Cisco SD-WAN

CVU – Cisco Virtual Update

Per Jensen
[email protected]
June 27th 2018
Agenda
Overview

Solution Elements and Overview

Selective “Deep-Dive”

Bonus

Licensing
Overview

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Intent-based networking for the branch and WAN
Transport
independence

Learning
Centralized cloud Application quality
managed fabric of experience
Intent Context

Security
End-point Integrated
flexibility security
Cisco SD-WAN
Intent-based networking for the branch and WAN
Better user experience
4x Improved application
experience
Deploy applications in minutes on any platform
with consistent application performance

Greater agility
40% WAN opex
savings B ra nch Simplify the deployment and operation of
your WAN and get faster performance
using less bandwidth

Advanced threat protection

3.24h Time to threat
detection
Securely connect your users to applications and
protect your data from the WAN edge to the
cloud
Agenda
Overview

Solution Elements and Overview

Selective “Deep-Dive”

Bonus

Licensing
Cisco SD-WAN Solution Elements
Orchestration Plane
Orchestration Plane
vManage
Cisco vBond
APIs

3rd Party
vAnalytics • Orchestrates control and
Automation
management plane
vBond • First point of authentication
(white-list model)
vSmart Controllers • Distributes list of vSmarts/
vManage to all vEdge routers
MPLS 4G
• Facilitates NAT traversal
INET • Requires public IP Address
vEdge Routers
[could sit behind 1:1 NAT]
• Highly resilient

Cloud Data Center Campus Branch SOHO

Cisco SD-WAN Solution Elements
Control Plane
Control Plane
vManage
Cisco vSmart
APIs

3rd Party • Facilitates fabric discovery

vAnalytics
Automation • Dissimilates control plane
information between vEdges
vBond
• Distributes data plane and app-
vSmart Controllers aware routing policies to the
vEdge routers
MPLS 4G • Implements control plane policies,
such as service chaining, multi-
INET
vEdge Routers topology and multi-hop
• Dramatically reduces control plane
complexity
Cloud Data Center Campus Branch SOHO • Highly resilient
Cisco SD-WAN Solution Elements
Data Plane Data Plane
Physical/Virtual

vManage Cisco vEdge

APIs • WAN edge router

• Provides secure data plane with
3rd Party
vAnalytics remote vEdge routers
Automation
• Establishes secure control plane
vBond with vSmart controllers (OMP)
• Implements data plane and
vSmart Controllers
application aware routing
policies
MPLS 4G
• Exports performance statistics
INET
vEdge Routers • Leverages traditional routing
protocols like OSPF, BGP and
VRRP
• Support Zero Touch Deployment
Cloud Data Center Campus Branch SOHO
• Physical or Virtual form factor
(100Mb, 1Gb, 10Gb)
Cisco SD-WAN Solution Elements
Management Plane
Management Plane
vManage
Cisco vManage
APIs
• Single pane of glass for Day0,
3rd Party
vAnalytics Day1 and Day2 operations
Automation
• Multitenant with web scale
vBond • Centralized provisioning
vSmart Controllers • Policies and Templates
• Troubleshooting and
4G Monitoring
MPLS
INET
• Software upgrades
vEdge Routers • GUI with RBAC
• Programmatic interfaces
(REST, NETCONF)
Cloud Data Center Campus Branch SOHO
• Highly resilient
 Overlay Management Protocol (OMP)
Unified Control Plane
vSmart
• TCP based extensible control plane protocol
• Runs between vEdge routers and vSmart
controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Advertises control plane context
vSmart vSmart • Dramatically lowers control plane complexity and
raises overall solution scale

vEdge vEdge
VS
Note: vEdge routers need not connect to all vSmart Controllers
Controllers
Deployment Methodology
On-Premise Hosted
vBond vManage vSmart vSmart vBond vManage vSmart vSmart

