Brkxar 1003

#CiscoLive
Enterprise End-to-End WAN

Architectures
Rinku Mahecha, Solutions Integration Architect
Sonny Malick, Systems Architect
BRKXAR-1003
#CiscoLive
• Current State WAN
Architecture
• Enterprise Private WAN
• DC to Transport Handoff
SDWAN Optimization
Agenda
•
• End State Architecture

• End-to-End Visibility
BRKXAR-1003 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
4 Enter messages/questions in the Webex space
Webex spaces will be moderated

by the speaker until June 9, 2023. https://ciscolive.ciscoevents.com/ciscolivebot/#BRKXAR-1003
#CiscoLive BRKXAR-1003 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Evolution of
Travel
The Evolution of Travel
• Static path determination • Intelligent route mapping

• No intelligence into real time traffic • Dynamic decision making
• Path determined by Taxi Driver • Driver determines path selection
Current State
Architecture
Where we were before cloud
• Prior to the cloud adoptions enterprises had their DC’s on prem
• Enterprises usually had two DC’s regionally
• DCIs(Data Center Interconnect) built out a point-to-point link
• Traffic was backhauled to the DC
Business
applications Data center Commercial SP Branch
Enterprise Architecture Pre-Cloud
MPLS MPLS
Internet
Internet
Service Provider
Dark fiber
Layer 1
Ethernet P2P
Data center Data center
Business applications Business applications

MPLS MPLS
Internet
Internet
Service Provider
Dark fiber
Layer 1
Ethernet P2P

MPLS MPLS
Internet
Internet
Service Provider
Dark fiber
Layer 1
Ethernet P2P

MPLS MPLS
Internet
Internet
Service Provider
Dark fiber
Layer 1
Ethernet P2P

Cloud adoption
• Services began to move to the cloud both enterprise hosted and SaaS
• Enterprises began leveraging colocations to achieve close connection points to the cloud
• SD-WAN became the primary method of sending branch traffic to the cloud or to DC’s
SD-WAN
Colo
Enterprise Architecture Post-Cloud
Business
applications Cloud provider
Business
Cloud provider applications Region B
Region A
SD-WAN
Commercial SP Commercial SP
Colo
Colo
Service Provider
Dark fiber
Internet Layer 1
Internet
Ethernet P2P
Data center
Data center
Business
Business
Region A
SD-WAN
Colo
Colo
Service Provider
Dark fiber
Internet Layer 1
Internet
Ethernet P2P
Data center
Data center
Business
Business
Region A
SD-WAN
Colo
Colo
Service Provider
Dark fiber
Internet Layer 1
Internet
Ethernet P2P
Data center
Data center
Business
Business
Region A
SD-WAN
Colo
Colo
Service Provider
Dark fiber
Internet Layer 1
Internet
Ethernet P2P
Data center
Data center
Business
Business
Region A
SD-WAN
Colo
Colo
Service Provider
Dark fiber
Internet Layer 1
Internet
Ethernet P2P
Data center
Data center
Business
Business
Region A
SD-WAN
Colo
Colo
Service Provider
Dark fiber
Internet Layer 1
Internet
Ethernet P2P
Data center
Data center
The old way doesn’t make sense
Colo’s effectively became extensions of your DC’s The branch traffic is inefficient
Applications live in the cloud, and in the

SP services are costly
internet as SaaS
What is MPLS
Components of MPLS
Service Protocols
L2 VPN services LDP L2 VPN services (EVPN)
L3 VPN services MP-BGP

Too complex for
MP-BGP
L3 VPN services
most Enterprises
Segment Routing
Transport Protocols
Inter-Domain Traffic Engineering
Inter-Domain MPLS LSP BGP-LU SR-PCE Inter-Domain MPLS LSP
MPLS
Intra-Domain Traffic Engineering Intra-Domain Traffic Engineering

