
Understanding Cisco's Next Generation SD-WAN Technology
Colin Boland, SE
February 1, 2018
Cisco Connect: Your Time Is Now

© 2017 Cisco and/or its affiliates. All rights reserved. 1


The Branch and WAN Are Being Disrupted!

MORE APPS
• 80% of organizations primarily use public cloud by 2019
• 20-50% increase in enterprise bandwidth per year through 2018

MORE DEVICES
• 10B mobile-connected devices by 2019
• 90% growth in mobile devices from 2014-2018

MORE USERS
• 73% of revenue is generated in the branch
• Up to 50% annual increase in enterprise bandwidth and video adoption
• 80% of employees and customers are served in branch offices

MORE THREATS
• 30B IoT devices connected to the internet by 2020
• 30% of advanced threats will target branch offices by 2016 (up from 5%)

• The traditional WAN / branch market is undergoing a massive disruption


• Customers are consuming more cloud services
• Customers are asking for SD-WAN solutions with virtualized services
The WAN Market Disruption

[Diagram: Multicloud (AWS, Azure, etc.) and the Internet reached through a new ISP-RT, MPLS through the existing MSP-RT; a new Remote Site and the existing Data Center are joined over the WAN]

Transport Independence
• Leverage overlay through existing equipment at data center for transport agnostic redesign
• Replace remote site equipment or leverage overlay

Services Delivery
• Access Cloud Services
• Deploy application aware topologies
• Optimize routing, security, QoS, multicast, services insertion and survivability

Application Policies
• Select test application as candidate for intelligent traffic engineering
• Test blackout and brownout failover scenarios
Why Did Cisco Buy Viptela?

• Cloud-first management with flexible deployment options
• Accelerate key SD-WAN use cases: Cloud-edge and Segmentation
• Sophisticated, but still simple to deploy and operate

Cisco Digital Network Architecture: complements Cisco's Enterprise Networks architecture strategy

Better Together: Leading Routing & SD-WAN Platforms + Cloud-managed & Feature-rich SD-WAN

Together, helping businesses and IT to innovate faster, securing and delivering better customer outcomes, while reducing costs and lowering risk

Goal: Building next generation SD-WAN solutions


Business Driven WAN Infrastructure

APPLICATION POLICIES: Application SLA, Traffic Engineering, Per-Segment Topologies, Secure Perimeter, Cloud Path (IaaS), Cloud Accel (SaaS), Transport Hub
SERVICES DELIVERY PLATFORM: Routing, Security, Segmentation, QoS, Multicast, Svc Insertion, Survivability
TRANSPORT INDEPENDENT FABRIC: Broadband, MPLS, Cellular
Across all layers: Analytics, Monitoring, Operations
Reinventing the WAN - 4 Technical Pillars

• Secure Connectivity
• Flexible (Cloud First) Connectivity
• Application Quality of Experience Services
• Agile Operations

[Diagram: the four pillars Security, Connectivity, Application Services and Operations]


Reinventing the WAN: Security

Embedded Security
• Secure On-Boarding
• Centralized Device Auth-DB
• Scalable Data-Plane Encryption
• Centralized Key Mgmt

Deep Packet Inspection
• App Fingerprinting
• DPI Engine


Reinventing the WAN: Connectivity

• Hybrid WAN: Provider/Transport Agnostic (MPLS, INTERNET, LTE) reaching AWS, Google and the Data Center
• Dynamic Segmentation/VPNs
• Per-VPN Topologies


Reinventing the WAN: Application Services

• Application Visibility: App Fingerprinting, DPI Engine
• Central Orchestration and Control
• Transport SLA Monitoring across LTE, INTERNET and MPLS
• Application Layer Analytics
• Cloud Services Integration
• Application-Aware Routing over the SEN Overlay


Reinventing the WAN: Operations

• Centralized Operations, Distributed Execution
• Centralized Policy Orchestration
• Template-based Configurations
• Zero Touch Provisioning
• Programmatic APIs: Open Object Model, NetConf
• Ad-Hoc Adds/Moves/Changes


Cisco SD-WAN Architecture



Viptela Solution – Key Components

• vBond: On-Boarding and Orchestration
• vEdge Router: The Viptela branch office router
• vSmart Controller: Policy and Service Control Plane
• vManage: management

[Diagram: controllers hosted in the cloud or on the premises network; vEdge routers at the Cloud Data Center, Campus, Branch and Small Office/Home Office]
vBond: ZTP and Orchestration Plane

[Diagram: vManage, vAnalytics and 3rd Party Automation attached via APIs; vBond; vSmart Controllers; vEdge Routers over MPLS, INET and 4G at Cloud, Data Center, Campus, Branch and SOHO sites]

Cisco vBond
• Used for device on-boarding (ZTD/ZTP)
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges


vEdge: The Data Plane (Physical/Virtual)

[Diagram: same component layout, with the vEdge Routers highlighted]

Cisco vEdge
• WAN edge routers
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP) and implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)


vSmart: The Control Plane

[Diagram: same component layout, with the vSmart Controllers highlighted]

Cisco vSmart
• Centralized brain of the solution
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges


Overlay Management Protocol (OMP): Unified Control Plane

[Diagram: vSmart controllers peering with each other and with vEdge routers]

• Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
• Advertises control plane context
• vSmart acts like a Key Server

Note: vEdge routers need no control connections amongst them
Fabric Operation: Fabric Walk-Through

[Diagram: vSmart reaches each vEdge over a DTLS/TLS tunnel and sends OMP Updates; the two vEdges build an IPSec tunnel with BFD across Transport1 and Transport2 (their TLOCs); each vEdge carries VPN1 and VPN2, with subnets A/B and C/D learned via BGP, OSPF, Connected and Static routes]

OMP Update carries:
§ Reachability – IP Subnets, TLOCs
§ Security – Encryption Keys
§ Policy – Data/App-route Policies

Encryption keys and policies are deployed to the vEdges through these OMP Updates.
Secure Segmentation: End-to-End Segmentation

[Diagram: on the ingress vEdge, interfaces and VLANs are mapped into VPN 1, VPN 2 and VPN 3; the VPNs are carried across the SD-WAN IPSec tunnel and mapped back to interfaces and VLANs on the egress vEdge]

Encapsulated packet layout (header sizes in bytes):
IP 20 | UDP 8 | ESP 36 | VPN label 4 | Data …

• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs
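The two segmentation bullets (a per-VPN routing table on every vEdge, and a label that selects the VPN for the destination lookup) are easy to get wrong in an implementation: the destination address must never be allowed to pick the table. The following Go program is an added example, not Viptela or Cisco code, that models an egress vEdge's forwarding step using the header sizes from the slide. The VPN numbers, prefixes and sub-interface names are constructed; VPN 1 and VPN 2 deliberately share the prefix 10.1.0.0/16 to show that overlapping address space in different VPNs is resolved by the label alone.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Header sizes (bytes) of the encapsulated packet as drawn on the slide.
const (
	OuterIPHdr  = 20
	UDPHdr      = 8
	ESPHdr      = 36
	VPNLabelLen = 4
)

// OverlayOverhead is the per-packet cost of the IPSec/UDP overlay plus the VPN label.
func OverlayOverhead() int { return OuterIPHdr + UDPHdr + ESPHdr + VPNLabelLen }

// InnerMTU is the largest service-side packet that fits a transport MTU without fragmenting.
func InnerMTU(transportMTU int) int { return transportMTU - OverlayOverhead() }

// Route is one entry in a VPN routing table; NextHop names a service-side (sub-)interface.
type Route struct {
	Prefix  netip.Prefix
	NextHop string
}

// VPNTables holds one routing table per VPN, keyed by the label carried in the packet.
// Overlapping prefixes in different VPNs are normal: each VPN is a separate address space.
type VPNTables map[uint32][]Route

// Lookup selects the table by VPN label and then does a longest-prefix match. A packet
// can never be forwarded using another VPN's routes because the label, not the
// destination address, chooses the table; an unknown label is dropped, not defaulted.
func (t VPNTables) Lookup(label uint32, dst netip.Addr) (Route, error) {
	routes, ok := t[label]
	if !ok {
		return Route{}, fmt.Errorf("VPN label %d: unknown VPN on this vEdge, dropping", label)
	}
	var best Route
	found := false
	for _, r := range routes {
		if r.Prefix.Contains(dst) && (!found || r.Prefix.Bits() > best.Prefix.Bits()) {
			best, found = r, true
		}
	}
	if !found {
		return Route{}, errors.New("no route for destination within VPN " + fmt.Sprint(label))
	}
	return best, nil
}

// DemoTables builds constructed per-VPN tables for an egress vEdge: VPN 1 and VPN 2 both
// use 10.1.0.0/16 but map to different 802.1Q sub-interfaces (names are made up).
func DemoTables() VPNTables {
	p := netip.MustParsePrefix
	return VPNTables{
		1: {{p("10.1.0.0/16"), "ge0/1.10"}, {p("10.1.5.0/24"), "ge0/1.15"}},
		2: {{p("10.1.0.0/16"), "ge0/1.20"}},
	}
}

func main() {
	t := DemoTables()
	fmt.Printf("overlay overhead: %d bytes, inner MTU on a 1500-byte transport: %d\n",
		OverlayOverhead(), InnerMTU(1500))
	for _, label := range []uint32{1, 2, 3} {
		r, err := t.Lookup(label, netip.MustParseAddr("10.1.5.7"))
		if err != nil {
			fmt.Println("VPN", label, "->", err)
			continue
		}
		fmt.Println("VPN", label, "-> 10.1.5.7 via", r.NextHop, "(", r.Prefix, ")")
	}
}
```

The same destination, 10.1.5.7, leaves on ge0/1.15 for label 1 (the /24 wins the longest-prefix match) and on ge0/1.20 for label 2, while label 3 is rejected because this vEdge has no VPN 3; the overhead figure (68 bytes) is what the service-side MTU must be reduced by to avoid fragmentation on the transport.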
vManage: The Management Plane

[Diagram: same component layout, with vManage highlighted]

Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Supports: REST API, CLI, NETCONF / YANG, SNMP, Syslog


Operations Simplicity and Visibility

• Single Pane Of Glass Operations
• Rich Analytics


SD-WAN Fabric and Capabilities



Zero-Touch Provisioning of the vEdge Router: Identity and Trust

• Embedded Device Identity (vEdge): a TPM chip holds the Identity Cert; the Root Chain establishes vEdge – Controller Trust
• Dynamic Device Identity (vEdge Cloud): an Identity Cert with its Root Chain establishes vEdge Cloud – Controller Trust
Zero Trust Model: Certificate-Based Trust

[Diagram: a Public or Enterprise PKI issues certificates to vManage, vBond, vSmart and vEdge; an Administrator Defined, Signed vEdge List is held by the Controllers]

• Bi-directional certificate-based trust between all elements
• White-list of valid vEdges and controllers
• Certificate serial number as unique identification
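The slide's model has two independent gates: a certificate must chain to the PKI root, and its serial number must appear on the administrator-signed white-list. The second gate is what makes a stolen or mis-issued certificate from the same PKI insufficient on its own. The Go program below is an added example, not Cisco or Viptela code, that shows both gates in order. The root CA, device names and serial numbers are constructed for the example; the "valid chain but unlisted serial" case is the one a controller must reject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fabric is the trust material a controller (vBond/vSmart) holds under the white-list model.
type Fabric struct {
	Roots     *x509.CertPool  // the enterprise (or public) PKI root(s)
	WhiteList map[string]bool // admin-signed list of authorised certificate serial numbers
}

// Authorize admits a peer only when BOTH checks pass: the certificate chains to a trusted
// root, and its serial number is on the administrator-defined white-list.
func (f *Fabric) Authorize(peer *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: f.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if !f.WhiteList[peer.SerialNumber.String()] {
		return errors.New("valid chain but serial " + peer.SerialNumber.String() + " is not white-listed")
	}
	return nil
}

// issueCert signs tmpl with signer; a nil parent produces a self-signed certificate.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemo constructs (all values made up for this example) an enterprise root CA, a vEdge
// certificate whose serial the administrator white-listed, and a second certificate from
// the SAME root whose serial was never added to the list.
func BuildDemo() (fab *Fabric, listed, unlisted *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	root, err := issueCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	// leaf issues a device certificate with the given serial number from the root.
	leaf := func(serial int64, cn string) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		return issueCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}, root, &key.PublicKey, rootKey)
	}
	if listed, err = leaf(1001, "vedge-branch-01 (example)"); err != nil {
		return nil, nil, nil, err
	}
	if unlisted, err = leaf(2002, "vedge-unlisted (example)"); err != nil {
		return nil, nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	fab = &Fabric{Roots: pool, WhiteList: map[string]bool{"1001": true}}
	return fab, listed, unlisted, nil
}

func main() {
	fab, listed, unlisted, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("white-listed vEdge:", fab.Authorize(listed))
	fmt.Println("unlisted serial:  ", fab.Authorize(unlisted))
}
```

Both certificates pass chain validation; only the one whose serial (1001) is on the list is admitted. Checking the white-list after chain validation, as here, means a forged serial on an untrusted certificate never reaches the list lookup, and a revoked or decommissioned device is removed from the fabric by removing its serial from the signed list rather than by waiting for its certificate to expire.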


Zero Touch Provisioning vEdge Walk-through

[Diagram: five numbered steps between the vEdge, the Zero Touch Provisioning Server, the corporate vManage and the Control and Policy Elements, ending in Full Registration and Configuration; the rotated step labels did not survive extraction]

vEdge Assumption:
§ DHCP on Transport Side (WAN)
§ DNS to resolve ZTP server name*

* Factory default configured
Template-Based Configurations: Centralized Device Configuration Enforcement

• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
  - Prevents configuration drift


Application-Centric Network Capabilities

• Per-Session Loadsharing (Active/Active)
• Per-Session Weighted (Active/Active)
• Application Pinning (Active/Standby)
• Application Aware Routing (SLA Compliant)

[Diagram: Hierarchical Multihop Fabric with a Core versus Single-hop Fabric]


Application and Performance Visibility: Deep Packet Inspection

• Embedded Deep Packet Inspection engine – similar to AVC (but not the same)
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector


Embedded Application Recognition: Deep Packet Inspection Engine

[Diagram: the vEdge Router's DPI engine recognises App 1, App 2 … App 3,000 across MPLS, INET and 3G/4G transports between the Cloud Data Center, Data Center, Campus, Branch and Small Office/Home Office]

Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics
Critical Applications SLA: Application Aware Routing

§ Enforce SLA compliant path for applications of interest
§ Other applications will follow fabric routing across all paths

App Aware Routing Policy (vManage, vSmart Controllers): App A path must have:
  latency < 150ms
  loss < 2%
  jitter < 10ms

[Diagram: vEdge1 to vEdge2 over three IPSec tunnel paths: Path 1 Internet, Path 2 MPLS, Path 3 4G LTE]
Path1: 10ms, 0% loss, 5ms latency
Path2: 200ms, 3% loss, 10ms latency
Path3: 140ms, 1% loss, 10ms latency
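The SLA check on this slide is a simple per-path predicate, but two details decide which path App A actually gets: whether each threshold is a strict comparison (the policy is written "jitter < 10ms", so a path reporting exactly 10 ms fails it) and what happens when no path complies. The Go program below is an added example, not Cisco or Viptela code, using the slide's policy and the three path measurements. It assumes the third figure listed for each path is the jitter value the policy's third rule refers to (the slide labels it "latency"), and the fallback of returning every path when none complies, so the application follows ordinary fabric routing rather than being dropped, is this example's choice rather than something the slide states.

```go
package main

import "fmt"

// SLA is an application-aware routing policy as on the slide: every threshold is an
// upper bound and, as written ("latency < 150ms"), a strict comparison.
type SLA struct {
	MaxLatencyMs float64
	MaxLossPct   float64
	MaxJitterMs  float64
}

// PathStats is what probing over one IPSec tunnel reports for a path.
type PathStats struct {
	Name      string
	LatencyMs float64
	LossPct   float64
	JitterMs  float64
}

// Violations lists every SLA criterion the path fails; an empty result means compliant.
// Reporting each failed criterion (not just a boolean) is what an operator needs to
// see in monitoring when a path is pulled from service.
func (s SLA) Violations(p PathStats) []string {
	var v []string
	if !(p.LatencyMs < s.MaxLatencyMs) {
		v = append(v, fmt.Sprintf("latency %.0fms >= %.0fms", p.LatencyMs, s.MaxLatencyMs))
	}
	if !(p.LossPct < s.MaxLossPct) {
		v = append(v, fmt.Sprintf("loss %.1f%% >= %.1f%%", p.LossPct, s.MaxLossPct))
	}
	if !(p.JitterMs < s.MaxJitterMs) {
		v = append(v, fmt.Sprintf("jitter %.0fms >= %.0fms", p.JitterMs, s.MaxJitterMs))
	}
	return v
}

// SelectPaths returns the SLA-compliant paths in the order given, preserving the
// operator's path preference. When no path is compliant, fallback is true and all
// paths are returned so the application follows fabric routing instead of being
// black-holed (this fallback policy is the example's own assumption).
func SelectPaths(s SLA, paths []PathStats) (chosen []PathStats, fallback bool) {
	for _, p := range paths {
		if len(s.Violations(p)) == 0 {
			chosen = append(chosen, p)
		}
	}
	if len(chosen) == 0 {
		return paths, true
	}
	return chosen, false
}

// Policy and measurements from the slide. The third figure per path is assumed to be jitter.
var AppAPolicy = SLA{MaxLatencyMs: 150, MaxLossPct: 2, MaxJitterMs: 10}

var SlidePaths = []PathStats{
	{"Path1 (Internet)", 10, 0, 5},
	{"Path2 (MPLS)", 200, 3, 10},
	{"Path3 (4G LTE)", 140, 1, 10},
}

func main() {
	chosen, fallback := SelectPaths(AppAPolicy, SlidePaths)
	fmt.Println("fallback to fabric routing:", fallback)
	for _, p := range SlidePaths {
		fmt.Printf("%-18s violations=%v\n", p.Name, AppAPolicy.Violations(p))
	}
	for _, p := range chosen {
		fmt.Println("App A may use:", p.Name)
	}
}
```

With the slide's numbers only Path1 is compliant: Path2 fails all three rules and Path3 fails jitter alone, because 10 ms is not strictly below the 10 ms bound. Before relying on the boundary behaviour in production, confirm whether the product treats a threshold as strict or inclusive, since that single comparison decides whether the LTE path is eligible for App A.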
SD-WAN Solution Components
Overview



Cisco vEdge Routers Portfolio Positioning

Segment                    | Throughput  | Platform
Branch/SOHO/SMB            | 100Mb       | vEdge 100 family
Branch/Campus              | 1Gb         | vEdge 1000
Campus/Data Center         | 10Gb        | vEdge 2000
Campus/Data Center         | 20Gb+       | vEdge 5000
NFV, vCPE                  | N x cores   | vEdge Cloud on Greybox or Whitebox
IaaS & Cloud Interconnect  | N x cores   | vEdge Cloud


Scalability Considerations: Orchestration/Control/Management Plane

Orchestration Plane (vBond)
• 2000 vEdges per vBond
• Redundancy: add 1-2 vBonds
• Horizontal scale out model

Management Plane (vManage, multi-tenant or dedicated)
• 2700 vEdges per vManage
• Horizontal scale out model in cluster mode (same DC)

Control Plane (vSmart, containers or VMs)
• 2700 vEdges per vSmart
• Redundancy: add 1-2 vSmarts
• Horizontal scale out model

[Diagram: controllers serving Data Center, Campus, Branch and Home Office sites over 4G/LTE, Internet and MPLS]
SD-WAN Pricing Model
Subscription and Perpetual Elements
1. Subscription license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE.
This cost is dependent on two factors:
• Service bandwidth
• Features

2. Perpetual cost of Cisco SD-WAN CPE element.

Perpetual cost of Cisco SD-WAN CPE hardware + Subscription cost of Cisco SD-WAN software (includes SD-WAN controller + CPE software) = Operational cost of Cisco SD-WAN solution


License Tier Features: License Tiers

[Diagram per tier: SD WAN controllers above a hub with spokes; Plus shows AAR with local Internet breakout and MPLS; Pro adds Dynamic Routing and E2E Segmentation; Enterprise adds Analytics and SaaS onRamp]

Plus
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple only)
• Visibility: DPI for visibility only

Pro
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology
• Internet/Cloud: Cloud onRamp for IaaS
• Policy: Control policy
• Segmentation: 5 VPNs (1+4)
• SLA: Application aware routing (DPI)
• Multicast

Enterprise
• Segmentation: Unlimited
• Internet/Cloud: Cloud onRamp for SaaS
• Analytics: vAnalytics platform
Key Takeaways
• Cisco is the market and technology leader in SD-WAN, combining the
flexibility of Viptela, Meraki, and ISR IOS-XE
• Cisco’s SD-WAN solution (Viptela) is both a cloud and on-prem
(hardware) based solution, offering unmatched capabilities
• Cisco will merge the Viptela and IOS-XE capabilities into a common
ISR 4K-based platform and DNA Center, but the complementary
Viptela core products are here to stay in the foreseeable future
Thank you.
