BRKENT-2060 - Cisco SD-WAN Cloud OnRamp For Multicloud


Cisco SD-WAN Cloud OnRamp for Multicloud

From Connectivity to Application Integration

Nikolai Pitaev, SD-WAN TME Leader, Cisco


@pitaev

BRKENT-2060
Question:
what is this time slot about?
95,212,800 seconds
1,586,880 minutes
26,448 hours
1,102 days
Answer: … since last CL EMEA in Barcelona 2020

BRKENT-2060 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Cisco Cloud OnRamp solves your cloud problems

Automation: Site-to-Site, Site-to-Cloud, Cloud-to-Cloud
Operations: Cloud Audit, Monitoring, Prediction and Recommendation
Security: Cloud Security, SIG, On-Prem
App Performance: Service Directory Integration, Mid-Mile Optimization

Agenda
• Introduction
• Site-to-cloud: design, automation, performance, security
• Site-to-site over CSP
• Cloud / Custom App integration
• Conclusion

Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated until February 24, 2023.

Your voice matters!
Live poll during this session.

https://app.sli.do/event/d71oy65sDmvgK1YB67RkoU
Introduction

Cisco SD-WAN – Building Blocks
Cisco SD-WAN: Multicloud, Security, Analytics (related session: BRKNTW-2210)

Cisco SD-WAN Cloud OnRamp
Cisco SD-WAN Cloud OnRamp delivers unified policy with IaaS integrations, optimal application experience with
SaaS optimization, and automated, cloud-agnostic branch connectivity with cloud hub and cloud interconnect.

Multicloud
• Cloud Hub (THIS SESSION): AWS TGW, Azure vWAN, Google NCC
• Cloud Interconnect: Megaport, Equinix (related sessions: BRKENT-2651, BRKENT-3297)
SaaS
• Cloud OnRamp for SaaS: Microsoft 365, Webex, Custom App (related session: BRKENT-3412)

Introduction: Cloud Hub (aka IaaS)
Cisco delivers cloud trifecta with top 3 cloud providers

• Greater automation: automate SD-WAN extension to the cloud with just a few clicks in vManage
• Normalized Multicloud experience: consistent UI and workflow in vManage
• Unified security policies: extend consistent enterprise segmentation policy into the cloud
• Ease of management: orchestrate Cisco and cloud provider networking resources via vManage

Diagram: Cisco SD-WAN over MPLS, Internet and 5G transports, extended into the three cloud providers.

Introduction: Cloud Interconnect

• Colocation
• CSP-independent
• SDN driven
• Same Use Cases

Diagram: two Cisco SD-WAN fabrics (each with vManage) connecting enterprise sites through an interconnect provider.
Legend:
MVE = Cisco SD-WAN virtual router hosted on Megaport Virtual Edge
NE = Cisco SD-WAN virtual router hosted on Equinix Network Edge
Enterprise sites = Cisco SD-WAN router on-premises

Introduction: SaaS Optimization
Which path do I use for SaaS applications?

• Direct internet access: best quality
• Regional breakout (regional data center): medium quality
• Data center backhaul: poor quality

• Own Probing to SaaS
• Cloud Telemetry for M365
• First Packet Match

Diagram: branch/campus users on the SD-WAN fabric reaching SaaS, a Custom App and corporate software via direct internet access, a regional data center or the data center.

Site-to-cloud
Same design principle for all CSPs

• Establish IPSec or GRE tunnel between c8kv and Cloud
• Learn cloud routes via BGP
• Mutually Redistribute OMP <-> BGP

Diagram: C8000v SD-WAN routers in the SD-WAN fabric build tunnels with BGP to a CSP network entity in the EU and one in the US, each fronting Host VPC 1 … Host VPC n.

Next step: automate this design
AWS as example

Single UI vManage Workflow: Standard IPSec + BGP from Service VPN
1. have two c8kv ready
2. define AWS Account
3. discover and tag host VPCs
4. deploy CGW (c8kv + TGW)
5. Map host VPCs to SD-WAN

Diagram: Transit VPC with a Cisco c8kv in AZ1 and in AZ2, AWS TGW with VPC attachments to the Host VPCs, IGW toward INET, VGW / Direct Connect toward MPLS.

Your Main benefit: single UI for SD-WAN and Cloud

Same workflow for all CSPs!

Segmentation
Mapping different SD-WAN networks with different cloud VPCs

Diagram: the ENG SD-WAN network is mapped to the ENG VPC and the HR SD-WAN network to the HR VPC through the Cisco c8kv routers and the AWS TGW.

Topics to consider:
• Automated in vManage single UI
• Overlapping IP addresses
Under the hood: different route tables on TGW

SD-WAN on AWS
Design details for AWS

• 3 different Solutions supported today
• AWS Cloud WAN support coming soon
• All – automated in Cisco vManage!

Diagram: Branch 1, Branch 2 and Branch 3 connect over the SD-WAN fabric to the SD-WAN TVPC in US-West-1, which reaches the Host VPCs through the AWS TGW over IPSec or GRE tunnels (next slide with details).

CoR Multicloud Global Settings in vManage:
• Connect: Extending SD-WAN Fabric to the cloud
• Direct IPSec to AWS TGW
• AWS Cloud WAN (coming soon!)

Different connectivity options to AWS TGW available today

SD-WAN via VPN Attachment (vManage):
• SD-WAN Routers in Transit VPC establish BGP over IPSec tunnels to TGW
• Automated workflow including inter-region use case with Cloud onRamp for Multicloud
• AWS TGW Limit of 1.25 Gbps for one IPSec Tunnel

SD-WAN via TGW Connect (vManage):
• GRE tunnel to TGW instead of IPSec: 5 instead of 1.25 Gbps
• Usage of private IP for GRE tunnel possible
• Automated as Cloud onRamp for Multicloud
• C8kv VM performance depends on the AWS VM type

SD-WAN via VPC Attachment (Custom automation):
• No dynamic routing between SD-WAN routers and TGW
• SD-WAN Routers in Transit VPC have TGW as next hop for cloud routes
• Scales up to 50 Gbps TGW Limit.
• No Cloud onRamp automation, custom automation needed

Diagram (one per option): Host VPC1 and Host VPC2 attached to the AWS Transit Gateway (AZ1/AZ2); the Transit VPC with the SD-WAN routers is attached via VPN Attachment, Connect Attachment or VPC Attachment respectively.

Adoption: Customer Case Study

https://aws.amazon.com/partners/success/engie-cisco/

SD-WAN on Azure
Cisco SD-WAN integration with Microsoft vWAN

• Different Terminology: vWAN, vHub and VNet
• Very similar design, same use cases: C8kv as vHub Service Endpoint
• Segmentation: One Route Table, no n:m segmentation yet
• Security: Integration with Azure Firewall

Diagram: Cisco vManage drives the Azure APIs and receives telemetry data from Azure Monitor; a vHub with SD-WAN endpoints in Region 1 and Region 2 over the Azure Backbone, connected to the Cisco SD-WAN fabric with Branch, DC and Branch sites.

Multiple vHubs per Azure Region (from SW Release 20.11)

Problem
The CoR Azure vWAN solution supports only one vHub in a single region. For large-scale deployments we would like to extend the SD-WAN Fabric to more than one vHub per Region, as a single vHub can only scale up to 1000 sites per region.

Solution
• Cloud OnRamp for Multi-Cloud now lets customers deploy Cloud Gateways into multiple Virtual Hubs within the same region
• Cloud Gateways (c8kv) will advertise all VNets connected to all the vHubs, and we can direct traffic flows using SD-WAN Centralized policies.

Caveats
• No segmentation
• Supports up to 20 vHub per region

Diagram: Region 1 and Region 2 on the Azure Virtual WAN / Azure Backbone, each region with several vHubs, each vHub with its own route-table and c8kv routers.

Azure Express Route as Transport with SD-WAN in a Click

Problem Statement:
• NVAs (c8kv) inside the vHub can only have two interfaces. One is for the service VPN and the other is for transport.
• Currently, the default template assigns a color of default to the transport interface. This means only TLOC with public colors can form tunnels to the NVA with public IPs.
• Express Route is a private link that uses a private IP address, since the default template color is a public category that by nature tries to form the tunnels in public space where the express route can't reach.

Solution:
Change the color of GE1 of the NVAs inside the vHub from default to a private color. It allows the usage of both Express Route and Public Internet as SD-WAN transports.

Benefits:
• redundant paths from edge locations to Azure Workload VNets
• higher throughput and lower latency

Private Colors: metro-ethernet, mpls, private1-private6
Public Colors: 3g, lte, biz-internet, public-internet, blue, green, red, gold, silver, bronze
If two ends have a private color: private IP address used for SD-WAN connection.
If endpoint has public color: public IP is used.

Adoption: CoR on Azure

• 100+ CoR Multicloud Deployments on Azure
• Azure examples: Adecco, URC Vietnam

SD-WAN on GCP
GCP Technical Design: High Level for site-to-cloud and site-to-site use cases

Diagram: Control/Management (Device Config, Traffic Policy) drives the Google Cloud APIs. In each Google Region (1 … N) an S2C Transit VPC holds a WAN VPC with c8kv routers and a Google Cloud Router (GCR) for BGP; VPC Peering connects it to the App Workload VPCs. An Interconnect VPC / S2S Transit VPC (for SDCI from 20.9) and the SD-WAN Overlay connect SD-WAN Site 1 … Site N across regions.

Google Network Connectivity Center (NCC)
GCP Networking is different - global virtual networks that are truly global:
1. create a VPC network
2. create a subnet in the US, put your US VM in it
3. create a subnet in Singapore, put your Singapore VM in it
Non-technical reason: source and dest. IP must be in GCP

Details:
• Hub-and-spoke model
• Pure Connectivity Management
• Data plane – direct SD-WAN tunnel between two c8kv in different regions

Customizing Cloud onRamp
Problem definition

• You successfully deployed CoR for Multicloud with Transit VPC, AWS TGW and two SD-WAN Routers
• AWS TGW gets all routes, but you want to send only few of them to TGW.
• If you send more than 1,000 routes, BGP goes down.
• There is no BGP template for CoR in vManage, where you can do route filtering!

Solution: Add-on CLI Template!

Diagram: 1,001 Routes from SD-WAN are advertised to the AWS TGW via BGP by two Cisco CSR routers (AZ1, AZ2) in the Transit VPC; the TGW reaches the Host VPCs via VPC Attachment.

Let’s look at the configs

Router Config
route-map AWS_TGW_CSR_ROUTE_POLICY deny 1
 match as-path 15
!
route-map AWS_TGW_CSR_ROUTE_POLICY permit 11
 match as-path 25
!
route-map AWS_TGW_CSR_ROUTE_POLICY deny 65535

CLI Add-On Template
route-map AWS_TGW_CSR_ROUTE_POLICY permit 110
 match as-path 250
!

Result
route-map AWS_TGW_CSR_ROUTE_POLICY deny 1
 match as-path 15
!
route-map AWS_TGW_CSR_ROUTE_POLICY permit 11
 match as-path 25
!
route-map AWS_TGW_CSR_ROUTE_POLICY permit 110
 match as-path 250
!
route-map AWS_TGW_CSR_ROUTE_POLICY deny 65535

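The route-map above exists to keep the BGP advertisement toward the TGW below the 1,000-route limit. The following Python is an added example, not code from the slides or from Cisco: it models how the merged route-map filters a constructed 1,001-route table and checks the result against the limit. The contents of as-path lists 15, 25 and 250 are not on the slide, so the regexes and AS numbers here are constructed.

```python
import re

# as-path access-lists referenced by the route-map on the slide. Their contents
# are not shown there, so these IOS-style regexes (and the AS numbers) are
# constructed for this example.
AS_PATH_LISTS = {
    15: r"_65010_",        # paths transiting AS 65010 (to be denied)
    25: r"^65001$",        # routes originated by hub AS 65001 (to be permitted)
    250: r"^65001_65002",  # hub -> AS 65002 routes (permitted by the add-on template)
}

# Sequences exactly as in the resulting route-map: (sequence, action, as-path list).
ROUTE_MAP = [
    (1, "deny", 15),
    (11, "permit", 25),
    (110, "permit", 250),   # merged in from the CLI Add-On Template
    (65535, "deny", None),  # explicit catch-all deny, no match clause
]

TGW_ROUTE_LIMIT = 1000      # "if you send more than 1,000 routes, BGP goes down"


def as_path_matches(as_path, regex):
    """IOS as-path regex: '_' means start, end, or the space between two AS numbers."""
    return re.search(regex.replace("_", r"(?:^|$|\s)"), as_path) is not None


def route_map_permits(as_path):
    """Walk the sequences in order; return (permitted, matching sequence number)."""
    for seq, action, acl in ROUTE_MAP:
        if acl is None or as_path_matches(as_path, AS_PATH_LISTS[acl]):
            return action == "permit", seq
    return False, None  # implicit deny if no sequence matched


def filter_advertisements(routes):
    """Apply the route-map to (prefix, as_path) routes; return the prefixes that
    would be advertised to the TGW and a hit count per sequence."""
    advertised, hits = [], {}
    for prefix, as_path in routes:
        permitted, seq = route_map_permits(as_path)
        hits[seq] = hits.get(seq, 0) + 1
        if permitted:
            advertised.append(prefix)
    return advertised, hits


def within_tgw_limit(prefixes):
    return len(prefixes) <= TGW_ROUTE_LIMIT


def build_sample_routes():
    """Constructed BGP table: 1,001 routes from the fabric, as on the slide."""
    routes = [(f"10.{i // 256}.{i % 256}.0/24", "65001 65010 65100") for i in range(990)]
    routes += [(f"172.16.{i}.0/24", "65001") for i in range(8)]   # hub-originated
    routes += [("192.168.1.0/24", "65001 65002"),                   # via AS 65002
               ("192.168.2.0/24", "65001 65002 65003")]
    routes += [("100.64.0.0/24", "65100 65200")]                    # matches no list
    return routes


if __name__ == "__main__":
    table = build_sample_routes()
    everything = [p for p, _ in table]
    print("without filter:", len(everything), "routes; within limit:", within_tgw_limit(everything))
    advertised, hits = filter_advertisements(table)
    print("with route-map:", len(advertised), "routes; within limit:", within_tgw_limit(advertised))
    print("hits per sequence:", hits)
```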
Performance
Performance in the cloud

Scale options:
• Horizontal Scale = spin up many VMs
• Single VM Scale = use the top instance type

Questions to consider:
• Packet size: Jumbo / Large / IMIX
• Automation for horizontal scale
• Cloud Limitations (may not be visible at first look)

Performance Details for C8kv on AWS

Performance
• With SD-WAN v17.9/20.9 c8kv can use the c5n.18xlarge VM type
• Before that, the biggest VM size was c5n.9xlarge, which had the following SD-WAN performance with IPSec+QoS+DPI+FNF profile: up to 15.2 Gbps with large packets
• IMIX performance jump: from 6 Gbps to 7.9 Gbps IMIX
• Jumbo Frame Performance 50+ Gbps VPC-to-VPC

Caveats
• The 17.7 perf improvement is achieved with AWS Multi-TxQs, meaning a setup with 8 SD-WAN IPsec Tunnels. The same applies to c5n.18x in 17.9.

Diagram: single c8kv

Performance Details for C8kv on Google Cloud

GCP Horizontal Scale
17.9 introduces the ability to spin up up to 8 Catalyst 8000v SD-WAN routers as part of Cloud Gateway creation, which addresses high bandwidth requirements for GCP.

Single VM c8kv IMIX Performance is approx. 2 Gbps

Caveats
• Number of c8kv routers per region is between 2 and 8.
• Static configuration, no dynamic scale (yet) based on utilization or other KPIs.

Example with 8 x C8kv on Google Cloud

Diagram: Host VPC 1 (10.24.0.0/16) and Host VPC 2 (10.25.0.0/16) are VPC-peered to the s2c-vpc (10.76.0.160/27; default gateway .161; router addresses .162, .163 … .167 shown); the wan-vpc is 10.76.0.128/27; router R2 peers via BGP.

• Two BGP sessions for redundancy
• R2 vrf 10 route table:
  B 10.24.0.0/16 [20/100] via 10.76.0.161
• .161 is the default gateway for s2c VPC
• We do not have technical data for scale beyond this point.
• Assumption – GCP is not a bottleneck

Performance on Azure

• Cloud onRamp (CoR) will spin up 2 c8000v in SD-WAN VPC
• Azure: SKU scale up to 5 Gbps

Targeted for 20.12/17.12:
20 Gbps (4 X sku 10 + 1n)
40 Gbps (4 X sku 20 + 1n)

Security
SD-WAN Security – Overview

Diagram: a SASE layer (vManage, vAnalytics, SecureX, Identity services, ZTNA, 3rd Party Eco-System) with Identity / Zero Trust and Unified Policy Management. The Cisco SD-WAN Fabric provides Distributed Security Enforcement: an Embedded Security Stack (NGFW, IPS, URL Filtering, AMP, TLS Proxy) at HQ, Data Center and Branches, SIG / Secure Internet Gateway toward the Internet, and Visibility & Reporting.

AWS: Centralized Firewall Design

Requirements
East-west, north-south traffic must go through firewall

Benefits
• Scalable solution
• SD-WAN and security from one hand

Diagram: AWS us-west with Host VPC1 (App1) and Host VPC2 (App2), a Shared services VPC with FTDv-1 … FTDv-n behind a GWLB in AZ1/AZ2, the AWS TGW, and the AWS SD-WAN VPC with c8k-R1 (AZ1) and c8k-R2 (AZ2), connected over the public internet to the SD-WAN fabric and SD-WAN branch 1 / branch 2.

Full Details: https://youtu.be/LHdW_0C3Y6E?t=351
GitHub Repo: https://github.com/CiscoDevNet/sdwan-cor-labinfra

Packet flow: Simplified

From Host VPC to SD-WAN
Host VPC ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ SD-WAN

Returning traffic
SD-WAN ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ Host VPC

GENEVE protocol for load balancing between GWLB and FTDv
Appliance mode is required for symmetric routing

FTDv = Secure Firewall Threat Defense Virtual (aka FTDv / NGFWv)
GWLB = AWS Gateway Load Balancer
Geneve = Generic Network Virtualization Encapsulation
AZ = Availability Zone (AWS data center)

Diagram: same topology as the previous slide (AWS us-west, Host VPC1/VPC2, Shared services VPC with FTDv-1 … FTDv-n and GWLB, AWS TGW, AWS SD-WAN VPC with c8k-R1 / c8k-R2).

Packet flow: Details for shared services VPC (For Your Reference)

Diagram: inside the Shared services VPC, the GWLB endpoint in AZ1 forwards to the GWLB, which uses cross-zone load balancing and GENEVE toward FTDv-1 / FTDv-2; steps 2 to 7 are numbered along the path.

Step 2: TGW routes to GWLB endpoint – shared services route table
  10.102.0.0/16  local
  0.0.0.0/0      vpce-XYZ FW-Endpoint-Service-AZ1 10.102.3.91
Step 3: GWLB endpoint routes traffic to GWLB using AWS PrivateLink
Step 4: GWLB routes traffic to a firewall using GENEVE
  Target Group: FW-Target-Group-Geneve with 4 firewalls (two shown):
  10.102.3.174   MC-FTD-IFT-1  6081  us-west-AZ1
  10.102.13.67   MC-FTD-IFT-2  6081  us-west-AZ1
Step 5: Firewall decapsulates GENEVE, inspects the packet, re-encaps and sends it back to GWLB
Step 6: GWLB removes GENEVE header and forwards packet to the appropriate GWLB endpoint
Step 7: GWLB endpoint sends packet to TGW

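The GENEVE wrapping in steps 4 to 6 is what the firewall has to strip and restore. The following Python is an added example, not code from the slides or from Cisco or AWS: a parser and builder for the GENEVE header as defined in RFC 8926, plus a model of the firewall's decapsulate / inspect / re-encapsulate step on a constructed packet. The inner addresses and the option class/type are constructed; port 6081 is the one shown in the target group above.

```python
import struct
from dataclasses import dataclass

GENEVE_UDP_PORT = 6081   # the port configured on the FW-Target-Group-Geneve targets
ETHERTYPE_IPV4 = 0x0800  # Protocol Type when an IPv4 packet is carried directly

@dataclass
class GeneveOption:
    opt_class: int  # 16-bit option class
    opt_type: int   # 7-bit type; bit 7 of the wire byte is the Critical flag
    critical: bool
    data: bytes     # length is a multiple of 4

@dataclass
class GenevePacket:
    vni: int
    protocol: int
    oam: bool
    options: list
    inner: bytes    # the encapsulated packet the firewall actually inspects

def parse_geneve(payload):
    """Parse a GENEVE header (RFC 8926) from a UDP payload; raise on malformed input."""
    if len(payload) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto = struct.unpack("!BBH", payload[:4])
    if b0 >> 6 != 0:
        raise ValueError(f"unsupported GENEVE version {b0 >> 6}")
    end = 8 + (b0 & 0x3F) * 4                 # fixed header + option area, in bytes
    if len(payload) < end:
        raise ValueError("options run past end of packet")
    options, pos = [], 8
    while pos < end:                          # each option: class, type, len, data
        oclass, tbyte, lbyte = struct.unpack("!HBB", payload[pos:pos + 4])
        dlen = (lbyte & 0x1F) * 4
        if pos + 4 + dlen > end:
            raise ValueError("option length exceeds option area")
        options.append(GeneveOption(oclass, tbyte & 0x7F, bool(tbyte & 0x80),
                                    payload[pos + 4:pos + 4 + dlen]))
        pos += 4 + dlen
    if bool(b1 & 0x40) != any(o.critical for o in options):
        raise ValueError("C bit does not agree with the option flags")
    return GenevePacket(int.from_bytes(payload[4:7], "big"), proto, bool(b1 & 0x80),
                        options, payload[end:])

def build_geneve(pkt):
    """Serialize a GenevePacket (the firewall's re-encapsulation in step 5)."""
    opts = b"".join(struct.pack("!HBB", o.opt_class, (0x80 if o.critical else 0) | o.opt_type,
                                len(o.data) // 4) + o.data for o in pkt.options)
    b1 = (0x80 if pkt.oam else 0) | (0x40 if any(o.critical for o in pkt.options) else 0)
    return (struct.pack("!BBH", len(opts) // 4, b1, pkt.protocol)   # version 0, opt len
            + pkt.vni.to_bytes(3, "big") + b"\x00" + opts + pkt.inner)

def inner_ipv4_addresses(pkt):
    """Source and destination of the encapsulated IPv4 packet."""
    if pkt.protocol != ETHERTYPE_IPV4 or len(pkt.inner) < 20 or pkt.inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return ".".join(map(str, pkt.inner[12:16])), ".".join(map(str, pkt.inner[16:20]))

def firewall_roundtrip(wire):
    """Steps 5 and 6 from the firewall's side: decapsulate, read the inner flow,
    re-encapsulate with header and options unchanged so the GWLB can map the
    packet back to the right endpoint."""
    pkt = parse_geneve(wire)
    return build_geneve(pkt), inner_ipv4_addresses(pkt), [(o.opt_class, o.opt_type) for o in pkt.options]

def build_sample():
    """Constructed sample: IPv4/UDP 10.1.1.10 -> 10.2.2.20 (made-up addresses) in
    GENEVE with one option. The option class is from the experimental range
    (0xFF01); it is not AWS's own GWLB option encoding."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                        bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20])) + b"\x00" * 8
    opt = GeneveOption(opt_class=0xFF01, opt_type=3, critical=False, data=b"\xde\xad\xbe\xef")
    return build_geneve(GenevePacket(vni=0, protocol=ETHERTYPE_IPV4, oam=False,
                                     options=[opt], inner=inner))

if __name__ == "__main__":
    wire = build_sample()
    out, addrs, opts = firewall_roundtrip(wire)
    print("inner flow:", addrs, "options:", opts, "re-encapsulated identical:", out == wire)
```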
Connecting SD-WAN

• VPN or connect attachment for SD-WAN VPC
• BGP between AWS TGW and SD-WAN routers
• Cisco Catalyst 8000V as SD-WAN router
• Multi-Region via TGW Peering; AWS Cloud WAN support in near future
• Automation: GitHub repo SD-WAN CoR LabInfra

Diagram: same topology (AWS us-west, Host VPC1/VPC2, Shared services VPC with FTDv and GWLB, AWS TGW, AWS SD-WAN VPC with c8k-R1 / c8k-R2).

Site-to-Site over CSP
Site-to-Site over Cloud Service Provider

Key Highlights
• Created in less than 5 minutes using vManage
• Dedicated, global connectivity provisioned via CSP backbone
• Premium, low-latency MPLS-like performance with Pay-as-you-Go model

Customer Benefits
• Reduced provisioning time from months to 5 minutes
• Reduced latency from 560ms to 200ms
• Reduced cost from $10K/mo to $2K/mo

Diagram: Los Angeles and Sydney sites of the SD-WAN Fabric connected across the CSP Backbone.

Supported cloud networking integrations

Multicloud integration: Transit Gateway, Network Connectivity Center, Virtual WAN
Cloud backbone: cloud agnostic backbone
Site-to-Site automated in vManage

Multi Region Fabric solves many Multicloud S2S Challenges

• Intuitive user-defined site grouping, e.g. based on geo
• Finer grouping using sub-regions
• Auto restrict overlay tunnels between regions
• Different topologies per region
• Mix access transports across regions
• Scale up control-plane per region(s)

Diagram: US region and EMEA region, each with ER/branch and BR/regional hub routers, joined through the Core region over an SP/CSP/Private backbone.

Multi Region Fabric simplifies Multicloud Design

Diagram: MRF Region 1 (US West) with Subregion 1 NorCal (San Jose C8kv ER, San Francisco C8kv BR) and Subregion 2 SoCal (San Diego C8kv ER, Los Angeles C8kv BR); the MRF Backbone Area with TGW Peering and VPC Peering between the BRs and the SD-WAN Controllers (vBond, vSmart, vManage, Regional vSmart); MRF Region 2 (US East) with Subregion 1 (NYC, Boston) and Subregion 2 (Orlando, Miami).

Two Key Customer Requirements / use cases:
1. Independent providers in the MRF backbone area for site-to-site communication
2. Easily isolate specific CSP subregions (cities or countries) in emergency case on demand

Terraform Scripts: https://github.com/CiscoDevNet/sdwan-cor-labinfra

Use Case 1: Redundancy / Load Balancing

Details:
• Subregion 1 (SJ) uses by default San Francisco
• Subregion 2 (San Diego) uses LA
• In case of a single backbone failure -> auto failover

Diagram: MRF Region 1 (US West) with the San Jose ER and the San Francisco C8kv BR (101.1.1.1) in Subregion 1, and the San Diego ER and the Los Angeles C8kv BR (103.1.1.1) in Subregion 2; both BRs connect to the MRF Backbone Area.

Border router 1 configuration:
system
 system-ip 101.1.1.1
 site-id 101
 region 1
  subregion 1
 !
 role border-router
 organization-name mrf-multicloud-demo
 vbond 44.227.177.103
!

Route Table Entry on Edge Router for 10.211.1.11 on the “east side”:
Reg1-Sub1-ER1#sh ip ro vrf 10
...
m 10.211.1.11 [251/0] via 101.1.1.1, 06:58:01, Sdwan-system-intf
...
Reg1-Sub1-ER1#

Use Case 1: Redundancy / Load Balancing (failover)

Diagram: the same topology with the San Francisco BR (101.1.1.1) marked failed (X); Subregion 1 traffic now uses the Los Angeles BR (103.1.1.1).

Border router 2 configuration:
system
 system-ip 103.1.1.1
 site-id 103
 region 1
  subregion 2
 !
 role border-router
 organization-name mrf-multicloud-demo
 vbond 44.227.177.103
!

Route Table Entry on Edge Router for 10.211.1.11 on the “east side”:
Reg1-Sub1-ER1#sh ip ro vrf 10
...
m 10.211.1.11 [251/0] via 103.1.1.1, 06:58:01, Sdwan-system-intf
...
Reg1-Sub1-ER1#

Use Case 2: Isolate a subregion with a simple control policy

Diagram: MRF Region 1 (US West) with Subregion 1 (San Jose ER, San Francisco C8kv BR) and Subregion 2 (San Diego ER, Los Angeles C8kv BR); Subregion 1 is cut off (X) by the policy applied on the Regional-vSmart.

policy
 control-policy block-reg1-sub1
  sequence 1
   match route
    region-enhanced region 1
    region-enhanced subregion 1
   !
   action reject
   !
  !
  sequence 2
   match tloc
    region-enhanced region 1
    region-enhanced subregion 1
   !
   action reject
   !
  !
  default-action accept
 !
!
apply-policy
 region 1
  role border-router
   control-policy block-reg1-sub1 out
  !
 !
!

Audit simplifies daily operations
Cloud Audit
• State check vManage vs. Cloud
• Every two hours & on-demand
• Configurable Auto Correct

Demo: Cloud Audit

Cloud Audit compares vManage and Cloud state (For Your Reference)

Two types:
• On-demand
• Periodic – every 2 hours

Can be fixed on GCP with one click:
• Deletion of the hub or the spokes
• Deletion of Google cloud routers
• Deletion of site-to-cloud peering of VPCs mapped to VPNs in vManage
• Deletion of VPC peering of VPCs that are mapped to other VPCs in vManage
• Missing custom routes
• Missing BGP sessions
• Stale BGP sessions

Audit can NOT fix:
• Removal of a cloud gateway or any of its components
• Issues with host VPCs with overlapping CIDRs
• Issues with site-to-site VPCs
• Issues with site-to-cloud VPCs
• Issues with WAN VPCs

App Integration
Creating a bridge between cloud apps and SD-WAN via Google Service Directory

Use Case Summary
• Devops register cloud-based apps at GCP Service Directory (write metadata “traffic”)
• vManage detects cloud-based app automatically
• Netops create SD-WAN policies and ensure required app experience in the network

Diagram: an App registered in the GCP Service Directory with metadata “traffic=video”, reached from a Los Angeles branch over the SD-WAN Fabric; Devops on the cloud side, Netops on the vManage side.

Summary
Call to Action

1. Learn: SD-WAN YouTube Channel
2. Test:
   • Cloud onRamp Sandbox: http://cs.co/CoR-Trial
   • GitHub:
3. Use: SD-WAN Communities

Complete your Session Survey
• Please complete your session survey after each session. Your feedback is important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (open from Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Session Catalog and clicking the “Attendee Dashboard” at
https://www.ciscolive.com/emea/learn/sessions/session-catalog.html

Cisco Cloud OnRamp solves your cloud problems

Automation: Site-to-Site, Site-to-Cloud, Cloud-to-Cloud
Operations: Cloud Audit, Monitoring, Predictions
Security: Cloud Security, SIG, On-Prem
App Performance: Service Directory Integration, Mid-Mile Optimization

Continue Your Education

Visit the Cisco Showcase for related demos.
Book your one-on-one Meet the Engineer meeting.
Attend any of the related sessions at the DevNet, Capture the Flag, and Walk-in Labs zones.
Visit the On-Demand Library for more sessions at ciscolive.com/on-demand.

Thank you