Fast Re-Route RSVP-TE Fast Re-Route
IGP with
Intra-Domain MPLS LSP LDP Intra-Domain MPLS LSP
SR extensions
IP Routing IGP IP Routing
Data-Plane
Label-based forwarding MPLS MPLS Label-based forwarding
LDP: Label Distribution Protocol, MP-BGP: Multi-protocol BGP, BGP-LU: BGP Labeled-Unicast, PCE: Path Computation Element, RSVP-TE: Reservation Protocol Traffic Engineering
Enterprise Next Gen WAN
Business
applications
Business
applications Enterprise WAN
Cloud provider Cloud provider
Region A Region B
Enterprise private Colo

Colo
WAN
Internet
Internet

Business
Business applications
applications
Modern Enterprise WAN Key Requirements
• Layer-3 and Layer-2 connectivity for datacenters
Multi-Tenancy / divisions / datacenters
• Simplified device operation and troubleshooting

Network • Ease of configuration
Simplification • Programmable – full control of application paths
over the network
• High Availability – 50ms protection

Network Availability • High Resiliency / Isolated Failure Domain
• Service Multi-Homing
• High density / high BW Ethernet routers

Speed and Density • Feature richness (SP-like)
• Power efficiency
Cost • Maintain cost efficiency
Enterprise
Private WAN
What does Private WAN means for Enterprises ?
CE
Ent-PE Ent-PE
Service Provider
PE CE
PE
VRF A PE
PE
PE
PE
VRF A VRF B VRF C
Ent-PE
CE
= Service provider WAN = Enterprise WAN E-Line
What is an Enterprise Private WAN
• aka Corporate WAN or Enterprise WAN can consist of a
Enterprise WAN WAN core + Edge + Metro Access
• WAN core: routers and optical
• Enterprise customer-owned
transport to connect high-
and managed network
capacity locations to data
• Connects centers, cloud, internet
• Headquarters, remote WAN • Edge: routing/optical to link
locations, branch offices Core data centers, or peering with
cloud/content providers
• Data Centers Edge
• Metro Access: often used in
• Connects to internet, cloud Metro Access industries/verticals to backhaul
providers or service provider traffic from outdoor/smaller
peering points Enterprise locations to the WAN Core
• Does not include on-prem WAN • Depending on the
enterprise switching requirements, customers can
use one or more of these
solutions
A modern, scalable, secure, simple
alternative to MPLS…
Segment Routing
BRKXAR-1003
What is Segment Routing?
A network program expressed in the packet
• A source node steers a packet
through a controlled set of Payload Segment3 Segment2 Segment1
instructions, called segments

• A segment is locally defined and
executed at a specific location in
the network
• A segment can represent ANY
function – topological or service-
based or user-defined
One Architecture over Two Data Planes
SR-MPLS
• Instantiation of SR on the MPLS data plane
• One segment is encoded with an MPLS label
Segment Routing
SRv6
• Instantiation of SR on the IPv6 data plane
• One or more segments are encoded with an IPv6 address
Protocol Simplification with Segment Routing
Service Protocols
L2 VPN services LDP L2 VPN services (EVPN)

MP-BGP
L3 VPN services MP-BGP L3 VPN services
Segment Routing
Transport Protocols
Inter-Domain Traffic Engineering
Inter-Domain MPLS LSP BGP-LU SR-PCE Inter-Domain MPLS LSP
MPLS
Intra-Domain Traffic Engineering Intra-Domain Traffic Engineering

Fast Re-Route RSVP-TE Fast Re-Route
IGP with
Intra-Domain MPLS LSP LDP Intra-Domain MPLS LSP
SR extensions
IP Routing IGP IP Routing
Data-Plane
Label-based forwarding MPLS MPLS Label-based forwarding
LDP: Label Distribution Protocol, MP-BGP: Multi-protocol BGP, BGP-LU: BGP Labeled-Unicast, PCE: Path Computation Element, RSVP-TE: Reservation Protocol Traffic Engineering
Intent Based Traffic Steering
Simplified intent-based steering, per destination, per flow
Single infrastructure for different SLA and forwarding requirements
Private Cloud
Low Delay
Encrypted
High Bandwidth
DC1
DC2
Segment Routing WAN
How does it work?
Path expressed in the packet header
Data Segment1
Shortest path
Source
Destination
• Segment: instruction a node executes on the incoming packet

