Cisco Sdwan


Cisco SD-WAN Technical Training

(Hands-on Experiences)

Doan Nguyen Lam - Nguyen Tien Hoang


Cisco Systems Vietnam
05-06Jun19
SD-WAN Solution Overview
Why SD-WAN and Trends?
Connecting Users to the Data Center was the Priority

Diagram: Users (Branch/Campus) -> WAN (Internet, best effort) -> Applications (Data Center)
Then the Way We Worked Changed

Diagram: Campus & Branch Users, Mobile Users and Devices & Things -> WAN -> Applications in the DC/Private Cloud
Applications Moving to Not One Cloud, But Many

Diagram: Campus & Branch Users, Mobile Users and Devices & Things -> WAN -> DC/Private Cloud, SaaS and IaaS
Legacy WAN Architecture
• Peer-to-peer control plane
• Lack of application visibility
• Complex routing protocol propagation for all (N^2) DCI complexity
• Localized management
• Not scalable
• Impossible to support multiple transports (MPLS)
• Complex operations
• High cost - TCO to operate the network

Diagram: DC1 and DC2 (DR) with IaaS/SaaS, ISP1 and ISP2 (MPLS/FTTH), Branch1, Branch2 and Branch3
Limitations of the traditional WAN
No. | Limiting factor | Impact on the network/IT
1 | Frequent WAN bandwidth shortage | Affects applications and users; IT must constantly monitor, review and upgrade. Reactive; affects services and business expansion.
2 | Existing transport types (MPLS, Internet, LTE, leased line, ...) are not fully used | Limited ability to share and make use of the different transport types.
3 | Application recognition and performance | Application quality over the WAN links cannot be assessed, which affects user productivity.
4 | Security | Ability to increase security at the branches and for the applications.
5 | Extending direct connectivity to cloud applications | Assessing link and application quality to increase access performance to cloud applications.
6 | Local, non-centralized administration and configuration | High operating cost, complex management of the sites; time and effort for administration, operation and troubleshooting.
7 | Hard to expand sites quickly | Affects business requirements and site flexibility.
8 | Cost | High WAN operating cost (links, staff, time, issues).
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Systems
Evolution of the WAN
1. End-point flexibility: physical or virtual; rich services or lite; branch, aggregation, cloud
2. Transport-independent WAN fabric
3. Superior security architecture, cloud based and on-prem
4. Application QoE
5. Cloud-delivered WAN with operational simplicity and analytics
6. SD-WAN use cases

Diagram: DNA Center (policy, automation, analytics; learning, intent, context, security) over an intent-based network infrastructure, connecting users, devices and things to cloud, WAN, DC, vDC, IaaS and SaaS applications
Cisco Fabric Architectures

Diagram: SDA fabric (branch & campus), SD-WAN fabric and DC fabric (ACI) with Cloud OnRamp, connecting users, devices, things and IoT to DC, IaaS and SaaS applications; multitenant/cloud-delivered, rich analytics, highly automated, end-to-end context
SD-WAN Solution Overview
Cisco SD-WAN Introduction
Cisco SD-WAN Solution
Built on Intent-based Networking for the WAN

• Cloud managed and controlled fabric: Control | Management | Analytics
• Application quality of experience
• Transport independence: Internet, MPLS, 4G LTE
• End-point flexibility (physical or virtual): Data Center, Campus, Branch, Public Cloud
• Integrated security

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Systems
Cisco SD-WAN Solution
• Use cases: Application Visibility & SLA, Secure Traffic Engineering, Per-Segment Topologies, Perimeter FW/IPS/URL, Cloud Path Acceleration, Cloud Transport Hub
• Operations: Analytics, Application Policies, Monitoring
• Delivery platform: Routing, Security, Segmentation, QoS, Multicast, Service Insertion, Survivability
• Transport-independent fabric over Broadband, MPLS and Cellular
• Zero touch, zero trust


Deploy branches faster at lower cost
Transport independence

• Leverage internet for public cloud and Internet access
• Secure VPN overlay for private and virtual public cloud access
• Seamless extension to the cloud enables business policy to follow workloads

Diagram: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Colocation and Public Cloud
Optimize the user experience
Analytics and assurance

• Visibility of applications and infrastructure across the WAN
• Forecasting and "what-if" analysis
• Intelligent recommendations

Cisco vAnalytics
Simplify migration to the cloud
Application quality of experience

• Secure branch to cloud connectivity protects data in motion
• Agile workflows simplify extending the enterprise to IaaS or SaaS
• Analytics determines the optimal path for the best application experience

Diagram: Secure SD-WAN fabric connecting Data Center, Campus, Branch and Small Office/Home Office to cloud providers and cloud applications (IaaS/SaaS)
Easier to deploy, manage and operate
Centralized cloud managed fabric

• Cloud-first management and operations with a single WAN fabric across all end-points
• Simplified workflows for easier configuration, monitoring and troubleshooting
• Advanced analytics and assurance for application service level agreements

Cisco vManage
Reduce complexity for remote sites
Single rich services branch platform

• Easy to deploy and manage services on demand
• On-demand physical and virtual form factors
• Best of breed trusted network services

Diagram: Branch platform hosting SD-WAN, Unified Communications, Cloud Based Security, Application Hosting and Application Optimization
End-point flexibility
XE-SDWAN: Expanding Impact of IBN for WAN

• Broadest range of platforms and interfaces
• Millions of ISR/ASR devices eligible for new capabilities
• Cloud + Virtualization + On-Prem with integrated security

Diagram: vManage managing Virtualization (ENCS), Cloud (AWS / Azure / Google) and Platforms (vEdge / ISR / ASR)
Comprehensive threat protection
Integrated security

• Meet industry compliance with end-to-end segmentation
• Reduce attack surface with cloud and on-prem security
• Talos threat intelligence protects all users and devices

Diagram: VPN 1-4 segments carried in IPSec tunnels from Campus, Branch and Small Office/Home Office over Internet, MPLS and 4G/LTE to the Corporate Data Center, a Cloud Router (Data Center) and Cloud Security
Increasing security on SD-WAN with the security features
• Cisco Enterprise Firewall: classification of 1400+ layer 7 applications
• Intrusion Protection System: most widely deployed IPS engine in the world
• Cisco URL-Filtering: web reputation score using 82+ web categories
• Advanced Malware Protection: with file reputation and sandboxing
• Cisco SD-WAN Simplified Cloud Security: easy deployment of Cisco Umbrella, hours instead of weeks and months
Cisco SD-WAN Benefits and Values
• Reduce cost
• End-to-end security
• Performance
• Cloud ready
• Simplicity
SD-WAN Solution Overview
Technical
Cisco SD-WAN Solution Principles

• Management/Orchestration plane: vManage (APIs, 3rd party automation), vBond, vAnalytics
• Control plane: vSmart Controllers
• Data plane: Edge Routers over MPLS, 4G and INET at Cloud, Data Center, Campus, Branch and CoLo sites
Cisco SD-WAN Solution Principles
Network Policy / Forwarding:
• Configuration points, control points, enforcement points, centralized security
• Separation of control and data plane
• DTLS/TLS is used to establish the control channel
• Control channel is established only with central controllers
• No scaling issues with full mesh of control plane
• Control channel does not have to follow the data path

Diagram: Edge routers with transports Internet, MPLS1, MPLS2 and 4G/LTE
Cisco SD-WAN Solution Roles and Responsibilities
Orchestration Plane (vBond)
• First point of authentication
• Distributes list of vSmarts/vManage to all Edge routers
• Facilitates NAT traversal
Management Plane (vManage, with APIs and 3rd party automation; vAnalytics)
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant or single-tenant
• Centralized provisioning, troubleshooting and monitoring
• RBAC and APIs
Control Plane (vSmart Controllers)
• Disseminates control plane information between Edges
• Distributes data plane policies
• Implements control plane policies
Data Plane (Edge Routers over MPLS, 4G and INET at Cloud, Data Center, Campus, Branch and CoLo)
• Physical or virtual
• Zero Touch Provisioning
• Establishes secure fabric
• Implements data plane policies
• Exports performance statistics

Most Comprehensive SD-WAN Solution in the Market
Cisco SD-WAN Edge Devices

Branch Services
• ISR 1000: up to 200 Mbps; next-gen connectivity; performance flexibility
• ISR 4000: up to 6 Gbps; modular; integrated service containers; compute with UCS-E
• ASR 1000: up to 20 Gbps; high-performance service with hardware assist; hardware & software redundancy

SD-WAN
• vEdge 100: up to 100 Mbps; 5 ports (WAN/LAN); 4G LTE & wireless
• vEdge 1000: up to 1 Gbps; 8 ports (WAN/LAN)
• vEdge 2000: up to 10 Gbps; modular 1/10GB ports
• vEdge 5000: up to 20 Gbps; modular 1/10GB ports

Virtualization
• ENCS 5100: up to 250 Mbps
• ENCS 5400: 250 Mbps – 2 Gbps

Private / Public Cloud

Control Plane Security
Zero-Trust Security Principles
Control Elements

▪ Strong authentication
- PKI certificates, 2048-bit keys
▪ Highly encrypted tunnels
- DTLS/TLS AES256
- White-list model
▪ Ubiquitous deployment
- Automatic NAT mitigation

Diagram: X.509 certificate; DTLS/TLS control tunnel

Secure Bring-up With Approval
▪ Cisco generates overlay with unique Organization Name.
▪ Add device chassis and serial numbers stored in the customer portal.
▪ Customer imports the ".viptela" file (256-bit hash) to the controller.
▪ Validate each device.

Per-device control on TPM identity trust
• Valid - (Zero Touch Provisioning) – TPM identity is automatically trusted
• Invalid - (One Touch Provisioning) – TPM identity is not automatically trusted. Requires administrator validation.
• Staging – TPM identity is automatically trusted for control, but not for data. Requires administrator validation.
Secure Control Channel: Control Elements
▪ Certificates are exchanged and mutual authentication takes place
▪ vBond validates vSmart Controller and vManage certificate serial numbers against authorized white-list
▪ vSmart Controller and vManage validate vBond Orchestrator certificate organization name against locally configured one
▪ DTLS/TLS secure connection is established

Diagram: vBond (valid certificate serial numbers) and vSmart / vManage (Org Name Config) connected by a DTLS/TLS control tunnel
Secure Control Channel: Edge Routers
▪ Certificates are exchanged and mutual authentication takes place between vBond and Edge
- Over encrypted tunnel
▪ vBond validates Edge Router serial number and chassis ID against authorized Edge white-list
▪ Edge Router validates vBond certificate organization name against locally configured one
▪ Provisional DTLS/TLS tunnel is established between vBond and Edge
▪ vBond returns to Edge a list of vSmart Controllers and vManage
▪ vBond notifies vSmart and vManage of Edge Router public IP address
▪ Provisional DTLS/TLS tunnel between vBond and Edge is terminated

Diagram: vBond (valid Edge serial and chassis ID, Edge IP address) with vSmart and vManage; provisional DTLS/TLS control tunnel to the Edge Router (Org Name Config)
Secure Control Channel: Edge Routers
▪ Certificates are exchanged and mutual authentication takes place between vSmart, vManage and Edge
- Over encrypted tunnel
▪ vSmart and vManage validate Edge Router serial number and chassis ID against authorized Edge white-list
▪ Edge Router validates vSmart and vManage certificate organization name against locally configured one
▪ Permanent DTLS/TLS tunnel between vSmart, vManage and Edge is established

Diagram: vSmart and vManage (each with the valid Edge serial and chassis ID), vBond, and the Edge Router (Org Name Config) with a permanent DTLS/TLS control tunnel
Establish Cloud Edge Router Identity

config
system
 system-ip <system ip>
 site-id xxx
 organization-name "org name"
 vbond xx.xx.xx.xx
!
If you do not have DHCP you need to configure the IP address:
vpn 0
 dns 8.8.8.8 primary
 dns 8.8.4.4 secondary
 interface ge0/0
  ip address xx.xx.xx.xx/xx
  no shutdown
 !
 ip route 0.0.0.0/0 xx.xx.xx.xx
commit

request vedge-cloud activate chassis-number uuid token otp

Diagram: Certificate Authority, vManage (signed certificate), vSmart, vBond and the Edge Cloud

Note: UUID and vManage issued certificate serial number are used to authenticate Edge Cloud post-OTP
Data Plane Security
Edge VPNs and Security Zoning
• Trusted zone: Service VPNs (VPNn), interfaces and sub-interfaces on the LAN side
• Untrusted zone: Transport VPN (VPN0), interfaces and sub-interfaces toward MPLS and Internet
• Out-of-band management: VPN512
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is automatically advertised by the OMP

Edge VPNs and Security Zoning

Diagram: VPN 10 and VPN 20 at each site, carried across VPN 0 over INET and MPLS, with OMP between the Edges and the controller
Centralized Encryption Key Distribution
▪ Each Edge advertises its local IPsec encryption keys as OMP TLOC attributes
▪ Symmetric encryption keys used asymmetrically
▪ Encryption keys are per-transport
▪ Can be rapidly rotated

Diagram: Edge-A and Edge-B send OMP Updates with their local keys to the vSmart Controllers, which distribute the remote keys; Transport1 and Transport2

▪ Each Edge advertises its own AES256 IPSec encryption key in control plane updates
▪ IPSec encryption keys are distributed by the vSmart Controllers to all Edges part of a given virtual topology
▪ IPSec encryption keys are frequently rotated (default 24h), new keys are advertised in control plane updates
End to End Security
▪ Each Edge advertises its local IPsec encryption key
▪ Symmetric encryption: IPsec AES256-GCM ESPv3; AES256-CBC is used for multicast
▪ Traffic encryption and authentication header
▪ Tunnel liveliness detection (BFD)
▪ Anti-replay protection
▪ Rekey 24 hours

Diagram: Edge Routers at Site 1 and Site 2 exchange IPSec security association updates through the vSmart Controllers; control plane traffic is protected by DTLS/TLS with Key 1, data traffic by IPSec AES256-GCM ESPv3 with Key 2 across the transports
DDoS Protection for Edge Routers
Sources seen on the Edge transport interface:
• Authenticated sources: vBond, vSmart, vManage
• Implicitly trusted sources: SD-WAN IPSec
• Explicitly defined sources: Cloud Security
• Unknown sources / other: deny except
  1. Return packets matching flow entry (DIA enabled)
  2. DHCP, DNS, ICMP
  * Can manually enable: SSH, NETCONF, NTP, OSPF, BGP, STUN
Control Plane Policing (CPU):
▪ 300 pps per flow
▪ 5,000 pps

Diagram: Edge with CPU (control plane policing) and packet forwarding paths
DDoS Protection for Controllers
• Authenticated sources: vBond, vSmart, vManage, Edge
• Unknown sources / other: deny except DHCP, DNS, ICMP, NETCONF
  * Can manually enable: SSH, NTP, STUN, HTTPS (vManage)
Control Plane Policing (CPU) on vManage and vSmart:
▪ 500 pps per flow
▪ 10,000 pps
Note: vBond control plane policing is the same as Edge
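An added example, not Cisco's code, that models the two DDoS protection slides (Edge and controllers) as a small simulation: the implicit deny for unknown sources with the stated exceptions and optional services, and the per-flow / aggregate control plane policing thresholds. The source classes, allow-lists and pps values are the slide's; the packet model, the one-second counting window and the role names are assumptions of this example.

```python
"""Model of the transport-side (VPN 0) default filter and control plane
policing thresholds on the two DDoS protection slides.  Added example, not
Cisco code: the packet model and one-second window are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Control plane policing thresholds per role: (pps per flow, aggregate pps).
COPP_LIMITS: Dict[str, Tuple[int, int]] = {
    "edge": (300, 5_000),
    "vbond": (300, 5_000),      # slide: vBond policing is the same as Edge
    "vsmart": (500, 10_000),
    "vmanage": (500, 10_000),
}
# Services admitted from unknown sources without any configuration.
DEFAULT_ALLOW: Dict[str, FrozenSet[str]] = {
    "edge": frozenset({"dhcp", "dns", "icmp"}),
    "vbond": frozenset({"dhcp", "dns", "icmp", "netconf"}),
    "vsmart": frozenset({"dhcp", "dns", "icmp", "netconf"}),
    "vmanage": frozenset({"dhcp", "dns", "icmp", "netconf"}),
}
# Services that may be enabled manually on top of the defaults.
OPTIONAL_ALLOW: Dict[str, FrozenSet[str]] = {
    "edge": frozenset({"ssh", "netconf", "ntp", "ospf", "bgp", "stun"}),
    "vbond": frozenset({"ssh", "ntp", "stun"}),
    "vsmart": frozenset({"ssh", "ntp", "stun"}),
    "vmanage": frozenset({"ssh", "ntp", "stun", "https"}),
}
# Authenticated controllers, SD-WAN IPSec peers and explicitly defined sources.
TRUSTED_CLASSES = frozenset({"authenticated", "ipsec", "explicit"})


@dataclass(frozen=True)
class Packet:
    src: str
    service: str                    # e.g. "ssh", "dns", "ipsec"
    second: int                     # arrival time in whole seconds
    source_class: str = "unknown"   # "authenticated", "ipsec", "explicit" or "unknown"
    matches_flow: bool = False      # return packet of an existing DIA flow entry (Edge)


class ControlPlanePolicer:
    def __init__(self, role: str, enabled: FrozenSet[str] = frozenset()):
        if role not in COPP_LIMITS:
            raise ValueError(f"unknown role {role!r}")
        extra = enabled - OPTIONAL_ALLOW[role]
        if extra:
            raise ValueError(f"{role} cannot enable {sorted(extra)}")
        self.role = role
        self.allowed = DEFAULT_ALLOW[role] | enabled
        self.per_flow_pps, self.aggregate_pps = COPP_LIMITS[role]
        self._flow: Dict[tuple, int] = defaultdict(int)   # (second, src, service) -> count
        self._total: Dict[int, int] = defaultdict(int)    # second -> count

    def passes_filter(self, p: Packet) -> bool:
        """Implicit deny for unknown sources, with the slide's exceptions."""
        if p.source_class in TRUSTED_CLASSES:
            return True
        if self.role == "edge" and p.matches_flow:
            return True
        return p.service in self.allowed

    def admit(self, p: Packet) -> str:
        """Return where the packet ends up: 'cpu' or a drop reason."""
        if not self.passes_filter(p):
            return "drop:filter"
        flow_key = (p.second, p.src, p.service)
        if self._flow[flow_key] >= self.per_flow_pps:
            return "drop:per-flow-rate"
        if self._total[p.second] >= self.aggregate_pps:
            return "drop:aggregate-rate"
        self._flow[flow_key] += 1
        self._total[p.second] += 1
        return "cpu"


def flood_result(role: str, service: str, count: int, src: str = "198.51.100.9") -> Dict[str, int]:
    """Send `count` packets of one service from one unknown source within one
    second (constructed traffic) and tally the outcomes."""
    policer = ControlPlanePolicer(role)
    tally: Dict[str, int] = defaultdict(int)
    for _ in range(count):
        tally[policer.admit(Packet(src, service, second=0))] += 1
    return dict(tally)


if __name__ == "__main__":
    print("edge, 1000 dns pkts:", flood_result("edge", "dns", 1000))
    print("edge, 10 ssh pkts:  ", flood_result("edge", "ssh", 10))
    print("vsmart, 1000 netconf:", flood_result("vsmart", "netconf", 1000))
```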


Questions
Overlay Management Protocol
(OMP)
Cisco SD-WAN Terminology
• Transport Side – Controller or Edge interface connected to the underlay/WAN network
  • Always VPN 0
  • Traffic typically tunneled/encrypted, unless split-tunneling is used
• Service Side – Edge interface attaching to the LAN
  • VPN 1-510 (511/512 reserved)
  • Traffic forwarded as is from original source
• TLOC – Collection of entities making up a transport side connection
  • System-IP: IPv4 address (non-routed identifier)
  • Color: interface identifier on local Edge
  • Private TLOC: IP address on interface sitting on inside of NAT
  • Public TLOC: IP address on interface sitting on outside of NAT
  • Private/Public can be the same if connection is not subject to NAT
• vRoute – Routes learnt/connected on Service Side
  • vRoute tagged with attributes as it is picked up by OMP
Cisco SD-WAN Terminology
• OMP – Overlay Management Protocol
  • Dynamic routing protocol managing the overlay domain
  • Integrated mechanism for distribution of routing, encryption and policies
• Site-ID – Identifies the source location of an advertised prefix
  • Configured on every Edge
  • Does not have to be unique, but then assumes same location
  • Required configuration for OMP and TLOC to be brought up
• System-IP – Unique identifier of an OMP endpoint
  • 32-bit dotted decimal notation (an IPv4 address)
  • Logically a VPN 0 loopback interface, referred to as "system"
  • The system interface is the termination point for OMP
• Organization-Name – Defines the OU to match in the certificate authentication process
  • OU carried in both directions for authentication between control and Edge nodes
  • Can be set to anything as long as it's consistent across the Viptela SEN domain
Network-wide Control Plane
Cisco SD-WAN:
• Network control plane; data plane + local control plane
• O(n) control complexity
• High scale
Traditional:
• Integrated control and data plane
• O(n^2) control complexity
• Limited scale
Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
• Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD up/down stats (TE node) and Cloud onRamp for SaaS probe stats (gateway)
- Uses attributes
• Distributes IPSec encryption keys, and data and app-aware policies (embedded NETCONF)
Note: WAN Edge routers need not connect to all vSmart Controllers

Diagram: vSmart controllers peering with each other and with the WAN Edge routers
Overlay Routing: TLOC Routes
• Routes connecting locations to physical networks
• Advertised to vSmart controllers
• Most prominent attributes:
- Site-ID
- System IP
- Color
- Encap-SPI
- Encap-Authentication
- Encap-Encryption
- Public IP
- Public Port
- Private IP
- Private Port
- BFD-Status
- Tag
- Preference
- Weight

Diagram: Edge with TLOCs on MPLS and INET sends an OMP Update to vSmart; service side routes are Connected, Static and Dynamic (OSPF/BGP)
Transport Locators Advertisement
• Local TLOCs (System IP, Color, Encap, Pub IP/Port, Priv IP/Port) are advertised to vSmarts in OMP TLOC routes
• vSmarts advertise TLOCs to Edges in OMP TLOC routes
• SD-WAN fabric is built with TLOCs as IPSec tunnel endpoints
• BFD for quality and liveliness detection
• Flexible data plane

Diagram: Edges on MPLS and INET with IPSec tunnels between their TLOCs; legend: Transport Locator (TLOC), OMP, IPSec Tunnel

Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement detection protocol
- Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all Edge and Edge Cloud routers in the topology
- Inside IPSec tunnels
- Automatically invoked after each IPSec tunnel establishment
- Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
- Fully customizable per-Edge, per-color

Diagram: BFD sessions between Edge routers over the IPSec tunnels
Overlay Routing: OMP Routes
• Routes learnt from local service side
• Advertised to vSmart controllers
• Most prominent attributes:
- TLOC
- Site-ID
- Label
- VPN-ID
- Tag
- Preference
- Originator System IP
- Origin Protocol
- Origin Metric

Diagram: Edge sends an OMP Update to vSmart over MPLS/INET; service side routes are Connected, Static and Dynamic (OSPF/BGP)
Overlay Routing
• Uniform control plane protocol
• OMP learns and translates routing information across the overlay
- OMP routes, TLOC routes, network service routes
- Unicast and multicast address families
- IPv4 and IPv6 (future)
• Distribution of data-plane security parameters and policies
• Implementation of control (routing) and VPN membership policies

Diagram: Site1 to Site4, each with Connected, Static and Dynamic (OSPF/BGP) routes, exchanging them through the vSmart Overlay Management Protocol
Overlay Routing: Network Service Routes
• Routes for advertised network services, i.e. Firewall, IDS, IPS, generic
• Advertised to vSmart controllers
• Most prominent attributes:
- VPN-ID
- Service-ID
- Label
- Originator System IP
- TLOC

Diagram: Edge with a Firewall network service sends an OMP Update to vSmart over MPLS/INET
TLOCs, Colors, Site-IDs and System IP
• TLOC Color used as static identifier for:
  • TLOC interface on Edge device
  • Underlay network attachment
• The specific color used is categorized as Private or Public
  • Private colors [mpls, private1-6, metro-ethernet]
  • All other colors are public [red, blue, …, public-ethernet, …]
  • Private vs Public color is highly significant
• Color setting applies to:
  • Edge to Edge communication
  • Edge to Controller communication
Transport Locators Colors
Color: Identify an individual WAN transport tunnel by assigning it a color. The color is one of the TLOC parameters associated with the tunnel. On an Edge router, you can configure only one tunnel interface that has the color default.

The private colors: metro-ethernet, mpls, and private1, private2, private3, private4, private5, private6. They use private addresses to connect to the remote side Edge router in a private network. You can use these colors in a public network provided that there is no NAT device between the local and remote Edge routers.

The public colors: default, 3g, lte, biz-internet, public-internet, custom1, custom2, custom3, red, green, blue, gold, silver, bronze. They are used in a public network with NAT.

Default color: default (public color)
TLOCs, Colors, Site-IDs and Carriers
• If Site-IDs are identical and colors public:
  • Use private information
• Carrier setting is the final influencer to decide on private/public IP/port
  • Use if two endpoints are using private colors and you need the session between them to be established between their public IP/port

Edge 1:                      Edge 2:
vpn 0                        vpn 0
 interface ge0/0              interface ge0/0
  tunnel-interface             tunnel-interface
   carrier carrier2             carrier carrier4
   color mpls                   color mpls
(IPsec tunnel / BFD session between the two)
Transport Locators Colors

Diagram: two Edge pairs. Left pair (Public and Private transports): T1, T3 are a public color and T2, T4 a private color. Right pair (Public and Public transports): T1, T3 and T2, T4 are all public colors. The candidate tunnel pairs T1-T3, T2-T4, T1-T4 and T2-T3 are drawn for each.

Color restrict
Color - Control plane tag used for IPSec tunnel establishment logic; restrict will prevent attempts to establish an IPSec tunnel to TLOCs with a different color
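An added example, not Cisco's code, that models the rules stated on the last few slides: which colours count as private, how colour restrict, site-ID and carrier decide whether a tunnel is attempted between two TLOCs, and whether the private or the public IP/port pair is used. The `Tloc` dataclass, the function names and the handling of a private-to-public pair (modelled here as using the public addresses, which the slides do not state) are assumptions of this example.

```python
"""Model of the TLOC pairing rules on the colour/carrier slides.  Added
example, not Cisco code; constructed TLOCs use documentation addresses."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

# Colour classes exactly as listed on the "Transport Locators Colors" slide.
PRIVATE_COLORS = frozenset({"metro-ethernet", "mpls", "private1", "private2",
                            "private3", "private4", "private5", "private6"})
PUBLIC_COLORS = frozenset({"default", "3g", "lte", "biz-internet", "public-internet",
                           "custom1", "custom2", "custom3", "red", "green",
                           "blue", "gold", "silver", "bronze"})

Addr = Tuple[str, int]  # (IP, port)


def is_private_color(color: str) -> bool:
    """True for a private colour, False for a public one, error otherwise."""
    if color in PRIVATE_COLORS:
        return True
    if color in PUBLIC_COLORS:
        return False
    raise ValueError(f"unknown TLOC colour: {color!r}")


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    site_id: int
    carrier: str
    private_addr: Addr          # IP/port on the inside of any NAT
    public_addr: Addr           # IP/port as seen outside the NAT (same if no NAT)
    restrict: bool = False      # "color restrict" set on the tunnel interface


def select_endpoints(a: Tloc, b: Tloc) -> Optional[Tuple[Addr, Addr]]:
    """Return (address of a, address of b) the tunnel would use, or None when
    no tunnel is attempted between the two TLOCs."""
    # Colour restrict: a restricted TLOC only pairs with the same colour.
    if a.color != b.color and (a.restrict or b.restrict):
        return None
    a_private, b_private = is_private_color(a.color), is_private_color(b.color)
    if a_private and b_private:
        # Private colours use private addressing; differing carrier settings
        # force the session onto the public IP/port (slide: carrier is the
        # final influencer).
        use_private = a.carrier == b.carrier
    elif not a_private and not b_private:
        # Public colours use public addressing, except between TLOCs with the
        # same site-ID (slide: identical site-IDs and public colours use
        # private information).
        use_private = a.site_id == b.site_id
    else:
        # Mixed private/public pair: ASSUMPTION of this example, public addressing.
        use_private = False
    if use_private:
        return a.private_addr, b.private_addr
    return a.public_addr, b.public_addr


def plan_tunnels(edge1: List[Tloc], edge2: List[Tloc]) -> Dict[Tuple[str, str], Optional[Tuple[Addr, Addr]]]:
    """Evaluate every TLOC pair between two Edges, keyed by (colour1, colour2)."""
    return {(x.color, y.color): select_endpoints(x, y) for x, y in product(edge1, edge2)}


if __name__ == "__main__":
    # Constructed sample TLOCs (system IPs follow the topology slide, addresses are documentation ranges).
    r11_mpls = Tloc("10.1.0.11", "mpls", 1, "carrier2", ("10.65.1.11", 12346), ("10.65.1.11", 12346))
    r11_inet = Tloc("10.1.0.11", "biz-internet", 1, "carrier1", ("192.168.1.11", 12346), ("198.51.100.11", 12366))
    r21_mpls = Tloc("10.2.0.21", "mpls", 2, "carrier2", ("10.65.2.21", 12346), ("10.65.2.21", 12346))
    r21_inet = Tloc("10.2.0.21", "biz-internet", 2, "carrier1", ("192.168.2.21", 12346), ("203.0.113.21", 12386))
    for pair, endpoints in plan_tunnels([r11_mpls, r11_inet], [r21_mpls, r21_inet]).items():
        print(pair, "->", endpoints if endpoints else "no tunnel attempted")
```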
Cisco SD-WAN Topology
SITE-ID
• Unique per-site numeric identifier used in policy application
TLOC
• Transport attachment point and next hop route attribute
• Comprises "system-ip", "color" and "encap"
SYSTEM-IP
• Unique per-device identifier
• Router-id for BGP, OSPF
COLOR
• Each tunnel interface is assigned a "color"

Diagram: Site 1 (R11 10.1.0.11, R12 10.1.0.12), Site 2 (R21 10.2.0.21, R22 10.2.0.22), Site 3 (R31 10.3.0.31), Site 4 (R41 10.4.0.41), Site 5 (R51 10.5.0.51, R52 10.5.0.52) and Site 6 (vManage, vbond61, vsmart66, vsmart67) connected over MPLS 100.65.0.0/16 and INET 100.64.0.0/16
Fabric Operation
Fabric Walk-Through
OMP Update:
▪ Reachability – IP Subnets, TLOCs
▪ Security – Encryption Keys
▪ Policy – Data/App-route Policies

Diagram: Edge1 (TLOCs T1, T2; VPN1 and VPN2 with subnets A and B from BGP, OSPF, Connected, Static) and Edge2 (TLOCs T3, T4; VPN1 and VPN2 with subnets C and D) exchange OMP Updates with vSmart over DTLS/TLS tunnels; vSmart pushes policies; IPSec tunnels with BFD run over Transport1 and Transport2
NAT Traversal Combinations

Side A                    | Side B                    | IPSec Tunnel Status
Public                    | Public                    | Direct IPSec tunnel
Full Cone                 | Full Cone                 | Direct IPSec tunnel
Full Cone                 | Port/Address Restricted   | Direct IPSec tunnel
Port/Address Restricted   | Port/Address Restricted   | Direct IPSec tunnel
Public                    | Symmetric                 | Direct IPSec tunnel
Full Cone                 | Symmetric                 | Direct IPSec tunnel
Symmetric                 | Port/Address Restricted   | No direct IPSec tunnel (traffic traverses hub)
Symmetric                 | Symmetric                 | No direct IPSec tunnel (traffic traverses hub)

Legend on the slide: Direct IPSec Tunnel / No Direct IPSec Tunnel (traffic traverses hub) / Mostly Encountered
NAT Traversal – Dual Sided Full Cone
NAT Detection
• vBond discovers post-NAT public IP and communicates back to Edges
- STUN server
• Edges notify vSmart of their post-NAT public IP address
• NAT devices enforce no filter
- Full-cone NAT

Diagram: Edge1 (IP1/Port1) behind a full cone NAT (IP1'/Port1) and Edge2 (IP2/Port2) behind a full cone NAT (IP2'/Port2); NAT filter on both sides: any source IP/port; vBond and vSmart learn IP1'/Port1 and IP2'/Port2; successful IPSec connection
NAT Traversal – Full Cone and Symmetric
NAT Detection
• vBond discovers post-NAT public IP and communicates back to vEdges
- STUN server
• vEdges notify vSmart of their post-NAT public IP address
• Symmetric NAT devices enforce filter
- Only allows traffic from vBond
• vEdge behind symmetric NAT reaches out to remote vEdge
- NAT entry created with filter to allow remote vEdge return traffic
- Remote vEdge will learn the new symmetric NAT source port (data plane learning)

Diagram: Edge1 (IP1/Port1) behind a full cone NAT (IP1'/Port1, filter: any source IP/port) and Edge2 (IP2/Port2) behind a symmetric NAT (IP2'/Port2, filter: only from vBond, then from IP1'/Port1); successful IPSec connection

Questions
Zero Touch Provisioning (ZTP)
Plug-n-Play vEdge Secure Bring-up (Zero Trust)

Diagram: the Administrator loads the vEdge list (white-list) and vEdge configuration template into vManage; the Installer connects the network (DHCP / static IP) and power; the ZTP/PnP server, vSmart and vBond establish identity trust with the Edge's TPM identity (X.509)
Zero Touch Provisioning – vEdge / cEdge

Diagram: numbered steps 1-5 between the Edge, the ZTP/PnP server and the control and policy elements: authentication, push the configuration, enforce the version, full registration and configuration

Assumption:
▪ DHCP on transport side (WAN)
▪ DNS to resolve ztp.viptela.com*
▪ DNS to resolve devicehelper.cisco.com*
* Factory default config
Provisioning – Cloud Edge

Diagram: numbered steps 1-5 between the Edge Cloud VM (cloud-init), the NSO provisioning tool (vBranch FP), vManage and the control and policy elements, ending in full registration and configuration

Assumption:
▪ DHCP on transport side (WAN)
▪ DNS to resolve vBond IP
* Factory default config
Automatic IP Detection (Auto IP) for vEdge

Diagram: Edge and PE; ARP request sent from the PE looking for the MAC address, sender: source IP/MAC (PE); ztp.viptela.com

ZTP Using DHCP

ZTP (Auto IP)
vEdge is programmed to use the following public DNS servers to resolve ztp.viptela.com:
Google: 8.8.8.8, 8.8.4.4
OpenDNS: 208.67.222.222, 208.67.220.220
Level 3 public DNS server addresses: 209.244.0.3, 209.244.0.4, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4
ZTP Support for Static IP
• Supported on SD-WAN XE only
• Useful in situations where ZTP is a requirement, but DHCP is not enabled on the CE to PE link (whether MPLS or Internet)
• Upon bootup, the SD-WAN XE router will search bootflash: or usbflash: for the filename ciscoSD-WAN.cfg
• Config file (which includes basic interface configuration, Root CA, Organization Name, vBond information, etc.) is fed into the PnP process
• Router continues normal ZTP process

Example ciscoSD-WAN.cfg from the slide:
#cloud-boothook
system
 personality vedge
 device-model vedge-C1111-8PLTEEA
 host-name SITE1_ISR1K
 system-ip 10.10.10.10
 site-id 501
 organization-name "CustomerXYZ - 12345"
 console-baud-rate 9600
 vbond 64.1.1.2 port 12346
!
!
!
interface GigabitEthernet0/0/0
 no shutdown
 ip address 192.168.10.10 255.255.255.0
 exit
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1
Templates Configuration
Device and Feature Template

Device templates (Datacenter, Remote_Type_A, Remote_Type_B, Remote_Type_C) built from feature templates:
- System, Logging, NTP, AAA, OMP, BFD, Security (all four)
- Transport VPN 0 with a VPN Interface (all four; two of the templates carry a second VPN Interface)
- Services VPN 1 with a VPN Interface (all four)
- Services VPN 2 with a VPN Interface (three of the four)
Template-Based Configurations
• Templates are attached to provisioned vEdge routers
• Variables are used for rapid bulk configuration rollout with unique per-device settings
• Local configuration changes are not allowed
- Prevents configuration drift
Granular Policies
Centralized Control over Fabric Behavior
• Centralized data, control and application aware routing policies
• Defined on vManage, enforced on vSmart controllers (control policies) or vEdge routers (data and application aware routing policies)
• Individual site, collection of sites or the entire fabric policy scope
Single Pane of Glass Operations
vManage GUI
• Intuitive GUI driven operations
- Management, monitoring and troubleshooting
• Cloud delivered
- Private, hosted or managed
• Single or multi-tenant
• Role-based access control
• Clustered for scale and high availability
• REST API based
Troubleshooting and Verification
Transparent Operations
vManage Programmatic Access
REST API Documentation: /apidocs
• API documentation built-in – https://vmanage-url/apidocs
• Test calls can be executed directly from the doc page
• API programming documented at: https://docs.viptela.com/Product_Documentation/Command_Reference/vManage_REST_APIs/vManage_REST_APIs_Overview/Using_the_vManage_REST_APIs
Self Recovery

Diagram: two self-recovery cases on a vEdge Router with Active Software A and Available Software B, C, D: a failed upgrade (upgrade, activate, rollback) and a template attach from vManage that loses connectivity and rolls back
Application Quality of Experience
Application Visibility
Deep Packet Inspection
Over 3000+ applications
✓ App Firewall
✓ Traffic prioritization
✓ Transport selection

Diagram: vEdge Router in the secure SD-WAN fabric classifying App 1, App 2 ... App 3,000
Tunnel Liveliness Detection
▪ BFD packets are bi-directionally echoed
- No BFD neighbors across the tunnels
▪ IPSec security associations stay up as long as BFD periodic messages succeed
- No idle SA timeout

Diagram: vEdge at Site 1 and Site 2 with IPSec security associations over the transports; legend: IPSec Tunnel, BFD
Application Performance and AAR
▪ By default, without any local or centralized data policies,
- Cisco SDWAN performs flow-based load sharing across all transports available between the vEdge routers
▪ With policies: App Aware Routing Policy
- Enforce SLA compliant path for applications of interest, e.g. App A path must have latency <150ms and loss <2%
- Other applications will follow active/active behavior across all paths

Diagram: vSmart Controllers push the policy; App A is carried over the MPLS and INET paths:
Path1: 10ms, 0% loss, 2ms jitter
Path2: 200ms, 3% loss, 5ms jitter
Path3: 140ms, 1% loss, 3ms jitter
Optimal throughput
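An added example, not Cisco's code, that works the App Aware Routing decision on this slide: BFD-measured paths, the App A SLA class (latency <150ms, loss <2%) and flow-based load sharing for all other applications. The path names and metrics are the slide's; the flow hash, the `SlaClass` shape and the fallback to all paths when none meets the SLA are assumptions of this example.

```python
"""Worked model of the App Aware Routing decision on the slide above.  Added
example, not Cisco code; the flow hash and the no-compliant-path fallback
are assumptions."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PathStats:          # values as reported by the BFD probes on a path
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    max_latency_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None
    max_jitter_ms: Optional[float] = None

    def is_met(self, p: PathStats) -> bool:
        """A path complies when every configured bound is satisfied."""
        return ((self.max_latency_ms is None or p.latency_ms < self.max_latency_ms)
                and (self.max_loss_pct is None or p.loss_pct < self.max_loss_pct)
                and (self.max_jitter_ms is None or p.jitter_ms < self.max_jitter_ms))


def compliant_paths(paths: List[PathStats], sla: SlaClass) -> List[PathStats]:
    """Paths that currently satisfy the SLA class."""
    return [p for p in paths if sla.is_met(p)]


Flow = Tuple[str, str, int, int, int]   # (src ip, dst ip, src port, dst port, proto)


def flow_hash(flow: Flow, n: int) -> int:
    """Deterministic per-flow bucket (ASSUMPTION: not the platform's real hash)."""
    key = "|".join(str(x) for x in flow).encode()
    return int.from_bytes(sha256(key).digest()[:4], "big") % n


def choose_path(flow: Flow, app: str, paths: List[PathStats],
                sla_apps: Dict[str, SlaClass]) -> PathStats:
    """Applications with an SLA class are steered onto the compliant paths;
    everything else is load-shared across every path (slide: active/active).
    If no path meets the SLA, fall back to all paths (ASSUMPTION)."""
    candidates = paths
    sla = sla_apps.get(app)
    if sla is not None:
        met = compliant_paths(paths, sla)
        if met:
            candidates = met
    return candidates[flow_hash(flow, len(candidates))]


# Path measurements and the App A SLA from the slide.
SLIDE_PATHS = [PathStats("Path1", 10, 0.0, 2),
               PathStats("Path2", 200, 3.0, 5),
               PathStats("Path3", 140, 1.0, 3)]
APP_A_SLA = SlaClass(max_latency_ms=150, max_loss_pct=2)

if __name__ == "__main__":
    print("SLA-compliant for App A:", [p.name for p in compliant_paths(SLIDE_PATHS, APP_A_SLA)])
    flow = ("10.1.1.10", "10.2.2.20", 40000, 443, 6)      # constructed flow
    print("App A ->", choose_path(flow, "App A", SLIDE_PATHS, {"App A": APP_A_SLA}).name)
    print("Other ->", choose_path(flow, "Other", SLIDE_PATHS, {"App A": APP_A_SLA}).name)
```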
Application Security and Service Insertion
Conformance and Compliance
▪ Single-touch centralized security policy
- Access Control List
- Application Firewalling
▪ Strong security posture
- Regionalized stateful network services
▪ Multiple network services
- Service chaining

Diagram: vSmart Controllers push App Policies; ACL / App enforcement on the vEdge at the User Site and at the Data Center (Server); traffic steered through Network Service Nodes at the Regional DC/Colo vEdge; legend: Data traffic, Control Plane
Optimal Secure Cloud Application Experience
Balanced Approach Between Cost and User Experience
▪ Geographically regionalized secure cloud application access
▪ Local secure cloud application access

Diagram: vSmart Controllers push App Policies; the User Site vEdge reaches Cloud Applications either locally via the Internet or through the Regional DC/Colo vEdge and Firewall; Data Center Server
Common Data Plane Communication

Mode                      | Behavior        | Transports | Policy
Per-Session Loadsharing   | Active/Active   | MPLS, INET | Default
Per-Session Weighted      | Active/Active   | MPLS, INET | Device configurable
Application Pinning       | Active/Standby  | MPLS, INET | Policy enforced
Application Aware Routing | SLA compliant   | MPLS, INET | SLA policy enforced

Ultimate control over application traffic forwarding
vEdge Router Device QoS Overview
Data Policy (vManage): classification of application traffic into QoS forwarding classes (queues)

Ingress interface: policing; map into forwarding classes (FC); rewrite inner DSCP
Egress interface: map into egress queue (Q); QoS scheduler with policing, shaping, bandwidth %, buffer %, scheduling priority, drop; rewrite outer DSCP
vAnalytics
Cisco SD-WAN vAnalytics
How Cisco does it
vAnalytics:
• Baseline / Trending
• Anomaly Detection
• Comparisons
• Cause and Effect
• Capacity Planning
Increasing bandwidth could take up to 90 days
vManage:
• Real-time visibility
• Historical Visibility
• Troubleshooting Tools
• Capacity Utilization
• Network Utilization
Licensing: Part of Enterprise License
vAnalytics – Customer Data
Data Transfer and Storage
• Client authenticated, and data securely transmitted from vManage to the vAnalytics Clusters (Data Lake)
• Data storage isolation between customers
• No PII (Personally Identifiable Information) is collected
Data Correlation and Algorithms
• Only management data (stats, flows) is collected
• All algorithms and visualization are done on a per-customer basis
• IP addresses are collected for provider look-ups
• Peer benchmarking (future use case) only on a group basis; no individual customer data used
vAnalytics Main Dashboard
Network Availability, App vQoE, Carrier Performance, App Bandwidth, Tunnel Performance, App Anomalies, Application Forecasting, Circuit Forecasting
Cloud onRamp for SaaS / IaaS
Shifts in Enterprise Workloads
[Diagram: workloads move from Traditional On-Premise Data Centers to Public/Hybrid Cloud (IaaS) and Cloud Applications (SaaS)]
Cloud onRamp for SaaS Quality Probing
• DNS resolution for the configured Cloud onRamp SaaS applications
• Periodic quality probes toward the configured Cloud onRamp SaaS applications
• vQoE score is determined based on loss and latency reported by the quality probes
• Edge router determines the best performing DIA circuit toward the Cloud onRamp SaaS applications based on vQoE scores
[Diagram: Edge Router (remote site), VPN0 with one interface to ISP1 and one to ISP2; DNS Query to the DNS Server(s); a Quality Probe measures Loss/Latency over each ISP and the Best Performing ISP is chosen]
Cloud onRamp for SaaS
[Diagram: Internet DIA, a Remote Site with DIA over ISP1 and ISP2, Loss/Latency probed on each; Hybrid DIA, a Remote Site with DIA over ISP1 plus MPLS across the SD-WAN Fabric to a Regional Hub / Data Center (ISP2 at the hub), Loss/Latency probed on both paths]
Application Quality Probing
Cloud onRamp for IaaS – Attached Compute
• Virtual WAN Edge routers are instantiated in Amazon VPCs or Microsoft Azure VNETs
- Posted in marketplace
- Use Cloud-Init for ZTP/PnP
• One Virtual WAN Edge router per VPC/VNET
- No multicast support, can't form VRRP
- No router redundancy
• Virtual WAN Edge routers join the fabric; all fabric services are extended to the IaaS instances, e.g. multipathing, segmentation and QoS
- For multipathing, can combine AWS Direct Connect or Azure ExpressRoute with direct internet connectivity
[Diagram: Compute VPC/VNETs in the Cloud join the SD-WAN Fabric alongside the Data Center, Campus, Remote Site and Branch]
Cloud onRamp for IaaS - AWS
• VGW for host VPCs
• Gateway VPC per region
- Multiple for scale
• Standards-based IPSec
- Connectivity redundancy
• BGP across IPSec tunnels for route advertisement
- Active/active forwarding
- BGP into OMP redistribution
- Advertise default route to host VPCs
• Optional Direct Connect
[Diagram: AWS Region with Host VPCs (AZ1/AZ2) behind VGWs; a Gateway VPC with two WAN Edges (AZ1/AZ2) running standard IPSec + BGP (2x) to the VGWs and BGP <-> OMP into the SD-WAN fabric over INET, MPLS or Direct Connect; provisioned from vManage]
Cloud onRamp for IaaS - Azure
• VPN GW for host VNETs
• VNET Gateway per region
- Multiple for scale
• Standards-based IPSec
- Connectivity redundancy
• BGP across IPSec tunnels for route advertisement
- Active/active forwarding
- BGP into OMP redistribution
- Advertise default route to host VNETs
• Optional Express Route
[Diagram: Azure Region with Host VNETs (AS1/AS2) behind VPN GWs; a VNET Gateway with two WAN Edges (AS1/AS2) running standard IPSec + BGP (2x) to the VPN GWs and BGP <-> OMP into the SD-WAN fabric over INET, MPLS or Express Route; provisioned from vManage]
Cloud onRamp for IaaS Dashboard
• Centralized provisioning wizard on vManage
• No need to operate the marketplace
Questions
Direct Internet Access and
Branch Security
SD-WAN – Branch Security
Compliance: "I need to protect my sensitive data (card holder data, patient data) against data breaches before, during and after a transaction."
Guest Access: "I need to protect my company against liability and prevent guest users from disrupting my network when browsing the internet via guest wi-fi."
Direct Cloud Access: "I want to reduce expenses and provide better user experience for cloud apps. If I open up my branch office to the internet I increase the attack surface and I need to protect my network."
Direct Internet Access: "I want to leverage the local internet path for all internet traffic; I need to protect myself against potential threats coming into my network."
[Diagram: attack surface and risk exposure grow from Compliance toward Direct Internet Access, and so does the security stack on the edge: App Aware Firewall and IPS for Compliance; App Aware Firewall and URL Filtering for Guest Access; App Aware Firewall, IPsec VPN, IPS, URL Filtering, AMP/TG and Umbrella (SIG) for Direct Cloud Access and Direct Internet Access]
Platform Support & Management
Security: Embedded Security (Ent FW – App Aware, IPS, URL Filter, Advanced Malware Protection (AMP)); Cloud Security (Umbrella)
vManage (Cloud or On-Prem): Provisioning, Policy, Reporting, Monitoring, Troubleshooting
Edge Flexibility (Branch Router / Edge): ISR 4K/1K, ENCS w/ISRv, CSR, ASR1K, vEdge
Target Timeline (per platform, left to right): Q4CY2018 Nov 18, 1HCY19, Firewall only


Intrusion Prevention (IPS)
• Snort IPS is the most widely deployed engine in the world
• Backed by global threat intelligence (TALOS); signatures are updated automatically
• Signature whitelist support
• Real-time traffic analysis
• PCI compliance
[Diagram: IPS runs as an On-site Service]
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Systems
URL Filtering
• Enforce acceptable use controls
• Block based on web reputation score
• Create custom black and white lists
• Customizable end-user notifications
• 82+ web categories and dynamic updates
[Diagram: requests for "risky" domains pass through URL inspection and are blocked or allowed based on categories, reputation and white/black lists of custom URLs]
App-aware Firewall
• Application visibility and granular control by category or individual application
• 1400+ applications classified
• Prevent lateral movement of threats (e.g. a printing service should not create new connections to the employee network)
• PCI compliance
[Diagram: Edge Device with an Inside Zone (Users, Service-VPN 1), an IoT Zone (Devices, Service-VPN 2) and an Outside Zone toward the Internet / SaaS; the inspect policy allows only return traffic and drops any new connections]
Roadmap
Advanced Malware Protection (AMP) 1HCY19
• Integration with AMP
- File reputation
- File retrospection
• Integration with ThreatGrid
- File analysis
• Backed with valuable threat intelligence (TALOS)
[Diagram: a file from the Internet has its signature checked against AMP and the file checked in the ThreatGrid Malware Sandbox]
Cisco Umbrella
DNS-layer Enforcement
• Leading security efficacy for malware, phishing, and unacceptable requests by blocking based on DNS requests
• Supports DNScrypt
• Local domain-bypass option
[Diagram: Users and Devices send DNS requests to Cisco Umbrella; safe requests are resolved, blocked requests are denied]
Manage and Monitor by vManage
Security Profiles
Customer Persona | Security Profile | Platform requirements
Customer looking at compliance and deliver security through Cloud | FW + Umbrella | vEdge, cEdge (4GB RAM), ENCS.
Customer looking to do DIA with medium security posture | FW + IPS + URLF (Cloud Lookup only) + AMP | cEdge, ENCS. 8GB Bootflash and 8GB Memory
Customer looking to do DIA with high security posture | FW + IPS + URLF (On-box DB + Cloud Lookup) + AMP (File hashing) + ThreatGrid | cEdge, ENCS. 16GB Bootflash and 16GB Memory
ISR1K 8GB RAM to be launched soon
End to End Segmentation
Edge VPNs and Security Zoning
• VPNs are isolated from each other; each VPN has its own forwarding table
• Reachability within a VPN is automatically advertised by the OMP
[Diagram: Trust Zone, the Service VPNs (VPNn) on interfaces and sub-interfaces; Untrusted Zone, the Transport VPN (VPN0) on interfaces and sub-interfaces toward MPLS and the Internet; Out-of-band Management (VPN512) on its own interface]
End to End Segmentation
▪ Isolated virtual private networks across any transport
▪ VPN mapping is based on physical interface, 802.1Q VLAN tag or a mix of both
▪ VPN isolation is carried over all transports
Use Cases
▪ Security Zoning
▪ Compliance
▪ Guest WiFi
▪ Multi-Tenancy
▪ Extranet
[Diagram: at Site 1 and Site 2 the vEdge Router maps interfaces (IF), 802.1q sub-interfaces and VLANs into VPN 1, VPN 2 and VPN 3; each prefix is carried with its VPN through the IPSec Tunnel across the Transports to the Data Center]
Packet format: IP (20) | UDP (8) | ESP (36) | VPN label (1, 2, 3 …) | Data - https://tools.ietf.org/html/rfc4023
Application Aware Topologies
• Each VPN can have its own topology
- Full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
- Filtering TLOCs or modifying the next-hop TLOC attribute for routes
• Applications can benefit from the shortest path, e.g. voice takes a full-mesh topology
• Security compliance can benefit from a controlled connectivity topology, e.g. PCI data takes a hub-and-spoke topology
[Diagram: VPN1 Full-Mesh, VPN2 Hub-and-Spoke, VPN3 Partial Mesh, VPN4 Point-to-Point]
Services Chaining
Single Service Insertion
• vEdge router with a connected L4-L7 service makes an advertisement*
- Service route OMP address family
- Service VPN label
• Service is advertised in a specific VPN
• Service can be L3 routed or L2 bridged
• Service can be singly or dually connected (firewall trust zones) to the advertising vEdge
• Control or data policies are used to insert the service node into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress vEdge
[Diagram: vSmart holds the Policy; the Regional Hub vEdge with an attached FW in VPN1 sends the Service Advertisement over the Control Plane; the Traffic Path runs from the Remote Office (MPLS, INET, 4G) through the Regional Hub to the Data Center, all in VPN1]
* For data policy only. Control policy enforced on vSmart.
Multiple Services Chaining
• vEdge routers with connected L4-L7 services make an advertisement*
- Service route OMP address family
- Services VPN labels
• Services are advertised in a specific VPN
• Services can be L3 routed or L2 bridged
• Services can be singly or dually connected to the advertising vEdges
• Control or data policies are used to insert the service nodes into the matching traffic forwarding path
- Match on 6-tuple or DPI signature
- Applied on ingress/egress/service vEdge
[Diagram: vSmart holds the Policy; the Regional Hub vEdge with an attached FW and IDS in VPN1 sends the Service Advertisement over the Control Plane; the Traffic Path runs from the Remote Office (MPLS, INET, 4G) through the Regional Hub to the Data Center, all in VPN1]
* For data policy only. Control policy enforced on vSmart.
Questions
SD-WAN Controllers Component, Design & Deployment
vManage, vSmart, vBond
Controller Deployment Models
Recommended Control and Management Elements: vManage, vSmart, vBond
Cloud-Delivered: deployed by Cisco in the Cisco Cloud (AWS, MS-Azure)
On-Prem: deployed by the customer in a Private Cloud (KVM, ESXi)
Controller Tenancy
Single Tenant: vManage (VM), vBond (VM) and vSmart (VM/Container) dedicated to one customer; up to 30,000s vEdge's
Multi Tenant: vManage (VM) and vBond (VM) shared by tenants 1, 2, 3; one vSmart (VM/Container) per tenant; limit: 200+ tenants and 10000 vEdge's (customers with less than 60 sites)
Both run on AWS, MS-Azure, KVM, ESXi


Controllers Redundant Deployment
• Controllers are distributed across multiple private data centers (Data Center A / Data Center B)
• Controllers are distributed across multiple public cloud regions (Region A / Region B)
• Active-active; vManage is cold-standby (configuration Export from the active site, Import at the standby site)
Cloud Controllers Connection
[Diagram: vBond, vSmart and vManage in the Cloud Network; the Edge reaches each on its Public IP Address over a TLS/DTLS Control Connection]


On-Prem Controllers Connections
[Diagram: vBond, vSmart and vManage in the DC DMZ behind the DC Perimeter / Core Firewall, with CE routers to MPLS and INET; the vEdge reaches each controller on its Public IP Address over a TLS/DTLS Control Connection]


Cisco / SP Hosted Controller
Service Provider Hosted Controller
• All controller components should connect via VPN0.
[Diagram: Remote vEdge and DC vEdge reach the hosted controllers over INET and MPLS]
On-Prem Controller
On-Premise Controller
• All controller components should connect via VPN0.
[Diagram: Remote vEdge and DC vEdge over INET and MPLS; the on-premise controllers sit behind an L3 Switch or Router]
How to Deploy On-Premise Controllers
Requirements, On-Premise Controller
1. Production: Two (2) Servers (refer to the sizing guide)
2. Five (5) Controllers (Server1: VM, VS1, VB1. Server2: VS2, VB2)
3. FQDN for vBond (abc.vbond.com)
4. Organization Name (Cisco SD-WAN Champion or Account Team)
5. Five (5) Public IP addresses
6. Download the image and install the control components (refer to the step by step guide)
7. Configure the basic configuration and settings (refer to the controller basic configuration)
8. Request the Certificate and have it approved by the Cisco Team (Cisco SD-WAN Champion or Account Team)
9. Configure the Tunnel Interfaces (refer to the controller tunnel configuration)
10. Verify the configuration (show control connections)
11. Upload the Edge licenses file (viptela_serial_file.viptela)


Document On-Prem Controller
Step by step bring-up of controllers:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup

Server Hardware recommendations for Viptela controllers:
https://docs.viptela.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Server_Hardware_Recommendations

Firewall ports need to be considered for Viptela deployments:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments

Software installation and update:
https://docs.viptela.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Software_Installation_and_Upgrade
Firewall Ports – DTLS
vManage – IP1 (UDP, one base port per core): Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
vSmart – IP1 / vSmart – IP2 (UDP, one base port per core): Core0 - 12346, Core1 - 12446, Core2 - 12546, Core3 - 12646, Core4 - 12746, Core5 - 12846, Core6 - 12946, Core7 - 13046
vBond – IP1 / vBond – IP2 (*FQDN): UDP 12346
vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.
The vManage NMSs and vSmart controllers can run on a virtual machine (VM) with up to eight virtual CPUs (vCPUs). The vCPUs are designated as Core0 through Core7. Each core is allocated separate base ports for control connections.
Firewall between the Edges and the controllers. Red (in the original diagram) signifies the primary protocol or first port used.
Edge (UDP): 12346, 12366, 12386, 12406, 12426
• vBond IPs are not Elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges.
Firewall ports need to be considered for Viptela deployments:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
Firewall Ports – TLS
vManage – IP1 (TCP, one base port per core): Core0 - 23456, Core1 - 23556, Core2 - 23656, Core3 - 23756, Core4 - 23856, Core5 - 23956, Core6 - 24056, Core7 - 24156
vSmart – IP1 / vSmart – IP2 (TCP, one base port per core): Core0 - 23456, Core1 - 23556, Core2 - 23656, Core3 - 23756, Core4 - 23856, Core5 - 23956, Core6 - 24056, Core7 - 24156
vBond – IP1 / vBond – IP2 (*FQDN): UDP 12346
vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP. The UDP port is 12346.
Firewall between the Edges and the controllers. Red (in the original diagram) signifies the primary protocol or first port used.
Edge to vBond (UDP): 12346, 12366, 12386, 12406, 12426; Edge to vSmart and vManage: TCP
• vBond IPs are not Elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
• vEdges can port hop to establish a connection; it is recommended to permit all 5 UDP ports inbound to all vEdges.
Firewall ports need to be considered for Viptela deployments:
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
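A defender-side way to turn the DTLS and TLS port plans on these two slides into a firewall allow-list, as an added example that is not from the training deck: the port arithmetic (base port plus 100 per core, vBond single-core on UDP 12346, five edge port-hop ports 20 apart) is taken from the slides, while the controller addresses, rule structure and function names are constructed for this example.

```python
"""Added example (not Cisco's code): derive the control-connection
ports a perimeter firewall must allow for the SD-WAN controllers.

Assumptions, all taken from the two port slides: vManage and vSmart
use one base port per vCPU core, 12346 + 100*core for DTLS (UDP) and
23456 + 100*core for TLS (TCP), with up to eight cores; vBond is
single-core and always DTLS on UDP 12346; a WAN Edge port-hops over
UDP 12346, 12366, 12386, 12406 and 12426."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DTLS_BASE, TLS_BASE, CORE_STEP, MAX_CORES = 12346, 23456, 100, 8
# Edge port hopping: five UDP ports, 20 apart, starting at 12346.
EDGE_HOP_PORTS = tuple(DTLS_BASE + 20 * i for i in range(5))


@dataclass(frozen=True)
class Rule:
    proto: str      # "udp" or "tcp"
    dst: str        # controller address, "any" or "any-edge"
    port: int
    note: str


def controller_ports(role: str, transport: str,
                     cores: int = MAX_CORES) -> Tuple[str, Tuple[int, ...]]:
    """Protocol and listening ports of one controller for control
    connections.  vBond ignores `transport`: it is always DTLS."""
    if not 1 <= cores <= MAX_CORES:
        raise ValueError("controllers support 1..8 vCPU cores")
    if role == "vbond":
        return ("udp", (DTLS_BASE,))
    if role not in ("vmanage", "vsmart"):
        raise ValueError(f"unknown role {role!r}")
    if transport == "dtls":
        return ("udp", tuple(DTLS_BASE + CORE_STEP * c for c in range(cores)))
    if transport == "tls":
        return ("tcp", tuple(TLS_BASE + CORE_STEP * c for c in range(cores)))
    raise ValueError(f"unknown transport {transport!r}")


def firewall_rules(controllers: Dict[str, List[str]], transport: str,
                   cores: int = MAX_CORES) -> List[Rule]:
    """Inbound allow-list for the given controllers (role -> public
    addresses, constructed values in the test) plus the two edge-side
    recommendations from the slides."""
    rules: List[Rule] = []
    for role, addrs in controllers.items():
        proto, ports = controller_ports(role, transport, cores)
        rules.extend(Rule(proto, a, p, f"{role} control port")
                     for a in addrs for p in ports)
    # vBond addresses are not elastic: permit UDP/12346 to/from any.
    rules.append(Rule("udp", "any", DTLS_BASE, "vBond reachability to/from any"))
    # Edges port-hop, so permit all five UDP ports inbound to every edge.
    rules.extend(Rule("udp", "any-edge", p, "WAN Edge port hopping")
                 for p in EDGE_HOP_PORTS)
    return rules
```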
Administrative Ports Used by vManage NMS
High Availability & Redundancy
Control Redundancy - vManage
▪ vManage servers form a cluster for redundancy and high availability
▪ All servers in the cluster act as active/active nodes
- All members of the cluster must be in the same DC / metro area
▪ For geo-redundancy, vManage servers operate in active/standby mode
- Not clustered
- Database replication between sites is needed
▪ Loss of all vManage servers has no impact on fabric operation
- No policy changes
- No stats collection
[Diagram: vManage Cluster in the Cloud Data Center (Management Plane); Data Plane over MPLS, INET and 3G/4G between the Data Center, Small Office, Home Office, Campus and Branch]
Control Redundancy – vSmart & vBond
▪ vSmart controllers exchange OMP messages between themselves and have an identical view of the SD-WAN fabric
▪ vEdge routers connect to up to three vSmart controllers for redundancy
▪ A single vSmart controller failure has no impact, as long as there is another vSmart controller the vEdge routers are registered with
▪ If all vSmart controllers fail or become unreachable, vEdge routers continue operating on the last known good state for a configurable amount of time (GR timer)
- No updates to reachability
- No IPSec rekey
- No policy change propagation
[Diagram: vSmart Controllers in the Cloud Data Center (Control Plane); Data Plane over MPLS, INET and 3G/4G between the Data Center, Small Office, Home Office, Campus and Branch]
High Availability and Scale
[Diagram: vBond (1500 Con each), vSmart (5400 Con* each) and vManage (2000 Dev each) scaled out (x6, x18 and x20 in the diagram); the vEdge reaches vBond through FQDN / DNS hash with 1 transient connection, vSmart through a hash with 2 permanent connections per-transport, and the vManage Networked Cluster with 1 permanent connection]
* 8 Core with 17.1 code


High Availability and Scale – Data Plane
# Tunnels per WAN Edge: 100Mbps ~250 Tunnels; 500Mbps ~600 Tunnels; 1Gbps ~1500 Tunnels; 2.5Gbps > ~6000 Tunnels
Equal Cost (x16) ECMP across tunnels T1, T2 ... Tn
[Diagram: three WAN Edges with 250/1500/6000 Tunnels each]


WAN Edge High Availability Scenarios
[Diagram, service side: (1) a single WAN Edge; (2) WAN Edge A and WAN Edge B behind a Site Router running OSPF/BGP; (3) WAN Edge A and WAN Edge B running VRRP Grp 1 and VRRP Grp 2 (Active/Standby per group) on VLAN 1 and VLAN 2 toward the Hosts. Transport side: each WAN Edge pair (A, B) connects to MPLS and Internet]
Transport Redundancy – TLOC Extension
• Edge routers are connected only to their respective transports
• Edge routers build IPSec tunnels across the directly connected transport and across the transport connected to the neighboring Edge router
• The neighboring Edge router acts as an underlay router for tunnels initiated from the other Edge
• If one of the Edge routers fails, the second Edge router takes over forwarding the traffic in and out of the site
• Only the transport connected to the remaining Edge router can be used
[Diagram: vEdge-A connected to MPLS and Edge-B connected to INET, both on the Site Network and linked to each other]
TLOC Extension Configuration
[Diagram: VE120-A ge0/0 2.2.15.3/24 on INT, VE120-B ge0/0 2.2.16.3/24 on MPLS; the two routers are back-to-back on ge0/1 sub-interfaces: ge0/1.1 2.2.18.1/30 (VE120-A) to 2.2.18.2/30 (VE120-B), ge0/1.2 2.2.18.6/30 (VE120-A) to 2.2.18.5/30 (VE120-B). Advertise 2.2.18.0/30 to the MPLS, next hop 2.2.16.3]

VE120-A (INT side):
vpn 0
 dns 8.8.4.4 secondary
 dns 8.8.8.8 primary
 !
 interface ge0/1
  mtu 1504
  no shutdown
 !
 interface ge0/1.2
  ip address 2.2.18.6/30
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/1.1
  ip address 2.2.18.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restricted
   ……
  no shutdown
 !
 ip route 0.0.0.0/0 2.2.15.1
 ip route 0.0.0.0/0 2.2.18.2

VE120-B (MPLS side):
vpn 0
 dns 8.8.4.4 secondary
 dns 8.8.8.8 primary
 !
 interface ge0/1
  mtu 1504
  no shutdown
 !
 interface ge0/1.1
  ip address 2.2.18.2/30
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/1.2
  ip address 2.2.18.5/30
  tunnel-interface
   encapsulation ipsec
   color gold
   ……
  no shutdown
 !
 ip route 0.0.0.0/0 2.2.16.1
 ip route 0.0.0.0/0 2.2.18.6
Questions
Policy Framework
vManage defines all policies:
Centralized Policies (applied on vSmart):
- Centralized Control Policy (Fabric Routing)
- VPN Membership (Fabric Routing+Segmentation)
- Centralized Data Policy (Fabric Data Plane)
- Centralized App-Aware Policy (Application SLA)
Localized Policies (applied on the WAN Edge):
- Local Control Policy (OSPF/BGP)
- Local Data Policy (QoS/Mirror/ACL)
vSmart forwards the Centralized Data Policy (Fabric Data Plane) and the Centralized App-Aware Policy (Application SLA) to the WAN Edge
Policy Distribution
Data Policy and App Aware Routing Policy: vManage -> NETCONF/YANG -> vSmart -> OMP -> Edge
Control Policy and VPN Membership Policy: vManage -> NETCONF/YANG -> vSmart (executed on vSmart)
Local Policies: vManage -> NETCONF/YANG -> Edge


Cisco SD-WAN Policy Architecture
• Suite of Policies to address different functional domains
- Control Policy: Routing and Services
- Data Policy: Extensive Policy-based Routing and Services
- App-Route Policy: App-Aware SLA-based Routing
[Diagram: VPN 1 and VPN 2 carried across the WAN]
• Control Policies are applied at vSmart: tailors the routing information advertised to Edge endpoints
• App-Route Policies are applied at the Edge: SLA-driven path selection for applications
• Data Policies are applied at the Edge: extensive policy-driven routing


Topology – Full Mesh
• Full mesh SD-WAN tunnels between WAN Edge nodes
• (N-1)¹ tunnel scale
• Double tunnel scale in case of dual transports
• High tunnel capacity WAN Edge
Data Plane Complexity is O(n^2)
¹ Assumes single WAN Edge per-site
[Diagram: sites 1 to N fully meshed over transports T1 and T2]
Topology – Centralized Hub and Spoke
• SD-WAN tunnels only between spoke WAN Edge nodes and headend WAN Edge nodes
• M tunnel scale at spoke WAN Edge
• N¹ tunnel scale at hub WAN Edge
• Doubled tunnel scale in case of dual transports
• High tunnel capacity WAN Edge at the hub
• Low tunnel capacity WAN Edge at the spoke
Data Plane Complexity is O(n)
¹ Assumes single WAN Edge per-site
[Diagram: hubs 1 to M with spokes 1 to N over transports T1 and T2]
Topology – Regional Mesh
• Full mesh inter-region tunnels
• Full mesh intra-region tunnels
• (N-1)¹ tunnel scale for intra-region WAN Edge
• 2*(M-1)² tunnel scale for border WAN Edge
• Doubled tunnel scale in case of dual transports
• Low tunnel capacity WAN Edge
¹ Assumes single WAN Edge per-site
² Assumes dual border WAN Edges per-region
[Diagram: Region 1, Region 2 and Region M, each with sites 1 to N meshed over T1 and T2, interconnected through Border WAN Edges]
Control Policies
Overlay Management Protocol Routing Policies
• Control policies are applied and executed on vSmart to influence routing in the Overlay domain
• Control policies filter or manipulate OMP routing information to:
• Enable services
• Influence path selection
• Control Policies control the following services:
• Service Chaining
• Traffic Engineering
• Extranet VPNs
• Service and Path affinity
• Arbitrary VPN Topologies
• and more …
• The Control Policy is one of the centralized and powerful tools in the Cisco SD-WAN toolbox
Control Policy
Interconnecting Dis-contiguous Data Planes
• Problem: Overlay with a dis-contiguous data plane and endpoints need to communicate end-to-end
App-Route Policies
Centralized Policy for enabling SLA-driven routing on Edge endpoints
• App-route policies:
• Applied on vSmart
• Advertised to and executed on the Edge
• Monitor SLAs for active overlay paths to direct applications along qualified paths
• Allow the use of L3/L4 keys or DPI signatures for application identification
• Deliver a fully distributed SLA-driven routing mechanism
App-Aware Routing Policies
SLA-Driven Routing / Performance Routing
[Diagram: DPI, POLICY and SLA on the WAN Edge; VPN 1 and VPN 2 traffic steered over the mpls, public-internet (Broadband) and lte colors (MPLS, 4G/LTE)]
Data Policies
Policy-driven Routing and Service Enablement
• Data policies:
• Applied on vSmart
• Advertised to and executed on the Edge
• A Data policy acts on an entire VPN and is not interface-specific
• Data Policies are used to enable the following functions and services:
• Application Pinning
• NAT/DIA
• Classification, Policing and Marking
• and more …
• The Data Policy is a very powerful tool for any type of data plane centered traffic management
Questions
Pre-Sale Guideline
DNA Licenses Offering
Cisco SD-WAN Solution pricing
Cloud Management: Cisco vManage*
Hardware price + License for desired features + License Bandwidth = Annual Software Subscription cost
Deployment steps
1. SD-WAN Centralized Management
Cloud Management: Cisco vManage*, any routing platform: ISR, ASR, ENCS, vEdge
On-prem Management: Cisco vManage, any routing platform: ISR, ASR, ENCS, vEdge
* vManage will continue to be available on-prem


Deployment steps
2. SD-WAN connectivity devices at the Sites
Branch virtualization: ENCS 5100 (Up to 250Mbps), ENCS 5400 (250Mbps – 2GB)
Public Cloud
SD-WAN Branch Services:
• vEdge 100: 100 Mbps, 4G LTE & Wireless connectivity
• vEdge 1000: Up to 1 Gbps, Fixed
• vEdge 2000: 10 Gbps, Modular
• ISR 1000: 200 Mbps, Next-gen service, Performance flexibility
• ISR 4000: Up to 6 Gbps, Modular, Integrated service containers, Compute with UCS E
• ASR 1000: 2.5-200Gbps, High-performance w/hardware assist, Hardware & software redundancy
DNA Licenses Offering
Enterprise Agreement (EA) Eligible
DNA Essentials (Single SKU, 3/5 Year Subscription): Centralized WAN management with basic security and hybrid WAN connectivity
DNA Advantage (Single SKU, 3/5 Year Subscription; includes DNA Essentials): SD-WAN with advanced security, segmentation and optimization for cloud connectivity
DNA Premier (Single SKU, 3/5 Year Subscription; includes DNA Advantage and DNA Essentials plus WAN Optimization and Analytics): Network and application assurance using real-time analytics and WAN optimization
Questions