ESXi or KVM AWS or Azure

VM VM

Physical Server Container Container

SD-WAN Platforms

Branch virtualization Public Cloud

ENCS 5100 ENCS 5400

• Up to 250Mbps • 250Mbps – 2GB

SD-WAN Branch Services

vEdge 100 vEdge 1000 vEdge 2000 ISR 1000 ISR 4000 ASR 1000

• 100 Mbps • Up to 1 Gbps • 10 Gbps

• 4G LTE & Wireless • Fixed • Modular • 200 Mbps • Up to 2 Gbps • 2.5-200Gbps
• Next-gen • Modular • High-performance
connectivity service w/hardware
• Integrated service
• Performance containers assist
flexibility
• Compute with UCS E • Hardware & software
redundancy
vEdge-1000 and vEdge-2000 Routers
Hardware Specification
vEdge 1000 vEdge 2000 vEdge 5000

1 Gbps AES-256
10 Gbps AES-256
20 Gbps AES-256

1RU, standard rack mountable
1RU, standard rack mountable
1RU, standard rack mountable

8x GE SFP (10/100/1000)
4x Fixed GE SFP (10/100/1000)
4 NIMs (Network Interface

TPM chip
2 Pluggable Interface Modules Modules)

3G/4G via USB (or) Ethernet
8 x 1GE SFP (10/100/1000)
8 x 1GE SFP (10/100/1000)

Security, QoS
2 x 10GE SFP+
4 x 10GE SFP+

Dual Power supplies (external)
TPM chip
TPM chip

Low power consumption
3G/4G via USB (or) Ethernet
3G/4G via USB (or) Ethernet

Security, QoS
Security, QoS

Dual power supplies (internal)
Dual power supplies (internal)

Redundant fans
Redundant fans
vEdge-100 Routers
Hardware Specification
vEdge 100m vEdge 100mw

vEdge 100

100 Mbps AES-256
100 Mbps AES-256
100 Mbps AES-256

5x 1000Base-T
1RU
1RU

TPM chip
5x 1000Base-T
5x 1000Base-T

1x POE port
1x POE port

Security, QoS

2G/3G/4G LTE
2G/3G/4G LTE

External AC PS

Internal AC PS
802.11a/b/g/n/ac

Kensington lock

1x USB-3.0
Internal AC PS

Fan-less TPM Board-ID


1x USB-3.0

9” x 1.75” x 5.5”
Kensington lock
TPM Board-ID

GPS
Low power fan
Kensington lock

GPS
Low power fan

GPS
vEdge Cloud Virtual Routers
Deployment Methodology
On-Premise Hosted
vEdgeCloud vEdgeCloud vEdgeCloud vEdgeCloud vEdgeCloud vEdgeCloud

ESXi or KVM AWS or Azure

VM Throughput: VM
Physical Server 2x vCPU 500Mb/s
4x vCPU 1Gb/s
8x vCPU 1.5Gb/s
Agenda
Overview

Solution Elements and Overview

Selective “Deep-Dive”

Bonus

Licensing
BFD

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
 Bidirectional Forwarding Detection (BFD)

vEdge
• Path liveliness and quality measurement detection
protocol
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all vEdge and vEdge Cloud routers in
the topology
- Inside IPSec tunnels
vEdge vEdge
- Operates in echo mode
- Automatically invoked at IPSec tunnel establishment
- Cannot be disabled

• Uses hello (up/down) interval, poll (app-aware)

interval and multiplier for detection
vEdge vEdge - Fully customizable per-vEdge, per-color
Understanding NAT Types

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Full Cone NAT
vEdge1 (192.168.1.1) NAT (Full Cone) vBond (203.0.113.1) vEdge2 (198.51.100.1)

Src=192.168.1.1:12346 Src=192.0.2.1:12346,
Dst=203.0.113.1:12346 Dst=203.0.113.1:12346

Src=203.0.113.1:12346 Src=203.0.113.1:12346
Dst=192.168.1.1:12346 Dst=192.0.2.1:12346

Src= 198.51.100.1:12346 Src=198.51.100.1:12346

Dst=192.168.1.1:12346 Dst=192.0.2.1:12346

• Any external host can send packet to internal address:port by sending

packet to external address:port once the mapping has been created
Restricted Cone NAT
vEdge1 (192.168.1.1) NAT (Restricted Cone) vBond (203.0.113.1) vEdge2 (198.51.100.1)