• SID → a segment identifier
How does it work?
Path expressed in the packet header
Data Segment1 Segment2 Segment3
Source
Destination
Traffic engineered path
• Segment list: an ordered set of segments
Segment Routing – Making WAN Simple
Modern Enterprise WAN Key Requirements Solutions
VPN
• Layer-3 and Layer-2 connectivity for datacenters • BGP-based L3VPN
Multi-Tenancy / divisions / datacenters • BGP-based L2VPN - Ethernet VPN (EVPN)
• L2VPN - PW / VPLS
Segment Routing (SR)

• Simplified device operation and troubleshooting
• MPLS-proven data-plane or the new IPv6 data-plane
Network • Ease of configuration
• Source routing paradigm - stateless IP fabric
Simplification • Programmable – full control of application paths • Elimination of protocols -> no LDP / RSVP-TE
over the network
• Intent-based SR Traffic Engineering (SR-TE)
• High Availability – 50ms protection SR Topology-Independent Loop Free Alternate (TI-LFA)

• Automated FRR for ANY topology
Network Availability • High Resiliency / Isolated Failure Domain
SRTE Flexible Algorithms for multi-plane designs
• Service Multi-Homing EVPN all-active multi-homing
• High density / high BW Ethernet routers • Carrier-class OS (IOS-XR)

• Fixed / modular 1/10/100/400 Gigabit Ethernet
Speed and Density • Feature richness (SP-like)
platforms
• Power efficiency • Line-rate L2 link encryption (MACSec)
• Leverage CoLocation facilities to build the WAN

Cost • Maintain cost efficiency
• Convenient interconnect to Public Cloud and Internet
Next-Gen Enterprise Private WAN in Carrier
Neutral Facilities
Internet
DC1 DC2
Segment Routing Core built in CoLo Facility
DC to transport
Handoff
Why Handoff between DC and Transport ?
Different requirements between DC and

Domain Isolation
transport
Different tools to automate and operate DC and

Different teams managing DC and transport
transport
DC to transport
handoff options
Supported DC to transport handoff options
VXLAN EVPN ACI Classic L2/L3
Handoff Handoff Handoff
VRF-lite SR-MPLS SRv6 MPLS LDP VRF-lite SR-MPLS SRv6 MPLS LDP VRF-lite SR-MPLS SRv6 MPLS LDP
BGP-3107 BGP-3107 BGP-3107
Transport network Transport network Transport network

Datapath Datapath Datapath
Why SR handoff
from DC?
Current VRF-Lite handoff from DC
• Per VRF Interface and routing protocol session between DC Core or Border Leaf or Border PE and DC-PE
• Automation and scalability are key challenges in this solution due to per VRF routing protocol and sub-interface configuration
• Simple solution to connect DC and transport that allows any type of transport datapath encapsulation (SR-MPLS, LDP or SRv6)
• Supported on all hardware platforms
VXLAN EVPN WAN

VRF-1
or MPLS LDP/SR-MPLS/SRv6
VRF-2
Classic LAN MP-BGP L3 VPN

VRF-n VPNv4/v6
or
VRF-Lite DC-PE PE
ACI
Routing protocol per VRF
Data Center
IP-Handoff
VXLAN EVPN to SR-MPLS transport Handoff
• Single control plane and data plane session instead of per VRF control plane and data plane session
• Addresses automation and scalability challenges of VRF-lite solution
eBGP IPv4 labeled unicast

