Introducing Cisco SD-WAN
Introducing Cisco SD-WAN Brian Joanis Systems Engineer, Cisco Systems

Looking at things differently

The way ZK puts it:

"Today's networks are extremely manually intensive to operate. Engineers must be familiar with a cryptic command line interface and repeat many tasks, box after box, to implement a change. Software-defined networks (SDNs) have made networks easier to manage by automating certain tasks, but engineers still need to identify all the tasks. With an IBN, the administrator determines the "what," and the system then figures out the "how." A good analogy to help understand this is the difference between an automated car feature and an autonomous car. Parallel-park assist automates the task of parking, but the driver still needs to drive to the destination, look for parking spots, and determine which is the best one. With an autonomous vehicle, the driver would issue the command "go home," and the car would figure out the least-congested route and determine the best parking spot, which may or may not include parallel parking. Automation makes the parking process itself easier, whereas the self-driving car would transform the entire experience. IBN lets network administrators issue commands like "put all my IoT devices in a single zone" or "prioritize bandwidth for the top 10% of my UC customer base" and rely on the network for all the behind-the-scenes magic that makes it happen. If devices move or things change, the network automatically reconfigures to adapt. Cisco's IBN is a closed-loop system that continually gathers contextually relevant data from a number of different sources, including network devices and IoT endpoints. Using machine learning, the system delivers insights that can help enterprises make better business decisions."

Software Defined WAN…

Definition: An SD-WAN simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism. The control and management functions move to centralized controllers, which is why the identity and authentication of those controllers (covered under security below) carry the trust of the whole fabric.

Cisco SD-WAN Platform for Digital Transformation

[Slide graphic: the Cisco SD-WAN Fabric connects Users, Devices and Things to Applications in the DC, vDC, IaaS and SaaS; pillars: Analytics, Cloud Delivered, Automation, Virtualization; use cases: SD-WAN, Cloud OnRamp, IoT, Edge Computing; attributes: Secure, Scale, Open.]

At the heart of digital transformation is Cisco SD-WAN, which lays the foundation for connecting users, devices and things to applications residing in private, public and hybrid cloud environments. Powered by Viptela technology, it is a secure, scalable and open fabric that caters to a variety of use cases: SD-WAN, Cloud OnRamp, IoT and more. Its cloud-delivered control, management and analytics elements can be consumed directly by enterprises or offered as a service by service providers. The high degree of automation allows zero-touch operation without compromising on security or feature richness.

Cisco's SD-WAN Solutions

Advanced SD-WAN (Cisco SD-WAN):
- Cloud OnRamp
- More than two active transports, or active LTE
- Comprehensive WAN connectivity and services
- Complex topologies
- Custom policies at scale
- Advanced routing and segmentation

SD-WAN Essentials (cloud-managed, Meraki):
- Hybrid WAN: L3 overlay for deployments with dynamic path selection
- Zero-touch deployment with templates and an easy-to-use dashboard
- Single pane-of-glass management for the full-stack infrastructure across the branch
- Integrated branch security and network connectivity solution in a single dashboard
- Fits existing Meraki customers evaluating SD-WAN

Cisco SD-WAN Architecture: The Power of Abstraction

[Diagram: Orchestration plane (vBond); Management plane (vManage, vAnalytics, APIs for 3rd-party automation); Control plane (vSmart controllers); Data plane (vEdge routers at Cloud, Data Center, Campus, Branch and SOHO sites over MPLS, INET and 4G transports).]

The Cisco SD-WAN architecture applies the principles of SDN to the wide area network. By clearly separating the control-plane, data-plane and management-plane functions, the Cisco SD-WAN fabric achieves a high degree of modularity. Let's review the key elements of the Cisco SD-WAN solution in more detail.

Cisco SD-WAN Solution Elements: Orchestration Plane (Cisco vBond)

- Orchestrates connectivity between the management, control and data planes
- First point of authentication for every device joining the fabric
- Requires a public IP address (reachable directly or through 1:1 static NAT)
- Facilitates NAT traversal
- All other components need to know the vBond IP address or DNS name
- Authorizes all control connections (white-list model: a device must be on the authorized list, not merely hold a valid certificate)
- Distributes the list of vSmart controllers to all vEdges

Cisco SD-WAN Solution Elements: Management Plane (Cisco vManage)

- Single pane of glass for Day 0, Day 1 and Day 2 operations
- Real-time alerting
- Centralized provisioning and configuration standardization
- Simplicity of deployment and simplicity of change
- Supports REST API, CLI, Syslog, SNMP and NETCONF

Because the GUI is built on the same REST API, API credentials and sessions deserve the same protection as administrator logins.
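The REST API listed above is what the vManage GUI itself is built on, so scripting against it is routine. The following is an added example written for this page, not Cisco code: a minimal client that performs the vManage login sequence (POST /j_security_check for the session cookie, then GET /dataservice/client/token for the XSRF token that every later call must carry) and lists devices from GET /dataservice/device. The hostname, credentials, device records and the fake_transport that stands in for the controller are constructed so the flow runs offline; the default transport verifies the controller's TLS certificate rather than trusting it blindly.

```python
import json
import ssl
import urllib.parse
import urllib.request


class VmanageClient:
    """Session-cookie + XSRF-token flow that vManage uses for its REST API."""

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.cookies = {}           # JSESSIONID returned by /j_security_check
        self.xsrf_token = None      # required on every call after login
        self._transport = transport or self._urllib_transport

    @staticmethod
    def _urllib_transport(method, url, headers, body):
        # create_default_context() verifies the controller certificate and hostname;
        # do not swap in an unverified context just to get past a lab certificate.
        ctx = ssl.create_default_context()
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()

    def _request(self, method, path, body=None, content_type=None):
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        if self.xsrf_token:
            headers["X-XSRF-TOKEN"] = self.xsrf_token
        if content_type:
            headers["Content-Type"] = content_type
        status, resp_headers, data = self._transport(method, self.base_url + path, headers, body)
        set_cookie = resp_headers.get("Set-Cookie")
        if set_cookie:
            name, _, value = set_cookie.split(";", 1)[0].partition("=")
            self.cookies[name.strip()] = value.strip()
        return status, data

    def login(self, username, password):
        form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
        status, body = self._request("POST", "/j_security_check", form,
                                     "application/x-www-form-urlencoded")
        # A rejected login is answered with HTTP 200 and the HTML login page, not a 401.
        if status != 200 or b"<html" in body.lower():
            raise PermissionError("vManage rejected the credentials")
        status, token = self._request("GET", "/dataservice/client/token")
        if status != 200 or not token:
            raise RuntimeError("could not obtain the XSRF token")
        self.xsrf_token = token.decode().strip()
        return self.xsrf_token

    def devices(self):
        status, body = self._request("GET", "/dataservice/device")
        if status != 200:
            raise RuntimeError(f"GET /dataservice/device returned HTTP {status}")
        return json.loads(body)["data"]


def unhealthy_devices(devices):
    """Host-names whose control connection is down or whose certificate is not valid."""
    return sorted(d["host-name"] for d in devices
                  if d.get("reachability") != "reachable"
                  or d.get("certificate-validity") != "Valid")


# Constructed fixture standing in for a live controller (not real vManage output).
FAKE_DEVICES = [
    {"host-name": "branch-vedge-1", "system-ip": "10.1.1.1", "device-type": "vedge",
     "reachability": "reachable", "certificate-validity": "Valid"},
    {"host-name": "branch-vedge-2", "system-ip": "10.1.1.2", "device-type": "vedge",
     "reachability": "unreachable", "certificate-validity": "Valid"},
]


def fake_transport(method, url, headers, body):
    """Offline stand-in for vManage that enforces the same session and XSRF rules."""
    path = urllib.parse.urlsplit(url).path
    if method == "POST" and path == "/j_security_check":
        creds = urllib.parse.parse_qs(body.decode())
        if creds.get("j_password") == ["correct-horse"]:
            return 200, {"Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly"}, b""
        return 200, {}, b"<html>login page</html>"
    if "JSESSIONID=abc123" not in headers.get("Cookie", ""):
        return 401, {}, b"unauthenticated"
    if method == "GET" and path == "/dataservice/client/token":
        return 200, {}, b"tok-456"
    if headers.get("X-XSRF-TOKEN") != "tok-456":
        return 403, {}, b"missing XSRF token"
    if method == "GET" and path == "/dataservice/device":
        return 200, {}, json.dumps({"data": FAKE_DEVICES}).encode()
    return 404, {}, b""


def demo():
    client = VmanageClient("https://vmanage.example.net", transport=fake_transport)
    client.login("admin", "correct-horse")
    return unhealthy_devices(client.devices())
```

Against a real controller, drop the transport argument so the urllib transport with certificate verification is used; the two checks worth keeping from this example are the HTML-body test on login (a wrong password does not produce a 4xx) and the XSRF token on every post-login request.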

Cisco SD-WAN Solution Elements: Control Plane (Cisco vSmart)

- Centralized brain of the solution
- Facilitates fabric discovery
- Establishes OMP peering with all vEdges
- Implements control-plane policies such as service chaining, traffic engineering and per-VPN topology
- Dramatically reduces the complexity of the entire network
- Distributes connectivity information between vEdges
- Orchestrates secure data-plane connectivity between vEdges (the IPSec key material is distributed in OMP updates)

Cisco SD-WAN Solution Elements: Data Plane (physical or virtual Cisco vEdge WAN edge router)

- Provides the secure data plane (IPSec) to remote vEdge routers
- Establishes the secure control plane (OMP over TLS/DTLS) with the vSmart controllers
- Implements data-plane and application-aware routing policies
- Exports performance statistics
- Runs traditional routing protocols such as OSPF and BGP on the service side, with VRRP for first-hop redundancy
- Supports Zero Touch Deployment
- Physical or virtual form factor (100 Mb, 1 Gb, 10 Gb)

Overlay Management Protocol (OMP): Unified Control Plane

- Extensible control-plane protocol carried inside the authenticated TLS or DTLS control connections (TLS over TCP, DTLS over UDP)
- Runs between vEdge routers and vSmart controllers, and between the vSmart controllers themselves
- Advertises control-plane context: reachability (routes and TLOCs), security (encryption keys) and policy

Fabric Operation: Fabric Walk-Through

[Diagram: two vEdge routers connected over Transport 1 and Transport 2 to a vSmart controller; OMP runs over DTLS/TLS tunnels to vSmart, IPSec tunnels with BFD run between the vEdges; each vEdge carries service-side subnets in VPN 1 and VPN 2 learned via BGP, OSPF, connected or static routes. OMP updates carry reachability (IP subnets, TLOCs), security (encryption keys) and policy (data/app-route policies).]

To understand basic Cisco SD-WAN fabric operation, let's look at a simple example. Consider a starting point where the vSmart controllers have been brought online and two vEdge routers, one at each remote site, are trying to connect as part of the zero-touch bring-up process.

As described earlier, a bi-directional certificate exchange takes place between the vEdge routers and the vSmart controller, in which both parties authenticate and authorize each other. vEdge identity is based on the signed certificate in the on-board TPM module installed at manufacturing time; vSmart identity is based on the enterprise or public PKI-signed certificate loaded during the vSmart controller deployment phase. A valid certificate alone is not sufficient: the device must also appear on the authorized (white-listed) device list described under vBond.

After successful bi-directional authentication and authorization, a TLS or DTLS connection comes up between the vEdge routers and the vSmart controller. OMP establishes peering across these TLS/DTLS connections and, following the OMP advertisements (which carry the IPSec encryption keys), IPSec connections between the vEdges come up automatically. Once the IPSec connections are established, each vEdge router starts BFD probing across them to determine up/down state, loss, latency, jitter and maximum path MTU.

The next step is to determine reachability for the local service-side networks behind each vEdge router. Each vEdge router uses local mechanisms to determine its local networks: directly connected subnets, statically defined subnets, or subnets learned dynamically through OSPF or BGP.

The vEdge router places the learned subnets into the relevant VPN based on the inbound service (LAN) side interface or sub-interface (in the case of 802.1Q tags) and advertises the reachability to the vSmart controller in an OMP update message. The vSmart controller in turn passes this advertisement to the other vEdge router in the topology. The same process occurs for the other vEdge router, and bi-directional connectivity between the service (LAN) side subnets is established. As new subnets or new VPNs become part of the fabric, the same process continues.

If the implementation includes data or application-aware routing policies, those policies are communicated to the relevant vEdge routers in OMP updates for distributed enforcement. Control policies, by contrast, are enforced on the vSmart controller and are not communicated to the vEdge routers.

Policy Driven WAN Infrastructure: Policy-Augmented Dynamic Routing

1. vManage GUI: policy orchestration
   - Control policy: routing and services
   - App-route policy: application-aware, SLA-based routing
   - Data policy: extensive policy-based routing and services
   - Policies are combined and applied per site
2. vSmart controller: policy enforcement and advertisement
   - Executes control policy
   - Advertises AAR and data policies to sites
3. vEdge WAN router (branch/DC access layer)
   - Executes AAR and data policy as received
   - Dynamic routing and policies combine to dictate forwarding behavior

Cisco SD-WAN Security

- Router and controller identity (vBond, vSmart, vManage, vEdge)
- Zero-trust security model
- Strong encryption
- Network segmentation
- Application firewall
- Infrastructure DDoS protection

Secure Segmentation

Use cases: security zoning, compliance, guest Wi-Fi, multi-tenancy, extranet.

Each service-side VLAN maps to a VPN (VPN 1, VPN 2, VPN 3), and each VPN is carried across the IPSec tunnel interface with its own per-VPN topology: full mesh, hub-and-spoke, partial mesh or point-to-point.
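The fabric walk-through above and this per-VPN topology slide describe the same control-plane flow from two angles: a vEdge is admitted only if its certificate chains to a trusted issuer and it is on the authorized device list; its OMP routes are reflected by vSmart; and control policy applied on vSmart, never shipped to the vEdges, decides which sites learn which routes in each VPN. The following is an added toy model of that flow written for this page, not Cisco code and not the OMP wire format; the CA name, chassis and serial numbers, site IDs, colours and prefixes are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tloc:
    """Transport locator: which router, over which transport colour."""
    system_ip: str
    color: str


@dataclass(frozen=True)
class OmpRoute:
    vpn: int
    prefix: str
    origin: str        # connected | static | ospf | bgp
    tloc: Tloc


@dataclass(frozen=True)
class DeviceCert:
    """Stand-in for the certificate held in the vEdge TPM (values are constructed)."""
    issuer: str
    chassis_number: str
    serial_number: str


class VSmart:
    TRUSTED_ISSUERS = {"Example Device CA"}   # assumed trust anchor for this model

    def __init__(self, allowlist, hub_sites_per_vpn):
        self.allowlist = allowlist                  # {(chassis, serial)} authorized devices
        self.hub_sites_per_vpn = hub_sites_per_vpn  # {vpn: {hub site ids}}; absent -> full mesh
        self.peers = {}                             # system_ip -> site_id of authorized peers
        self.routes = []                            # OMP routes learned from all peers

    def authorize(self, system_ip, site_id, cert):
        """Both checks must pass: a trusted signature AND presence on the allow-list."""
        if cert.issuer not in self.TRUSTED_ISSUERS:
            return False
        if (cert.chassis_number, cert.serial_number) not in self.allowlist:
            return False          # genuine certificate, but not an authorized device
        self.peers[system_ip] = site_id
        return True

    def receive_update(self, system_ip, routes):
        if system_ip not in self.peers:
            raise PermissionError(f"OMP update from unauthorized peer {system_ip}")
        # Replace whatever this peer advertised before with its latest view.
        self.routes = [r for r in self.routes if r.tloc.system_ip != system_ip] + list(routes)

    def advertise_to(self, system_ip):
        """Control policy runs here; the vEdge only ever sees the filtered result."""
        site = self.peers[system_ip]
        out = []
        for r in self.routes:
            if r.tloc.system_ip == system_ip:
                continue                                  # never reflect a peer's own routes
            hubs = self.hub_sites_per_vpn.get(r.vpn)
            if hubs is None:                              # full-mesh VPN
                out.append(r)
            elif site in hubs or self.peers[r.tloc.system_ip] in hubs:
                out.append(r)                             # hub-and-spoke: spoke <-> hub only
        return out


def demo():
    """Three authorized vEdges plus one rogue; VPN 1 full mesh, VPN 2 hub-and-spoke via site 100."""
    ca = "Example Device CA"
    allow = {("CH-HUB", "SN-003"), ("CH-A", "SN-001"), ("CH-B", "SN-002")}
    vsmart = VSmart(allow, hub_sites_per_vpn={2: {100}})
    vsmart.authorize("10.0.0.100", 100, DeviceCert(ca, "CH-HUB", "SN-003"))
    vsmart.authorize("10.0.0.1", 1, DeviceCert(ca, "CH-A", "SN-001"))
    vsmart.authorize("10.0.0.2", 2, DeviceCert(ca, "CH-B", "SN-002"))
    # Valid certificate from the right CA, but not on the allow-list: must be refused.
    rogue_admitted = vsmart.authorize("10.0.0.9", 9, DeviceCert(ca, "CH-X", "SN-999"))

    for ip, site in (("10.0.0.100", 100), ("10.0.0.1", 1), ("10.0.0.2", 2)):
        tloc = Tloc(ip, "mpls")
        vsmart.receive_update(ip, [
            OmpRoute(1, f"10.{site}.1.0/24", "ospf", tloc),
            OmpRoute(2, f"10.{site}.2.0/24", "connected", tloc),
        ])
    tables = {ip: sorted((r.vpn, r.prefix) for r in vsmart.advertise_to(ip))
              for ip in vsmart.peers}
    return rogue_admitted, tables
```

In the demo, the spokes at sites 1 and 2 learn each other's VPN 1 prefix but only the hub's VPN 2 prefix, while the hub learns everything; the per-VPN topology exists purely as a filter on what vSmart advertises, which is why a compromised or misconfigured controller, not the vEdge, is the place where segmentation can be undone.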

Cloud OnRamp: Software as a Service (SaaS)

[Diagram: Small Office/Home Office, Branch and Campus sites on the secure SD-WAN fabric, with Direct Internet Access (DIA) via ISP A and ISP B and Regional Internet Exits; quality probing selects the best performing path to the SaaS application.]

- Best performing path, chosen by quality probing of each candidate exit
- Regional Internet exit
- Direct Internet Access (DIA) at the branch
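The app-route policy step in the policy slide and the quality probing behind Cloud OnRamp rest on the same mechanism: per-path loss, latency and jitter are measured by probes (BFD across the IPSec tunnels in the fabric walk-through), compared against SLA thresholds, and traffic is steered onto a compliant path, preferring a configured colour when one qualifies. The following is an added example written for this page, not Cisco code; the SLA thresholds, transport colours and BFD sample windows are constructed, and the strict/best-effort fallback is modelled here rather than taken from a Cisco configuration.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Tunnel:
    color: str           # transport colour of the IPSec tunnel (or a DIA exit for SaaS)
    loss_pct: float
    latency_ms: float
    jitter_ms: float

    def meets(self, sla):
        return (self.loss_pct <= sla.max_loss_pct
                and self.latency_ms <= sla.max_latency_ms
                and self.jitter_ms <= sla.max_jitter_ms)


def tunnel_from_bfd(color, rtts):
    """Summarise one poll window of BFD probes; None marks a probe that got no reply."""
    answered = [r for r in rtts if r is not None]
    loss = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    latency = mean(answered) if answered else float("inf")
    jitter = (mean(abs(a - b) for a, b in zip(answered, answered[1:]))
              if len(answered) > 1 else 0.0)
    return Tunnel(color, loss, latency, jitter)


def select_paths(tunnels, sla, preferred_colors=(), strict=False):
    """Return the tunnels a flow in `sla` should use (an empty list means drop)."""
    compliant = [t for t in tunnels if t.meets(sla)]
    preferred = [t for t in compliant if t.color in preferred_colors]
    if preferred:
        return preferred
    if compliant:
        return compliant           # preferred colour out of SLA: any compliant tunnel
    if strict:
        return []                  # strict: drop rather than violate the SLA
    # best effort: least lossy path, then lowest latency
    return [min(tunnels, key=lambda t: (t.loss_pct, t.latency_ms))]


VOICE = SlaClass("voice", max_loss_pct=1, max_latency_ms=150, max_jitter_ms=30)
BULK = SlaClass("bulk", max_loss_pct=25, max_latency_ms=300, max_jitter_ms=100)

# Constructed BFD windows (round-trip ms per probe, None = lost), not captured data.
BFD_SAMPLES = {
    "mpls": [20, 21, 20, 22, 21, 20, 21, 22, 20, 21],
    "biz-internet": [35, 38, None, 36, 40, 37, 39, 36, None, 38],
    "lte": [60, 95, 70, 110, 65, 100, 80, 120, 75, 90],
}


def colors(tunnels):
    return [t.color for t in tunnels]


def demo():
    tunnels = [tunnel_from_bfd(c, s) for c, s in BFD_SAMPLES.items()]
    without_mpls = tunnels[1:]
    return {
        "voice": colors(select_paths(tunnels, VOICE, preferred_colors=("biz-internet",))),
        "bulk": colors(select_paths(tunnels, BULK, preferred_colors=("biz-internet",))),
        "voice_no_mpls_strict": colors(select_paths(without_mpls, VOICE, strict=True)),
        "voice_no_mpls_best_effort": colors(select_paths(without_mpls, VOICE)),
    }
```

With these windows the internet path shows 20% loss and LTE too much jitter, so voice lands on MPLS despite the preference for the internet colour, while bulk traffic happily takes the preferred internet path. The strict case is the one to decide deliberately: dropping voice when no path meets its SLA is sometimes preferable to a call that technically connects but is unusable.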

Operations: Simplicity and Visibility, Rich Analytics, Single Pane of Glass

Finally, as mentioned earlier in this chapter, the vManage system provides a single pane of glass for all operational tasks performed on the fabric. Its GUI is built upon the REST APIs exposed by the vManage server. vManage can be deployed as a single server or as a cluster for higher scale and redundancy. An optional analytics layer can be added to provide deeper insight into fabric utilization trends, capacity projections, application quality of experience and a variety of other data.

The Intuitive Network Foundation

[Diagram: Security spanning the Fabric, Data Center, Access and WAN.]

The Cisco SD Solution…..

Key Foundation Takeaways

Summary:
- Power of abstraction provides network agility
- Automated provisioning accelerates time to market and reduces costs
- Automatic and adaptive configuration preserves a consistent application experience
- Insight into application health
- Simplified operations

In this module you learned to:
- Explain and whiteboard the fundamental components that make up the Cisco SD-WAN solution
- Explain and whiteboard the role associated with each Cisco SD-WAN component, including the devices that make up the fabric
- Explain and whiteboard how the Cisco SD-WAN solution addresses a transport-independent fabric, services delivery and application policies

THANK YOU. Brian Joanis – WI Select Systems Engineer brjoanis@cisco.com