…

• Simplify WAN/branch management

• Reduce WAN and operating costs

• Optimize application experience

SD-WAN is the Solution

• Network capacity optimization and increased bandwidth

• Protect application SLA

• Lower operating costs and TCO

Cisco SD-WAN Holistic Approach

(Diagram: users, devices and things connect through the SD-WAN fabric to applications in the DC, IaaS, SaaS and vDC. Fabric services shown are SD-WAN, Cloud OnRamp, IoT and edge computing, backed by analytics, automation and virtualization, cloud delivered. The three labels across the bottom are SECURE, SCALE, OPEN.)

Cisco SD-WAN Solution Pillars

• Application Quality of Experience

• Agile Operations

• Cloud-Delivered Architecture

• Comprehensive Security

Cisco SD-WAN Cloud-Delivered Architecture

(Diagram: vManage (GUI and REST API), analytics and the vSmart controllers run in a private, hosted or managed cloud and provide a secure control plane to vEdge routers at branch, campus, cloud, data center, small office and home office sites. The vEdge routers form the secure SD-WAN fabric across 4G, MPLS and INET transports.)

Multitenant, Cloud-Operated and Cloud-Delivered

Arbitrary VPN Topologies

• Each VPN can have its own topology: full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.

• VPN topology can be influenced by leveraging control policies

• Applications can benefit from the shortest path, e.g. voice takes a full-mesh topology

• Security compliance can benefit from a controlled connectivity topology, e.g. PCI data takes a hub-and-spoke topology

(Diagram: VPN1 full-mesh, VPN2 hub-and-spoke, VPN3 partial mesh, VPN4 point-to-point.)

Fabric Operation Walk-Through

(Diagram: two vEdge routers, each with a VPN1 service side (sites A and C) learning routes from BGP, OSPF, connected and static sources, are connected over Transport1 and Transport2. Each vEdge has a DTLS/TLS tunnel to the vSmart controller carrying OMP; IPsec tunnels between the vEdges carry data and are monitored with BFD. The vEdges send OMP updates with their subnets and TLOCs to vSmart, and vSmart sends OMP updates with subnets, TLOCs and policies back to the vEdges.)

An OMP update carries:

• Reachability – IP subnets, TLOCs

• Security – encryption keys

• Policy – data/app-route policies

Critical Applications SLA

• vEdge routers continuously perform path liveliness and quality measurements

• An app-aware routing policy in vManage states what the path for App A must have: latency < 150 ms, loss < 2%, jitter < 10 ms

• Measured paths in the example: Path 1: 10 ms, 0% loss, 5 ms jitter; Path 2: 200 ms, 3% loss, 10 ms jitter; Path 3: 140 ms, 1% loss, 10 ms jitter

(Diagram: a remote site and a regional data center connected by IPsec tunnels over Internet, MPLS and 4G LTE. Other path features shown: optimal path MTU, TCP optimization, and device QoS (shaping, policing, queuing, marking).)
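The SLA on the slide written as a vSmart centralized app-aware routing policy, as an added example (this is not the deck's lab configuration). The policy and list names, the VPN numbers, the site IDs, the DSCP match and the preferred color are assumptions; the syntax is the Viptela vSmart policy CLI, with thresholds expressed as the maximum acceptable value:

```text
policy
 sla-class APP-A-SLA
  latency 150
  loss    2
  jitter  10
 !
 lists
  vpn-list DATA-VPNS
   vpn 10
   vpn 20
   vpn 40
  !
  site-list ALL-SITES
   site-id 100
   site-id 300
   site-id 400
  !
 !
 app-route-policy APP-A-AAR
  vpn-list DATA-VPNS
   sequence 10
    match
     dscp 46
    !
    action
     sla-class APP-A-SLA preferred-color mpls
    !
   !
  !
 !
!
apply-policy
 site-list ALL-SITES
  app-route-policy APP-A-AAR
 !
!
```

Against the three measured paths, only Path 1 satisfies every threshold; Path 2 fails latency and loss, and Path 3 sits at the jitter limit. Without the `strict` keyword on the `sla-class` action, matching traffic is still forwarded over some available tunnel when no path meets the SLA; with `strict`, it is dropped instead, which is the behaviour to choose deliberately rather than by default.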

DDoS Protection for vEdge Routers

• Control plane policing protects the CPU from the packet-forwarding path: 300 pps per flow, 5,000 pps

• Explicitly defined sources: cloud security

• Authenticated sources: vManage, vSmart, vBond and vEdge (SD-WAN IPsec)

• Implicitly trusted sources

• Other/unknown sources: deny, except 1. return packets matching a flow entry (DIA enabled) and 2. DHCP, DNS, ICMP

* Can be manually enabled: SSH, NETCONF, NTP, OSPF, BGP, STUN

vEdge VPNs and Security Zoning

• Transport VPN (VPN0): interfaces toward Internet and MPLS, untrust zone

• Service VPNs (VPNn): interfaces and sub-interfaces toward the site, trust zone

• Out-of-band management (VPN512)

• VPNs are isolated from each other; each VPN has its own forwarding table

• Reachability within a VPN is automatically advertised by OMP

Cisco SD-WAN Solution Elements

(Diagram, shared by the next four slides: vManage with APIs toward vAnalytics and 3rd-party automation, vSmart controllers and vBond in the cloud; vEdge routers at data center, campus, branch and SOHO sites over 4G, MPLS and INET transports.)

Orchestration Plane: Cisco vBond

• Orchestrates control and management plane

• First point of authentication (white-list model)

• Distributes list of vSmarts/vManage to all vEdge routers

• Facilitates NAT traversal

• Requires public IP address [could sit behind 1:1 NAT]

Control Plane: Cisco vSmart

• Facilitates fabric discovery

• Disseminates control plane information between vEdges

• Distributes data plane and app-aware routing policies to the vEdge routers

• Implements control plane policies, such as service chaining, multi-topology and multi-hop

Data Plane: Cisco vEdge

• WAN edge router

• Provides secure data plane with remote vEdge routers

• Establishes secure control plane with vSmart controllers (OMP)

• Implements data plane and application aware routing policies

Management Plane: Cisco vManage

• Single pane of glass for Day 0, Day 1 and Day 2 operations

• Multitenant with web scale

• Centralized provisioning

• Policies and templates

• Troubleshooting and monitoring

• GUI with RBAC

Overlay Management Protocol (OMP): Unified Control Plane

• TCP based extensible control plane protocol

• Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections

• Advertises control plane context

• Dramatically lowers control plane complexity and raises overall solution scale

• OMP session is established in VPN0

Note: vEdge routers need not connect to all vSmart controllers

Establishing OMP Neighbors

• System IP is like a router ID: unique per fabric element, non-routable in the overlay, learned and advertised by vManage

• OMP peering establishes between System IPs, over TLS/DTLS tunnels

• Single OMP peering between vEdge and vSmart, even if multiple TLS/DTLS tunnels exist

(Diagram: a vEdge with System IP 1.1.1.1 has DTLS/TLS tunnels over both INET and MPLS to two vSmart controllers with System IPs 1.1.1.53 and 1.1.1.54.)

OMP: vRoutes (OMP Routes)

• Routes learned from the local service side (connected, static, dynamic OSPF/BGP)

• Advertised to vSmart controllers

• In essence, these are the routes from other sites that are reached via the tunnel (overlay)

• Most prominent attributes:

- TLOC

- Site-ID

- Label

- VPN-ID

- Tag

- Preference

- Originator System IP

- Origin Protocol

- Origin Metric

(Diagram: a vEdge with INET and MPLS transports sends an OMP update with its service-side routes to vSmart.)

OMP: TLOC Routes

• Routes connecting locations to physical networks

• Provide a method of locating the encapsulating interface of the remote vEdge device

• Advertised to vSmart controllers

(Diagram: the same vEdge sends an OMP update with its TLOCs to vSmart.)

OMP: Network Service Routes

• Routes for advertised network services, i.e. firewall, IDS, IPS, generic

• Advertised to vSmart controllers

• Most prominent attributes:

- VPN-ID

- Service-ID (FW, IDS, IDP, Custom)

- Label

- Originator System IP

- TLOC

(Diagram: a vEdge with a firewall attached sends an OMP update with the network service to vSmart.)

OMP: Network Service Routes Example

(Diagram, two builds: a data center, a remote office and a regional hub connected over 4G, MPLS and INET, with a firewall (FW) at the regional hub. In VPN1 the regional hub sends a service advertisement for the FW to vSmart, and vSmart sends a policy advertisement* (plus the service) to the data center and remote office.)

High Availability

Transport Redundancy – Meshed

• vEdge routers are directly connected to all the transports (Internet and MPLS)

• SD-WAN tunnels are built through all directly connected transports

(Diagram: the site network behind two vEdge routers, each wired to both transports; the three failure cases shown are circuit failure, transport failure and router failure. Note: the Internet transport is still reachable.)

Transport Redundancy – L2 Switch

• vEdge routers are directly connected to all the transports through L2 switches

• SD-WAN tunnels are built through all directly connected transports

(Diagram: the same three failure cases, circuit, transport and router failure. Note: the Internet transport is still reachable.)

Transport Redundancy – TLOC Extension

• Each vEdge router is connected to a given transport

• SD-WAN tunnels are built through local and remote transports

(Diagram: one vEdge wired to the Internet transport and the other to MPLS, with the TLOC extension between them; the same three failure cases are shown.)

Key Concept Deep Dive

Terminology

VPNs

• These are like VRFs; used for segmenting traffic

• VPN0 is system defined

• Used for control plane traffic for OMP, orchestration, vManage, etc.

• IPsec tunnels terminate on VPN0 interfaces

• WAN transports are associated to VPN0

• VPN512 is used for out-of-band system management

• VPN1-511 are defined by the user and used for site-to-site data traffic

• Our lab is using VPN10, VPN20 and VPN40 for data traffic

Colors

• Used to associate an interface in VPN0 to a specific transport type

• Examples include: MPLS, Biz-Internet, Private, Public

Transport Locator IDs (TLOCs)

• Used to identify the encapsulating interface of a remote vEdge

• Primarily this is based on the System IP, but includes the encapsulating interface IP and color
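The VPN, color and TLOC terminology above, together with the per-transport service allow-list from the DDoS protection slide, as one vEdge configuration. This is an added example in the Viptela vEdge CLI and not the lab's device configuration; the hostname, System IP, site ID, organization name, vBond name, interface names and addresses are assumptions. The two `tunnel-interface` blocks under `vpn 0` are where the TLOCs come from (System IP plus color plus encapsulation), and the `allow-service` lines are the hardened form of the implicit ACL: only DHCP, DNS and ICMP are accepted from unknown sources, with SSH, NETCONF, NTP, OSPF, BGP and STUN left disabled on the transport side.

```text
system
 host-name         BR1-VEDGE1
 system-ip         1.1.1.1
 site-id           300
 organization-name "EXAMPLE-ORG"
 vbond             vbond.example.org
!
vpn 0
 interface ge0/0
  description MPLS transport
  ip address 172.16.1.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service bgp
   no allow-service stun
  !
  no shutdown
 !
 interface ge0/1
  description Internet transport
  ip address 100.64.1.2/30
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service bgp
   no allow-service stun
  !
  no shutdown
 !
 ip route 0.0.0.0/0 172.16.1.1
 ip route 0.0.0.0/0 100.64.1.1
!
vpn 10
 interface ge0/2
  description Site LAN, service VPN
  ip address 10.3.0.2/24
  no shutdown
 !
!
vpn 512
 interface eth0
  description Out-of-band management
  ip dhcp-client
  no shutdown
 !
!
```

The weak setting to avoid is `allow-service all` under a transport `tunnel-interface`: it opens every service in the list above, including SSH and NETCONF, to anything that can reach the transport address, which on the Internet color is the whole Internet. Enable a service only on the color that needs it (for example `allow-service bgp` on the MPLS interface when peering with the provider CE), and verify what the device actually exposes with `show running-config vpn 0` and `show control connections` after the change.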

Visualizing the Concepts

(Diagram, VPN0: a vEdge at each site has VPN0 interfaces on the MPLS transport (color mpls) and on the Internet. Underlay routing, nothing is encapsulated; VPN0 is used for the control plane to vSmart.)

(Diagram, user defined VPNs, built up over three slides: on top of the VPN0 control plane, host A in VPN1 and host B in VPN2 reach their remote peers across the data plane through the tunnels over MPLS and the Internet, with each VPN carried separately.)

Logging in to the Lab

Lab Orientation

• Every student works by themselves. Don’t have to wait on others to proceed!

Lab Topology

(Diagram; the details recoverable from it:)

• Sites: Hub Site 1 / DC 1 (San Jose), Branch 1 (Miami) and Branch 2 (Chicago); site IDs in use are 100, 300 and 400

• vEdge routers: DC1-VEDGE1 and DC1-VEDGE2, BR1-VEDGE1 and BR1-VEDGE2, BR2-VEDGE1; other site devices: DC1-MPLS-CE, DC1-INET-CE, BR2-Core, BR1-PC, BR2-PC, a firewall (FW) and a vPod gateway

• Transports: MPLS transport (AS 100) and Internet transport (AS 200), with WANem bridges (br0, br1) emulating the WAN; transport links use /30s from 172.16.0.0/16 and 100.64.0.0/16, and some Internet-side interfaces use DHCP

• Controllers (vManage, vSmart, vBond, ZTP) in the Viptela Management Cloud; LiveAction for monitoring

• Site LANs based on the LAN pool: 10.3.0.0/24 (virtual IP 10.3.0.1), 10.4.0.0/24 and 10.4.254.0/24, with the PCs at 10.3.0.10 and 10.4.0.10

• dCloud addressing from 198.18.128.0/18: the student workstation (WKST1) at 198.18.133.36, ad1 at 198.18.133.1, and 198.18.133.34, 198.18.133.40 and 198.18.133.200 also shown

Accessing the Lab

• Access to the lab is obtained by launching Cisco AnyConnect and connecting to: dcloud-lon-anyconnect.cisco.com

• Your instructor will have your desktop already VPNed in. If it is not VPNed in, then please reach out to your instructor to provide you with the username and credentials that are unique to your pod.

• Initiate a remote desktop session to the dCloud workstation 198.18.133.36 by clicking on the Start button and typing in:

mstsc /v:198.18.133.36

• You will be prompted for user credentials.

• Use the username: WKST1\demo and the password: C1sco12345

• If a different username is shown than above, click on “Use another account” and type in the appropriate username.


Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you