VXLAN EVPN L3 VPN (BGP VPNv4/VPNv6) WAN
SR-MPLS dataplane
or SR-MPLS
Classic LAN
MP-BGP L3 VPN
or VPNv4/v6
ACI
Data Center Border-PE DC-PE PE
Classic LAN to SR-MPLS transport Handoff
VXLAN EVPN WAN
or SR-MPLS
Classic LAN L3 VPN (BGP VPNv4/VPNv6)
SR-MPLS dataplane
MP-BGP L3 VPN
or VPNv4/v6
ACI
Data Center Core Switch DC-PE PE
ACI to SR-MPLS transport Handoff
VXLAN EVPN WAN
or SR-MPLS
Classic LAN
MP-BGP L3 VPN
or VPNv4/v6
BGP EVPN (Prefix+Color)
ACI SR-MPLS dataplane
Data Center Border Leaf DC-PE PE
Advantages of SR handoff
Unified SR transport Network slicing across transport and DC
Scalable connectivity for edge

Cross-domain visibility
Scalable handoff for multiple VRFs for IOT,
Inter-DC user traffic visibility for transport team
enterprise 5G, private cloud use-cases
Segment Routing WAN with SR handoff from
Data Center
Internet
DC-PE1
BGP AS-200
Border Leaf1
BGP AS-100
eBGP IPv4 labeled
unicast SR Core
BGP EVPN
SR-MPLS dataplane
Border Leaf2
BGP AS-100
Data Center DC-PE2

BGP AS-200
SDWAN
Optimization
SR-Aware
SDWAN
Segment Routing Aware SD-WAN
Intent-Based Per-Flow automated Steering
• SD-WAN and SR integration enables differentiated underlay transport SLAs in the core
• Underlay differentiation for SDWAN, Service Assured SLA
DSCP based steering in SR-TE Policy

WAN Edge router
remarks APP traffic
with DSCP value x
Low Delay
Encrypted
High Bandwidth
Remote Site Data Center
Segment Routing WAN
SD-WAN IPSec Tunnel

SDWAN Middle-
mile Optimization
What is the Middle-Mile?
First Mile Middle-Mile Last Mile

WAN Service, Private Network, ASN CSP Network, ASN or
Internet or Private Private Networks
Networks
Cloud Provider
Interconnect Network
Transport
Local Access Transport

Customer
Premises Colocation / PoP Colocation / PoP
Customer
Premises
Middle-Mile Optimization
Service Provider A Service Provider B Service Provider C
SaaS IaaS
Middle-Mile Network Public Cloud
Customer Colocation / PoP Colocation / PoP

Premises Aggregation Aggregation
Edge Edge
Customer
Premises
Service Provider D Service Provider E
Why Cisco SD-WAN with Middle-Mile Optimization?
Cloud WAN NCC
SaaS IaaS
Public Cloud Public Cloud
Flexibility Reliability
Cloud-to-Cloud All or selective traffic Reliable, high-speed
sent based on type or connectivity between
Site-to-Cloud app sites
Enterprise
Site Security On-demand
Site-to-Site End-to-end encryption Automated connectivity
over middle mile global via vManage central
backbone dashboard
= Cisco SD-WAN router

Cisco SD-WAN Fabric Enterprise Site
= Cisco SD-WAN virtual router hosted at mid-mile provider’s
colocation/PoP
Multi-Region
SDWAN
SDCI and multiple SD-WAN Regions
Cloud WAN NCC
Region 1 Region 1
Site Local POP Direct Connect
Region 2 Direct Peering

Local POP
Region 2
Site
Cisco SD-WAN Fabric
Large Enterprise – Regional Meshing and Gateways
EMEA
USA
Hub/Gateway
Private WAN Backbone APAC
Hub/Gateway
Legend
The Network, without Multi-Region Fabric

SD-WAN Tunnels/TLOCs
SD-WAN GW Inter Region Connectivity SD-WAN GW

OMP/BGP OMP/BGP
Redistribution Redistribution
Middle-mile
Backbone Routing
MPLS INET MPLS INET
Centralized vSmarts
SD-WAN CPE SD-WAN CPE
Legend
SD-WAN Tunnels/TLOCs
Core Region
Border Routers Inter Region Connectivity Border Routers
Microsoft Google
OMP Azure
Middle-mile Cloud OMP
Middle-mile
SD-WAN Tunnels
Backbone Routing
Private Equinix AWS Megaport
WAN
MPLS INET MPLS INET
Distributed vSmarts
Edge Routers Edge Routers
SD-WAN CPE SD-WAN CPE

