
Cisco SD-WAN as a Managed Service
BRKRST-2558

Jean-Marc Barozet – Principal Engineer
@jbarozet
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

BRKRST-2558 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• SD-WAN as a Service – Introduction
• Orchestration for MSPs
• NSO, MSX

• Deploying Controllers
- Cloud or On-Prem
- Use NSO/MSX to deploy

• Device On-Boarding
- Global PnP - Bootstrap File
- Use NSO/MSX

• Deploying uCPE
• NFVIS – Use NSO/MSX to deploy

• SD-WAN Virtualized Gateways - Regions


• Key Takeaways

Introduction
Network-as-a-Service: SD-WAN Offering

Figure: Network-as-a-Service SD-WAN offering.
1 End-point flexibility: uCPE, x86 gateways and 3rd-party CPE; transport independent (Internet, 3rd party or 4G/LTE) WAN fabric
2 (SP) Cloud delivered: multi-tenant control, management and orchestration with vManage, vAnalytics and MSX/NSO
3 SD-WAN Gateway in the MSP DC: vManage, vSmart, vBond, NFVI, MSP shared services, NSO, MSX
4 SaaS Cloud Apps
5 IaaS VPC/VNET
Business VPN carried over the WAN fabric
Connectivity and Overlay

Figure: end-to-end SD-WAN with APP level SLA over Internet, MSP MPLS and 4G LTE transports; Business VPN extension over the last mile; middle-mile optimization across the Internet backbone; hosted MPLS extension services over the last mile to sites, hosted services and cloud.

• Transports managed by the SD-WAN MSP, but some or all could also be from another SP(s)
• Expand the Business VPN service over the last mile; the MSP may not own the transport
MSP SD-WAN Architecture

Figure: public Internet and (MSP) middle-mile backbone with shared resources; MSP PE/POPs with inter-region gateways (GW); MSP datacenter hosting the vControllers and MSP cloud; MPLS migration VPN; MPLS and INET transports; sites with legacy CPEs, SD-WAN CPE appliances, and uCPE (ENCS running NFVIS, hosting VNFs on virtual infrastructure).
Steps in Deploying SD-WAN Fabric

1 Deploy management and control plane elements (SP cloud or public cloud)
- Instantiate controller VMs
- Add controllers to the system
- Establish controller identities

2 Deploy SD-WAN fabric nodes (hardware or uCPE)
- Update white-list
- Attach configuration templates
- ZTP / Cloud-Init

3 Control fabric behavior
- Define/activate policies
- Cloud onRamp
- Establish security posture
Smart Account (SA) / Virtual Account (VA)

Figure: PnP Connect Portal; the MSP Smart Account holds one Virtual Account per customer (Customer1, Customer2, Customer3).

Smart Account: the Service Provider centralized account that provides full visibility and access control of Cisco Smart software licenses across customers.

Virtual Account:
• A customer defined construct
• For SD-WAN – mapped to a Customer Overlay
• Created and maintained by the Provider on the Cisco Smart Account Manager
Global Deployment Process Overview
Figure: Cisco Commerce Workspace (ordering, SA/VA, controllers to be deployed) → Smart Account / PnP Connect (org-name, vBond) → PnP Servers → device config using vManage, device provisioning file, automation happens → devices (mapping S/N, vBond) → power up WAN Edge. Customer and Service Provider responsibilities are shown on each side.

1 If hosted, controllers are instantiated by Cisco CloudOps
2 If on-prem, controllers are instantiated by customers, and controller details are added to PnP Connect
Orchestration
MSP Service Orchestration for Cisco SD-WAN
Figure: SP data centers hosting Tenant 1, Tenant 2 and Tenant 3; Managed Services Accelerator (MSX) on top of Network Service Orchestrator (NSO) performs instantiate / configuration / policies for:
1 vControllers
2 uCPE – vBranch (ENCS) with 3rd party VNFs
3 Appliance – vEdge/cEdge
4 SDN-POPs – Gateways (VNF): ASAv, FTDv, vEdge and 3rd party VNFs
5 Cloud Gateways – AWS, Azure
6 PnP Connect Portal
7 Migration – MPLS/SD-WAN
Network APIs - Transactions

• Network Service Orchestrator (NSO)
• Managed Service Accelerator (MSX)

Network API: configure change preview ("dry-run", impact), two-phase all-or-nothing commit, configuration rollback

• Provides a two-phase commit protocol to address distributed network atomicity
• Dry-run and rollback capabilities for changes
Service Orchestration – Various Requirements

1 SD-WAN Native: OSS/BSS → REST → vManage → DTLS / NETCONF → vEdge and cEdge appliances, ENCS (NFVIS)
2 NSO: OSS/BSS → REST/NETCONF → SDWAN CFP on NSO → REST to vManage, NETCONF to ESC (OpenStack) and ENCS (NFVIS) → vEdge / cEdge appliances
3 MSX: OSS/BSS → UI/API → Managed Service Accelerator (MSX) → NSO orchestration → REST to vManage, NETCONF to ENCS (NFVIS) → Cisco SD-WAN router, vEdge appliance
Multi Domain Orchestration is also Required

Figure: OSS/BSS → UI/API → MSX Platform → SD-WAN, Branch mCPE, DNA-C, SP DC Cloud (NFV), Meraki, Umbrella.
MSX: common framework for service integration, catalog, delivery and operation.
NSO Architecture
• Model-driven, end-to-end service lifecycle and customer experience focused
• Seamless integration with northbound tooling
• Loosely-coupled and modular architecture leveraging open APIs and standard protocols
• Orchestration across multi-domain and multi-layer for network-wide, centralized policy and services
• Multivendor abstraction through NEDs
• Multiple interfaces including CLI, REST, Java, Python
NEDs tame multi-vendor complexity

NED: computes the ordered sequence of device-specific commands to go from current to desired state

• Abstracts underlying protocol and data-models
• Normalizes error-handling across vendors
• Eliminates the device adapter problem
• Removes complex device logic from the service logic
Core Function Packs for Cisco NSO

Figure: vBranch Core FP, SDWAN Core FP, SAE Core FP and NFVO Core FP, covering Data Center, Public Cloud, SaaS, Campus / WAN, Branch, Cloud Edge, Internet and Direct Internet Access.

Commercially packaged automation applications for key Cisco use cases (CVDs). Productized, TAC supported.
Core Function Packs can be customized and extended to fit your environment and your design guidelines.
SDWAN Core Function Pack Architecture
Figure: SD-WAN Core Function Pack on top of vBranch Core, with NEDs for PnP, NFVO and vManage. Branch: NETCONF to the VNF Manager (ESC-Lite) on the Virtualized Infrastructure Manager (NFVIS) over compute platforms (ENCS, UCS, CSP). Datacenter or SDN POPs: NETCONF to the VNF Manager (ESC) on the Virtualized Infrastructure Manager (OpenStack – VMware) over compute platforms (servers). REST to vManage.
Using NSO

Figure: OSS/BSS / Portal → NETCONF → NSO with the SDWAN CFP → NETCONF → VNF Manager (ESC). NSO is driven either over NETCONF or from the NSO CLI.
Managed Service Accelerator (MSX)

MSX Platform
• MSX is a Cloud-Native Platform
• The MSX architecture employs:
- Docker Containers
- Kubernetes
- Micro-service framework
- Network Services Orchestrator (NSO)
- Custom Service Templates
- REST APIs
• ... to deliver a rich catalog of Cloud Managed Services

Figure: end-to-end service offering: OSS/BSS and optional MSX user interface → MSX platform services and orchestration engine on Kubernetes → VIM → cloud services, virtual branch x86 and hardware devices.
MSX Pre-Built Service Packs
SD-Branch (vBranch x86 based)

• Allows VNFs to be deployed on "universal CPE" running Cisco NFVIS
• Rich templating capabilities provide custom service chains and device configurations managed simply from the MSX Cloud

Cisco SD-WAN
• Speeds deployment of multi-tenant SD-WAN environments based on Cisco Viptela technology
• Coordinates with vBranch service pack to deploy virtual vEdge on ENCS

Managed Device
• Quickly on-board new devices with Cisco Plug-and-Play technology
• Simply create custom templates for ANY managed service
• Rapidly deploy and manage new devices simply from the MSX Cloud
Cisco SD-WAN powered by MSX
MSX provides multi-tenancy, multi-services, operational simplicity, and scale for many SD-WAN devices… securely from the MSX Cloud

1 MSX provides a multi-tenant, multi-service platform with secure access controls

2 MSX creates and manages SD-WAN Control Planes for 100's of tenants

3 MSX on-boards many SD-WAN Device types for 100's of tenants

4 MSX manages Virtual Branches (ENCS) and Cloud Gateways running SD-WAN services

5 MSX simplifies site provisioning for 100's of tenants (templates and CSV files)

6 MSX provides simplified Self-Service config changes for the most requested SD-WAN services

Deploying Controllers

Controller Tenancy – Single Tenancy
Figure: (No) Tenancy versus Dedicated VPN Tenancy; TenantA and TenantB over MPLS and INET transports, with VPN1 to VPN5 carried per tenant.
Controller Tenancy – Multi-Tenant Control Plane
Multi-Tenant Control Plane
• Multi-Tenant vManage
- Data isolation in the DB
• Multi-Tenant vBond
- Contains white-list for all tenants
• Single-Tenant vSmart
- Containerized vSmarts
- Isolation for the control-plane
• vOrchestrator / vMonitor used for provisioning and monitoring the deployment

Figure: shared vManage and vBond, one vSmart per tenant; TenantA and TenantB sites over MPLS and INET with VPN1 to VPN3 per tenant.
vManage, vBond, vSmart

• Virtual machines running on KVM, VMware ESXi, AWS, Azure
• Separate interfaces for control and management
• Separate VPNs for control and management
- Zone-based security

Figure: vManage, vSmart and vBond attached to the Management Subnet / VPN 512 and to the WAN Subnet / VPN 0, hosted on ESXi, OpenStack, KVM, AWS, MS Azure.
vManage Cluster
• There are various reasons to deploy a vManage cluster, including:
- High availability and redundancy for fault tolerance
- Managing greater than 2000 vEdges
- Distributing NMS service loads
• The vManage cluster consists of at least three vManage devices
• Besides the interfaces used for VPN 0 and VPN 512, a separate dedicated interface will be used for communication between the vManage devices.
• The bandwidth between the vManage devices on this interface should be at least 1 Gbps, and the latency should be less than 5 ms for a small or lab deployment. A 10 Gbps interface is recommended for production.

Figure: vManage cluster nodes on ESXi, KVM, AWS, MS Azure, with VPN512 (out of band), VPN0 (tunnels) and the dedicated cluster interface.
Disaster Recovery for vManage
Figure: Active Cluster in Datacenter1 and Standby Cluster in Datacenter2 connected over MPLS, with an Arbitrator.

• Introduced in 19.2
• vManage scales horizontally using Clustering
- Add more vManage nodes to cluster in DC for Scale and local HA
• Add standby Cluster for Disaster Recovery
Controller Deployment Models
• Cisco Cloud Ops deploys vManage, vSmart and vBond in the Cisco Cloud
• SP Ops Team deploys vManage, vSmart and vBond in the SP Cloud
• Enterprise IT deploys vManage, vSmart and vBond On-prem
Transport Colors and Control Connections
Case 1: Local Color: Public / Controller Color: Public / Use: Public IP (INET transport)
Case 2: Local Color: Private / Controller Color: Public / Use: Public IP (MPLS transport)
Case 3: Local Color: Private / Controller Color: Private / Use: Private IP (MPLS transport)

Figure: NAT sits between the WAN Edge and the controllers in the public-color cases.
Legend: Private IP/Port – private color; Public IP/Port – public color
Cisco Hosted Controllers over Internet
• Recommended mode of deployment
- Spin up controllers in the cloud
- Ease of deployment – Cisco orchestrated
- No On-Prem design considerations
- Easy to scale and to deliver redundancy / HA
• Provide the INET reachability via MPLS PE router to internet
- Leak Controller Public IPs in MPLS
- Do not make it all the way down to the branch router itself
• Control Plane Establishment to Controllers over MPLS and DT PE to Internet

Figure: controllers in a Cisco CloudOps VPC behind 1:1 NAT with public IPs; control plane to the controllers over MPLS and INET, data plane between sites.
On-Prem Controllers Hybrid Deployment
• Controllers can support hybrid Private / Public transport connections
• Private transport using private IPs for communication. Prefix advertised in private domain
• Public transport using public IPs, generally assigned by provider
• Multi-homed WAN Edge capable of supporting both models concurrently

Figure: controllers A, B, C in a DMZ (NAT 1:1), reached by private IP/Port from MPLS and by public IP/Port from INET.
1 vBond Communication
2 vBond Controller List
3 MPLS Edge -> Controller Session
4 Internet Edge -> Controller Session
The ETSI NFV Reference Architecture
Figure: ETSI NFV reference architecture: OSS/BSS; MANO (NFV Orchestrator, VNF Managers, Virtualized Infrastructure Manager); EM 1 to EM 3 with VNF 1 to VNF 3; NFVI = hardware + software: virtual compute, virtual storage and virtual network over the virtualization layer and the hardware resources (compute, storage, network). Cisco mapping: NFVO – Cisco NSO; VNF-M – Cisco ESC; VIM – Cisco VIM.

• NFVI - Network Function Virtualization Infrastructure is the totality of all hardware and software components that build the platform in which VNFs are deployed
• VIM - Virtualized Infrastructure Manager controls and manages the NFVI compute, storage, and network resources. VIM is the NFVI software platform
Cisco NFV Solution Architecture
Figure: Cisco NFV solution stack.
• North Bound APIs
• NFVO, Resource Orchestration & VNF Service Orchestration: NSO – Network Services Orchestrator enabled by Tail-f
• Virtual Network Functions (Cisco and 3rd Party): CSR, ASAv, Ultra, MSX, Video, XRv, vWSA, 3rd Party; VNF Manager: Cisco ESC
• Virtual Infrastructure / VIM: Red Hat OSP with virtual compute (RHEL), virtual storage (Ceph) and virtual network (OVS, VPP, SR-IOV); infrastructure abstraction with RHEL, KVM/Qemu, host packages, vSwitches
• Cisco VIM: API and GUI, lifecycle manager, infrastructure management, monitoring and assurance, unified management
• Cisco Physical Infrastructure: compute (UCS / 3rd party), network (N9k / NCS5k), storage (UCS); optional network VIM (Cisco ACI / Cisco VTS)
• Cisco NFVI
CVIM – POD Types
Full POD
• Typical Use – Core network VNFs and applications in Central DCs
• Scales up to 128 nodes, with a max of 25 storage nodes

Hyper-Converged POD
• Typical Use – Multi-access Edge Computing in Regional DCs
• Scales up to 64 nodes, with a max of 15 hyper-converged nodes

Micro POD
• Typical Use – Latency sensitive applications at Edge locations
• Scales up to 19 nodes, with a max of 16 compute-only nodes

Edge POD (Central Storage Cluster reached over an inter-location network)
• Typical Use – Latency sensitive applications at Edge locations that don't require local persistent storage
• Scales up to 19 nodes, with a max of 16 compute-only ...
Using NSO SDWAN Core Function Pack
Figure: SD-WAN Core / vBranch Core with PnP and NFVO NEDs; NETCONF to the VNF Manager (ESC) on the Virtualized Infrastructure Manager (OpenStack – VMware) over compute platforms (servers) in the datacenter or SDN POPs.
1 Add ESC to NSO Device Tree
2 Spin Up Controllers
SD-WAN Core Function Pack Building Blocks

VNFD: VNF Description
catalog: Catalog – VNFs, Platforms
NDU: vNIC / networks mapping – Service Chaining Definition
device: ENCS and vManage definitions
provider-infra: Create Provider and assign a Catalog and vManage to be added as part of provider infrastructure
sdwan-site: Create uCPE with vEdgeCloud and additional VNFs (including 3rd party)
Add ESC to Device Tree
Payload used (over NETCONF):

<config xmlns="http://tail-f.com/ns/config/1.0">
  <devices xmlns="http://tail-f.com/ns/ncs">
    <device>
      <name>esc1</name>
      <address>10.60.23.200</address>
      <port>830</port>
      <authgroup>esc-auth</authgroup>
      <device-type>
        <netconf>
        </netconf>
      </device-type>
      <state>
        <admin-state>unlocked</admin-state>
      </state>
    </device>
  </devices>
</config>
Create the Provider with root-cert

<config xmlns="http://tail-f.com/ns/config/1.0">
  <provider-infrastructure xmlns="http://com/cisco/corefpcommon">
    <provider>ProviderA</provider>
    <ca-cert xmlns="http://com/cisco/nso/corefp/sdwan/vedge">-----BEGIN CERTIFICATE-----
MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADB5MQswCQYDVQQGEwJVUzEL

[SNIP]

pHYqJD27D4KBakKzDX94fLBQ97Br9XmHrWRatglsUc9Njta1Zr/zNvVJYP7qOg==
-----END CERTIFICATE-----</ca-cert>
    <catalog xmlns="http://cisco.com/ns/branch-infra-common">Gold</catalog>
    <catalog xmlns="http://com/cisco/corefpcommoncatalog">CatalogEsc</catalog>
    <vbond-ipaddress xmlns="http://com/cisco/nso/corefp/sdwan">172.23.80.43</vbond-ipaddress>
    <vbond-port xmlns="http://com/cisco/nso/corefp/sdwan">12345</vbond-port>
    <alias xmlns="http://com/cisco/nso/corefp/sdwan/vedge">ADT Labs Paris</alias>
  </provider-infrastructure>
</config>
NDU – Mapping Controllers vNIC / Network
<config xmlns="http://tail-f.com/ns/config/1.0">
  <ndus xmlns="http://com/cisco/nso/corefp/sdwan">
    <name>sdwan_ESC_vController_ndu</name>
    <!-- vControllers NDU: two networks, two vNICs -->
    <network>
      <name>flat-provider-network</name>
    </network>
    <network>
      <name>private</name>
    </network>
    <nic>
      <id>0</id>
      <!-- eth0 – vpn512 (management) -->
      <network>flat-provider-network</network>
    </nic>
    <nic>
      <id>1</id>
      <!-- ge0/0 – vpn0 (transport) -->
      <network>private</network>
    </nic>
  </ndus>
</config>
Spin up vManage, vBond, vSmart one by one
<config xmlns="http://tail-f.com/ns/config/1.0">
  <sdwan-site xmlns="http://com/cisco/nso/corefp/sdwan">
    <site-name>vmanage-site</site-name>
    <provider>ProviderA</provider>
    <infrastructure>
      <type>esc</type>
      <esc>
        <name>esc1</name>
      </esc>
    </infrastructure>
    <member-vnfs>
      <vnf>esc-vmanage123</vnf>
      <type>vController</type>
      <username>admin</username>
      <password>admin</password>
      <deployment>vManageDeployment</deployment>
      <vnfd>vManage</vnfd>
      <vdu>vManage</vdu>
      <ip>172.23.80.40</ip>
      <mask>255.255.255.0</mask>
      <gtw>172.23.80.1</gtw>
      <host-name>iamvmanage</host-name>
      <day-0>
        <cfg-file>vmanage_day0_template.cfg</cfg-file>
      </day-0>
      <vController>
        <personality>vManage</personality>
        <system-ip>10.10.10.4</system-ip>
        <site-id>720</site-id>
      </vController>
      <ndu>
        <ndu-id>sdwan_ESC_vController_ndu</ndu-id>
        <management>0</management>
      </ndu>
    </member-vnfs>
  </sdwan-site>
</config>
Controllers Provisioning
Value added services provided by Network Service Orchestrator (NSO)

Figure: an external system defines the SDWAN service on the Core FP (SDWAN); NSO drives ESC on OpenStack (virtual device infra), the sdwan Viptela callback activity and the CA.

• 1) Define SDWAN Service payload
• 2) vManage instantiated with day-0 file and added to the device tree
• 3) vBond instantiated with day-0 file and added to vManage
• 4) vSmart instantiated with day-0 file and added to vManage
• 5) Root cert applied and CSRs generated for all controllers
• 6) Manually sign the certificates with the certificate server
• 7) Install the signed certificates using install-certificate action
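The sdwan-site payload shown earlier creates one controller. As an added example (not NSO's or the Core FP's own code), the Python below builds the three sdwan-site payloads for steps 2) to 4) from a small controller inventory and, before anything is committed, checks that the NDU binding resolves and that no system-ip or management IP is used twice. Element names and namespaces are those of the slide payloads; the vBond and vSmart VNF names, host names and system-ips are constructed.

```python
"""Build the NSO SD-WAN Core FP <sdwan-site> payloads that spin up vManage,
vBond and vSmart through ESC, checking them against the NDU first.
Added example, not NSO's or Cisco's code: element names and namespaces are
those of the slide payloads; vBond/vSmart names and system-ips are constructed."""
import xml.etree.ElementTree as ET

NS_CONFIG = "http://tail-f.com/ns/config/1.0"
NS_SDWAN = "http://com/cisco/nso/corefp/sdwan"

# NDU as defined on the slide: nic 0 (eth0, VPN 512) on flat-provider-network,
# nic 1 (ge0/0, VPN 0) on the private network.
NDUS = {
    "sdwan_ESC_vController_ndu": {
        "networks": ["flat-provider-network", "private"],
        "nics": {0: "flat-provider-network", 1: "private"},
    }
}

# Constructed controller set; the vManage row matches the slide payload.
CONTROLLERS = [
    {"personality": "vManage", "site": "vmanage-site", "vnf": "esc-vmanage123",
     "system_ip": "10.10.10.4", "ip": "172.23.80.40", "host": "iamvmanage"},
    {"personality": "vBond", "site": "vbond-site", "vnf": "esc-vbond123",
     "system_ip": "10.10.10.5", "ip": "172.23.80.43", "host": "iamvbond"},
    {"personality": "vSmart", "site": "vsmart-site", "vnf": "esc-vsmart123",
     "system_ip": "10.10.10.6", "ip": "172.23.80.41", "host": "iamvsmart"},
]


def _leaf(parent, tag, text):
    ET.SubElement(parent, tag).text = str(text)


def validate_ndu_binding(ndu_id, mgmt_nic, ndus=NDUS):
    """Fail before commit if <ndu> would reference something NSO cannot
    resolve: the NDU itself, the management nic, or that nic's network.
    Returns the network the management nic lands on (VPN 512 on the slide)."""
    ndu = ndus.get(ndu_id)
    if ndu is None:
        raise ValueError(f"unknown NDU {ndu_id!r}")
    net = ndu["nics"].get(mgmt_nic)
    if net is None:
        raise ValueError(f"NDU {ndu_id!r} has no nic {mgmt_nic}")
    if net not in ndu["networks"]:
        raise ValueError(f"nic {mgmt_nic} maps to undeclared network {net!r}")
    return net


def build_site_payload(ctrl, provider="ProviderA", esc="esc1", site_id=720,
                       ndu_id="sdwan_ESC_vController_ndu", mgmt_nic=0,
                       username="admin", password="admin"):
    """Return the <config> document that creates one controller site."""
    validate_ndu_binding(ndu_id, mgmt_nic)
    p = ctrl["personality"]
    # xmlns is written as a plain attribute so the output keeps the default
    # namespace form of the slides instead of ElementTree's ns0: prefixes.
    config = ET.Element("config", xmlns=NS_CONFIG)
    site = ET.SubElement(config, "sdwan-site", xmlns=NS_SDWAN)
    _leaf(site, "site-name", ctrl["site"])
    _leaf(site, "provider", provider)
    infra = ET.SubElement(site, "infrastructure")
    _leaf(infra, "type", "esc")
    _leaf(ET.SubElement(infra, "esc"), "name", esc)
    vnf = ET.SubElement(site, "member-vnfs")
    for tag, text in (("vnf", ctrl["vnf"]), ("type", "vController"),
                      ("username", username), ("password", password),
                      ("deployment", f"{p}Deployment"), ("vnfd", p), ("vdu", p),
                      ("ip", ctrl["ip"]), ("mask", "255.255.255.0"),
                      ("gtw", "172.23.80.1"), ("host-name", ctrl["host"])):
        _leaf(vnf, tag, text)
    _leaf(ET.SubElement(vnf, "day-0"), "cfg-file", f"{p.lower()}_day0_template.cfg")
    vc = ET.SubElement(vnf, "vController")
    _leaf(vc, "personality", p)
    _leaf(vc, "system-ip", ctrl["system_ip"])
    _leaf(vc, "site-id", site_id)
    ndu = ET.SubElement(vnf, "ndu")
    _leaf(ndu, "ndu-id", ndu_id)
    _leaf(ndu, "management", mgmt_nic)
    return ET.tostring(config, encoding="unicode")


def check_controller_set(controllers):
    """Problems a control plane built from these rows would have: a missing
    personality, or a system-ip / management ip used twice."""
    problems = []
    present = {c["personality"] for c in controllers}
    problems += [f"missing {p}" for p in ("vManage", "vBond", "vSmart") if p not in present]
    for key in ("system_ip", "ip"):
        vals = [c[key] for c in controllers]
        problems += [f"duplicate {key} {v}" for v in sorted({v for v in vals if vals.count(v) > 1})]
    return problems


def build_control_plane(controllers=CONTROLLERS):
    """Payloads in list order (the slide spins up vManage, then vBond, then vSmart)."""
    problems = check_controller_set(controllers)
    if problems:
        raise ValueError("; ".join(problems))
    return [build_site_payload(c) for c in controllers]
```

Each returned string is one NETCONF edit-config body; they are committed one at a time, in order, as the slide title says.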
Add vManage Device into the Device Tree
<devices xmlns="http://tail-f.com/ns/ncs">

  <!-- vManage -->

  <device>
    <name>vmanage-1</name>
    <address>10.60.23.133</address>
    <port>8443</port>
    <authgroup>vmanage-auth</authgroup>
    <device-type>
      <generic>
        <ned-id xmlns:viptela-vmanage-id="http://tail-f.com/ned/viptela-vmanage-id">viptela-vmanage-id:viptela-vmanage</ned-id>
      </generic>
    </device-type>
    <connect-timeout>30</connect-timeout>
    <read-timeout>30</read-timeout>
    <write-timeout>30</write-timeout>
    <trace>raw</trace>
    <ned-settings>
      <viptela-vmanage xmlns="http://tail-f.com/ned/viptela-vmanage/meta">
        <connection>
          <ssl>
            <!-- accept-any: the NED does not verify the vManage TLS certificate (lab setting) -->
            <accept-any/>
          </ssl>
          <api-base-url>/dataservice</api-base-url>
        </connection>
      </viptela-vmanage>
    </ned-settings>
    <state>
      <admin-state>unlocked</admin-state>
    </state>
  </device>
</devices>
Plug and Play Connect Portal
Figure: PnP Connect Portal (https://software.cisco.com/#module/pnp) screenshot with the Smart Account (SA) and Virtual Account (VA) selectors; click here to add On-Prem Controllers.
Single Tenant Mode

Figure: controller profile screenshot; pick Single or Multi Tenant Mode.
MSX creates and manages SD-WAN Control
Planes for 100’s of tenants
Figure: MSX Dashboard managing one control plane per tenant (Tenant1, Tenant2, Tenant3), each with its own vManage, vSmart and vBond.

• MSX creates SD-WAN control plane VMs for each tenant
• MSX provides single-sign-on and RBAC for each tenant
• MSX provides SD-WAN OSS/BSS interface for each tenant
Launch vManage for a specific Tenant
Simply with a single click from MSX
MSX Tenants are simply mapped to Viptela Controllers: vManage, vSmart, vBond.
MSX can cross launch to the vManage for a Viptela tenant with a simple click of a button.
Attach to an existing SD-WAN Control Plane
Tenant1 SD-WAN service up and running: bring Tenant1 under MSX management.

Figure: Tenant1 with its existing vManage, vSmart and vBond. Attach an existing SD-WAN customer to MSX using a simple workflow.
On-Boarding
Hardware Devices
Plug and Play Connect Portal
Figure: PnP Connect Portal (https://software.cisco.com/#module/pnp) screenshot with the Smart Account (SA) and Virtual Account (VA) selectors; click here to manually add devices.
On Boarding using Global PnP - Overview
0 Device added to PnP: through the ordering process, or manually
1 MSX / NSO, using the vManage REST API:
• Device Template Configuration – pushed to vManage
• Instructs vManage to attach templates to selected devices
• Instructs vManage to deploy device configurations
2 The router contacts a DHCP server and receives its IP address from the server. Resolves devicehelper.cisco.com

Figure: MSX, NSO, vManage, the PnP Servers and the WAN Edge over MPLS and INET (steps 3 and 5 appear in the figure only).
Using Bootstrap Config
• Supported on SD-WAN XE only
• DHCP is not enabled on CE to PE link (MPLS transport)
• Upon bootup, SD-WAN XE router will search bootflash: or usbflash: for filename:
- ciscosdwan.cfg (ISR1k, ISR4k, ASR1k)
- ciscosdwan_cloud_init.cfg (ASR1002X)
• Config file (which includes basic interface configuration, Root CA, Organization Name, vBond information, etc.) is fed into the PnP process
• Router has all required information to connect to vBond

Figure: branch router with INET and MPLS transports.

#cloud-boothook
system
 personality vedge
 device-model vedge-C1111-8PLTEEA
 host-name SITE1_ISR1K
 system-ip 10.10.10.10
 site-id 501
 organization-name "CustomerXYZ - 12345"
 console-baud-rate 9600
 vbond 64.1.1.2 port 12346
!
!
!
interface GigabitEthernet0/0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
exit
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/On-Site_Bootstrap_Process_for_SD-WAN_Devices
Notes on CLI Template

• Always create a Device Template (even a basic one) and apply to the device UUID
you want to deploy
• CLI Templates:
• CLI Templates can be attached to vEdge/cEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed

• For cEdge
• vEdge like CLI style with documentation for comparable cEdge configuration
• IOS-XE CLI Template support coming (March CY20)

cEdge Configuration – vManage Interfaces
Figure: vManage interfaces for cEdge configuration.
• Intent-driven workflow: policy, workflows, network design templates
• CFS Yang: Device / Feature Templates
• CLI templates
• NEW – 20.1: Device Yang CLI templates (supports IOSd Yang CLI templates)
• CFS Yang Models → translation → IOS-XE Yang Models
Using NSO – Create Device Template
• Create a Device Template
• Pushed to vManage using vManage NED (REST API)

<sdwan-template xmlns="http://com/cisco/nso/corefp/sdwan/template">
  <id>nso-vedge-branch</id>
  <provider>Provider-Customer1</provider>
  <tenant>SingleTenant</tenant>
  <description>vEdge Branch</description>
  <configuration>system
 host-name {{HOSTNAME}}
 system-ip {{SYSTEM_IP}}
 site-id {{SITE_ID}}
 admin-tech-on-failure
 no route-consistency-check
 sp-organization-name "{{SPORGNAME}}"
 organization-name "{{ORGNAME}}"
 vbond 10.60.23.134
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !

[SNIP]

  </configuration>
  <alias>nso-vedge-branch</alias>
</sdwan-template>
NSO – Attach Device Template
• Attach Device Template to a device using its UUID
• Pushed to vManage using vManage NED (REST API)

<sdwan-apply-template xmlns="http://com/cisco/nso/corefp/sdwan/template">
  <id>vEdgeParis</id>
  <provider>Provider-Customer1</provider>
  <tenant>SingleTenant</tenant>
  <uuid>01ee8315-415d-5030-b58b-ef3db0a63fef</uuid>
  <template>nso-vedge-branch</template>
  <variables>
    <name>HOSTNAME</name>
    <value>vEdgeParis</value>
  </variables>
  <variables>
    <name>SYSTEM_IP</name>
    <value>10.0.0.91</value>
  </variables>
  <variables>
    <name>SITE_ID</name>
    <value>9</value>
  </variables>
  <variables>
    <name>ORGNAME</name>
    <value>ADT Labs Paris</value>
  </variables>
  <variables>
    <name>SPORGNAME</name>
    <value>ADT Labs Paris</value>
  </variables>
</sdwan-apply-template>
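As an added example, not the Core FP's or Cisco's code, the Python below renders the device template from the previous slide with the variables of this payload and builds the sdwan-apply-template document, refusing to attach when a {{placeholder}} has no value or a value has no placeholder (a missing value would otherwise reach the device as literal {{NAME}} text). The template text, variable names, UUID and values are taken from the slides.

```python
"""Render an NSO SD-WAN Core FP device template with its {{VARIABLES}} and
build the matching <sdwan-apply-template> payload, refusing to attach when a
placeholder has no value. Added example, not the Core FP's own code; template
text, variable names, UUID and values are taken from the slides."""
import re
import xml.etree.ElementTree as ET

NS_TEMPLATE = "http://com/cisco/nso/corefp/sdwan/template"
PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")

# Start of the <configuration> body on the "Create Device Template" slide.
TEMPLATE_CONFIG = """system
 host-name {{HOSTNAME}}
 system-ip {{SYSTEM_IP}}
 site-id {{SITE_ID}}
 admin-tech-on-failure
 no route-consistency-check
 sp-organization-name "{{SPORGNAME}}"
 organization-name "{{ORGNAME}}"
 vbond 10.60.23.134
!"""

# Variable values from the "Attach Device Template" slide.
VARIABLES = {"HOSTNAME": "vEdgeParis", "SYSTEM_IP": "10.0.0.91", "SITE_ID": "9",
             "ORGNAME": "ADT Labs Paris", "SPORGNAME": "ADT Labs Paris"}


def placeholders(config):
    """Names of the {{...}} variables the template expects, in first-seen order."""
    return list(dict.fromkeys(PLACEHOLDER.findall(config)))


def check_variables(config, variables):
    """Return (missing, unused). A missing value would reach vManage as the
    literal {{NAME}} text; an unused value is usually a misspelled name."""
    needed, given = set(placeholders(config)), set(variables)
    return sorted(needed - given), sorted(given - needed)


def render(config, variables):
    """Expand the placeholders into the configuration vManage ends up with."""
    missing, _ = check_variables(config, variables)
    if missing:
        raise ValueError(f"no value for {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: variables[m.group(1)], config)


def build_apply_payload(device_id, uuid, template_id, variables, config,
                        provider="Provider-Customer1", tenant="SingleTenant"):
    """Build <sdwan-apply-template> for one device UUID. The variable set is
    checked against the template text first so NSO never commits an attach
    that leaves a half-filled configuration on the device."""
    missing, unused = check_variables(config, variables)
    if missing or unused:
        raise ValueError(f"missing={missing} unused={unused}")
    # xmlns as a plain attribute keeps the slide's default-namespace form.
    root = ET.Element("sdwan-apply-template", xmlns=NS_TEMPLATE)
    for tag, text in (("id", device_id), ("provider", provider), ("tenant", tenant),
                      ("uuid", uuid), ("template", template_id)):
        ET.SubElement(root, tag).text = text
    for name in placeholders(config):  # one <variables> entry per placeholder
        var = ET.SubElement(root, "variables")
        ET.SubElement(var, "name").text = name
        ET.SubElement(var, "value").text = variables[name]
    return ET.tostring(root, encoding="unicode")
```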
MSX - on-board SD-WAN devices
Physical and virtual

• On-board SD-WAN physical devices
• On-board SD-WAN VNFs in virtual branches
• On-board SD-WAN VNFs in the Cloud
• Manage licenses, images, secure mgt tunnels
• Register devices with correct SD-WAN Control Plane for each tenant
• Simple CSV file provisioning

Figure: device families on-boarded from the MSX Dashboard to the SD-WAN Controllers: vEdge 100 / 1000 / 2000 / 5000, ENCS 5000 (x86 vBranch) hosting vEdge, CSR-1000 or ISRv VNFs, ISR 1K, ISR 4K and ASR 1K, across small office or branch, cloud gateway, campus and data center.
MSX provides simple site provisioning using
SD-WAN templates and CSV Files
MSX provisions SD-WAN Templates for 100's of tenants and sites in minutes.

Figure: MSX Dashboard with MSX CSV template provisioning toward Small Office or Branch (ENCS 5000 x86 vBranch with vEdge VNF), Cloud Gateway (vEdge VNF, CSR-1000 VNF), Campus (ISR 1K, ISR 4K, ASR 1K) and Data Center (vEdge 1000, vEdge 2000, vEdge 5000, ISR 4K).

MSX simplifies multi-tenant SD-WAN provisioning from the Cloud: minutes instead of weeks and months.
MSX Device Templates "Blueprints"

• New - Store device templates in MSX inventory and push them to vManage
• Template re-use across tenants
• Pull a vManage template into MSX and then push it as a new template into another vManage
Migrating Legacy Site to SD-WAN

Figure: MSX workflow driven migration of a Managed Device running IOS-XE on the MPLS VPN to an SD-WAN Edge running IOS-XE SD-WAN on the SD-WAN Fabric.
Migrating Legacy Site to SD-WAN
Without Global PnP

Figure: legacy CPE running IOS-XE, connected to the MPLS service.
• Build Device Bootstrap Config and download to IOS-XE router flash
• Reboot: upon bootup, SD-WAN XE router will search bootflash: or usbflash: for filename ciscosdwan.cfg (case sensitive) or ciscosdwan_cloud_init.cfg (ASR1002X); the router comes up as IOS-XE SD-WAN
- ciscosdwan.cfg (ISR1k, ISR4k, ASR1k)
- ciscosdwan_cloud_init.cfg (ASR1002X)

#cloud-boothook
system
 personality vedge
 device-model vedge-C1111-8PLTEEA
 host-name SITE1_ISR1K
 system-ip 10.10.10.10
 site-id 501
 organization-name "CustomerXYZ - 12345"
 console-baud-rate 9600
 vbond 64.1.1.2 port 12346
!
!
!
interface GigabitEthernet0/0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
exit
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
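For the bootstrap file shown here and on the earlier Using Bootstrap Config slide, the Python below is an added checker (not Cisco's PnP code) that parses the file and reports what would stop the router from reaching vBond: a wrong or wrongly cased file name for the platform, a missing system-block key, a shut or unaddressed interface, or no default route. The sample is the slide's bootstrap file; the platform-to-filename table follows the slide text.

```python
"""Parse an IOS-XE SD-WAN bootstrap file and check that it carries what the
router needs to reach vBond before it is copied to bootflash:. Added example,
not Cisco's PnP code; the sample is the bootstrap file shown on the slides and
the file-name rule per platform follows the slide text."""
import re

# Copy of the bootstrap file on the slides (repeated "!" separators dropped).
SAMPLE_CFG = """#cloud-boothook
system
 personality vedge
 device-model vedge-C1111-8PLTEEA
 host-name SITE1_ISR1K
 system-ip 10.10.10.10
 site-id 501
 organization-name "CustomerXYZ - 12345"
 console-baud-rate 9600
 vbond 64.1.1.2 port 12346
!
interface GigabitEthernet0/0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
exit
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
"""

# File name the router searches for on bootflash:/usbflash: (case sensitive).
BOOTSTRAP_FILENAME = {"ISR1k": "ciscosdwan.cfg", "ISR4k": "ciscosdwan.cfg",
                      "ASR1k": "ciscosdwan.cfg",
                      "ASR1002X": "ciscosdwan_cloud_init.cfg"}
# Without these the router cannot identify itself to vBond.
REQUIRED_SYSTEM_KEYS = ("personality", "device-model", "host-name", "system-ip",
                        "site-id", "organization-name", "vbond")
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def is_ipv4(text):
    m = IPV4.match(text)
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def parse_bootstrap(text):
    """Split the file into the system block (key -> value), the interfaces
    with their admin state and address, and the static routes."""
    system, interfaces, routes = {}, {}, []
    section = iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("#", "!")):
            continue
        if line == "system":
            section = "system"
        elif line.startswith("interface "):
            section, iface = "interface", line.split(None, 1)[1]
            interfaces[iface] = {"shutdown": True}
        elif line == "exit":
            section = iface = None
        elif line.startswith("ip route "):
            routes.append(line.split()[2:])
        elif section == "system":
            key, _, value = line.strip().partition(" ")
            system[key] = value.strip('"')
        elif section == "interface":
            words = line.split()
            if words[:2] == ["no", "shutdown"]:
                interfaces[iface]["shutdown"] = False
            elif words[:2] == ["ip", "address"] and len(words) == 4:
                interfaces[iface]["address"], interfaces[iface]["mask"] = words[2:]
    return {"system": system, "interfaces": interfaces, "routes": routes}


def validate_bootstrap(text, filename, platform):
    """Return the list of problems; an empty list means the file is usable.

    Covers what the slides call out: the file name (case sensitive, per
    platform) and the system, interface and route lines the router needs,
    since the MPLS CE-PE link has no DHCP to supply an address."""
    problems = []
    expected = BOOTSTRAP_FILENAME.get(platform)
    if expected is None:
        problems.append(f"unknown platform {platform}")
    elif filename != expected:
        problems.append(f"{platform} looks for {expected!r}, not {filename!r}")
    if not text.startswith("#cloud-boothook"):
        problems.append("missing #cloud-boothook header")
    cfg = parse_bootstrap(text)
    system = cfg["system"]
    problems += [f"system block lacks {k}" for k in REQUIRED_SYSTEM_KEYS if k not in system]
    if system.get("system-ip") and not is_ipv4(system["system-ip"]):
        problems.append("system-ip is not an IPv4 address")
    vbond = system.get("vbond", "").split()
    if vbond and not (len(vbond) == 1 or
                      (len(vbond) == 3 and vbond[1] == "port" and vbond[2].isdigit())):
        problems.append("vbond must be '<address> [port <n>]'")
    if not any(not i["shutdown"] and "address" in i for i in cfg["interfaces"].values()):
        problems.append("no enabled interface with an ip address")
    if not any(r[:2] == ["0.0.0.0", "0.0.0.0"] for r in cfg["routes"]):
        problems.append("no default route toward the PE")
    return problems
```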
Deploying uCPE
Deploying Universal CPE (uCPE)

Figure: Physical Branch (Router, Firewall, Wan Opt and Load Balancer appliances) versus Virtual Branch (the same functions as VNFs on a hypervisor on one server).

Advantages of Virtualized offering
• Flexibility
• Less Devices, more VNFs
• Quick rollout time
• Service Agility
• Efficient Resource Utilization
• Opex savings

Cisco's Virtualization is available for both Traditional Routing as well as SD-WAN routing
Network Services on Any Platform
Cisco’s Virtualization stack

• NSO | MSX: Centralized Orchestration and Management
• Virtual network functions (VNFs): Virtual Router (ISRv, CSR, vEdge), Virtual Firewall (ASAv, NGFWv), Virtual WAN Optimization (vWAAS), Virtual Wireless LAN Controller (vWLC), Third-Party VNFs – consistent, trusted network services across all the platforms
• Network Functions Virtualization Infrastructure Software (NFVIS) – virtualization layer (hypervisor): hardware and software independence
• Hardware platform: Cisco ISR 4K + UCS® E-Series, Cisco® Enterprise Network Compute System (ENCS), Cisco CSP 5000 Series – freedom of choice
NFVIS Software Stack

Figure: NFVIS exposes CLI, NETCONF and REST northbound (used by NSO, DNA-C, a web portal and local device access over SSH). Inside it sit the CLI/WebUI, the PnP agent, health monitoring, orchestration (VM lifecycle), host monitoring, an HTTPS client and RBAC, on top of the virtualization layer (hypervisor and vSwitch), the interface and platform drivers and the Linux drivers.

PnP Agent
• Must automatically configure the WAN interface
• Must download the platform profile

Lifecycle Management (ESC Lite)
• Provides the northbound interface for management/orchestration
• Provides system-level information
• Provides VNF management: create, modify, delete
• Provides the interface to the onboard LAN switch
  - Interface to configure the onboard switch
  - Provides a Cisco CLI wrapper
  - Agnostic to the switch vendor selected
• Performance monitoring of VNFs

Local Device Management (CLI, Web UI, SSH)
• Web GUI interface for management and configuration

Server Monitoring Agent
• Agent to interact with the orchestration system

Drivers, Firmware, and Agents
• NIC and interface drivers
• Optional crypto support
SDWAN Core Function Pack Architecture

Figure: NSO runs the SD-WAN Core function pack alongside the vBranch Core function pack (PnP, NFVO). NSO reaches vManage through a REST NED and the branch NFVIS through a NETCONF NED; NFVIS acts as the Virtualized Infrastructure Manager, with its VNF Manager (ESC-Lite), on the compute platforms (ENCS, UCS, CSP) in the branch.

1) Add the ENCS/NFVIS device to the NSO device tree.
2) Spin up the VMs, including vEdge Cloud or ISRv for SD-WAN.
Networks and Service Chaining Definition

Figure: on the uCPE, the physical WAN ports GE0/0 and GE0/1 (each exposing SR-IOV virtual functions SRIOV-1 and SRIOV-2) back the wan-br bridge with the wan-net and wan-net2 networks. The management port (192.168.1.1) sits on mgmt-br, and int-mgmt-net is the internal management network. The cEdge VNF attaches to wan-net, service-net and int-mgmt-net; the firewall (FW) VNF is chained between service-net and lan-net; lan-net rides lan-br towards the onboard switch (SRIOV-1 to SRIOV-6).
NSO - Network Deployment Unit (NDU)
Mapping vNIC / Network

  ndus sdwan_NFVIS_vEdge_ndu {
    network int-mgmt-net;
    network lan-net;
    network service-net {
      bridge service-br;
    }
    network wan-net;
    nic 0 {
      network wan-net;
    }
    nic 1 {
      network wan-net;
    }
    nic 2 {
      network service-net;
    }
    nic 3 {
      network int-mgmt-net;
    }
  }

vNIC to vEdge interface mapping shown in the figure: nic 0 = eth0 (vpn 512), nic 1 = ge0/0 (wan-net), nic 2 = ge0/1 (service-net), nic 3 = ge0/2 (vpn 511).
NSO vEdge day0 configuration – Example

  vpn 0
   interface ge0/0                 <- NIC1 in the NDU
    ip address ${IP}
    no shutdown
   !
   ip route 0.0.0.0/0 ${GW}
  !
  vpn 512
   interface eth0                  <- NIC0 in the NDU
    ip dhcp-client
    no shutdown
   !
  !
  vpn 511
   interface ge0/2                 <- NIC3 in the NDU, used for NFVIS VM monitoring
    ip address ${NICID_3_IP_ADDRESS}/${NICID_3_CIDR_PREFIX}
    no shutdown
   !

Template file: ./cpe-day0/cfg/vedge_day0_template.cfg
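The NDU and the day-0 template above are two artefacts that must agree: every interface in the template has to ride a NIC the NDU defines, the vpn 0 transport interface must be on the WAN network, and no ${VAR} placeholder may survive rendering, because a half-filled day-0 config is what leaves a VNF unreachable after boot. The following is an added example, not code from the deck or from the NSO function packs: it parses the NDU, renders the template and runs those checks. The interface-to-NIC mapping is the one the slides annotate (eth0 = nic 0, ge0/0 = nic 1, ge0/1 = nic 2, ge0/2 = nic 3); the NDU parser only handles the `nic N { network X; }` shape shown on the slide, and the variable values passed in are made up.

```python
"""Added example (not part of BRKRST-2558 or of Cisco's function packs):
render the vEdge day-0 template and check it against the NDU."""
import re
from string import Template

# Constructed copies of the two slide artefacts.
NDU_TEXT = """\
ndus sdwan_NFVIS_vEdge_ndu {
  network int-mgmt-net;
  network lan-net;
  network service-net {
    bridge service-br;
  }
  network wan-net;
  nic 0 {
    network wan-net;
  }
  nic 1 {
    network wan-net;
  }
  nic 2 {
    network service-net;
  }
  nic 3 {
    network int-mgmt-net;
  }
}
"""

DAY0_TEMPLATE = """\
vpn 0
 interface ge0/0
  ip address ${IP}
  no shutdown
 !
 ip route 0.0.0.0/0 ${GW}
!
vpn 512
 interface eth0
  ip dhcp-client
  no shutdown
 !
!
vpn 511
 interface ge0/2
  ip address ${NICID_3_IP_ADDRESS}/${NICID_3_CIDR_PREFIX}
  no shutdown
 !
"""

# Slide annotation: which NDU nic each vEdge interface rides on.
IFACE_TO_NIC = {'eth0': 0, 'ge0/0': 1, 'ge0/1': 2, 'ge0/2': 3}


def parse_ndu_nics(text):
    """Return {nic_index: network} from the 'nic N { network X; }' entries."""
    pairs = re.findall(r'nic\s+(\d+)\s*\{\s*network\s+([\w-]+);', text)
    return {int(index): network for index, network in pairs}


def render_day0(template, values):
    """Substitute ${VAR} placeholders and refuse to return a config that
    still carries one, so an incomplete day-0 never reaches the VNF."""
    rendered = Template(template).safe_substitute(values)
    leftover = re.findall(r'\$\{[^}]*\}', rendered)
    if leftover:
        raise ValueError(f'unresolved placeholders: {leftover}')
    return rendered


def template_interfaces(template):
    """(vpn, interface) pairs in the order they appear in the template."""
    pairs, vpn = [], None
    for line in template.splitlines():
        if line.startswith('vpn '):
            vpn = int(line.split()[1])
        elif line.strip().startswith('interface '):
            pairs.append((vpn, line.strip().split()[1]))
    return pairs


def check_mapping(template, ndu_text):
    """Every template interface must map to a nic that exists in the NDU,
    and the vpn 0 (transport) interface must sit on wan-net."""
    nics = parse_ndu_nics(ndu_text)
    problems = []
    for vpn, iface in template_interfaces(template):
        nic = IFACE_TO_NIC.get(iface)
        if nic is None or nic not in nics:
            problems.append(f'{iface}: no NDU nic')
        elif vpn == 0 and nics[nic] != 'wan-net':
            problems.append(f'{iface}: vpn 0 on {nics[nic]}, expected wan-net')
    return problems


if __name__ == '__main__':
    print(check_mapping(DAY0_TEMPLATE, NDU_TEXT))           # [] when consistent
    print(render_day0(DAY0_TEMPLATE, {'IP': '10.60.23.20/24', 'GW': '10.60.23.254',
                                      'NICID_3_IP_ADDRESS': '192.168.1.2',
                                      'NICID_3_CIDR_PREFIX': '24'}))
```

Run the checks in the orchestration pipeline before the VNF is instantiated: a template that references a nic the NDU does not define, or a vpn 0 interface that lands on service-net, is cheaper to catch here than after the branch has been shipped.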

NSO SD-WAN Site

One sdwan-site service instance: (1) the site and its NFVIS infrastructure, (2) the vEdge Cloud member VNF, (3) a generic ASAv member VNF chained on the same uCPE.

  sdwan-site Paris {
    provider ProviderA;
    location {
      name Paris;
    }
    infrastructure {
      type nfvis;
      nfvis {
        nfvis-serial FGL214280GD;
        shared-branch-office;
        branch-office UCPE1;
        device-on-boarding pnp-unmanaged;
        nfvis-device-name UCPE1;
      }
    }
    member-vnfs vEdgeCloudParis {
      type vEdge-cloud;
      username admin;
      password admin;
      ip 10.60.23.14;
      mask 255.255.255.0;
      gtw 10.60.23.254;
      day-0 {
        cfg-file vedge_day0_template.cfg;
      }
      vedge-cloud {
        system-ip 10.8.0.83;
        site-id 10;
      }
      ndu {
        ndu-id sdwan_NFVIS_vEdge_ndu;
      }
    }
    member-vnfs asav1 {
      type generic;
      deployment ASA-Unmanaged;
      vnfd vBranch-ASA-1.0;
      vdu ASA;
      username admin;
      password admin;
      sec-password admin;
      ip 192.168.1.2;
      mask 255.255.255.0;
      gtw 192.168.1.254;
      ndu {
        ndu-id sdwan_NFVIS_asa_ndu;
      }
    }
  }

The admin/admin values for username, password and sec-password are slide placeholders for the VNF day-0 accounts; in a deployment they are per-tenant secrets supplied by the orchestrator, not shared lab defaults.
NSO - On Boarding ENCS/NFVIS
NSO with the vBranch Function Pack, with Zero Touch Provisioning

Figure: NSO hosts the PnP server and the Core FP (vBranch); the branch NFVIS carries the PnP and VNFM agents and the WAN edge.

1) ENCS boots and creates the basic network infrastructure.
2) NFVIS registers to NSO using PnP: IP + serial + model + capabilities.
3) NFVIS is registered in NSO.
4) NSO connects to the branch NFVIS (NETCONF).
5) ENCS/NFVIS is on-boarded in NSO.
vEdge Cloud Provisioning / Activation
NSO with the SDWAN Function Pack

Figure: NSO runs the Core FP (vBranch) and the Core FP (SDWAN-SITE); vManage and the control and policy elements sit above, the ENCS with its WAN edge VNF and virtual networks below.

1) Define the SD-WAN service on the ENCS (VNF and chaining).
2) Get the unclaimed vEdge Cloud router list from vManage, and get the bootstrap configuration file (cloud-init config file), which contains a cloud-config section (bootstrap parameters) and a cloud-boothook section (day-0 configuration).
3)/4) VNFs are instantiated and loaded with the bootstrap configuration cloud-init file; VNFs are chained if requested.
5)-7) Full registration and configuration of the WAN edge with the control and policy elements.
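Both the ISR1k ciscosdwan.cfg slide and the vEdge Cloud flow above hand the router a cloud-init file whose cloud-boothook carries the day-0 identity (system-ip, site-id, organization-name, vBond). That identity decides which control plane the device joins, so an MSP pipeline that stages files for many tenants should verify it against the tenant before the file is copied to bootflash:. The following is an added example, not code from the deck or from Cisco: it splits such a file into its cloud-config and cloud-boothook sections, parses the system block and checks it. The MIME wrapper and the vinitparam key names (otp, vbond, uuid, org) are assumptions modelled on vManage-generated files; the boothook body is the slide's ISR1k example and the whole sample is constructed.

```python
"""Added example (not from BRKRST-2558 or from Cisco): split a cloud-init
bootstrap file into its sections and verify the day-0 identity."""
import email
import shlex

# Constructed sample (not a real vManage export): one cloud-config part and
# one cloud-boothook part inside a multipart/mixed container.
SAMPLE_BOOTSTRAP = """\
Content-Type: multipart/mixed; boundary="==BOUNDARY=="
MIME-Version: 1.0

--==BOUNDARY==
Content-Type: text/cloud-config; charset="us-ascii"

#cloud-config
vinitparam:
 - otp : 0123456789abcdef0123456789abcdef
 - vbond : 64.1.1.2
 - uuid : C1111-8PLTEEA-FGL0000000X
 - org : CustomerXYZ - 12345
--==BOUNDARY==
Content-Type: text/cloud-boothook; charset="us-ascii"

#cloud-boothook
system
 personality vedge
 device-model vedge-C1111-8PLTEEA
 host-name SITE1_ISR1K
 system-ip 10.10.10.10
 site-id 501
 organization-name "CustomerXYZ - 12345"
 console-baud-rate 9600
 vbond 64.1.1.2 port 12346
!
interface GigabitEthernet0/0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.10.1
--==BOUNDARY==--
"""


def split_sections(text):
    """Return {'cloud-config': body, 'cloud-boothook': body}, keyed by the
    '#cloud-...' marker that opens each MIME part."""
    sections = {}
    for part in email.message_from_string(text).walk():
        if part.get_content_maintype() == 'multipart':
            continue
        lines = part.get_payload().strip().splitlines()
        if lines and lines[0].strip() in ('#cloud-config', '#cloud-boothook'):
            sections[lines[0].strip()[1:]] = part.get_payload()
    return sections


def parse_vinitparam(cloud_config):
    """Read the ' - key : value' lines of the vinitparam list (key names assumed)."""
    params = {}
    for line in cloud_config.splitlines():
        if line.startswith(' - ') and ' : ' in line:
            key, _, value = line[3:].partition(' : ')
            params[key.strip()] = value.strip()
    return params


def parse_system_block(boothook):
    """Collect the indented lines under 'system' into {command: arguments};
    shlex keeps the quoted organization-name as a single value."""
    params, inside = {}, False
    for line in boothook.splitlines():
        if line.strip() == 'system':
            inside = True
            continue
        if inside:
            if not line.startswith(' '):
                break                      # '!' or the next top-level command ends the block
            key, *args = shlex.split(line)
            params[key] = ' '.join(args)
    return params


def check_identity(sections, expected_org, expected_vbond):
    """Return (system block, list of problems). organization-name and vBond
    decide which controllers the router will try to join, so a file whose
    identity does not match the tenant must not be loaded."""
    system = parse_system_block(sections['cloud-boothook'])
    vinit = parse_vinitparam(sections['cloud-config'])
    problems = [f'missing {key}' for key in ('system-ip', 'site-id', 'organization-name', 'vbond')
                if key not in system]
    if system.get('organization-name') != expected_org:
        problems.append('organization-name mismatch')
    if system.get('vbond', '').split()[:1] != [expected_vbond]:
        problems.append('vbond mismatch')
    if vinit.get('org') != system.get('organization-name'):
        problems.append('cloud-config org differs from boothook organization-name')
    if not system.get('site-id', '').isdigit():
        problems.append('site-id is not numeric')
    return system, problems


if __name__ == '__main__':
    block, problems = check_identity(split_sections(SAMPLE_BOOTSTRAP),
                                     'CustomerXYZ - 12345', '64.1.1.2')
    print(block, problems or 'identity OK')
```

The expected organization name and vBond address come from the tenant record in the orchestrator, never from the file itself; the check is only useful if those two values are taken from an independent source.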

Loading 3rd VNF
NSO with the vBranch Function Pack

Figure: NSO sends an XML payload (VNF definitions, network definitions) from the Core FP (vBranch) to the PnP and VNFM agents on the ENCS running NFVIS.

1) NSO registers the VNF with NFVIS.
2) NFVIS pulls the VNF images / local preparation.
3) NSO instructs NFVIS to deploy the networks and the VNF.
4) NFVIS deploys the VNF, loads the day-0 config and sets up local VNF monitoring.
5) NFVIS notifies NSO that the VNF is active (VM loaded).

Note: VNFs are loaded in parallel.
MSX - On Boarding ENCS/NFVIS
With Zero Touch Provisioning via Cisco Plug and Play Connect

Massive savings in OPEX and logistics:
• No need for device pre-staging
• No day-1 configs required for devices
• Simply ship clean devices to sites

1) The uCPE is shipped with no pre-staged config and calls home to the Internet PnP service, devicehelper.cisco.com.
2) Plug and Play Connect redirects the device to the MSX PnP server on the MSX platform.
3) MSX applies the service chain and the uCPE joins the managed uCPEs.

The redirect only works for a device whose serial number is registered in the Plug and Play Connect portal against the MSP's controller profile, so that registration is part of the shipping workflow.
Examples of MSX vBranch Service Templates
• Dual WAN links
• Protected with a firewall
• Add a Linux server
Virtualized Gateways

Multi-Region Overlay

Figure: two MSP POPs (shared resources) connected by the MSP middle-mile backbone, each with a PE router and a virtualized gateway (GW). Branches reach their regional POP over MPLS and Internet (INET) transports: legacy CPEs attach through the MPLS VPN, SD-WAN CPEs (appliances, or VNFs on ENCS/NFVIS uCPE) attach to both transports, and the public Internet is a shared transport.

• Support regional meshing for optimal connectivity
• Support remote-region connectivity through gateways
• Provide redundant gateway connectivity
SDN-POPs – Hosting Virtualized Gateways

• Rack of servers running a VIM, usually OpenStack
• Virtualized gateways (vEdge Cloud or CSR1000v SD-WAN) per customer overlay
• Orchestration/automation from MSX/NSO

Figure: one virtual infrastructure on the physical infrastructure behind the POP PEs, carrying a separate overlay per customer (Customer1, Customer2, ... CustomerN).
SDWAN Core Function Pack Architecture
SD-WAN Core Function Pack with ESC

Figure: NSO runs the SD-WAN Core function pack alongside the vBranch Core function pack (PnP, NFVO), with ESC in the NSO device tree reached over a NETCONF NED. ESC acts as the VNF Manager over the Virtualized Infrastructure Manager (OpenStack or VMware) on the compute platforms (servers) in the datacenter or SDN POPs, and spins up vEdge Cloud / CSR1000v, optionally with a 3rd-party VNF such as a firewall.
SD-WAN Site

The callouts on the slide mark (1) the site and its ESC infrastructure and (2) the member VNF:

  <config xmlns="http://tail-f.com/ns/config/1.0">
    <sdwan-site xmlns="http://com/cisco/nso/corefp/sdwan">
      <site-name>pdx-58</site-name>
      <provider>ProviderA</provider>
      <tenant>SingleTenant</tenant>
      <infrastructure>
        <type>esc</type>
        <esc>
          <name>esc1</name>
          <vim-tenant>sd-wan</vim-tenant>
        </esc>
      </infrastructure>
      <member-vnfs>
        <vnf>esc-cedge</vnf>
        <type>vedge-CSR-1000v</type>
        <deployment>cEdgeESCDeployment</deployment>
        <vnfd>cEdge-Openstack</vnfd>
        <vdu>cEdge-Openstack</vdu>
        <username>admin</username>
        <password>admin</password>
        <ip>10.195.72.195</ip>
        <mask>255.255.255.0</mask>
        <gtw>10.195.72.1</gtw>
        <day-0>
          <cfg-file>cedgeCSR_day0_template.cfg</cfg-file>
        </day-0>
        <vedge-CSR-1000v>
          <system-ip>25.25.23.17</system-ip>
          <site-id>6599</site-id>
        </vedge-CSR-1000v>
        <ndu>
          <ndu-id>sdwan_ESC_cEdge</ndu-id>
          <management>0</management>
        </ndu>
      </member-vnfs>
    </sdwan-site>
  </config>
Multi-Region Overlay
Definitions and Dependencies

• Site-ID assignment allowing for site identification (32 bits):

  Continent  Country  Site number
  X          YYY      ZZZZ
  1-7        1-999    1-9999

  Example: Europe (5), France (046), site 1000 -> site-id 50461000

• No "Region" parameter is available in the overlay
• The Site-ID is therefore used to carry the region number
OMP Route Types and Prominent Attributes

Figure: vSmart exchanges OMP routes and TLOC routes with the vEdges over the MPLS and INET transports.

OMP routes (vRoutes)
• TLOC
• Site-ID
• Label
• VPN-ID
• Tag
• Preference
• Origin: Protocol (Connected, Static, Dynamic OSPF/BGP) and Origin Metric
• Service

TLOC routes
• System-IP
• Site-ID
• Encap-Auth
• Public IP/Port
• Private IP/Port
• Tag
• Preference
• Weight
Control Policy Case Study
Reachability Information Distribution Requirements

US region
  Inbound TLOC advertisement: US region (all colors), US gateways, EMEA gateways, APAC gateways (all colors)
  Outbound TLOC advertisement: US gateways (all colors)
  Inbound vRoute advertisement: US region (original NH), EMEA region (EU GW NH), APAC region (APAC GW NH)
  Outbound vRoute advertisement: US region (US GW NH)

EMEA region
  Inbound TLOC advertisement: EMEA region (all colors), EMEA gateways, US gateways, APAC gateways (all colors)
  Outbound TLOC advertisement: EMEA gateways (all colors)
  Inbound vRoute advertisement: EMEA region (original NH), US region (US GW NH), APAC region (APAC GW NH)
  Outbound vRoute advertisement: EMEA region (EU GW NH)

APAC region
  Inbound TLOC advertisement: APAC region (all colors), APAC gateways, EMEA gateways, US gateways (all colors)
  Outbound TLOC advertisement: APAC gateways (all colors)
  Inbound vRoute advertisement: APAC region (original NH), EMEA region (EU GW NH), US region (US GW NH)
  Outbound vRoute advertisement: APAC region (APAC GW NH)

Inbound is what the sites in a region receive from vSmart; outbound is what the region exposes to the other regions. NH = next hop.
Control Policy - Lists (For Your Reference)

  policy
   lists
    site-list US_branch_sites
     site-id 60010000-60018999
    !
    site-list US_gateway_sites
     site-id 60019000-60019999
    !
    site-list EMEA_branch_sites
     site-id 50010000-50338999
     site-id 50340000-59999999
    !
    site-list EMEA_gateway_sites
     site-id 50339000-50339999
    !
    site-list APAC_branch_sites
     site-id 30010000-30668999
     site-id 30670000-39999999
    !
    site-list APAC_gateway_sites
     site-id 30669000-30669999
    !
    tloc-list US_gateway_tlocs
     tloc 1.1.1.1 color mpls encap ipsec preference 100
     tloc 1.1.1.1 color biz-internet encap ipsec preference 100
     tloc 2.2.2.2 color mpls encap ipsec preference 50
     tloc 2.2.2.2 color biz-internet encap ipsec preference 50
    !
    tloc-list EMEA_gateway_tlocs
     tloc 3.3.3.3 color mpls encap ipsec preference 100
     tloc 3.3.3.3 color biz-internet encap ipsec preference 100
     tloc 4.4.4.4 color mpls encap ipsec preference 50
     tloc 4.4.4.4 color biz-internet encap ipsec preference 50
    !
    tloc-list APAC_gateway_tlocs
     tloc 5.5.5.5 color mpls encap ipsec preference 100
     tloc 5.5.5.5 color biz-internet encap ipsec preference 100
     tloc 6.6.6.6 color mpls encap ipsec preference 50
     tloc 6.6.6.6 color biz-internet encap ipsec preference 50
    !
   !
  !
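The site-id ranges in these lists are not arbitrary: they are the X YYY ZZZZ scheme from the "Multi-Region Overlay" slide, with continent 6 = US, 5 = EMEA, 3 = APAC, and site numbers 9000-9999 in one country of each continent (001, 033, 066) reserved for the regional gateways. The following is an added example, not code from the deck: it encodes and decodes site-ids per that scheme, regenerates the site-list ranges above from it, and classifies any site-id into region and role. The gateway convention is read off the lists (for instance US_gateway_sites 60019000-60019999); the decoder also rejects values outside the 32-bit OMP site-id.

```python
"""Added example (not from BRKRST-2558): the X YYY ZZZZ site-id scheme and
the vSmart site-list ranges derived from it."""

GATEWAY_SITES = range(9000, 10000)   # site numbers reserved for gateways (from the lists)

# Regions as the deck's policy lists define them: continent digit and the
# country whose 9000-9999 block hosts the regional gateways.
REGIONS = {'US': (6, 1), 'EMEA': (5, 33), 'APAC': (3, 66)}


def encode_site_id(continent, country, site):
    """Continent 1-7, country 1-999, site number 0-9999 -> decimal site-id.
    The slide numbers sites from 1, but the list ranges start at 0000, so
    0 is accepted here. Example: Europe 5, France 046, site 1000 -> 50461000."""
    if not (1 <= continent <= 7 and 1 <= country <= 999 and 0 <= site <= 9999):
        raise ValueError('site-id field out of range')
    return continent * 10_000_000 + country * 10_000 + site


def decode_site_id(site_id):
    """Inverse of encode_site_id; the OMP site-id is a 32-bit value."""
    if not 0 < site_id < 2 ** 32:
        raise ValueError('site-id outside the 32-bit range')
    continent, rest = divmod(site_id, 10_000_000)
    country, site = divmod(rest, 10_000)
    return continent, country, site


def site_lists(continent, gateway_country, last_country=999):
    """Return (branch ranges, gateway range) in vManage 'a-b' notation for
    one region: everything in the continent except the gateway block is a
    branch. last_country=1 reproduces the deck's single-country US lists."""
    first = encode_site_id(continent, 1, 0)
    gw_lo = encode_site_id(continent, gateway_country, GATEWAY_SITES.start)
    gw_hi = encode_site_id(continent, gateway_country, GATEWAY_SITES.stop - 1)
    branches = [f'{first}-{gw_lo - 1}']
    if gateway_country < last_country:
        branches.append(f'{gw_hi + 1}-{encode_site_id(continent, last_country, 9999)}')
    return branches, f'{gw_lo}-{gw_hi}'


def classify(site_id):
    """Map a site-id to (region, 'branch' | 'gateway'), or None when the
    continent digit belongs to no region the policy knows."""
    continent, country, site = decode_site_id(site_id)
    for name, (region_continent, gateway_country) in REGIONS.items():
        if region_continent != continent:
            continue
        is_gateway = country == gateway_country and site in GATEWAY_SITES
        return name, 'gateway' if is_gateway else 'branch'
    return None


if __name__ == '__main__':
    print(encode_site_id(5, 46, 1000))          # 50461000, the slide's example
    print(site_lists(6, 1, last_country=1))     # US lists
    print(site_lists(5, 33))                    # EMEA lists
    print(site_lists(3, 66))                    # APAC lists
    print(classify(50461000), classify(30669999))
```

Generating the lists from the scheme, rather than typing the ranges, is what keeps a gateway site from silently falling into a branch range when a new country or POP is added; the classify function is the same check a site-onboarding pipeline can run on the site-id it is about to assign.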

Control Policy – TLOC - Applied to US Sites (For Your Reference)

Policy logic
• Sequence 10: advertise US branch TLOCs
• Sequence 20: advertise US GW TLOCs
• Sequence 30: advertise EMEA GW TLOCs
• Sequence 40: advertise APAC GW TLOCs
• Default: drop (EMEA and APAC branch TLOCs never reach US sites, so US branches do not attempt direct cross-region tunnels)

  policy
   control-policy US_DOMAIN
    sequence 10
     match tloc
      site-list US_branch_sites
     !
     action accept
     !
    !
    sequence 20
     match tloc
      site-list US_gateway_sites
     !
     action accept
     !
    !
    sequence 30
     match tloc
      site-list EMEA_gateway_sites
     !
     action accept
     !
    !
    sequence 40
     match tloc
      site-list APAC_gateway_sites
     !
     action accept
     !
    !
Control Policy – Routes - Applied to US Sites (For Your Reference)

Policy logic (same control-policy US_DOMAIN, continued)
• Sequence 50: advertise US branch routes
• Sequence 60: advertise US GW routes
• Sequence 70: advertise EMEA branch routes with NH of EMEA GW
• Sequence 80: advertise EMEA GW routes
• Sequence 90: advertise APAC branch routes with NH of APAC GW
• Sequence 100: advertise APAC GW routes

    sequence 50
     match route
      site-list US_branch_sites
     !
     action accept
     !
    !
    sequence 60
     match route
      site-list US_gateway_sites
     !
     action accept
     !
    !
    sequence 70
     match route
      site-list EMEA_branch_sites
     !
     action accept
      set
       tloc-list EMEA_gateway_tlocs
      !
     !
    !
    sequence 80
     match route
      site-list EMEA_gateway_sites
     !
     action accept
     !
    !
    sequence 90
     match route
      site-list APAC_branch_sites
     !
     action accept
      set
       tloc-list APAC_gateway_tlocs
      !
     !
    !
    sequence 100
     match route
      site-list APAC_gateway_sites
     !
     action accept
     !
    !
    default-action reject
   !
  !

Note: the default action must be reject, as the TLOC logic on the previous slide ("Default: Drop") requires. Every route is matched explicitly by sequences 50-100, so reject only affects what is left unmatched: the TLOCs of EMEA and APAC branch sites. With default-action accept those TLOCs would be advertised to US sites and US branches would try to build direct cross-region tunnels, defeating the gateway design.
Control Policy – Applying on vSmart (For Your Reference)

Apply the policy on vSmart in the outbound direction (advertisements OUT) towards the US branch and US gateway sites:

  apply-policy
   site-list US_branch_sites
    control-policy US_DOMAIN out
   !
   site-list US_gateway_sites
    control-policy US_DOMAIN out
   !
  !
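The three policy slides above are easiest to reason about by running them: vSmart evaluates the sequences in order against each OMP entry it would advertise to a US site, stops at the first match, rewrites the next hop where a sequence sets a tloc-list, and applies the default action to anything unmatched. The following is an added example, not code from the deck or from Cisco: a small model of control-policy US_DOMAIN run over constructed OMP data (one TLOC and one route per sample site). The site-id ranges, tloc-lists and sequence order are the ones on the slides; the OMP entries and their TLOC addresses are constructed. The default action is a parameter so the effect of accept versus reject is visible.

```python
"""Added example (not from BRKRST-2558): first-match evaluation of the
US_DOMAIN control policy over constructed OMP TLOC and route entries."""

# site-lists from the lists slide: name -> [(low, high), ...]
SITE_LISTS = {
    'US_branch_sites':    [(60010000, 60018999)],
    'US_gateway_sites':   [(60019000, 60019999)],
    'EMEA_branch_sites':  [(50010000, 50338999), (50340000, 59999999)],
    'EMEA_gateway_sites': [(50339000, 50339999)],
    'APAC_branch_sites':  [(30010000, 30668999), (30670000, 39999999)],
    'APAC_gateway_sites': [(30669000, 30669999)],
}

# tloc-lists from the lists slide: (system-ip, color, encap, preference)
TLOC_LISTS = {
    'EMEA_gateway_tlocs': [('3.3.3.3', 'mpls', 'ipsec', 100), ('3.3.3.3', 'biz-internet', 'ipsec', 100),
                           ('4.4.4.4', 'mpls', 'ipsec', 50), ('4.4.4.4', 'biz-internet', 'ipsec', 50)],
    'APAC_gateway_tlocs': [('5.5.5.5', 'mpls', 'ipsec', 100), ('5.5.5.5', 'biz-internet', 'ipsec', 100),
                           ('6.6.6.6', 'mpls', 'ipsec', 50), ('6.6.6.6', 'biz-internet', 'ipsec', 50)],
}

# control-policy US_DOMAIN: (sequence, match kind, site-list, tloc-list set on accept or None)
US_DOMAIN = [
    (10,  'tloc',  'US_branch_sites',    None),
    (20,  'tloc',  'US_gateway_sites',   None),
    (30,  'tloc',  'EMEA_gateway_sites', None),
    (40,  'tloc',  'APAC_gateway_sites', None),
    (50,  'route', 'US_branch_sites',    None),
    (60,  'route', 'US_gateway_sites',   None),
    (70,  'route', 'EMEA_branch_sites',  'EMEA_gateway_tlocs'),
    (80,  'route', 'EMEA_gateway_sites', None),
    (90,  'route', 'APAC_branch_sites',  'APAC_gateway_tlocs'),
    (100, 'route', 'APAC_gateway_sites', None),
]


def in_site_list(site_id, name):
    """site-list membership: any of the list's site-id ranges contains site_id."""
    return any(low <= site_id <= high for low, high in SITE_LISTS[name])


def apply_policy(entries, default_action='reject'):
    """Evaluate the policy in the outbound direction. Each entry is a dict
    with 'kind' ('tloc' or 'route'), 'site_id', 'tloc' and, for routes,
    'prefix'. First matching sequence wins; a 'set tloc-list' replaces the
    route's next hop with the regional gateway TLOCs; unmatched entries are
    dropped unless the default action is accept."""
    advertised = []
    for entry in entries:
        for seq, kind, site_list, set_tlocs in US_DOMAIN:
            if kind != entry['kind'] or not in_site_list(entry['site_id'], site_list):
                continue
            out = dict(entry, matched_seq=seq)
            if set_tlocs:
                out['tloc'] = TLOC_LISTS[set_tlocs]   # next hop becomes the gateways
            advertised.append(out)
            break
        else:
            if default_action == 'accept':
                advertised.append(dict(entry, matched_seq=None))
    return advertised


# Constructed OMP input as vSmart might hold it (addresses are made up).
SAMPLE = [
    {'kind': 'tloc',  'site_id': 60010001, 'tloc': ('10.1.0.1', 'mpls', 'ipsec')},    # US branch
    {'kind': 'tloc',  'site_id': 50461000, 'tloc': ('10.5.46.1', 'mpls', 'ipsec')},   # EMEA branch
    {'kind': 'tloc',  'site_id': 50339001, 'tloc': ('3.3.3.3', 'mpls', 'ipsec')},     # EMEA gateway
    {'kind': 'route', 'site_id': 60010001, 'prefix': '10.1.1.0/24',  'tloc': ('10.1.0.1', 'mpls', 'ipsec')},
    {'kind': 'route', 'site_id': 50461000, 'prefix': '10.46.1.0/24', 'tloc': ('10.5.46.1', 'mpls', 'ipsec')},
    {'kind': 'route', 'site_id': 30670001, 'prefix': '10.66.1.0/24', 'tloc': ('10.3.66.1', 'mpls', 'ipsec')},
]


def us_branch_view(default_action='reject'):
    """What a US branch receives from vSmart under US_DOMAIN."""
    return apply_policy(SAMPLE, default_action)


if __name__ == '__main__':
    for item in us_branch_view():
        print(item['kind'], item['site_id'], 'seq', item['matched_seq'], item['tloc'])
```

With the default at reject the EMEA branch TLOC is the only sample entry that is dropped, while the EMEA and APAC branch routes arrive with the gateway tloc-lists as next hop; switching the default to accept lets that branch TLOC through, which is exactly the cross-region tunnel the design is meant to prevent.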

Centralized Policies

Centralized Policies Support

Figure: NSO | MSX pushes the centralized policy to vManage over the REST API; vManage pushes it to the vSmarts over NETCONF, which apply it to the MPLS and INET overlay.

• vManage NED (REST API)
• Centralized configuration is pushed to vManage
• NSO/MSX instructs vManage to deploy the policy to the vSmarts
• Policies are pushed to vSmart using NETCONF
Deploying Policies using NSO SDWAN Core FP

Figure: the same flow driven from the NSO SDWAN CFP through the vManage NED (REST API): the centralized policy is pushed to vManage, vManage is instructed to deploy it, and vManage pushes it to the vSmarts over NETCONF.
Using MSX

Simply with two clicks from MSX Cloud:
• The user can change application policies
• The user can change path preference
• User guard rails prevent errors
Key Takeaways

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the overall conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