Src=192.168.1.1:12346 Src=192.0.2.1:5678,
Dst=203.0.113.1:12346 Dst=203.0.113.1:12346

Src=203.0.113.1:12346 Src=203.0.113.1:12346
Dst=192.168.1.1:12346 Dst=192.0.2.1:5678

Src=198.51.100.1:12346
Dst=192.0.2.1:5678
X
Src=192.168.1.1:12346 Src=192.0.2.1:5678,
Dst=198.51.100.1:12346 Dst=198.51.100.1:12346

Src=198.51.100.1:12346 Src=198.51.100.1:12346
Dst=192.168.1.1:12346 Dst=192.0.2.1:5678

• Any external host can send packet to internal IP address if the internal device initiates a
connection to the external host using previously created address mappings
Port Restricted Cone NAT
vEdge1 (192.168.1.1) NAT (Port Restricted Cone) vBond (203.0.113.1) vEdge2 (198.51.100.1)

Src=192.168.1.1:12346 Src=192.0.2.1:5678,
Dst=203.0.113.1:12346 Dst=203.0.113.1:12346
12346

Src=203.0.113.1:12446
12446
Dst=192.0.2.1:5678
X
Src=203.0.113.1:12346 Src=203.0.113.1:12346
Dst=192.168.1.1:12346 Dst=192.0.2.1:5678

• Similar to Address restricted cone NAT with ports added to the mapping
Symmetric NAT
vEdge1 (192.168.1.1) NAT (Symmetric) vBond (203.0.113.1) vEdge2 (198.51.100.1)

Src=192.168.1.1:12346 Src=192.0.2.1:5678,
Dst=203.0.113.1:12346 Dst=203.0.113.1:12346

Src=203.0.113.1:12346 Src=203.0.113.1:12346
Dst=192.168.1.1:12346 Dst=192.0.2.1:5678

Src=192.168.1.1:12346 Src=192.0.2.1:9012
9012,
9012
Dst=198.51.100.1:12346 Dst=198.51.100.1:12346

Src=198.51.100.1:12346 Src=198.51.100.1:12346
Dst=192.168.1.1:12346 Dst=192.0.2.1:9012

Src=198.51.100.1:12346
Dst=192.0.2.1:5678
X
• Request from the same internal IP address and port to a specific destination IP
address and port is mapped to a unique external source IP address and port
• Only an external host that receives a packet from an internal host can send a
packet back
NAT Traversal Combinations
Side A Side B IPSec Tunnel Status
Public Public

Full Cone Full Cone

Full Cone Port/Address Restricted

Port/Address Restricted Port/Address Restricted

Public Symmetric

Full Cone Symmetric

Symmetric Port/Address Restricted

Symmetric Symmetric

Direct IPSec Tunnel No Direct IPSec Tunnel (traffic traverses hub) Mostly Encountered
 NAT Traversal – Dual Sided Full Cone
vBond
NAT Detection • vBond discovers post-NAT
IP1’ IP2’
public IP and communicates
Port1 Port2 back to vEdges
vSmart - STUN Server
• vEdges notify vSmart of their
post-NAT public IP address
NAT Filter: NAT Filter:
Any source IP/Port Any source IP/Port • NAT devices enforce no filter
IP1’ Full Full IP2’ - Full-cone NAT
Port1 Cone Cone Port2

IP1 IP2’ IP1’ IP2

Port1 Port2 Port1 Port2
vEdge1 vEdge2 • Note: vEdge establishes initial
connection with vBond at each
Successful IPSec connection
bootup.
 NAT Traversal – Full Cone and Symmetric
vBond
NAT Detection • vBond discovers post-NAT public IP
and communicates back to vEdges
IP1’ IP2’
Port1 Port2 - STUN Server
vSmart • vEdges notify vSmart of their post-
NAT public IP address
NAT Filter:
• Symmetric NAT devices enforce
NAT Filter: Only from vBond filter
Any source IP/Port From IP1’/Port1 - Only allows traffic from vBond
IP1’ Full IP2’
Port1 Cone
Symmetric
Port2
• vEdge behind symmetric NAT
reaches out to remote vEdge
- NAT entry created with filter to allow
IP1 IP2’ IP1’ IP2 remote vEdge return traffic
Port1 Port2 Port1 Port2 - Remote vEdge will learn new
vEdge1 vEdge2 symmetric NAT source port (data
plane learning)
Successful IPSec connection
Port Hopping
• Port Hopping • Defaults:
• Adds increments from standard port to • Base port 12346
facilitate NAT-traversal • Port offset: 0
• Port Offset
• Configure a static offset from the standard port
(+-20)
Policy framework