…with
Access Region1 Multi-Region Fabric Access Region 2
End State
Architecture
R1B1 R1Bn R2B1 R2Bn
End State – Put it Together

SD-WAN
SD-WAN Region 2
Region 1
Internet
A modular architecture
Public Cloud
with SD-WAN in the
access, and WAN core DC1 DC2
in the backbone Segment Routing
WAN Core
SDWAN Core, WAN
Core and Services
Centralized in CoLo
WAN core using

Segment Routing
DC Handoff To
Segment Routing
Multi-Region SDWAN Full-Mesh SDWAN Core Region
SD-WAN SD-WAN
Region 3 Region 4
R4Bn
R3B1
R3Bn R4B1
End-to-End Network
Visibility
How visibility challenges have changed
● Historically, critical apps and services ran in the datacenter
● Customers had full control over the app stack, network and infrastructure
● Leveraged traditional monitoring methods such as SNMP, PCAP, Flow, Logs...
THE WAY IT WAS THE WAY IT IS
CLOUD is the new WAN is the Enterprise SaaS is the new

DataCenter Responsibility App Stack
Solve problems across the network stack
IP Route Selection SR/DMVPN/SDWAN BGP Internet Outages

Pinpoint unexpected paths, Troubleshoot Tunneled Monitor reachability and Detect ISP & BGP routing outages
dropped packets, WAN Connections route changes to your and take corrective action.
congested links. network.
The ThousandEyes Platform
Customer Employee
Modern WAN Digital Experience
Digital Experience
Dashboards Visualizations Reports & Alerts APIs & Integrations
Scale Out – Collective – Algorithmic
Cloud Agent Enterprise Agent Endpoint Agent

External Vantage Points Internal Vantage Points End-user Experience
180+ Cities Around the World Enterprise Data Centers, Branch Offices & VPCs End-User Laptops and Desktops
ISP | Broadband | Cloud Provider Cisco | Docker | JNPR | Linux | MSFT | VMW Apple | Microsoft
End-to-End WAN Visibility
Public Cloud
Branch Office
Private WAN
SaaS Apps
Monitor Branch to
Cloud & SaaS apps
Enterprise Cloud
Agent Agent
Enterprise Data Center
Correlated Visibility Into ALL Networks
Availability, Performance and Change
Branch
Offices
Microsoft
Datacenter
Enterprise WAN Cloud
Use Case: Bidirectional path visibility
• Symptom: Application failovers

occurring due to unknown ephemeral
network issues between HA Sites.
• Co-located Enterprise Agents within
the same Application subnet to
perform Synthetic tests between HA
Failover locations.
• Resolution: We identified a brief
network failure in our WAN links via TE
path-visualization during a service
failover event.
Key Takeaways
• Design for future growth

• Evolving cloud adoption and new traffic patterns are driving new WAN designs
• Leveraging Internet, Cloud, and CoLo are the new fundamentals of every Enterprise Architecture
• Network design should be based on application requirements
• Should be able to cater to all applications – Cloud or On-Prem
• Optimize DC Connectivity
• Consider multi-region SDWAN for a more scalable design
• Visibility is a key component to any network design
• Keep it simple!
Fill out your session surveys!
Attendees who fill out a minimum of four session

surveys and the overall event survey will get Cisco
Live-branded socks (while supplies last)!
Attendees will also earn 100 points in the

Cisco Live Challenge for every survey completed.
These points help you get on the leaderboard and increase your chances of winning daily and grand prizes
#CiscoLive Session ID © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
• Visit the Cisco Showcase
for related demos
• Book your one-on-one

Meet the Engineer meeting
• Attend the interactive education

with DevNet, Capture the Flag,
Continue and Walk-in Labs
your education • Visit the On-Demand Library

for more sessions at
www.CiscoLive.com/on-demand
BRKXAR-1003 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Continue your Education.....
https://www.segment-routing.net/
Preparing for a Successful Segment Routing Deployment - BRKMPL-2135

