SDWAN 2.0 Working Group Update

Contributors:

Neil Danilowicz – Versa
Linda Dunbar – Huawei
Mike Elrom – Itential
Shane Jenkins – First Republic
David Mann – McGraw-Hill
Angelique Medina – ThousandEyes
Dogu Narin – Versa
Sal Rannazzizi – Merck
Shafeeq Shaikh – PwC
Steve Wood – Cisco



The ONUG SD-WAN 2.0 Working Group is working to define a reference architecture for optimal enterprise multi-cloud integration. The working group is developing reference solutions for these use cases:

(1) Branch directly accessing SaaS/IaaS
(2) Multi-cloud attachment to SD-WAN fabric
(3) Security for Branch and Cloud
(4) Automated cloud-edge integration to SDWAN
(5) SDWAN Client for End-users

Architectural scenarios and functional requirements have been documented for each of the use cases.

ONUG SDWAN 2.0 WG Wiki


10/25/2019


SD-WAN 2.0 Architecture

[Figure: SD-WAN 2.0 architecture diagram. Labelled elements: Mobile User, Remote Site, Core/DC, Cloud Security Proxy, Cloud Edge Layer, SD-WAN Cloud Gateway, SD-WAN Overlays, CoLo Facility or IXP Peering Point, Vnet/VPC, IaaS/PaaS, SaaS, SDWAN Controller, APIs, SDWAN Fabric. Transports: Public Internet, Internet, Private, Mobile. Flows: Branch to SaaS/Int. – Internet Breakout; Branch/remote user to Security Proxy; CSP direct connectivity; App-to-app traffic. Legend: SDWAN Fabric Edge, SDWAN client. Numbered callouts 1 to 5 mark points in the diagram.]


Multicloud Attach via Fabric Extension to CSP Environment

[Figure: diagram of a CSP Region attached to the SDWAN Fabric. Labelled elements: SDWAN Controller, Orchestrator, SDWAN Site 1 through SDWAN Site N, Site-to-Site Fabric Interconnect, SDWAN Edge Gateway, CSP Hub/Gateway, vHub, VPC (Apps), Controller APIs. Policies: App Policy, Device Config, Traffic Policy. Links: INET, DX/ER, Hub Peering, VNET/VPC Peering, ctrl/mgmt.]


Multicloud Attach to Cloud via Cloud Gateway Service

[Figure: diagram of a CSP Region attached to the SDWAN Fabric. Labelled elements: SDWAN Controller, Orchestrator, SDWAN Site 1 through SDWAN Site N, Site-to-Site Fabric Interconnect, SDWAN Cloud Gateway aaS, CSP Hub/Gateway, vHub, VPC (Apps), Controller APIs. Policies: App Policy, Device Config, Traffic Policy. Links: INET, MPLS, IPSec, VNET/VPC Peering, ctrl/mgmt./APIs.]


SDWAN 2.0 Security Use Cases Summary


What’s Next for SDWAN 2.0?

• Finalize Use Case requirements for “RFP”

• Define low-level design requirements and setup for reference solution testing and outcomes

• Liaisons:

    • Orchestration & Automation WG: API service definitions and use case abstractions at enterprise policy layer

    • Observability WG: controller APIs for telemetry sharing and collection from SDWAN

    • Security WG: security requirements for APP-to-APP flows across hybrid multicloud

    • MEF: OSE SDWAN reference model, APIs and use case requirements


Thank You


ONUG SDWAN 2.0 Working Group

SD-WAN Security – Use Case 1: PCI Compliance

[Figure: PCI Compliance use case diagram. Labelled elements: Employee 1, Employee 2, VPN1, SD-WAN, Data Center Applications, Internet. Flows: HQ Destined Traffic, Employee Internet Traffic. Security functions: IPS, Ent. FW App Aware.]


SD-WAN Security - Use Case 2: Guest Access

[Figure: Guest Access use case diagram. Labelled elements: Guest, Employee, VPN1, VPN2, SD-WAN, Data Center Applications, Internet. Flows: HQ Destined Traffic, Employee Internet Traffic, Guest Internet Traffic. Security functions: Ent. FW App Aware, URL Filtering.]


SD-WAN Security – Use Case 3: Direct Cloud Access

[Figure: Direct Cloud Access use case diagram. Labelled elements: Guest, Employee, VPN1, VPN2, SD-WAN, Data Center Applications, SaaS, Internet. Flows: HQ Destined Traffic, Employee Internet Traffic, Employee SAAS Traffic, Guest Internet Traffic. Security functions: DNS/web layer security, Ent. FW App Aware, IPS, URL Filtering.]


SD-WAN Security - Use Case 4: Direct Internet Access

[Figure: Direct Internet Access use case diagram. Labelled elements: Guest, Employee, VPN1, VPN2, SD-WAN, Data Center Applications, SaaS, Internet. Flows: HQ Destined Traffic, Employee Internet Traffic, Employee SAAS Traffic. Security functions: DNS/web layer security, Ent. FW App Aware, IPS, URL Filtering, AMP, TG.]