
4D Training Presentation Partner

This document outlines the structure and content of a Cisco SD-WAN (Viptela) 4D On-Demand SE Foundational Training. The training covers trends, challenges, benefits and capabilities of Cisco SD-WAN. It demonstrates the Cisco SD-WAN solution architecture and key capabilities. The training also addresses reinventing WAN security, connectivity, applications services and operations with Cisco SD-WAN. It covers Cisco SD-WAN design use cases, products, licensing and provides a roadmap. Exercises are included to assess competitive solutions.

Uploaded by

mee

Cisco SD-WAN (Viptela)

4D On-Demand SE Foundational Training Series


Training Structure
Consistency
• Opening
• 4D Engagement – Training in Context
• Trends, Challenges, Benefits, Capabilities
• Discovery, Use Cases, Buying Triggers, Insights
• High Level Design Considerations
• Cisco SD-WAN Solution/Architecture Overview
• Reinventing WAN Security
• Reinventing WAN Connectivity
• Reinventing WAN Application Services
• Reinventing WAN Operations
• Cisco SD-WAN Design Use Cases
• Demonstration of Capability
• Products
• Licensing and Software
• Caveats
• Roadmap
• What to Sell?
• Team Exercises
• Competitive
• Closing
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Training Structure
One to Many/One-on-One Workshops
Consistency
Metrics that Matter – Pipeline and Revenue Impact
• Trends, Challenges, Benefits, Capabilities
• High Level Design Considerations
• Cisco SD-WAN Solution/Architecture Overview
• Demonstration of Capability
• Cisco vManage
• Cisco vAnalytics
• Cisco vEdge Cloud
• Cisco CloudExpress
• Complete Communications

Digital Transformation
Requires Network Evolution

Human Scale → IoT Scale (People, Devices, Things)
Physical Appliances → Virtualized Services
Manual Management → Automation, Zero Touch, DevOps
Centralized Enterprise and Web Apps → Distributed SaaS, Mobile, & M2M Apps
Digital Readiness Model
Framework for DNA

Digital Business Drivers
Requirement for Dynamic Policy Changes

Traditional network management cannot provide sufficient dynamic management
• Focus has been on Day0/1 automation
• CLI not built for volumes of changes in machine real time

Controller based networking supports dynamic policy change
• Controller allows network to be managed as a system
• Policy management is automated and abstracted
Cisco Digital Network Architecture
Cisco SD-WAN (Viptela) Addition
FASTER INNOVATION: Insights & Experiences
REDUCED COST & COMPLEXITY: Automation & Assurance
LOWER RISK: Security & Compliance
Principles
Opportunities for Additional Learning
Other Software Defined DNA Solutions
• Software Defined Access 4D On-Demand SE Foundational Training

4D Engagement
Training in Context
Teaching and Learning
A Slightly Different Approach

4D Technical Engagement
Leveraging the Foundation
Strategy Driven No Limits, No Fear, No Rules Execution
[Diagram labels: Discovery Questions; High Level Design; Demo; Defend Our Position; Assess Technical Capabilities; Present Solution; Proof of Value; Deploy; Support / Optimize / Measure; Cisco Partner Advanced Services]

4D SE Discovery
Takeaway Reference
Understanding current challenges and desired benefits while identifying key capability requirements:
- Avoid leading with Cisco products, solutions and innovation
- Speak in terms of next generation capability requirements
- Build credibility by sharing unique and relevant insights based on your extensive exposure and experience

1. Do you understand your customer’s challenges and the benefits they are attempting to realize?
What to do
• Ask the customer what challenges they are attempting to address and what benefits they are hoping to realize as part of a next generation refresh
• Share some unique insights regarding how other customers are addressing similar issues, their overall approach and why this matters to the business
Tip
a) If the Account Manager has already obtained this information then treat this as more of a validation and verification exercise by starting with comments such as, “It is my understanding that…”
b) Sharing insights is not about selling or positioning our solutions at this stage of the engagement, but rather about building credibility and consensus

2. Are you gathering enough information about the current state environment and future initiatives to effectively conduct a design session follow-up?
What to do
• Ask the customer to provide network drawings or to white board the environment for you
• Focus on the following categories:
  - Layout
  - Services Centralization
  - Application Footprint
  - Hardware and Software Configuration
  - Scalability and Provisioning
Tip
a) Review diagram details with the customer to ensure that you have a solid understanding
b) Coach the customer to be more design oriented by asking what design priorities influenced decisions that resulted in the current state design
c) Understanding the application environment as well as current and future traffic patterns is critical
d) Leverage the 4D WAN Discovery Pool of Questions

3. Are you taking a cross architectural approach in your discovery with the customer?
What to do
• Expand your line of questioning to promote cross architectural discovery
• Highlight interdependencies between solution decisions associated with different places in the network that essentially come together to provide a complete end-to-end best practices design
Tip
a) Centralized WLAN Controller deployments leveraging remote site CAPWAP AP termination prevent application visibility for traffic traversing the WAN
b) Certain application optimization engines create tunnels that interfere with intelligent path control capabilities and asymmetric route handling

4. Did you build enough consensus and establish the appropriate level of credibility to get to the point of scheduling a design session?
What to do
• Reinforce that you consider yourself to represent an extended member of their team and would like to help them develop the appropriate design to meet their long term needs
• Provide examples of some of the sample artifacts you can co-develop with the customer’s IT staff to ensure the proper documentation is prepared for presentation to the business
Tip
a) Let the customer know that you understand that they have existing investments that they may need to incorporate into the overall design
b) Highlight that the Cisco team is investing time to conduct design sessions to ensure appropriate design and solution recommendations

4D SE Design
Takeaway Reference
Co-develop a design that addresses all current and future capability requirements to execute on the delivery of business outcomes:
- Start with generic capability requirements and define key priorities before mapping back to these with Cisco specific innovation
- Leverage Cisco Validated Designs, white papers and best practices rather than product marketing slides
- Do not overuse the words “It Depends” and narrow down design recommendations by putting everything into context

1. Are you leveraging documentation and information gathered during the discovery phase of your engagement?
What to do
• Leverage discovery documentation to introduce key capabilities needed to address challenges and to ensure the realization of benefits
• Do a compare and contrast of current state vs. future state design and capabilities by leveraging customer provided infrastructure documentation
Tip
a) If the Account Manager has already obtained this information then treat this as more of a validation and verification exercise by starting with comments such as, “It is my understanding that…”
b) Sharing insights is not about selling or positioning our solutions at this stage of the engagement, but rather about building credibility and consensus

2. Are you mapping Cisco innovation to desired capability requirements in a way that solves customer relevant problems and that delivers on customer desired benefits?
What to do
• List the challenges, benefits and associated capabilities to keep the customer focused
• Make sure that any product, feature and innovation maps back to documented capability requirements
• Identify which capabilities require demonstration
• Check off capability requirements upon establishing consensus
Tip
a) Review diagram details with the customer to ensure that you have a solid understanding
b) Coach the customer to be more design oriented by asking what design priorities influenced decisions that resulted in the current state design
c) Understanding the application environment as well as current and future traffic patterns is critical
d) Leverage the 4D WAN Discovery Pool of Questions

3. Are you referencing PPDIOO, Top Down Network Design and Plan Build Manage models to effectively facilitate the design session?
What to do
• Share these frameworks with the customer upfront to ensure there is consensus around proven design methodologies
• Hold off on the product conversation until capability requirements and logical design considerations have been documented and agreed to
• Prepare to address brownfield migration considerations
Tip
a) Top Down Network Design is regarded as the most neutral and straightforward framework
b) Customers may want to push you to discuss product early on in the conversation, so be ready to challenge by pointing back to the model
c) The most common objections are related to uncertainty in terms of migration approach

4. Will you be in position to provide a blueprint, reference architecture, journey map, high level design (HLD) and/or any other relevant artifact(s) in the weeks following the design session?
What to do
• Co-develop a reference architecture and HLD with your customer
• Document a high level journey map
• Leverage companies like Complete Communications to build the financial case
Tip
a) Make sure that you are documenting things in the customer’s words
b) Complete Communications offers a no cost/no obligation service to help the customer build a financial case leveraging advanced tools

4D SE Demo
Takeaway Reference
Showcasing of solution capability to make IT real:
- Avoid canned demos that don’t map back to customer relevant desired next generation capability requirements
- Must reinforce information shared during the discovery and design phases
- This step should lead to providing an opportunity for the customer staff to get a hands-on experience

1. Are your demos tailored to reinforce information shared during the discovery and design phases?
What to do
• Paint the vision for the specific customer you are working with
• Make a point to highlight how what is being showcased addresses customer challenges and empowers the company to realize desired benefits
Tip
a) Document all customer requirements on a virtual or physical whiteboard as a point of reference
b) Check off each priority item after demonstration of capability realization while validating and verifying that there is group consensus

2. Are your demos designed to be interactive and to facilitate discussion?
What to do
• Continue to perform discovery and broaden the scope of design considerations while demonstrating desired capabilities
• Validate, verify and prioritize must have capabilities
• Determine whether the customer would like to dive deeper during a follow-up or as part of a Proof of Value self drive experience
Tip
a) 4D is an iterative process and should result in going deeper with each cycle
b) Customers typically want it all, but are unwilling to pay for it all, therefore prioritize must have capabilities based on business outcome mapping
c) Most Engineers will not feel comfortable with a solution until they have personally gotten their hands dirty with the technology and innovation

3. Are your demos about more than products and solution innovation?
What to do
• Challenge yourself to use phrases such as you and your rather than customers and their
• Ensure that what you are demoing supports the customer requirements and design considerations
Tip
a) Be on the lookout for making general references regarding solution benefits while conducting the demonstration
b) Never demo independent of discovery and design

4. Are you providing unique and relevant insights into overall design considerations to promote cross architectural benefits when demoing relevant Cisco innovation?
What to do
• Demonstrate how not considering the end-to-end infrastructure could result in unexpected expenses, unplanned down time and unforeseen complications
• Highlight opportunities that although not currently within scope would result in lower operational costs and complexity
Tip
a) Look for opportunities to show how a decision in one area in the network impacts another (AO, WLAN and End-to-End Security can impact the ability to meet desired expectations)
b) Demonstrate opportunities for consolidation (WAN/Voice, WAN/Compute, Management)

4D SE Defend
Takeaway Reference
Defend your position by engaging with relevancy, leading the agenda and jointly developing artifacts with your customer:
- Achieved as a result of executing on a proven engagement model
- Results in leading to vs. leading with while documenting customer priorities and co-developing artifacts
- Must know the competitors and their tactics

1. Are you discussing the overall journey in terms of end-to-end network transformation?
What to do
• Identify relevant opportunities to discuss how routing, switching, wireless, voice, advanced threat protection and other solutions come together to deliver differentiated value
• Highlight interoperability issues associated with nonintegrated solutions and the importance of validated designs
Tip
a) When discussing cross architectural considerations continue to highlight capabilities and not specific innovation
b) Selecting different vendor solutions to address project based initiatives typically leads to unforeseen complications and Band-Aids

2. Have you co-developed and delivered documented artifacts?
What to do
• Provide documented deliverables and do not rely on customer verbal consensus alone to seal the deal on solution criteria
• Develop the necessary business case and demonstrate how the technical solution maps back to business outcomes
• Ensure that the documentation you are creating can seamlessly be used by post sales engineering teams responsible for solution delivery
Tip
a) Do not assume that because things are going well and moving fast that you do not need to provide relevant documentation
b) Building the business case and financial case are critical to avoiding heavy discounts
c) Document what would happen if the customer decided to do nothing as this is perhaps your greatest competitor

3. Have you provided your customer with the opportunity for a proof of value or proof of concept experience?
What to do
• Leverage dCloud capabilities to share the solution environment with your customer for a test self drive
• Leverage programs such as SeedIT to get discounted hardware in the hands of your customer for a ‘Bring Your Own Branch’ experience
Tip
a) Learn how to use dCloud to save and share custom configurations on-demand
b) Make sure that you are working closely with a partner to position the appropriate professional services offerings where appropriate

4. Have you identified competitive threats and determined an appropriate strategy to defend against them?
What to do
• Research information contained within the competitive portal: https://competitive.cisco.com
• Focus on WAN Disruptors competitive content: http://wanweapons.cisco.com/blog/category/disruptors/
• Focus on risks associated with unproven solution offerings
Tip
a) Look for opportunities to show how a decision in one area in the network impacts another (AO, WLAN and End-to-End Security can impact the ability to meet desired expectations)
b) Demonstrate opportunities for consolidation (WAN/Voice, WAN/Compute, Management)

Trends, Challenges, Benefits,
Key Capabilities
Module Objectives
Foundational Enablement
• Explain how current business and IT trends are having an impact on the evolution of
WAN design
• Describe the most common IT related WAN challenges
• Highlight the common desired benefits that are driving customers to redesign the WAN
• Set the agenda by sharing unique insights around the key technical capabilities that
must be taken into consideration to avoid unforeseen cost, complication and downtime
• Map general technical capability requirements to the desired business benefits of
Reduced Cost & Complexity and Lower Risk
• Explain the most typical and recommended SD-WAN migration approach

Network as a Platform for
Reducing Cost and Complexity While Lowering Risk

DNA Network
Transformation
for WAN
Uncompromised &
Secure Experience
Over Any
Connection
Common Business & IT Trends
Evolving WAN Situation
• Applications are moving to the Cloud (private and public)
• Internet edge is moving to the remote site
• Business mobile devices, BYOD and Guest Access
  Expected to strain both the corporate LAN (WiFi) and WAN
• High Bandwidth Apps

App Content: Rich, Dynamic, Web-Based
App Delivery: Cloud, SaaS, Virtualized
App Consumption: Mobile, Diverse Devices
Common IT Challenges
WAN Challenges
Pressure on the WAN

Cost optimization

Poor user and application experience

Lack of visibility, control and security

Organizational structure and governance

Common Desired Benefits
Designing and Deploying for Impact
Augment or replace premium WAN bandwidth

Reduce costs and lower operational complexity


Ensure remote site uptime

Provide a consistent high quality experience

Prioritize and secure with granular control

Offload guest and public cloud

Traditional and Legacy Architectures
Cannot Scale to Address Changing Needs
EXPENSIVE
• Hardware-centric
• Fixed capacity

POORLY INTEGRATED
• Conflicting policies and configurations
• Inflexible and static
• Risk from accidental interactions and vulnerabilities

DIFFICULT TO SUPPORT
• Discrete device-by-device configurations
• Complex management silos
• Require slow truck rolls for changes

CONNECTIVITY-CENTRIC
• Fragmented, incomplete user experience
• Not application-centric

INFLEXIBLE
• Tightly controlled, client server model
• Historical vs predictive management
SD-WAN Enterprise Grade Capabilities
Reducing Cost and Complexity for Agile IT
• Separation of management, control, data for scaling
• Redundant management—cloud or on premises
• Zero-touch provisioning in minutes, not days
• Full segmentation support for fast app deployment
• Choice of topologies with point-and-click
• Complete visibility from single pane of glass

Comprehensive and Flexible to Fit Your Business
• PHYSICAL SECURE ROUTERS OR VIRTUAL SECURE ROUTERS
• CAPEX WITH ANNUAL SUBSCRIPTION OR ENTERPRISE-BASED AGREEMENT
• IN-HOUSE IT OR MANAGED SERVICE
• on premises or cloud
Business Continuity
Critical Application SLAs
[Diagram: Corporate Data Center, Cloud Data Center, Cloud Applications, Campus, Branch and Small Office Home Office connected over Internet, MPLS and 4G/LTE. Conditions called out: Single Link Failure; All Links Failure; CPE Device Failure; Latency; Static Topologies; Path MTU Changes; Bandwidth Oversubscription; Path Brownout]
Cloud Ready
Considerations
[Diagram: two panels, each showing Data Center, Small Office, Home Office, Branch and Campus on a Secure SD-WAN Fabric. Other labels: IaaS; SaaS; Cloud Applications; Cloud Data Center]
Advanced Requirements
Differentiated Capabilities
• END-TO-END SEGMENTATION
• UBIQUITOUS DATA PLANE
• SECURITY AT INTERNET SCALE
[Diagram labels: Cloud Data Center; Edge; VPN 1; VPN 2; VPN 3; IPSec Tunnel; Internet; MPLS; 4G/LTE; Corporate Data Center; Small Office Home Office; Campus; Branch]
Service Based Traffic Engineering
Service Insertion and Bandwidth Preservation
[Diagram labels: Site A (User); Virtual Fabric; MPLS; Internet; Data Center (App Server); Regional DC; VNF (Firewall); flows UDP/5001 and UDP/5002; policy Allow UDP/5001, Deny UDP/5002; Wasted Bandwidth]
• Firewall service is inserted into the overlay topology
• Security policy is enforced
• Data Center WAN bandwidth is not “wasted”
Migration to Software Defined WAN
Recommended Approach

[Diagram labels: Remote Site; Data Center; WAN; Internet; MPLS; ISP-RT; MSP-RT; New; Existing]

Roadmap to Success

Identify Baseline
• Understand existing application traffic
• Determine existing QoS policy
• Evaluate impact of proposed changes

Transport Independent
• Leverage overlay through existing equipment at data center for transport agnostic redesign
• Replace remote site equipment or leverage overlay

Services Delivery
• Segment traffic
• Deploy application aware topologies
• Optimize routing, security, QoS, multicast, services insertion and survivability

Application Policies
• Select test application as candidate for intelligent traffic engineering
• Test blackout and brownout failover scenarios
Key Foundation Takeaways
Summary
• The combination of app content, app delivery and app consumption is resulting in an
evolving WAN situation
• Challenges such as poor application experiences, increased WAN services spend and a
lack of visibility and control are making it difficult for IT to provide the business with a
platform to support faster innovation
• Most IT organizations are interested in realizing a common set of benefits such as
consistent high quality user experiences, reduced cost, simplified operations and lower
risk
• The journey to the next generation software defined WAN requires considering various
technical capabilities such as transport independence, ubiquitous data plane,
automatically secure routed endpoints, resiliency, application aware routing, cloud
readiness, simple secure network segmentation, centralized policy enforcement and
layer 4-7 flexible services insertion
• Migrating to a software defined WAN does not need to be difficult as long as one follows
the roadmap to success
Customer Discovery, Use
Cases, Buying Triggers and
Insight Sharing
Module Objectives
Foundational Enablement
• Ask relevant discovery questions and review potential responses to understand what
the primary motivations or challenges are that we are trying to satisfy and how these
might potentially lead to a Cisco SD-WAN solution offering at a later point during the
engagement lifecycle
• Identify challenges and opportunities present in current customer designs and
deployments
• Identify ways to set the agenda by sharing specific SD-WAN relevant customer use
cases without highlighting Cisco SD-WAN innovation, while leading to capabilities
offered by Cisco SD-WAN
• Consider customer audience and identify buying and solution relevancy triggers

4D Framework
Discovery – Business Focus
Takeaway Reference
Q. Do you consider security to be a strategic corporate objective?
A. Absolutely, we are very serious about security and compliance
Q. Do you have specific compliance or regulatory mandates related to data protection?
A. Yes.
Q. Are increased cost and complexity associated with implementing solutions focused on lowering risk preventing you from taking
advantage of trends such as IoT/IoE or Cloud that could potentially help you to innovate faster?
A. Perhaps. We absolutely want to provide differentiated customer and workforce experiences and do recognize the benefits
associated with capitalizing on these trends, but haven’t quite figured out how to do that. Security is obviously one of the major
concerns.
Q. Fast IT is a hot topic. Do you believe that your IT organization is agile enough and fast enough in terms of addressing your
business needs?
A. I understand the network is complex and IT may require additional tools and resources to get the job done.
We have considered moving some things to the cloud and outsourcing certain aspects of IT.
Q. Have you experienced any outages as a result of IT human error that impacted your business negatively?
A. Yes. There have been cases where human error caused us to be down and this resulted in a loss of revenue. We have a firm policy
with IT on change windows.
Q. What keeps you up at night and how can IT help?
A. Staying ahead of the competition while providing differentiated and unprecedented value to our stakeholders. We are looking at IT
to leverage analytics to help us gain insights into trends and behaviors. We must provide a differentiated experience at every
touchpoint. Simplifying overall internal and external operations is key and perhaps IT can find ways to leverage automation to make a
greater impact in this area. Customer privacy is critical and we rely on IT to ensure that we stay out of the news.
4D Framework
Discovery – Technical Focus
Takeaway Reference
Q. Have you categorized locations by function, user communities or size?
A. No
Q. What is the average size of each site in terms of number of devices or users?
A. 200
Q. What SP WAN offerings do you have in place?
A. AT&T and Sprint
Q. Do you own and manage the edge hardware or was this included as part of the service provider offering?
A. Domestic – Leased/International – Owned
Q. If leveraging MPLS does your service provider offering support QoS and Multicast?
A. Yes, QoS
Q. What is the average bandwidth provisioned at each site?
A. 5Mbps
Q. If leveraging routers and not switches to terminate the WAN, are the majority of your handoffs from the provider Ethernet, T1
or multilinked bundled T1s?
A. Ethernet / Fiber
Q. When do your WAN contracts terminate?
A. 2016 first quarter
Q. Have you looked into enhanced service offering through the same provider or different providers at a similar or lower cost?
A. Yes
Q. Do you have distributed or centralized infrastructure?
A. 70/30 Centralized/Distributed. Most of our work is based in a custom application hosted at our data center. While file and print services, RDP and authentication is done at each site
4D Framework
Discovery – Technical Focus Continued
Takeaway Reference
Q. Is there a goal to centralize?
A. Possibility but no specific goal set yet.
Q. What is the overall motivation to centralize or decentralize services?
A. Cost and performance of custom applications
Q. Do you have a compute footprint at each location or has all of compute been consolidated in the Data Center?
A. Footprint at each location, but working to centralize all workloads and interested in adding a secondary DC in the next
year.
Q. How do you handle web security/content filtering for your distributed environment?
A. All web security / filtering flows back to our data center through our central firewall
Q. What do you leverage for Web Security?
A. Palo Alto Networks firewall
Q. Are you happy with the solution that is in place?
A. Yes
Q. Do you have centralized Internet in one or more Data Centers or is Internet distributed throughout all of the various
locations?
A. Centralized in our data center
Q. Do you have any redundancy in place at the WAN edge in terms of hardware with redundant power supplies, redundant
circuits, redundant providers, redundant routers or 3G/4G backup?
A. At our data center, redundant power and circuits/routers.
Q. What is the impact of a WAN outage?
A. Data center: Extremely costly. Each site: expensive
Q. Is the impact of a WAN outage site specific?
A. Yes
4D Framework
Discovery – Technical Focus Continued
Takeaway Reference
Q. How much does downtime for critical sites cost your organization?
A. $1,000 to $20,000 per hour depending on size of site
Q. How frequently do you experience downtime and what is the primary cause?
A. Very infrequent 1-2 times per month. MPLS routing issues or network ‘blip/bounce’
Q. What applications must stay up no matter what?
A. Email, custom application (ABC)
Q. What types of applications are being leveraged out at your remote locations?
A. Email, custom application (ABC), RDP, HTTP
Q. Have you experienced any complaints with respect to application performance at your remote sites?
A. Yes
Q. Are you considering cloud based productivity applications?
A. Yes, Office 365
Q. Do you have any initiatives around VDI?
A. No
Q. What types of devices are at the edge of your network terminating the WAN?
A. Cisco routers, various models
Q. Does the provisioned bandwidth meet your current and future needs?
A. No
Q. Are your remote location users complaining about performance?
A. Yes
4D Framework
Discovery – Technical Focus Continued
Takeaway Reference
Q. Have you configured QoS on edge devices?
A. Yes
Q. Are you leveraging any type of WAN Optimization technologies to optimize application performance?
A. No
Q. Have you extended your WAN by deploying routers at employee sites leveraging VPN? What is your teleworker strategy?
A. No. They connect using a VPN client on their workstations
Q. How frequently are you adding new locations?
A. 10 locations a year
Q. How long does it take to provision the WAN and internal network for a remote site?
A. One to two months
Q. What is the process to get a remote site up and running?
A. C-level approval, requesting through provider, then depending on physical location, provider may need to contact local
carrier to negotiate link, cost and install times
Q. Do you currently segment any traffic within the remote site that would also benefit from being segmented across the WAN
to address security and compliance considerations?
A. Yes, Point of Sale equipment
Q. Would you benefit from being able to seamlessly advertise layer 4-7 services such as Internet Connectivity out of any
location to reduce overhead on your Data Center WAN circuit?
A. Perhaps, but security is a major concern.
Q. Do you have disparate transport connectivity terminating to multiple regional PoPs worldwide?
A. No. We have AT&T and Sprint in most locations. There are a few locations where services were unavailable so we use Internet VPN.
4D Framework
Customer Current Design Plan
Vertical Use Case Considerations
At-A-Glance
All Verticals

RETAIL FINANCIAL HEALTHCARE MANUFACTURING

HOSPITALITY TRANSPORT GOV TECH

Support and Operations Considerations

• 24x7x365 Support
• Global Distribution and RMA
• Training and Certification
Vertical Use Case Considerations
Retail and Healthcare
Retail
• Segment POS traffic for PCI compliance and Network Security
• Increase bandwidth 10x and reduce cost 50%
• Enable in store services like Guest Wireless, Digital Signage, and IoT
• Eliminate downtime caused by network outages

Healthcare
• Migrate to cloud-based healthcare (EMR/EHR) applications
• Ensure 100% network uptime of patient and administrative services
• Transition to Hybrid WAN for Active/Active utilization and application based path selection
• Achieve zero-touch IT capability while migrating the clinic footprint to the cloud
• Rapidly enable services like guest WiFi, and cloud-based VoIP and medicinal dispensing

Vertical Use Case Considerations
Manufacturing and Banking
Manufacturing
• Introduce End-to-End Segmentation to address compartmentalized LOBs and dozens of
isolated segments
• Secure controlled business partner access through the extranet

Banking
• Provision more bandwidth at a lower cost resulting from a diverse pool of active-active
capacity
• Define application policies for optimal quality of experience and application aware routing
to enable in-branch services such as Digital Signage, and Virtual Expert HD Video
• Rollout application aware topologies leveraging a zero-compromise secure fabric and
ubiquitous encryption to address differences between ATM machine communications and
branch-to-branch VoIP or Video
Customer Requirements
Buying and Solution Relevancy Triggers

Security Operations: Security and Compliance are critical areas of focus and require us to have the appropriate Segmentation, Policing, Access Controls and Visibility from end-to-end
Network Manager: I want to Simplify Deployments and Automate Policy Enforcement to ensure a Consistent and Seamless Application Experience
Network Manager: I need to Replace or Augment existing Infrastructure and WAN Services to Lower Costs and Maximize Investments
Network Operations: I want Centralized Policy Enforcement and Assurance to Accelerate Time to Resolution to Address Problems on the network Dynamically
Insight Sharing Tip 1 (Takeaway Reference)
Key Differences in Consumption Models

On-Premise Solutions
• Large Upfront Investment
• Upfront CapEx (buying, deploying and maintenance)
• Agility: Longer time to new versions
• Scale: New servers required
• Limited access

Cloud Delivered Solutions
• Subscription model
• No HW, Maintenance, Back-up and recovery costs
• Agility: Availability to new features
• Instant scale
• Easy access
Insight Sharing Tip 2 (Takeaway Reference)
Cloud Solution Key Considerations
Not all Cloud Delivered solutions are equal
Key Considerations:
• Security
• Communication
• Access
• Traffic Flows
• Is my PII data going to the cloud?
• Does this solution break compliance?
• Controller Unavailability
• Recovery
Insight Sharing Tip 3 (Takeaway Reference)
Day 0 – 2 Operational Considerations
Day-0 Day-1 Day-2
• Planning • Secure & Zero-touch • User & Application
• Staging & Zero-Trust Activations Visibility
• Pre-Provisioning • Deployment Scale • Centralized Monitoring
• Automation • Policy Compliance • Software Upgrades
• Self-healing
• Troubleshooting

Intuitive UI APIs Partner Integrations MSP Integrations

SD-WAN
Business Case
Cost
• Substitute lower cost links or devices for higher cost
• Lower cost of management, troubleshooting
• Leverage Complete Communications for financial analysis

Agility
• Focus on how automation and policy abstraction empower the organization to innovate faster while transforming the customer and workforce experience

Focus
• Provide quantifiable metrics associated with expedited mean time to detection, mean time to innocence and mean time to repair

Performance
• Quantify frequency and cost associated with outages
• Reduce number of outages affecting user performance
• Improve application performance

Security
• Application relevant topologies
• Segmented virtual WANs and security service chains
Lead to Quantifiable ROI
Current State vs. Future State
Current State
• Circuit costs
• Time to enable new services
• Bandwidth
• Security and Compliance
• Change Control

Future State
50% Lower Cost
• Reduced CapEx & OpEx
• Simplified Management
• Rapid troubleshooting
10X More Bandwidth
• No capacity restraints
• No Choke points
• Instantly add bandwidth anytime, anywhere based on application requirements
5X Cloud Performance
• Cloud Aware architectures and SLA-based traffic steering deliver blazing performance for applications like O365, AWS, SFDC, and more
Complete Communications Discovery
Partner to Develop the Financial Case
Current MPLS Spend vs. Dual Internet ($ per Month)
• Current WAN Spend: $62,065
• Proposed IWAN Spend (Dual Int Combined for Ent SLA): $22,155
• $39,910 Savings/Month (-64%) x 12 Months = $479K Savings per Year

Demo the Complete Communications Dashboard – http://cs.co/demodna
Key Foundation Takeaways
Summary
• Ask relevant discovery questions and review potential responses to understand what
the primary motivations or challenges are that we are trying to satisfy and how these
might potentially lead to a Cisco SD-WAN solution offering at a later point during the
engagement lifecycle
• Identify challenges and opportunities present in current customer designs and
deployments
• Identify ways to set the agenda by sharing specific SD-WAN relevant customer use
cases without highlighting Cisco SD-WAN innovation, while leading to capabilities
offered by Cisco SD-WAN
• Consider customer audience and identify buying and solution relevancy triggers

High Level
Design Considerations
Module Objectives
Foundational Enablement
• Review traditional WAN topologies and their constraints
• Explain the advantages and disadvantages of traditional WAN designs
• Highlight various WAN capabilities that introduce increased complexity
• Describe the 4 design and deploy for impact focus areas for reinventing the WAN and
delivering a next generation business driven WAN infrastructure
• Describe the 4 primary technical pillars and sample capabilities that align to the 4 focus
areas for reinventing the WAN

Common WAN Topologies
Design and Deployment Considerations
Design Challenges with Growing Needs and New Innovation

Common WAN Topologies
Growing Complexity - Scale, Policy, Segmentation
Complexity Grows with Scale and Changing Business Requirements

Network Transformation
The Era of Digital Transformation
• Hardware Centric → Software Driven
• Manual → Automated
• Closed → Programmable
• Reactive → Predictive
• Network Intent → Business Intent

• CLOUD & ON-PREM: Hosted, delivered, managed
• AUTOMATION & SCALE: Speed, flexible, zero-touch, policy driven
• SECURITY & COMPLIANCE: Segmentation, threat mitigation
• ASSURANCE & ANALYTICS: Users, applications, devices
Business Driven WAN Infrastructure
Design and Deploy for Impact Objectives

• APPLICATION POLICIES: Application SLA, Traffic Engineering, Per-Segment Topologies, Secure Perimeter, Cloud Path (IaaS), Cloud Accel (SaaS), Transport Hub
• SERVICES DELIVERY PLATFORM: Routing, Security, Segmentation, QoS, Multicast, Svc Insertion, Survivability
• TRANSPORT INDEPENDENT FABRIC (ZERO TOUCH, ZERO TRUST): Broadband, MPLS, Cellular
• Analytics, Monitoring, Operations
Reinventing the WAN
The 4 Focus Areas
• Secure Elastic Connectivity
• Cloud First
• Application Quality of Experience
• Agile Operations
Reinventing the WAN
The 4 Supporting Technical Pillars
• Security
• Connectivity
• Application services
• Operations
Reinventing the WAN
Security
• Embedded Security
• Secure Bring-up
• Centralized Device Auth-DB
• Scalable Data-Plane Encryption
• Authenticated/Encrypted Control Plane
• Automatic Key Rollover
Reinventing the WAN
Connectivity
• Hybrid WAN
• Provider/Transport Agnostic
• Segmentation/VPNs
• Dynamic Per-VPN Topologies
Transports shown: LTE, INTERNET, MPLS
Reinventing the WAN
Application Services
• Deep Packet Inspection
• Central Orchestration
• Transport SLA Monitoring
• Application Layer Analytics
• Application-Aware Routing
• Cloud Services Integration
• SEN Overlay
Transports shown: LTE, INTERNET, MPLS
Reinventing the WAN
Operations
• Centralized Operations, Distributed Execution
• Centralized Policy Orchestration
• Template-based Configurations
• Zero Touch Provisioning
• Programmatic APIs
• Open Object Model
• NetConf
• Ad-Hoc Adds/Moves/Changes
Key Foundation Takeaways
Summary
• Recognize traditional WAN topologies and their constraints
• Explain the advantages and disadvantages of traditional WAN designs
• Highlight various WAN capabilities that introduce increased complexity
• Describe the 4 design and deploy for impact focus areas for reinventing the WAN and
delivering a next generation business driven WAN infrastructure
• Describe the 4 primary technical pillars and sample capabilities that align to the 4 focus
areas for reinventing the WAN

Cisco SD-WAN
Solution and Architecture Overview
Module Objectives
Foundational Enablement
• Explain and whiteboard the fundamental components that make up the Cisco SD-WAN
solution
• Explain and whiteboard the role associated with each Cisco SD-WAN component
including the devices that make up the secure extensible network fabric
• Explain the roles of various types of policies
• Explain and whiteboard a basic example of fabric operation
Cisco SD-WAN
Platform for Digital Transformation
Diagram: the Cisco SD-WAN Fabric (Cloud Delivered, Analytics, Automation, Virtualization; SECURE, SCALE, OPEN) connecting USERS, DEVICES and THINGS to APPLICATIONS. Other labels: DC, IaaS, SaaS, vDC, Cloud OnRamp, IoT, Edge Computing.
Cisco SD-WAN Architecture
The Power of Abstraction
• Management Plane: vManage (APIs, 3rd Party Automation, vAnalytics)
• Orchestration Plane: vBond
• Control Plane: vSmart Controllers
• Data Plane: vEdge Routers over MPLS, INET and 4G, at Cloud, Data Center, Campus, Branch and SOHO sites
Cisco SD-WAN Solution Elements
Orchestration Plane
Cisco vBond
• Orchestrates connectivity between management, control and data plane
• First point of authentication
• Requires public IP Address
• Facilitates NAT traversal
• All other components need to know the vBond IP or DNS information
• Authorizes all control connections (white-list model)
• Distributes list of vSmarts to all vEdges
Cisco SD-WAN Solution Elements
Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Real time alerting
• Centralized provisioning
• Configuration standardization
• Simplicity of deploying
• Simplicity of change
• Supports
  • REST API
  • CLI
  • Syslog
  • SNMP
  • NETCONF
Cisco SD-WAN Solution Elements
Control Plane
Cisco vSmart
• Centralized brain of the solution
• Facilitates fabric discovery
• Establishes OMP peering with all vEdges
• Implements control plane policies, such as service chaining, traffic engineering and per VPN topology
• Dramatically reduces complexity of the entire network
• Distributes connectivity information between vEdges
• Orchestrates secure data plane connectivity between vEdges
Cisco SD-WAN Solution Elements
Data Plane
Cisco vEdge (Physical/Virtual)
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application aware routing policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Supports Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)
Overlay Management Protocol (OMP)
Unified Control Plane
• Runs on top of TCP, extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers
  - Inside TLS/DTLS connections
• Advertises control plane context

Note: vEdge routers need no control connections amongst them
Fabric Operation
Fabric Walk-Through
OMP Update:
• Reachability – IP Subnets, TLOCs
• Security – Encryption Keys
• Policy – Data/App-route Policies

Diagram: two vEdges, each receiving OMP Updates and Policies from the vSmart, connected to each other across Transport1 and Transport2 through their TLOCs. Behind one vEdge are Subnets A and B (VPN1, VPN2), behind the other Subnets C and D (VPN1, VPN2), learned through BGP, OSPF, Connected and Static routes. Legend: OMP, DTLS/TLS Tunnel, IPSec Tunnel, BFD.
Policy Driven WAN Infrastructure
Policy Augmented Dynamic Routing
1. vManage GUI – Policy Orchestration
   • App-Route Policy: App-Aware SLA-based Routing
   • Control Policy: Routing and Services
   • Data Policy: Extensive Policy-based Routing and Services
   • Combine and Apply per Site
2. vSmart controller – Policy Enforcement/Advertisement
   • Execute Control Policy
   • Advertise AAR/Data Policies to Sites
3. vEdge WAN router
   • Execute AAR and Data Policy as received
   • Dynamic Routing and Policies Combine to dictate behavior

Diagram: vEdge WAN router above the Access Layer at a Branch/DC.
Operations
Simplicity and Visibility

Single Pane Of Glass Operations Rich Analytics

Key Foundation Takeaways
Summary
• Power of abstraction provides network agility
• Automated provisioning accelerates time to market and reduces costs
• Automatic and adaptive configuration preserves a consistent application
experience
• Insight into application health
• Simplified operations

Cisco SD-WAN Capabilities
Reinventing WAN Security
Module Objectives
Foundational Enablement
• Explain and whiteboard the zero-trust philosophy of the Cisco SD-WAN fabric
• Explain and whiteboard the principles behind securing application traffic leveraging
strong encryption and segmentation
• Explain and whiteboard how Cisco SD-WAN fabric expands security through integration
with L4-L7 network services
• Explain and whiteboard options for Cloud Security
• Explain and whiteboard the self-defending nature of the embedded Cisco SD-WAN
fabric security

vEdge Router
Identity and Trust
• vEdge – Embedded Device Identity: Identity Cert in TPM Chip. Controller Trust: Root Chain
• vEdge Cloud – Dynamic Device Identity: Identity Cert. Controller Trust: Root Chain
Controllers
Identity and Trust
Controllers shown: vBond, vSmart, vManage
• Local Controller Identity: Identity Cert
• Remote Controller Trust: Root Chain
• vEdge Trust: Root Chain
• vEdge Cloud Trust: Root Chain
Zero Trust Model
Certificate-Based Trust
• Bi-directional certificate-based trust between all elements
  - Public or Enterprise PKI
• White-list of valid vEdges and controllers
  - Certificate serial number as unique identification

Diagram: Administrator Defined Controllers and Signed vEdge List at vManage; vBond, vSmart, vEdge.
DDoS Infrastructure Protection
vEdge Routers
Traffic sources:
• Authenticated Sources (Control): vBond, vSmart, vManage over TLS / DTLS
• Authenticated Sources (Data): vEdge over SD-WAN IPSec
• Explicitly Defined Sources: Cloud Security over IPSec / GRE
• Unknown Sources (Any Other): Deny except:
  1. Return packets matching flow entry (DIA enabled)
  2. DHCP, DNS, ICMP
  * Can manually enable: SSH, NETCONF, NTP, OSPF, BGP, STUN

Control Plane Policing:
• 300pps per flow
• 5,000pps

Diagram labels: CPU, Packet Forwarding
DDoS Infrastructure Protection
Controllers
Traffic sources:
• Authenticated Sources (Control): vBond, vSmart, vManage over TLS / DTLS
• Authenticated Sources (Data): vEdge over TLS / DTLS
• Unknown Sources (Any Other): Deny except:
  DHCP, DNS, ICMP, NETCONF
  * Can manually enable: SSH, NTP, STUN, HTTPS (vManage)

Control Plane Policing:
• 500pps per flow
• 10,000pps

Note: vBond control plane policing is the same as vEdge

Diagram labels: CPU, Packet Forwarding
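The figures and "Deny except" lists from the two DDoS Infrastructure Protection slides, worked through as an added example (this is not Cisco code or part of the original deck). It assumes the second policing figure is a total cap across all flows, that both caps apply per one-second window, and that packets from different flows arrive interleaved; every function and table name is hypothetical.

```python
from collections import defaultdict

# Packets-per-second figures as printed on the two slides.
POLICING = {
    "vedge":   {"per_flow": 300, "total": 5_000},
    "vbond":   {"per_flow": 300, "total": 5_000},   # slide note: same as vEdge
    "vsmart":  {"per_flow": 500, "total": 10_000},
    "vmanage": {"per_flow": 500, "total": 10_000},
}

# "Deny except" lists for unknown sources, keyed by slide.
DEFAULT_ALLOW = {
    "vedge": {"dhcp", "dns", "icmp"},
    "controller": {"dhcp", "dns", "icmp", "netconf"},
}
MANUAL_ENABLE = {
    "vedge": {"ssh", "netconf", "ntp", "ospf", "bgp", "stun"},
    "controller": {"ssh", "ntp", "stun", "https"},  # HTTPS is listed for vManage
}


def unknown_source_allowed(slide, service, enabled=frozenset(),
                           return_flow=False, dia=False):
    """Apply a slide's 'Deny except' rule to a packet from an unknown source.

    slide       -- "vedge" or "controller"
    service     -- lowercase service name, e.g. "ssh"
    enabled     -- services the operator has switched on manually
    return_flow -- packet matches an existing flow entry
    dia         -- Direct Internet Access is enabled on the vEdge
    """
    if slide == "vedge" and return_flow and dia:
        return True
    if service in DEFAULT_ALLOW[slide]:
        return True
    # A manual enable only counts for services the slide lists as enable-able.
    return service in enabled and service in MANUAL_ENABLE[slide]


def police_one_second(device, offered):
    """Admit packets for one second under the per-flow and total caps.

    offered -- {flow_id: packets offered during the second}
    Returns {flow_id: packets admitted}. Flows are served round-robin,
    which is the interleaving assumption named in the lead-in.
    """
    limits = POLICING[device]
    pending = dict(offered)
    admitted = defaultdict(int)
    total = 0
    while total < limits["total"]:
        progressed = False
        for flow, left in pending.items():
            if (left > 0 and admitted[flow] < limits["per_flow"]
                    and total < limits["total"]):
                pending[flow] = left - 1
                admitted[flow] += 1
                total += 1
                progressed = True
        if not progressed:
            break
    return {flow: admitted[flow] for flow in offered}


def summarize(device, offered):
    """Offered vs. admitted packet counts for one second of load."""
    admitted = police_one_second(device, offered)
    return {
        "offered": sum(offered.values()),
        "admitted": sum(admitted.values()),
        "max_per_flow": max(admitted.values()),
    }


# Constructed load: 40 distinct sources at 1,000 pps each.
FLOOD = {f"src{i}": 1_000 for i in range(40)}

if __name__ == "__main__":
    print("single source:", police_one_second("vedge", {"one": 20_000}))
    for device in ("vedge", "vsmart"):
        print(device, summarize(device, FLOOD))
    print("ssh from unknown source, default:",
          unknown_source_allowed("vedge", "ssh"))
```

The per-flow figure bounds what a single noisy source can push towards the CPU, while the total figure is what bounds a load spread over many sources.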
Data Plane Privacy
Traffic Encryption
• Each vEdge advertises its local IPsec encryption keys through OMP
• Encryption key is per-transport
• Keys are rotated frequently
• Traffic Encrypted with AES256-GCM

Diagram: each vEdge sends its Local Keys to the vSmart Controllers in an OMP Update and holds the Remote Keys; the vEdges connect across Transport1 and Transport2 through their TLOCs. Legend: Control Plane.
Data Plane Integrity
Man-in-the-Middle and Replay Attack Mitigation
• vBond discovers vEdge public IP address, even if it traverses NAT
• vBond communicates public IP to the vEdge
• vEdge pre-computes AH hash based on the post NAT public IP
• Packet integrity (+IP headers) is preserved across NAT

Packet format (header sizes in bytes): IP (20) | UDP (8) | ESP (36) | Data (…)
• Encrypted: AES256-GCM
• Authenticated

Diagram: two vEdges, one behind Network Address Translation, connected across Transport1 and Transport2, with OMP Updates to the vSmart Controllers. Legend: Control Plane.
Cisco SD-WAN VPNs
vEdge Router Security Zones

• Service (VPNn): IF, Sub-IF
• Transport (VPN0): IF, Sub-IF, towards MPLS and INET
• Management (VPN512): IF
• VPNs are isolated from each other, each VPN has its own forwarding table
• Reachability within VPN is advertised by the OMP
Secure Segmentation
End-to-End Segmentation
• Segment connectivity across fabric w/o reliance on underlay transport
• vEdge routers maintain per-VPN routing table
• Labels are used to identify VPN for destination route lookup
• Interfaces and sub-interfaces (802.1Q tags) are mapped into VPNs

Packet format (field sizes in bytes): IP (20) | UDP (8) | ESP (36) | VPN (4) | Data (…)

Diagram: Interface and VLAN mapped to VPN1 and VPN2 on the Ingress vEdge, carried through the SD-WAN IPSec Tunnel to VPN1 and VPN2 on the Egress vEdge. VPN 1, VPN 2 and VPN 3 are shown inside the tunnel.
Application Traffic Security
Local Secure Perimeter
Diagram (two panels): In-Line Firewall and Fabric Firewall. Labels: vSmart, Data Policy, vEdge, Firewall.
Application Traffic Security
Regional Secure Perimeter
Diagram: Small Office Home Office, Branch and Campus sites on the SD-WAN Fabric, with a Secure Data Center (Firewalls, IDS/IPS/DLP) acting as Regional Secure Perimeter in front of Protected Compute Resources in the Data Center and Cloud Data Center. Labels: Service Insertion Policy, Regional Service Advertisement.
Cloud Security
SaaS and Internet Security

• Eliminates backhaul of traffic destined to Internet and cloud applications

Diagram (two panels): a Remote Site with ISP1 and ISP2 reaching POP1 and POP2 by GRE Tunnel, and a Remote Site Client with ISP1 and ISP2 using DNS Query.
Key Foundation Takeaways
Summary
• Explain and whiteboard the zero-trust philosophy of the Cisco SD-WAN fabric
• Explain and whiteboard the principles behind securing application traffic leveraging
strong encryption and segmentation
• Explain and whiteboard how Cisco SD-WAN fabric expands security through integration
with L4-L7 network services
• Explain and whiteboard options for Cloud Security
• Explain and whiteboard the self-defending nature of the embedded Cisco SD-WAN
fabric security

Cisco SD-WAN Capabilities
Reinventing WAN Connectivity
Module Objectives
Foundational Enablement
• Explain and whiteboard the logic behind establishing Cisco SD-WAN fabric
• Explain and whiteboard different traffic forwarding patterns across the Cisco SD-WAN
fabric
• Explain and whiteboard the principle behind per-VPN topology
• Explain and whiteboard service insertion capabilities of the Cisco SD-WAN fabric
• Explain and whiteboard resiliency and high-availability features of the Cisco SD-WAN
fabric

Cisco SD-WAN Architecture
The Power of Abstraction
• Management Plane: vManage (APIs, 3rd Party Automation, vAnalytics)
• vBond
• Control Plane: vSmart Controllers
• Data Plane: vEdge Routers over MPLS, INET and 4G, at Cloud, Data Center, Campus, Branch and SOHO sites
Transport Independent Fabric
Transport Locators Advertisement
• Local TLOCs (System IP, Color, Encap)
• TLOCs advertised to vSmarts
• vSmarts advertise TLOCs to all vEdges* (Default)
• Full Mesh SD-WAN Fabric (Default)
* Can be influenced by the control policies

Legend: Transport Locator (TLOC), OMP, IPSec Tunnel
Transport Independent Fabric
Transport Locators Colors
• Color - Control plane tag used for IPSec tunnel establishment logic
• Color restrict will prevent attempt to establish IPSec tunnel to TLOCs with different color

Diagram (two panels): vEdges with TLOCs T1 to T4 attached to Public and Private transports, one panel with a DMZ. T1, T3 – Public Color; T2, T4 – Private Color.


Transport Independent Fabric
NAT Traversal
Diagram (two panels): Full-Cone NAT and Symmetric NAT. In each panel vEdge1 (IP1, Port1) sits behind the NAT and vEdge2 uses IP2, Port2; vBond performs NAT Detection and vSmart speaks OMP. The translated address is shown as IP1’ Port1 in one panel and IP1’ Port1’ in the other. One label reads: accept only traffic from vBond.
WAN Communication
Traffic Forwarding
• Per-Session Loadsharing: Active/Active
• Per-Session Weighted: Active/Active
• Application Pinning: Active/Standby
• Application Aware Routing: SLA Compliant
• Hierarchical Multihop Fabric (Core)
• Single-hop Fabric
Application Aware Topologies
Arbitrary VPN Topologies
• VPN1: Full-Mesh – Unified Communications
• VPN2: Hub-and-Spoke – Security Compliance
• VPN3: Partial Mesh – Regional Services
• VPN4: Point-to-Point – Partner Connectivity
• Leverage control policies to influence per-VPN topology
L4-L7 Service Insertion
Regional Secure Perimeter
• Can chain numerous L4-L7 services
* For data policy only. Control policy enforced on vSmart.

Diagram: vSmart with Policy Advertisement* and L4-L7 Service Advertisement; a FW in VPN1 at the Regional Hub; Data Center and Remote Office in VPN1 over MPLS, INET and 4G. Legend: Control Plane, Traffic Path.


Streaming Content Distribution
Multicast Traffic
• vEdges interoperate with IGMP v1/v2 and PIM on the service side
• vEdges advertise receiver multicast groups using OMP
• vEdge Replicators replicate multicast stream to receivers
• Multicast is encapsulated in point-to-point tunnels

Diagram: a Sender and RP at the Data Center, Replicators in the SD-WAN Fabric, and two Receiver Branches running IGMP/PIM; OMP Updates go to the vSmart Controllers. Legend: Control Plane, Multicast Stream.
High Availability and Redundancy
Connectivity Assurance
Diagram (four panels): Site Redundancy, Transport Redundancy, Network/Headend Redundancy, Control Redundancy. Labels: MPLS, INET, VRRP, OSPF/BGP, vSmart Controllers, Data Center, Site. Legend: Control, Data.
Key Foundation Takeaways
Summary
• Explain and whiteboard the logic behind establishing Cisco SD-WAN fabric
• Explain and whiteboard different traffic forwarding patterns across the Cisco SD-WAN
fabric
• Explain and whiteboard the principle behind per-VPN topology
• Explain and whiteboard service insertion capabilities of the Cisco SD-WAN fabric
• Explain and whiteboard resiliency and high-availability features of the Cisco SD-WAN
fabric

Cisco SD-WAN Capabilities
Reinventing WAN Application Services
Module Objectives
Foundational Enablement
• Explain and whiteboard application recognition functions of the Cisco SD-WAN fabric
• Explain and whiteboard the delivery of application quality of experience and
differentiated services across Cisco SD-WAN fabric
• Explain and whiteboard Cloud onRamp functionality for SaaS applications and IaaS
environments

Embedded Application Recognition
Deep Packet Inspection
Deep Packet Inspection Engine on the vEdge Router: App 1, App 2, App 3,000

Primary Use Cases:
- Application Visibility
- Application Firewall
- Traffic Prioritization
- Transport Selection
- Analytics

Diagram: vEdge Routers at Small Office Home Office, Branch and Campus sites reaching the Data Center and Cloud Data Center over MPLS, INET and 3G/4G.
Transport SLA Monitoring
Path Quality Detection
• Each vEdge router generates a BFD packet every “hello” interval for path quality (and liveness) detection
• BFD packets are generated for each transport individually. Timers can be adjusted for quicker detection.
• Poll interval determines the average path quality measurement (loss, latency, jitter)
• App-route multiplier determines the average path quality measurement across the poll intervals

Diagram: a vEdge Router sends a BFD Probe every Hello Interval (ms); probes are grouped into Poll Intervals (ms), and the App-Route Multiplier (n) spans the Poll Intervals.
Critical Applications SLA
Application Aware Routing
• Enforce SLA compliant path for applications of interest
• Other applications will follow fabric routing across all paths

App Aware Routing Policy (vManage, distributed through the vSmart Controllers)
App A path must have:
  latency < 150ms
  loss < 2%
  jitter < 10ms

Paths between vEdge1 and vEdge2 (IPSec Tunnels):
• Path 1: Internet
• Path 2: MPLS
• Path 3: 4G LTE

Path1: 10ms, 0% loss, 5ms latency
Path2: 200ms, 3% loss, 10ms latency
Path3: 140ms, 1% loss, 10ms latency

Legend: IPSec Tunnel, Control Plane
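The averaging described on the Transport SLA Monitoring slide and the SLA check on the Application Aware Routing slide, combined in one added example (not Cisco code and not part of the original deck). It assumes the three values on each Path line are latency, loss and jitter in that order, although the slide labels the last one latency, and that jitter is the mean difference between consecutive probe round-trip times; the threshold comparison is a switch because Path3 sits exactly on the jitter limit. All names and the probe history are constructed.

```python
from dataclasses import dataclass
from statistics import mean

METRICS = ("latency_ms", "loss_pct", "jitter_ms")


@dataclass(frozen=True)
class SlaClass:
    """Upper bounds a path must stay under for an application."""
    latency_ms: float
    loss_pct: float
    jitter_ms: float

    def met_by(self, quality, strict=True):
        """True if every metric is below (strict) or at/below its bound."""
        if strict:
            return all(quality[m] < getattr(self, m) for m in METRICS)
        return all(quality[m] <= getattr(self, m) for m in METRICS)


def poll_interval_stats(rtts_ms):
    """Reduce one poll interval of BFD probes to loss, latency and jitter.

    rtts_ms holds one round-trip time per hello interval; None is a lost probe.
    """
    if not rtts_ms:
        raise ValueError("a poll interval needs at least one probe")
    received = [r for r in rtts_ms if r is not None]
    loss = 100.0 * (len(rtts_ms) - len(received)) / len(rtts_ms)
    latency = mean(received) if received else float("inf")
    if len(received) > 1:
        jitter = mean(abs(a - b) for a, b in zip(received, received[1:]))
    else:
        jitter = 0.0
    return {"latency_ms": latency, "loss_pct": loss, "jitter_ms": jitter}


def path_quality(intervals, multiplier):
    """Average the most recent `multiplier` poll intervals (app-route multiplier)."""
    recent = intervals[-multiplier:]
    return {m: mean(i[m] for i in recent) for m in METRICS}


def compliant_paths(paths, sla, strict=True):
    """Names of the paths whose measured quality satisfies the SLA class."""
    return sorted(name for name, q in paths.items() if sla.met_by(q, strict))


# App A policy from the slide.
APP_A = SlaClass(latency_ms=150, loss_pct=2, jitter_ms=10)

# Path lines from the slide, read as latency, loss, jitter (assumption).
SLIDE_PATHS = {
    "Path1": {"latency_ms": 10, "loss_pct": 0, "jitter_ms": 5},
    "Path2": {"latency_ms": 200, "loss_pct": 3, "jitter_ms": 10},
    "Path3": {"latency_ms": 140, "loss_pct": 1, "jitter_ms": 10},
}


def _probes(lost=()):
    """Constructed poll interval: 20 probes of 20-22 ms, some optionally lost."""
    return [None if i in lost else 20.0 + (i % 3) for i in range(20)]


# Constructed history: two clean poll intervals, then one with a lost probe.
HISTORY = [
    poll_interval_stats(_probes()),
    poll_interval_stats(_probes()),
    poll_interval_stats(_probes(lost={5})),
]

if __name__ == "__main__":
    print("strict '<' :", compliant_paths(SLIDE_PATHS, APP_A, strict=True))
    print("'<=' bound :", compliant_paths(SLIDE_PATHS, APP_A, strict=False))
    for n in (1, 3):
        q = path_quality(HISTORY, n)
        print(f"multiplier {n}: loss {q['loss_pct']:.2f}% ->",
              "in SLA" if APP_A.met_by(q) else "out of SLA")
```

With a multiplier of 1 the single lost probe (5% loss in that interval) takes the path out of SLA at once, while averaging over three intervals keeps it inside the 2% bound; that is the detection-speed versus stability trade-off behind the timers.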
Optimal Network Utilization for App Traffic
Path MTU Discovery
• Automatic and proactive Network Path MTU Discovery leveraging BFD protocol
• Support for Host Path MTU Discovery
• Automatic MSS adjust for TCP traffic
  - Can also be manually configured
• IP ICMP Unreachable (type 3, code 4)

Diagram: two vEdges connected by an IPSec Tunnel across Transport1 and Transport2; Network Path MTU Discovery runs between the vEdges, Host Path MTU Discovery between the hosts.
Differentiated Services
Quality of Service
Traffic Flow through the vEdge Router:
• Ingress Interface: Traffic Classification (Voice, Business, Best Effort)
• Queue Mapping: Q0 to Q7
• Egress Interface: Scheduling
• Queue 0 is strict priority
• Copy inner TOS/DSCP bits into outer header (IPSec)
Application Optimization
TCP Performance Optimization
[Figure: Users, vEdge, SD-WAN Fabric (High Latency Path), vEdge, Servers; TCP connections on each side of the fabric and optimized TCP connections (Cubic) across it]

• High latency path between users and servers, i.e. geo-distances
• vEdge routers terminate TCP sessions and provide local acknowledgements to prevent TCP windowing from reacting
• Selective acknowledgements prevent unnecessary retransmit of the successfully received segments
• Hosts using old TCP/IP stacks will see the most benefit
Cloud onRamp for SaaS
SaaS Optimization
[Figure: two panels showing a remote site, ISP1 and ISP2, the SD-WAN fabric (MPLS), a regional hub and a data center; paths are marked with loss/latency, with application quality probing]
Cloud onRamp for IaaS
IaaS
[Figure: two panels showing compute VPCs/VNETs and a gateway VPC/VNET in the cloud, BGP, and IPSec tunnels into the SD-WAN fabric with data center, campus, branch and remote sites]
Key Foundation Takeaways
Summary
• Explain and whiteboard application recognition functions of the Cisco SD-WAN fabric
• Explain and whiteboard the delivery of application quality of experience and
differentiated services across Cisco SD-WAN fabric
• Explain and whiteboard Cloud onRamp functionality for SaaS applications and IaaS
environments

Cisco SD-WAN Capabilities
Reinventing WAN Operations
Module Objectives
Foundational Enablement
• Explain single pane of glass operation of Cisco SD-WAN fabric
• Explain and whiteboard the different tenancy models of Cisco SD-WAN fabric
• Explain application performance and visibility capabilities
• Explain configuration templates and policies operation
• Explain available troubleshooting and verification tools
• Explain and whiteboard the self-healing nature of Cisco SD-WAN fabric

Single Pane of Glass Operations
vManage GUI
• Intuitive GUI driven operations
- Management, monitoring and
troubleshooting
• Cloud Delivered
- Private, hosted or managed
• Single or Multi-tenant
• Role-based Access Control
• Clustered for scale and high
availability
• REST APIs based
Centralized Operations
Multi-Tenancy
[Figure: three tenancy models (Dedicated Tenancy, VPN Tenancy, Enterprise Tenancy) showing Tenant A and Tenant B, their VPNs (VPN1 ... VPNn), the MPLS, 4G and INET transports, and the control plane serving A, B or A+B]
Zero Touch Provisioning
Plug-n-Play vEdge Secure Bring-up (Zero Trust)
[Figure labels: Administrator, Installer, ZTP Server, Identity Trust, vEdge List (White-List), vEdge Configuration Template, Network, Power, DHCP, TPM, vEdge Identity (X.509), vManage, vSmart, vBond]
Application and Performance Visibility
Deep Packet Inspection

• Embedded Deep Packet Inspection engine
• Application and flow level visibility for the fabric and individual vEdge routers
• Centralized statistics and performance
• Export flow level data (IPFIX) to external collector
Template-Based Configurations
Centralized Device Configuration Enforcement
• Templates are attached to provisioned
vEdge routers
• Variables are used for rapid bulk
configuration rollout with unique per-
device settings
• Local configuration changes are not
allowed
- Prevents configuration drift

Granular Policies
Centralized Control over Fabric Behavior

• Centralized data, control and application aware routing policies
• Defined on vManage, enforced on vSmart controllers (control policies) or vEdge routers (data and application aware routing policies)
• Individual site, collection of sites or the entire fabric policy scope
Troubleshooting and Verification
Transparent Operations

• Embedded tools for data plane connectivity verification
• Control plane health verification
• Real-time GUI based troubleshooting
• Full command line interface and Linux shell for expert level troubleshooting
• Alarms for triggered events
Self-Healing
Software Upgrade and Configuration Change
[Figure: two rollback scenarios driven from vManage. Software upgrade on a vEdge router (Active Software A; Available Software B, C, D): Upgrade, Activate, Failed, Rollback. Configuration change on a vEdge router: Attach Template, Connectivity Lost, Rollback.]
Key Foundation Takeaways
Summary
• Explain single pane of glass operation of Cisco SD-WAN fabric
• Explain and whiteboard the different tenancy models of Cisco SD-WAN fabric
• Explain application performance and visibility capabilities
• Explain configuration templates and policies operation
• Explain available troubleshooting and verification tools
• Explain and whiteboard the self-healing nature of Cisco SD-WAN fabric

Cisco SD-WAN
Design and Deployment Models
Module Objectives
Foundational Enablement
• Understand the most common Viptela SD-WAN design and deployment models
• Reference existing customer deployment for small, medium and large enterprises

Cisco SD-WAN Control Plane Deployment
Viptela hosted Controllers / Public Cloud
[Figure: controllers in Region 1 and Region 2 with private IPs, 1:1 NAT to public IPs, reached over the Internet; optional/standby vManage]
Control Plane on Public Internet Only
Most commonly deployed model
Supports data plane on other transports (mpls, leased line, etc)
Cisco SD-WAN Control Plane Deployment
Hybrid Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 with public IPs and no NAT; BGP toward MPLS, DMZ/FW toward the Internet; optional/standby vManage]
Control Plane on MPLS and Internet
Public IPs are assigned to the controllers
No NAT is used
For security compliance FW/DMZ on Internet facing side
Cisco SD-WAN Control Plane Deployment
Hybrid Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 with private IPs; BGP with no NAT toward MPLS, NAT + DMZ/FW with a public IP toward the Internet; optional/standby vManage]
Control on MPLS and Internet.
Private IPs on the controllers.
Public IPs are not exposed on MPLS
NAT/FW facing the internet

* vBond must have Public IP or sit behind 1:1 NAT

Cisco SD-WAN Control Plane Deployment
Public Cloud Controller Deployment
[Figure: controllers in DC/Region 1 and DC/Region 2 (vpn512) connected over the Internet to a DC hosting TACACS/RADIUS, Syslog Server, SNMP Server, NMS Tools, etc]
vEdge Cloud co-exists with the controllers
vEdges participate in the overlay
Traffic between the controllers and NMS systems in the DC goes on the overlay tunnels securely
Cisco SD-WAN Site Deployment
Gateway/DC Site Deployment
[Figure: a DC/Gateway site running BGP/OSPF and OMP between the SD-WAN overlay (Internet, MPLS), the SD-WAN sites and the legacy/MPLS sites]
Identify Gateway/DC Sites providing connectivity between SD-WAN and legacy sites
Legacy sites talk to each other directly
SD-WAN sites talk to each other directly
Legacy router/connectivity is dropped in the DC/Gateway sites once migration is complete
Cisco SD-WAN Site Deployment
Remote Site Designs
[Figure: remote site designs combining Internet and MPLS transports]
Up to 7 Transport Interfaces
Static, VRRP, OSPF, BGP
Small Enterprise: 100 Site Example
• ZTP/Central Config/Policy/SW Upgrade: Done on Viptela
• Connectivity: Active-Active
• Seamless Migration (Brownfield): No impact to traffic: Migrated to Non-migrated
• Monitoring/Syslog/cFlow: HP NNM, Riverbed SteelCentral
• App-Routing/Circuit Selection: Done on Viptela
• Segmentation: Single VPN
• Video Conferencing: Works over Viptela - Excellent
• Encryption: Done on Viptela
• Internet Exit: Split-tunnel – Zscaler, DC Internet as backup
• Centralized QoS-Queue mapping: Done on Viptela Controller
• VPN Topology: Full Mesh for Branch, Partial Mesh for SOHO
• IAAS and SAAS: AWS, SFDC, o365, OneDrive

Site types:
• DC (Dual MPLS, Dual Broadband)
• Large (Single MPLS, Single Broadband w/vEdge 2K)
• Medium (Single MPLS, Single Broadband w/vEdge1K)

[Figure: Viptela vManage and the secure control plane above a Primary DC and a Back-up DC (DC core); vEdge routers and switches at Large and Medium sites in the Americas connect over AT&T MPLS, Sprint MPLS and Internet across the Viptela SEN secure data plane]
Medium Enterprise: 300+ Site Example
• ZTP/Central Config/Policy/SW Upgrade: Done on Viptela
• Connectivity: Active-Active
• Seamless Migration (Brownfield): No impact to traffic: Migrated to Non-migrated
• Monitoring/Syslog/cFlow: HP NNM, Riverbed SteelCentral
• App-Routing/Circuit Selection: Done on Viptela
• Segmentation: 6 VPNs
• Centralized QoS-Queue mapping: Done on Viptela Controller
• Encryption: Done on Viptela
• Internet Exit: Split-tunnel – Zscaler, No Zscaler for o365, DC Internet as backup
• Traffic Symmetry across regions: Done on Viptela
• VPN Topology: Division based Mesh
• IAAS and SAAS: AWS, Skype for Business, o365

Site types:
• DC (Dual MPLS, Dual Broadband)
• Medium (Single MPLS, Single Broadband w/vEdge1K)

[Figure: Viptela vManage and the secure control plane above three North America DCs (DC core); vEdge routers and switches at multi-tenant sites (GP, INV, KRC) in the Americas, Asia and Europe connect over Verizon MPLS and Internet across the Viptela SEN secure data plane]
Large Enterprise: Global Distribution
• ZTP/Central Config/Policy
• Connectivity: Active-Active
• Monitoring/Syslog/NetFlow
• App-Routing/PfR/Service Chain: Available
• Segmentation: Multiple VPNs
• Encryption: Built-in/No key-mgmt

[Figure: Viptela secure control plane above North America DCs, an APAC DC and a Europe DC (DC core); vEdge routers, switches and WiFi APs at field sites (Stores, Offices, Distribution Centers, GS) in the Americas, Asia and Europe use an Ethernet exit (DSL/Cable/LTE/MPLS) with Verizon MPLS, Internet and LTE backup across the Viptela SEN secure data plane]
Key Foundation Takeaways
Summary
• SD-WAN provides greater flexibility in design options and meeting customer
requirements
• SD-WAN solution fits small to medium to large enterprises
• Provides visibility, monitoring, provisioning from single pane of glass (vManage)
• It makes sense to reach out to a TME for this type of design until more comprehensive
documentation is available

Demonstration of Capability
Module Objectives
Foundational Enablement
• Know where to go and how to access dCloud Viptela demo capabilities
• Stay focused and develop a custom story guide taking into consideration the target
audience, desired outcome and story to tell while demonstrating the Viptela solution
capabilities
• Leverage a top down approach rather than a bottoms up approach to showcase how
Viptela maps to customer discovery output and relevant capability requirements
• Avoid a product or solution focused transfer of information (TOI) while demoing
• Showcase additional capabilities when required to address most common solution
related questions that come up while demoing
• Avoid getting into or staying in the weeds

Setting the Competitive Agenda
Demo Relevant and Diverse Use Cases

Key Foundation Takeaways
Summary
• The dCloud Viptela demo is available and readily accessible
• We all have a part to play in contributing to demo innovation and should consider the
target audience, desired outcome and story that we need to tell while leveraging the
demo platform
• There is a big difference demoing using a top down vs. bottom up approach
• It is preferred to show more when asked specific questions and not to show more or get
into the weeds for the sake of showing off what we perceive to be important details
• It is possible to answer questions in depth while demoing and to pull oneself out of the
weeds

Products
Module Objectives
Foundational Enablement

• Describe key characteristics of Cisco SD-WAN orchestration, management, control and data plane elements
• Describe Cisco SD-WAN portfolio of physical and virtual vEdge routers
• Describe key components of the Cisco SD-WAN vEdge routers
• Describe delivery methods for Cisco SD-WAN controllers
Solution Elements
Orchestration, Control, Data and Management Planes

Orchestration Plane: Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient

Control Plane: Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient

Data Plane (Physical/Virtual): Cisco vEdge
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane policies
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Support Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)

Management Plane: Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Centralized provisioning
• Policies and Templates
• Troubleshooting and Monitoring
• Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• NMS interfaces (SNMP, Syslog, IPFIX)
Cisco vEdge Routers
Portfolio Positioning
• vEdge 100 family: Branch/SOHO/SMB (100Mb)
• vEdge 1000: Branch/Campus (1Gb)
• vEdge 2000: Campus/Data Center (10Gb)
• vEdge 5000: Campus/Data Center (20Gb+)
• vEdge Cloud on Greybox or Whitebox: NFV, vCPE (N x cores)
• vEdge Cloud: IaaS & Cloud Interconnect (N x cores)
vEdge-100 Routers
Small Office, Home Office Edge

vEdge 100
• 100 Mbps AES-256
• 5x 1000Base-T
• TPM chip
• Security, QoS
• External AC PS
• Kensington lock
• Fan-less
• 9” x 1.75” x 5.5”
• GPS

vEdge 100m
• 100 Mbps AES-256
• 1RU
• 5x 1000Base-T
• 1x POE port
• 2G/3G/4G LTE
• Internal AC PS
• 1x USB-3.0
• TPM Board-ID
• Kensington lock
• Low power fan
• GPS

vEdge 100mw
• 100 Mbps AES-256
• 1RU
• 5x 1000Base-T
• 1x POE port
• 2G/3G/4G LTE
• 802.11a/b/g/n/ac
• Internal AC PS
• 1x USB-3.0
• TPM Board-ID
• Kensington lock
• Low power fan
• GPS
vEdge-1000 and vEdge-2000 Routers
Campus and Data Center Edge

vEdge 1000
• 1 Gbps AES-256
• 1RU, standard rack mountable
• 8x GE SFP (10/100/1000)
• TPM chip
• 3G/4G via USB (or) Ethernet
• Security, QoS
• Dual Power supplies (external)
• Low power consumption

vEdge 2000
• 10 Gbps AES-256
• 1RU, standard rack mountable
• 4x Fixed GE SFP (10/100/1000)
• 2 Pluggable Interface Modules
  - 8 x 1GE SFP (10/100/1000)
  - 2 x 10GE SFP+
• TPM chip
• 3G/4G via USB (or) Ethernet
• Security, QoS
• Dual power supplies (internal)
• Redundant fans
vEdge 5000
Campus and Data Center Edge

Platform Capabilities:
• 4 Network Interface Modules (NIM) slots
• Variety of NIM options
- 8 x 1G
- 4 x 10G
- 2 x 40G
• Feature parity with Cisco vEdge 2000 platform
vEdge Cloud Virtual Routers
Virtualized Branch or Cloud
[Figure: vEdge Cloud VMs delivered on-premise (ESXi or KVM on a physical server) or hosted (AWS or Azure)]
Throughput:
2x vCPU 500Mb/s
4x vCPU 1Gb/s
8x vCPU 1.5Gb/s
Controllers
Cloud or On-Premise Delivered
[Figure: vBond*, vManage and vSmart controllers delivered on-premise (ESXi or KVM, physical server) or hosted (AWS or Azure), running as VMs or vContainers]
* Can be deployed as physical vEdge appliance
Key Foundation Takeaways
Summary
• Describe key characteristics of Cisco SD-WAN orchestration, management, control and
data plane elements
• Describe Cisco SD-WAN portfolio of physical and virtual vEdge routers
• Describe key components of the Cisco SD-WAN vEdge routers
• Describe delivery methods for Cisco SD-WAN controllers

Licensing and Software
Module Objectives
Foundational Enablement
• Explain Cisco SD-WAN subscription license model
• Explain feature license tiers
• Explain bandwidth licensing
• Explain Cisco vEdge router pricing

Pricing Model
Subscription and Perpetual Elements
1. Subscription* license (1YR, 3YR and 5YR) for Cisco SD-WAN software charged per CPE. This cost is
dependent on two factors:
• Service bandwidth
• Features

2. Perpetual cost of Cisco SD-WAN CPE** element.

[Figure: three boxes: Perpetual cost of Cisco SD-WAN CPE hardware; Subscription cost of Cisco SD-WAN software (Includes SD-WAN controller + CPE software); Operational cost of Cisco SD-WAN solution]

*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Cisco SD-WAN support, next day hardware
replacement for Cisco SD-WAN CPE, software upgrades on all components and the cost of hosting the Cisco SD-WAN controllers in the
Cisco SD-WAN cloud.

**Note: CPE can be Cisco SD-WAN owned or in the case of Virtual CPE customer owned. Cost here implies Cisco SD-WAN
CPE only.
Features
License Tiers
[Figure: three topology diagrams, one per tier (Plus, Pro, Enterprise), showing SD WAN controllers, hubs and spokes over MPLS and Internet, with labels AAR, Local breakout, E2E Segmentation, Dynamic Routing, SaaS onRamp and Analytics]

Plus
• Routing: Static
• Topology: Hub-n-spoke only
• Internet/Cloud: NAT, Split tunnel
• Policy: Local ACL only, Data policy
• QoS
• SLA: Application aware routing (5 tuple only)
• Visibility: DPI for visibility only

Pro
• Routing: Dynamic routing (OSPF/BGP)
• Topology: Mesh topology
• Internet/Cloud: Cloud onRamp for IaaS
• Policy: Control policy
• Segmentation: 5 VPNs (1+4)
• SLA: Application aware routing (DPI)
• Multicast

Enterprise
• Segmentation: Unlimited
• Internet/Cloud: Cloud onRamp for SaaS
• Analytics: vAnalytics platform
Bandwidth
License Tiers
[Figure: branch vEdge with Circuit 1, Circuit 2 and Circuit 3 over MPLS, Internet and 3G/4G/LTE, plus a TLOC extension]

• Bandwidth entitlement on vEdge is the sum of peak bandwidth (either upstream or downstream) across all WAN circuits
- Higher of downstream or upstream bandwidth is counted toward the license
Example: If Circuit1 is 50Mb symmetric, Circuit2 is 100Mb down / 20Mb up, and Circuit3 is 200Mb down / 50Mb up, total bandwidth counted toward the license is 50+100+200=350Mb
• Bandwidth entitlement also includes
- Split tunnel (Direct Internet Access)
- Traffic offloaded to 3rd party cloud services using GRE or IPSec tunneling
• TLOC extension interface bandwidth is not included in bandwidth entitlement

Note: Entitlement assumes the peak bandwidth usage 95% of the time. This accommodates traffic bursts that might happen.
Cisco vEdge Router Pricing
Cost of Hardware
• vEdge 100b: Ports 5x 10/100/1000Base-T Copper; Encrypted Throughput (AES-256) 100Mbps; List price $395
• vEdge 100M (LTE): Ports 5x 10/100/1000Base-T Copper; Encrypted Throughput (AES-256) 100Mbps; List price $795
• vEdge 100WM (WiFi + LTE): Ports 5x 10/100/1000Base-T Copper; Encrypted Throughput (AES-256) 100Mbps; List price $895
• vEdge 1000: Ports 8x GE SFP (10/100/1000); Encrypted Throughput (AES-256) 1Gbps; List price $2995
• vEdge 2000: Ports 4 x 1 Gbps SFP, 2 Pluggable Interface Module (PIM) slots, PIM Options: 2 x 10 Gbps SFP, 8 x 1 Gbps SFP; Encrypted Throughput (AES-256) 10Gbps; List price $8995

Note: All prices are list price
Summary
• Explain Cisco SD-WAN subscription license model
• Explain feature license tiers
• Explain bandwidth licensing
• Explain Cisco vEdge router pricing

Caveats
Module Objectives
Foundational Enablement
• Understand SD-WAN Control Plane limits
• Understand high availability limitations for control plane
• Understand vEdge hardware limits
• Understand configuration templates and CLI relationship
• Understand software capability limits
• Understand performance limits

Scalability Considerations
Orchestration/Control/Management Plane
Horizontal Scale Out Model

Orchestration Plane (vBond)
• 2000 vEdges per vBond
• Redundancy: Add 1-2 vBonds
• Horizontal Scale out Model

Management Plane (vManage, Multi-tenant or Dedicated)
• 2700 vEdges per vManage
• Horizontal Scale out Model in cluster mode (same DC)

Control Plane (vSmart, Containers or VMs)
• 2700 vEdges per vSmart
• Redundancy: Add 1-2 vSmarts
• Horizontal Scale out Model

[Figure: Data Center, Campus, Branch and Home Office sites connected over 4G/LTE, Internet and MPLS]
Scalability Considerations
Orchestration/Control/Management Plane
[Figure: orchestration plane (vBond); vManage cluster in the Primary DC with periodic DB backup to a vManage cluster in the Back Up DC]
vManage uses Cluster to provide scaling. Not HA.
For <2700 vEdges, 1 active vManage. 1 standby.
For >2700 vEdges, 1 cluster of active vManages.
vManage cluster can only run in the same Data Center.
Scalability Considerations
Data Plane and IPsec
IPSec Tunnels:
vEdge100 : 250
vEdge1000 : 1500
vEdge2000 : 6000

Max aggregated throughput:
vEdge-100 – 100MB AES-256 full duplex
vEdge-1000 - 1GB AES-256 full duplex
vEdge-2000 – 10GB AES-256 full duplex

Max number of concurrent VPNs: 64 [vpn 0 and vpn 512 included]

Overlay tunnels are static based on policy. Not dynamically generated on-demand.
vManage Considerations
Configurations
All configuration templates get converted
into CLI. Syntax checks are not performed
by the template and are only validated
when the configuration is pushed to the
device.

vManage Considerations
Troubleshooting
Troubleshooting issues relies heavily on CLI and bash (Linux)

Feature Functionality Considerations
Software Caveats
Limited Functionality
• QoS (Quality of Service) – 1 Low Latency Queue. 7 WRR Queues. No hierarchical QoS.
• DPI (Deep Packet Inspection) – No support for custom application signatures. Also unlike
AVC/NBAR/Netflow, this data cannot be exported via IPFIX or other protocols. Must be
extracted via vManage.
• WAN Optimization - TCP Optimization road-map item. No WCCP or WAAS capabilities.
• IPv6 – Transport(WAN) support only. No LAN support.

No Functionality
• Unified Communications.
• Support for non-Ethernet interfaces.
• License enforcement. Honor-based licensing.
• Single Sign-On or 2-Factor-Authentication support.
• Reporting – No mechanism to generate reports of any kind. All data is exported as JSON/CSV.

Feature Functionality Considerations
Performance Caveats
The Numbers
• The throughput numbers marketed are full duplex. This means that on the 10G device, the max
achievable throughput in 1 direction is 5G.
• Flow collection is capped at 128K flows. Flows past this point are not collected but will be
serviced in data plane.
• DPI of application flows is capped at 256K flows for forwarding but 128K flows for reporting.
Application flows past this point are not collected.

• vBond and vSmart use a minimum of 2 vCPU and 4GB RAM.


• vManage in most cases uses a minimum of 32 vCPU and 64 GB RAM.
• vManage storage is in the order of TBs, and the longevity of data stored is dependent on
storage allocated. There is limited archival/compression capabilities resulting in high data
consumption for telemetry data.
• Statistics stored in vManage are rolled up at 10 min intervals. No further granularity. Not
configurable.

Key Foundation Takeaways
Summary
• Be aware of the capacity limits of all the SD-WAN components
• Be aware that you may end up in a situation where you have to use the CLI
• Be aware of the features that the SD-WAN platform does not have
• Be aware of the limits of the features that the SD-WAN solution has

What to Sell?
Module Objectives
Foundational Enablement
• Master simplified solution, bundle and offer positioning
• Understand how to link discovery and design considerations output and targeted use
cases to solution positioning
• Ensure you are able to articulate pieces and parts needed to satisfy solution
requirements
• Identify insertion points during customer conversation to drive upsell

Cisco Brand Naming for New SD-WAN Offering
Collateral will reflect this Cisco naming Oct. 31

1 Brand (Viptela brand retired): Cisco, Cisco Meraki
2 Solution Name (standard terminology familiar to customers): Cisco SD-WAN, Intelligent WAN (IWAN), SD-WAN
3 Offerings (offering names unchanged for consistency):
• Cisco SD-WAN: Cisco vManage, Cisco vSmart Controller, Cisco vBond Orchestrator, Cisco vAnalytics, Cisco vEdge Router
• Intelligent WAN (IWAN): DNA Center, IWAN App, APIC-EM + PfR, PnP, Network Data Platform, ISR 4K
• SD-WAN (Cisco Meraki): Cisco Meraki Dashboard, Cisco Meraki MX

How to use names:
• Always use Cisco name in front of <v> names (e.g. Cisco vManage)
• Use “Cisco SD-WAN” to refer to the former Viptela solution
(Refer to the other solution as “Cisco IWAN” if you need to discuss both solutions)
• Do not abbreviate with initials or acronyms

Cisco SD-WAN
Positioning
Cisco will deliver next generation SD-WAN solutions to our customers by combining
Viptela’s industry-leading SD-WAN solution with Cisco’s enterprise routing platforms
and Cisco DNA Center.

Cisco is committed to offering the broadest range of SD-WAN solutions to our
customers.

• Cisco SD-WAN (Viptela) - For customers and partners that require cloud first SD-
WAN solutions with advanced routing, complex topologies, or granular segmentation
capabilities, Cisco’s SD-WAN solution based on Viptela is the recommended solution.

• Meraki SD-WAN - For customers that are looking for branch unified threat
management (UTM) solutions with SD-WAN functionality or are existing Cisco Meraki
customers looking to expand to SD-WAN, Cisco Meraki is the recommended solution.

• Cisco IWAN - For customers of Cisco’s IWAN solution, we will continue to invest in
the roadmap of IWAN and support customers on Cisco’s IWAN solution. As new
unified offers are made available with Viptela’s technology incorporated in the ISR
and ASRs, customers will be able to migrate to the new unified solution as needed or
desired.

The acquisition of Viptela will ensure Cisco’s SD-WAN solution supports Cisco’s
strategic transition towards cloud and software-centric solutions that deliver predictable
recurring revenue.
Positioning the Appropriate SD-WAN Solution
4D Breakthrough

Advanced SD-WAN
• Cloud and OnRamp
• More than two active transports or active LTE
• Comprehensive WAN connectivity & services
• Complex topologies
• Custom policies at scale
• Advanced routing & segmentation
• Native dynamic cloud application acceleration

Generic SD-WAN
• Hybrid WAN
• L3 overlay for hub-spoke deployments
• Dynamic path selection
• Cloud-managed
• Zero touch deployment with templates and easy to use dashboard

Single Dashboard
• Single pane-of-glass management for full stack infrastructure across the branch
• Existing Meraki customers evaluating SD-WAN
• Heavy competitive pricing pressure
• Integrated branch security and network connectivity solution
Promotional Offers

Investment Protection
• Any investment made on AX, AXV & Cisco ONE Software WAN Foundation will be protected with options to upgrade* to Cisco SD-WAN
• Upgrade SKU’s available at the time of completion of Phase 2 integration on ISR/ASR
• Requires active Software Support Services (SWSS) contract or Smart Net to be eligible

SD-WAN Bundle Offer
• 4 discounted soft bundle SKU’s that include ISR 4321, vEdge 100 and a 3 Year Viptela Enterprise or Pro subscription
• 4 discounted soft bundle SKU’s that include ISR 4431, vEdge 1000 and a 3 Year Viptela Enterprise or Pro subscription
• Orderable through Westcon, a joint Viptela and Cisco distributor
• Program effective August 21, 2017 – April 28, 2018 (end of Q3FY18)
Cisco SD-WAN Bundle Offer
For Partners and Customers

End-user offer
• New Cisco SD-WAN bundles provide a savings on ISR 4000 when ordering Viptela vEdge and ISR 4000 together

Terms: Products eligible and Guidelines
• Cisco ISR 4321 + SNTC (8x5xNBD) + Viptela vEdge 100 + Viptela 3-year Enterprise or Pro subscription
• Cisco ISR 4431 + Perf License + SNTC (8x5xNBD) + Viptela vEdge 1000 + Viptela 3-year Enterprise or Pro subscription
• Must be purchased through Westcon, a distributor for Cisco and Viptela, to access the offer
• Cannot be stacked or combined with other offers from Cisco or Viptela
• Program effective August 21, 2017 – April 28, 2018 (end of Q3FY18)

Customer Benefits
• Easy transition to a “best of all worlds” SD-WAN solution. Enjoy the simplicity of cloud management with the service richness of the Cisco ISR.
• Upgrade to latest ISR and deploy Cisco SD-WAN solution immediately without waiting for the integrated solution.
• Protect customer investment for newer SD-WAN architectures.

Partner benefits
• Offer a Viptela solution now, for customers that are committed to the ISR solution long term and want cost savings and benefits of the solution now. Sell this Cisco SD-WAN bundle that provides for a 50% discount on the ISR 4000 list price.
• Simple quoting and ordering through Westcon (distributor for Cisco and Viptela), helping avoid stall in SD-WAN deals and facilitating deals for the customer quickly.

Cisco SD-WAN Bundle Example Benefit

A-la-carte vs. bundle ISR4321-PRO-3Y-50M
Item | A-la-carte | Bundle | Note
vEdge-100b-AC | $395 | $395 | Same as current list price
vEdge-Pro-50M-3YR | $10800 | $10800 | Same as current list price
ISR4321 IP Base | $1995 | $995 | ISR is 50% discounted vs. current list price
SNTC 8x5xNBD | $246/yr | $123/yr |
Total | $13436 | $12313 | Save $1123: Free vEdge, Free SmartNet + $360 Discount

A-la-carte vs. bundle ISR4431-PRO-3Y-1G
Item | A-la-carte | Bundle | Note
vEdge-1000-AC | $2295 | $2295 | Same as current list price
vEdge-Pro-1G-3YR | $15300 | $15300 | Same as current list price
ISR4431/K9 FL-44-PERF-K9 | $14600 | $7300 | ISR is 50% discounted vs. current list price
SNTC 8x5xNBD | $1042/yr | $521/yr |
Total | $33237 | $25416 | Save $7821: Free vEdge, Free SmartNet + $5,000 Discount

Customer Benefits
• Customers are getting best-in-class routing with best-in-class SD-WAN with significant savings
• These savings are approximately equal to getting a free vEdge hardware platform and free Cisco SNTC for ~ 5 years
Cisco SD-WAN Bundle: Deployment Scenarios
[Diagram: two vManage-managed deployment scenarios, "ISR Providing T1/E1/DSL Connectivity" and "ISR Providing Services"; labels: T1 / E1 / DSL, Ethernet, ISR, vEdge, WaaS, UC]
Ordering Checklist
Cisco SD-WAN Bundle Offer
This offer can only be ordered by qualified* partners using Westcon, a distributor

• Estimate the required bandwidth for the project
• Choose the Viptela feature
• Engage Westcon. Westcon will provide a single quote and place the order for Viptela vEdge and the Cisco ISR 4000 using the SKUs noted below.

Westcon contact information
• USA: Reid Scrimgeour [email protected] +1 303-222 4778
• Canada: + 1-888-307-7218
• LATAM: Eric Silva [email protected] +1 754-260 6539 (Ext 5954)
• EMEA: Nico Vermeulen [email protected] +32 479-998 506
• APAC: Ned Speed [email protected] +65 687-657 30

Bundle PID Description


ISR4321-PRO-3Y-20M Cisco ISR4321/K9 + vEdge100b-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Professional license, 20 Mbps
ISR4321-ENT-3Y-20M Cisco ISR4321/K9 + vEdge100b-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Enterprise license, 20 Mbps
ISR4321-PRO-3Y-50M Cisco ISR4321/K9 + vEdge100b-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Professional license, 50 Mbps
ISR4321-ENT-3Y-50M Cisco ISR4321/K9 + vEdge100b-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Enterprise license, 50 Mbps
   
ISR4431-PRO-3Y-100M Cisco ISR4431/K9 + vEdge1000-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Professional license, 100 Mbps
ISR4431-ENT-3Y-100M Cisco ISR4431/K9 + vEdge1000-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Enterprise license, 100 Mbps
ISR4431-PRO-3Y-1G Cisco ISR4431/K9 + Perf Lic + vEdge1000-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Professional license, 1 Gbps
ISR4431-ENT-3Y-1G Cisco ISR4431/K9 + Perf Lic + vEdge1000-AC + 3 Year Software (SD-WAN controller & CPE software) Subscription License to use SEN capabilities on vEdge, Enterprise license, 1 Gbps

*Qualified partners are partners that sell both Viptela and Cisco products
Software Investment Protection Offer
For Partners and Customers

End-user offer
• Save on the cost to upgrade to a Cisco SD-WAN solution when buying a 3-year Viptela software subscription

Terms: Products eligible and Guidelines
• Applies to Cisco ISR 4000, ASR 1000, CSR, or ENCS purchased with AX / AXV bundles or Cisco ONE WAN Foundation license
• To be eligible for this offer, must have active Software Support Services (SWSS) contracts and/or Smart Net contracts
• Requires minimum 3-year Viptela software subscription purchase
• Cannot be stacked or combined with other offers from Cisco or Viptela
• Program effective once Phase 2 integration* is complete - until further notice

Customer Benefit
• Protects pending and recent investments in Cisco ISR 4000 by providing the customer credit toward the purchase of the Viptela 3-year software subscription.
• Save on costs of upgrading to a Cisco SD-WAN solution.
• Any investment in AX, AXV, or Cisco ONE Software WAN Foundation will be protected. There will be options to upgrade to Viptela’s SD-WAN capabilities after Cisco completes the integration.

Partner Benefits
• Simplified transaction, avoiding stall in SD-WAN deal, facilitate deal for the customer quickly
• Simplified adoption of Cisco SD-WAN with Viptela by providing software credit good toward Viptela software subscription licenses, to protect the customer recent or pending investment in ISR 4000

*Integration is Phase 2 when vEdge software is integrated on EN routing platforms
Example Software Investment Protection Benefit

Product ID (example: ISR4331) | Hardware | AX License / AXV License | Cisco ONE Software WAN Foundation License | Annual SWSS (12-month) | One Year Smart Net (8x5xNBD) | Upgrade discount Applied Toward Viptela 3-yr. Subscription License*
C1-CISCO4331 | $3300 | NA | $2000 | $460 | $509 | $2000
ISR4331-AX | $3300 | $2000 (AX License) | NA | NA | $509 | $2000
ISR4331-AXV | $3300 | $3700 (AXV License) | NA | NA | $1455 | $3700

Example†
1. Customer has procured C1-CISCO4331
2. Cisco ONE Software WAN Foundation License is priced at $2000
3. Viptela Subscription for Professional (PRO) License for 3-years is $10,710‡
4. Customer pays for migration to Viptela 3-year PRO License: $10,710 - $2,000 = $8,710†

*Amount applied toward Viptela subscription is the list credit for the original license.
† Field discount is applied on the final price.
‡ Minimum Viptela 3-Year PRO or ENT subscription must be purchased.
Subscription lifetime software maintenance and upgrades are included in the subscription.
Positioning
Hardware Positioning
What to Sell

Lead With Pure Viptela: vEdge
Who is it for: Customers that need centralized management with a next-generation SD-WAN solution
Sell: Cisco SD-WAN vEdge and vManage

New Bundle Available*: vEdge + ISR 4000 Series
Who is it for: Customers that need a next-generation SD-WAN solution and rich services e.g. voice, security, and diverse WAN connectivity.
Sell: ISR4K with Cisco SD-WAN vEdge Bundle*

SW credit Incentive**: ISR 4000 Series
Who is it for: Customers that have bought or are considering to buy ISR4K
Sell: Cisco SD-WAN vManage licenses with investment protection offer**
Cisco SD-WAN: Positioning For Day-1
1. Pure-play Cisco SD-WAN architecture
a. Lead with Cisco SD-WAN products as-is

2. Need T1/E1/DSL, UC, UCS-E, WAAS


a. Position vEdge + ISR4k bundle
b. (Fallback) Leave existing ISR as-is and add vEdge (with Cisco SD-WAN architecture)

3. Plan to purchase or just purchased ISR4k – want SD-WAN down the road


a. Position ISR4k with Cisco ONE. Software upgrade to existing platforms will get to Cisco SD-WAN (9 mo)

4. Existing IWAN 2.x customer


a. Stay the course – IWAN 2.x with committed roadmap
b. Migration to Cisco SD-WAN architecture – plan for migration
Solution Components and Subscriptions
One-Time and Annual

One-time: Hardware or Software
vEdge Routers
• Sit at the edge or in a hosted environment in the private, public or hybrid cloud
• Provide secure, dynamic access over any transport
Support and HW Replacement Included with Software Subscription

Annual Recurring Software Subscription
vManage
• Centrally manages and configures SD-WAN
• Real-time dashboard for health and control
• Northbound API integration
vSmart Controllers
• The brain of the Virtual WAN
• Simplify, Centralize, Abstract and Automate
Pricing Model
Subscription and Perpetual Elements
1. Subscription* license (1YR, 3YR and 5YR) for Viptela software charged per CPE. This cost is dependent
on two factors:
• Service bandwidth. Figure 2 below covers how service bandwidth is calculated.
• Features: Figure 1 below covers feature buckets.

2. Perpetual cost of Viptela CPE** element.

Perpetual cost of Viptela CPE hardware
Subscription cost of Viptela software (Includes SD-WAN controller + CPE software)
Operational cost of Viptela solution

*Note: Subscription cost of Viptela software includes cost of SD-WAN controllers, 24x7x365 Viptela support, next day hardware replacement
for Viptela CPE, software upgrades on all components and the cost of hosting the Viptela controllers in the Viptela cloud.

**Note: CPE can be Viptela owned or in the case of Virtual CPE customer owned. Cost here implies Viptela CPE only.
Pricing Model
Multiple Options
[Diagrams: hub and spoke topologies over MPLS and Internet with SD WAN controllers, one per option: Plus, Pro + DPI, Enterprise]

Plus
Features:
• Encrypted Fabric
• Hub-and-spoke only
• App-aware routing (AAR)
• Split tunnel
Competition: Transport Optimization players

Pro + DPI
Features:
• Plus capability
• Dynamic routing
• E2E Segmentation (Multi-VPN)
• AAR with DPI
• Full-mesh
Competition: IWAN prior to acquisition

Enterprise
Features:
• Pro + DPI
• CloudExpress
• Analytics
Competition: None
Case Study
Network as a Service

Transformed Customer Experience

CHALLENGES
• Customer Experience Applications
  • Self-service kiosks
  • Video conf with live experts
  • New Retail Bank Apps
• Simplify branch IT operations (incl ATMs)
• Improve Business continuity with Data loss prevention, backups

VIPTELA SOLUTION
• Verizon Managed SD-WAN with Viptela SEN
• 1400 locations
• Augment MPLS with LTE

BUSINESS OUTCOMES
• Video and WiFi inside Branches
• Faster Applications
• Agile Operations
• Business Continuity: Data loss Prevention and Backup
Case
Case Study
Studies: GAP
Global Retailer
Cloud onRamp

Enabled Cloud-Based Healthcare Apps

CHALLENGES
• Outages at Clinics
• Couldn’t enable SaaS Apps
• Need to add to Office365 and Cloud-based Voice

VIPTELA SOLUTION
• MPLS → MPLS + broadband
• Cloud-based EMR enabled
• Next Phase: Migrate Office 365, Voice to Cloud

BUSINESS OUTCOMES
• Zero Outages
• Adding Bandwidth 120 → 2 days
• 10x Bandwidth
• No wasted engineering hours
Case Study
Global Retailer

40% Reduction in WAN Costs

CHALLENGES
• Reduce OpEx and CapEx costs
• Re-energize customer in-store experience
• Improve mobile application performance

VIPTELA SOLUTION
• Viptela SEN infrastructure
• 1600 stores globally
• MPLS → dual broadband
• 7 Segments – PCI, guest WiFi, security

BUSINESS OUTCOMES
• 26x Bandwidth improvement
• 5x Improvement store conversions
• $20M Saved over 3-years
Gap - 3700 Company/Franchise Locations
Before and After

WAN Components | Before | After
Circuits | Poor price to bandwidth economics; Tied to 2 providers | 60-70% cheaper broadband at high bandwidth; Free to choose any provider
Time to Capability | Bring-up - 2 stores a night; 9-12 months planning for any change | 25 stores a night; Instantaneous planning and provisioning
Security | Expensive firewalls and MPLS infrastructure for isolation | Network security built-in; Network fully segmented
Management | Inefficient - combination of home grown, carrier provided and 3rd party tools | Centralized control, full visibility and operationally elegant
Case Study
Global Industrial Firm

46
Portfolios
consolidated

CHALLENGES VIPTELA SOLUTION BUSINESS OUTCOMES

Rapid M&A integration Viptela SEN infrastructure 14 to 1 Carrier MPLS VRFs

14 different environment, 8 carriers Enable active active → MPLS + internet Months to weeks rapid
M&A onboarding
Massive migration to O365 & AWS
46 Portfolios consolidated
Business unit segmentation
Case Study
Banking Fortune 500

80%
Less time
for deploying
new branch
WAN

CHALLENGES VIPTELA SOLUTION BUSINESS OUTCOMES

High bandwidth apps (HD Video) Viptela SEN infrastructure 20x Bandwidth Improvement

Improve application performance 3000 locations 4x Improvement in app performance

Simplify branch IT operations Augment MPLS with broadband 50 Sites deployed per night
(incl ATMs)
1000 Devices upgraded in 4 hours

1.5 Engineering hours plan / site


(contrast with 40 hours earlier)
Viptela
Why We Won

Customer: Fortune-500 (Retail)
Delivered Value
• MPLS to All broadband transition (50x bandwidth, 60% savings)
• Segmentation for line of business and compliance
• 25-40 store turn-up a night (vs 2 per week with Cisco)
• Centralized control with full visibility
• Simple to operate
Why We Won (vs) Cisco IWAN
• Scale (3500 stores) with geo diverse footprint
• 1/10th the planning time
• Clean architecture – fully segmented, true zero touch, application aware routing, full app visibility
• All existing apps saw multi-fold improvement in performance
• No head-end complexity

Customer: Top-6 US Bank (Financial Services)
Delivered Value
• Dual MPLS to Hybrid (MPLS, broadband, 4G/LTE) transition
• Scale (6000 devices, 3000 branch offices)
• Centralized management & operational simplicity
• Inter-operate with existing network (DC, WAN Opt, Firewalls)
• Security & segmentation
• Optimal Internet exits
Why We Won (vs) Cisco IWAN
• Management simplicity – single pane of glass, integrate with full REST APIs
• All required functionality works at scale – 6000 devices
• Users experienced 400% improvement in performance
Viptela
Why We Won

Customer: Fortune 100 (Healthcare)
Delivered Value
• Pure MPLS to Hybrid transition
• Single WAN technology for hospitals, admin offices, partner networks, cloud access
• Security – centralization of firewall services
• Simplified routing environment & zero downtime to existing network during transition
• Templatized roll-out with audit compliance
• HIPAA compliance
Why We Won (vs) Cisco IWAN
• Works on MPLS, dual-Internet and 4G/LTE in exactly the same way – single domain
• Centralization and service insertion capabilities
• Simplified architecture
• Easy to operate and troubleshoot

Customer: Very large Manufacturing Co
Delivered Value
• Transition from Dual MPLS with 40 provider VRFs to fully segmented Hybrid network
• Scale to 1000s of locations – global footprint
• Centralized management & operational simplicity
• Single WAN technology for all portfolio companies, cloud access, partner networks
• M&A quick onboarding
Why We Won (vs) Cisco IWAN
• Head-end and branch site complexity
• Scale to 1000s
• Easy to segment, operate and troubleshoot
Proven Solutions
Across Multiple Verticals

Industry: Retail
Challenge: High cost, slow change, limited flexibility
Solution: 60-70% cheaper broadband at high bandwidth, centralized control, full visibility.

Industry: Financial
Challenge: Needed more bandwidth and guaranteed network uptime for a new teller application
Solution: Dollar cost averaged the bandwidth cost down using a mix of transport (MPLS, Broadband, LTE). Traffic now uses the optimal network path to avoid downtime and slowdowns.

Industry: Tech
Challenge: Slow performance and MPLS outages provided an expensive and poor user experience
Solution: Monthly savings reduced the cost per Mbps by more than 80%. Diverse circuits improve the reliability of the global network, with more than half of Agilent’s sites doubling WAN redundancy.

Industry: Healthcare
Challenge: With an MPLS contract renewal approaching, Cigna wanted the flexibility to change carriers without a massive technology shift
Solution: Gained back control of its control plane and created the Cigna Service Provider Agnostic Network.

Industry: Healthcare
Challenge: Security and high network cost
Solution: Satisfied strict security and audit requirements and provided greater flexibility for partnerships and secure clinical solutions. Cost reductions with the removal of remote site voice equipment and expensive PRIs, aging WAN acceleration equipment and maintenance.

Industry: Energy
Challenge: Scale to support evolving field operations, and support cloud migration and application SLAs
Solution: Provided 30-60% savings in overall bandwidth costs. Enabled faster response to acquisitions, divestitures and policy changes.
Shifting the Sales Approach
What to Sell = Software

Traditional Approach
• Focused on selling hardware
• Heavy upfront cost Capex Sale
• Leads with features as well as speeds and feeds
• Network and security sales approach build on each other to provide success in phases

New Approach
• Software-based selling leads with software and is always a journey
• OpEx Sale with Cisco ONE Subscription and EA’s
• Leads with use case and outcomes
• Network and security sales approach is integrated to demonstrate greater value
Key Foundation Takeaways
Summary
• There are new solution bundles and offers to simplify the selection of the right
innovation
• Mapping back to discovery and design considerations output and targeted use cases
simplifies overall solution positioning
• Software offers provide the necessary pieces and parts to satisfy solution requirements
as customers embark on the design and deploy for impact journey
• The software sales motion is a journey and naturally provides insertion points during the
customer conversation to drive upsell

Team Exercises
Module Objectives
Foundational Enablement
• Highlight key takeaways including challenges, desired benefits, impacting trends, and
requirements that are contained within the sample scenario discovery output
• Develop and execute on the appropriate engagement strategy based on the customer
audience and desired outcomes
• Identify important information that is lacking within the discovery output documentation
and determine how you would gather missing information
• Determine the appropriate tools to leverage while engaging (PPT, Whiteboard, Solution
Demo, ROI Calculator, etc.)
• Execute your engagement strategy as part of a role play while leveraging the appropriate
tools, expanding discovery and while providing unique insights

Foundation Scenario Takeaway
Reference
Plan of Action and Role Play Exercise

Facilitator Explains the Framework for Team Exercises
• Split teams – 1, 2, 3, 4 count around the table
• 2 Scenarios Shared – Groups 1 & 3 get Scenario 1 while Groups 2 & 4 get Scenario 2
• 1 hour joint prep
• 2 teams selected to present x (20 min Q&A + 10 min discussion + 20 min roleplay + 10 min closing thoughts) = 2 Hours
• Teams 1, 2 or 3,4 will act as Cisco and teams 3,4 or 1, 2 will act as customer during role play (Facilitator choice)
• Expectations of Exercise:
  • Develop engagement strategy
  • Present scenario to room
  • Who is your audience? (Defined in scenario itself)
  • What is the outcome you are trying to drive?
  • Discuss your key takeaways (challenges, desired benefits, impacting trends, etc.)
  • What important information is lacking and how would you gather that?
  • Discuss what tool(s) you will use during the role play and why?
  • Role play your engagement while leveraging the appropriate tools and expanding your discovery while providing unique insights.
  • Customer Team gets a list of likely questions just before role play begins
• In room discussion:
  • How does this align to existing customer engagement opportunities?
  • What additional tools and skills are necessary to empower you through the engagement process?

Assessment of Prerequisites
• Trends, Challenges, Benefits, Capabilities (Insights)
• Sample Customer Discovery
• Design Considerations
• Potentially White board
• Potentially Demo
Foundation Scenario Addition Takeaway
Reference
Plan of Action and Role Play Exercise

Facilitator Explains the Framework for Team Exercises
• Split teams – 1, 2, 3, 4 count around the table
• 2 Scenarios Shared – Groups 1 & 3 get Scenario 1 while Groups 2 & 4 get Scenario 2
• 1 hour joint prep
• 2 teams selected to present x (20 min Q&A + 10 min discussion + 20 min roleplay + 10 min closing thoughts) = 2 Hours
• Teams 1, 2 or 3,4 will act as Cisco and teams 3,4 or 1, 2 will act as customer during role play (Facilitator choice)
• Expectations of Exercise:
  • Develop engagement strategy
  • Present scenario to room
  • Discuss your key takeaways
  • What are the technical and design priorities?
  • How do the technical and design priorities map back to the business drivers and vice versa?
  • Do we have a solution?
  • What are we actually able to deliver on vs. what is still Marchitecture?
  • Are there any caveats that we need to be familiar with that will impact the end state design?
  • What is the unique value only the Cisco solution can provide?
  • How do you anticipate a competitor will approach addressing customer requirements while laying traps for us?
  • What important information is lacking and how would you gather that?
  • Discuss what tool(s) you will use during the role play and why?
  • Role play your engagement while leveraging the appropriate tools.
• In room discussion:
  • How does this align to existing customer design scenarios?
  • What additional tools and skills are necessary to empower you through the engagement process?

Assessment of Prerequisites
• Demo
• Design Considerations
• Products, Solutions & Other Considerations
• Caveats
• Roadmap Impact
• What to Sell?
Facilitator Role and Tips Takeaway
Reference
Making the Most of the Exercises
• Teams execute while Facilitator guides = Actor vs. Director
• Facilitator is expected to join both sides of the role play as an actor to nudge in each direction to keep things on track
• Critical for bulk of role play to be controlled by SE audience, but
• Facilitator will have a list of potential Cisco leading questions and Customer leading questions for each scenario document

During Role Play
• Drive interaction to make sure people are participating
• Stay on course to avoid going down a rat hole or going off conversation
• Facilitator will join the customer side of the role play to help reset the direction of the role play without being disruptive
• Facilitator will join the Cisco side of the role play to lead by example

After Role Play
• Ask the team
• Highlight key points (Good & Bad)
• Reveal missed opportunities
• Explain why the facilitator got involved as an actor to nudge on either side

Sample Facilitator Tips
• Might need to pull the team out of role play within the first five minutes to reset if not effective, but should be careful to not be disruptive throughout role play
• Rather than disrupting role play, seek to join both sides of the role play as an actor to nudge in each direction
• Freeze and Resume technique can be used, however in an extremely controlled fashion, for facilitator to make key points during the role play without extended audience comment or participation (example could be after baiting a team and they took the hook)

Sample Freeze and Resume Application
• Freeze and Resume technique can be used in an extremely controlled fashion for facilitator to make key points during the role play without extended audience comment or participation
• Example could be after baiting a team and they take the hook, resulting in the facilitator pointing out that the team fell into the trap:
  • "Your competition does xyz, how do you do that?" results in defensive behavior or derailing the conversation
  • Deep dive technical questions from network engineer with mixed stakeholder audience results in team rat holing and not considering entire audience
  • Tough business line of questioning results in diversion and never answering question
Scrimmage

Key Foundation Takeaways
Summary
• Practicing is fun and important
• It is critical to perform the proper discovery and to gather and analyze key take-aways
• Account teams will benefit from creating a strategy based on the customer audience and
desired outcomes
• There is a big difference between planning a strategy and executing on that strategy –
Practice is important
• Most of the time there is important information lacking within the discovery output
documentation requiring that we dig deeper with the customer in certain areas
• Different tools provide different value during the engagement process and we must
choose the right tool for the job

Closing Thoughts