Monday, Jun 5, 3:00 PM - 4:30 PM PDT
SR IGP Flex-Algo - BRKMPL-2129

Wednesday, Jun 7, 1:00 PM - 2:00 PM PDT
Traffic Engineering with Segment Routing - LTRMPL-2208

Tuesday, Jun 6, 1:00 PM - 5:00 PM PDT
Troubleshooting Segment Routing - BRKMPL-3624

Digital – Recording Available
Next-Generation Service Provider Networking - LABSPG-2004

SRv6 Basics - LABMPL-1201
Walk-in Lab
SRv6 for Next-Generation Transport Networks - BRKMPL-2205

Monday, Jun 5, 1:00 PM - 2:00 PM PDT
Continue your Education.....
Multi-Region Fabric Overview and Principles - BRKENT-2292
Wednesday, Jun 7, 1:00 PM - 2:30 PM PDT
End-to-end visibility and actionable insights using Thousand Eyes, DNAC, ISE and SDWAN. - BRKXAR-3001
Tuesday, Jun 6, 10:30 AM - 12:00 PM PDT
Thousand Eyes from a Network Engineers Perspective. - BRKXAR-2007

Monday, Jun 51:00 PM - 2:00 PM PDT
Thank you
#CiscoLive
Gamify your Cisco Live experience!
Get points for attending this session!
How:
1 Open the Cisco Events App.
2 Click on 'Cisco Live Challenge’ in the side menu.
3 Click on View Your Badges at the top.
4 Click the + at the bottom of the screen and scan the QR code:
#CiscoLive Session ID © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
75
#CiscoLive

Brkxar 1003

Uploaded by

Copyright:

Available Formats

Brkxar 1003

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkxar 1003

Uploaded by

Copyright:

Available Formats

#CiscoLive

Enterprise End-to-End WAN

• End State Architecture

2 Click “Join the Discussion”

4 Enter messages/questions in the Webex space

Webex spaces will be moderated

• Static path determination • Intelligent route mapping

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Business applications Business applications

Applications live in the cloud, and in the

L2 VPN services LDP L2 VPN services (EVPN)

L3 VPN services MP-BGP

Intra-Domain Traffic Engineering Intra-Domain Traffic Engineering

IP Routing IGP IP Routing

Label-based forwarding MPLS MPLS Label-based forwarding

Enterprise private Colo

Data center Data center

• Simplified device operation and troubleshooting

• High Availability – 50ms protection

• High density / high BW Ethernet routers

Cost • Maintain cost efficiency

instructions, called segments

L2 VPN services LDP L2 VPN services (EVPN)

Intra-Domain Traffic Engineering Intra-Domain Traffic Engineering

IP Routing IGP IP Routing

Label-based forwarding MPLS MPLS Label-based forwarding

Segment Routing WAN

• Segment: instruction a node executes on the incoming packet

Data Segment1 Segment2 Segment3

• Segment list: an ordered set of segments

Segment Routing (SR)

• High Availability – 50ms protection SR Topology-Independent Loop Free Alternate (TI-LFA)

• High density / high BW Ethernet routers • Carrier-class OS (IOS-XR)

• Leverage CoLocation facilities to build the WAN

Segment Routing Core built in CoLo Facility

Different requirements between DC and

Different tools to automate and operate DC and

VXLAN EVPN ACI Classic L2/L3

Handoff Handoff Handoff

Transport network Transport network Transport network

VXLAN EVPN WAN

Classic LAN MP-BGP L3 VPN

eBGP IPv4 labeled unicast

Data Center Border-PE DC-PE PE

VXLAN EVPN WAN

Data Center Core Switch DC-PE PE

VXLAN EVPN WAN

Data Center Border Leaf DC-PE PE

Unified SR transport Network slicing across transport and DC

Scalable connectivity for edge

Data Center DC-PE2