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
 Policy Framework
vManage

NETCONF/YANG

Device Configuration Device Configuration

Centralized Control Policy Local Control Policy

(Fabric Routing) (OSPF/BGP)
Localized
Centralized Data Policy Centralized Policies Local Data Policy
(Fabric Data Plane) Policies (QoS/Mirror/ACL)
Centralized App-Aware Policy
(Application SLA)

OMP

Centralized Data Policy Centralized App-Aware Policy

vSmart (Fabric Data Plane) (Application SLA) vEdge
End-to-End Segmentation

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
 End-to-End Segmentation

VPN 1
Interface VPN1 SD-WAN VPN1 Interface
IPSec VPN 2
VLAN VPN2 Tunnel VPN2 VLAN
VPN 3
Ingress Egress
vEdge vEdge

IP UDP ESP VPN Data

20 8 36 4 …

• Segment connectivity across fabric w/o • Labels are used to identify VPN for
reliance on underlay transport destination route lookup
• vEdge routers maintain per-VPN routing • Interfaces and sub-interfaces (802.1Q
table tags) are mapped into VPNs
Topologies

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Arbitrary VPN Topologies
Full-Mesh Hub-and-Spoke

• Each VPN can have it’s own topology

- Full-mesh, hub-and-spoke, partial-mesh,
VPN1 VPN2 point-to-point, etc…

• VPN topology can be influenced by

leveraging control policies
- Filtering TLOCs or modifying next-hop
TLOC attribute for OMP routes
Partial Mesh Point-to-Point
• Applications can benefit from shortest
path, e.g. voice takes full-mesh topology

VPN3 VPN4 • Security compliance can benefit from

controlled connectivity topology, e.g. PCI
data takes hub-and-spoke topology
Application Routing

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Application Visibility and Recognition

Deep Packet Inspection

Cloud
Data Center App 1
App 2

App 3,000
Data Center vEdge Router
MPLS 4G

INET

 App Firewall
Small Office
Home Office  Traffic prioritization
Campus
 Transport selection
Branch
Critical Applications SLA

vEdge Routers continuously vManage App Aware Routing Policy
perform path liveliness and App A path must have:
Latency < 150ms
quality measurements Loss < 2%
Jitter < 10ms

Internet
Remote Site

MPLS Regional
Path 2 Data Center

4G LTE
Path1: 10ms, 0% loss, 5ms jitter
Path2: 200ms, 3% loss, 10ms jitter
Path3: 140ms, 1% loss, 10ms jitter IPSec Tunnel
Cloud Adoption

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Direct Internet Access
• Can use one or more local DIA exits or
Internet backhaul traffic to the regional hub through
the SD-WAN fabric and exit to Internet from
there
- Per-VPN behavior enforcement

ISP3 • VPN default route for all traffic DIA or data

policy for selective traffic DIA

Regional • Network Address Translation (NAT) on the

Data Center vEdge router only allows response traffic
ISP1 back
- Any unsolicited Internet traffic will be
ISP2
SD-WAN blocked by IP table filters
Fabric
MPLS • For performance based routing toward SaaS
Data Center
Remote Site applications use Cloud onRamp
Cloud onRamp for SaaS – Internet DIA

• vEdge router at the remote site performs

quality probing for selected SaaS
applications across each local DIA exit
- Simulates client connection using HTTP ping
Loss/ • Results of quality probing are quantified as
Latency
Regional vQoE score (combination of loss and
Data Center
! latency)
ISP1
• Local DIA exit with better vQoE score is
SD-WAN chosen to carry the traffic for the selected
ISP2 Fabric SaaS application
Remote Site Data Center - Initial application flow may choose sub-
optimal path until DPI identification is
complete and cache table is populated
Quality Probing
Cloud onRamp for SaaS – Regional Gateway
• vEdge routers at the remote site and
regional hub perform quality probing for
selected SaaS applications across their
local Internet exits
ISP2 - Simulate client connection using HTTP ping
Loss/ • Results of quality probing are quantified as
Latency
Regional vQoE score (combination of loss and
! Data Center latency)
- HTTP ping for local DIA and App-
ISP1
Route+HTTP ping for regional Internet exit
SD-WAN • Internet exit with better vQoE score is
MPLS Fabric chosen to carry the traffic for the selected
Remote Site Data Center SaaS application
- Initial application flow may choose sub-
Quality Probing
optimal path until DPI identification is
complete and cache table is populated
Cloud onRamp for IaaS – Attached Compute

• vEdge Cloud routers are instantiated in

Compute Compute
VPC/VNET
Amazon VPCs or Microsoft Azure VNETs
VPC/VNET
- Posted in marketplace
- Use Cloud-Init for ZTP
Cloud • One vEdge Cloud router per VPC/VNET
Data Center - No multicast support, can’t form VRRP
- No router redundancy
SD-WAN • vEdge Cloud routers join the fabric, all fabric
Fabric services are extended to the IaaS instances,
Campus e.g. multipathing, segmentation and QoS
Remote Site
- For multipathing, can combine AWS Direct
Connect or Azure ExpressRoute with direct
internet connectivity
Branch
Cloud Security with Cisco Umbrella

• vEdge router intercepts client DNS queries

- Deep Packet Inspection

• DNS queries are forwarded to Cisco

Umbrella DNS servers based on the data or
application aware routing policies centrally
Regional
defined on vManage
Data Center - Target DNS servers list is defined under the
DIA ISP1 service side VPN
- Policy can pin DNS query for specific
application (DPI based) to specific DNS
SD-WAN server from the list
Fabric
Data Center
Remote Site • Cisco Umbrella enforces security policy
compliance based on DNS resolution
DNS Queries
High Availability and
Redundancy

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
 Site Redundancy - Routed

Redundant pair of vEdge routers operate in
active/active mode
SD-WAN
Fabric
vEdge routers are one or more Layer 3 hops away
from the hosts

Standard OSPF or BGP routing protocols are
running between the redundant pair vEdge routers
vEdge A vEdge B and the site router

Bi-directional redistribution between OMP and
OSPF/BGP and vice versa on the vEdge routers
Site
Router
- OSPF DN bit, BGP SoO community

Site router performs equal cost multipathing for

remote destinations across SD-WA Fabric
- Can manipulate OSPF/BGP to prefer one vEdge router
Host over the other
 Site Redundancy - Bridged

vEdge routers are Layer 2 adjacent to the hosts

SD-WAN - Default gateway for the hosts
Fabric
Virtual Router Redundancy Protocol (VRRP) runs
between the two redundant vEdge routers
- Active/active when using multi-group (per-VLAN)

vEdge B

VRRP Active vEdge responds to ARP requests
vEdge A
VRRP Active VRRP Standby for the virtual IP with its physical interface MAC
VRRP
address
- No virtual MAC

In case of failover, new VRRP Active vEdge

router sends out gratuitous ARP to update ARP
table on the hosts and mac address table on the
intermediate L2 switches
Host
Operational Simplicity and
Transparency

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Simplified Management
Single Pane Of Glass Operations Rich Analytics

Power Tools

REST NETCONF Syslog SNMP Flow Export CLI Linux Shell

Application and Flow Visibility

• Application and flow visibility for

each vEdge router
- DPI needs to be enabled for
application visibility
- Flow data can be exported from
vEdge to external collector

• Realtime views or custom timeline

views granularity

• Views can be zoomed into

Path Performance

• BFD is used to measure

performance characteristics of each
individual IPSec tunnel
• Loss, latency and jitter is
represented in the tunnel
performance graph on the vManage
• Realtime views or custom timeline
views granularity
• Views can be zoomed into
Agenda
Overview

Solution Elements and Overview

Selective “Deep-Dive”

Bonus

Licensing