Introduction to Cisco SD-WAN (Viptela)
Brad Edgeworth, Systems Engineer, CCIE#31574
Dustin Schuemann, Solutions Architect
Madhavan Aruanchalam, Technical Marketing Engineer
LTRCRS-2005
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#LTRCRS-2005
Agenda
• Introduction to SD-WAN
• Cisco SD-WAN (Viptela Fundamentals)
• Initial Device Provisioning
• Policy Administration
• Application Awareness
• Segmentation
• Monitoring/Troubleshooting
• Additional Use Cases
Introduction
• Who are we?
• Everyone loves to eat Chorizo
• Not many people know how to make Chorizo, but they can still buy it at the store or order it at a restaurant
• In this session, you will learn how to make Chorizo (i.e. SD-WAN), but you do not have to know a lot of these concepts to enjoy it. You can still enjoy SD-WAN from a service provider.
Housekeeping
• This session involves a lot of presentation, and we will have a hands-on lab too.
• We will repeat a lot of the key concepts throughout this lab to help you understand them.
For your reference only
BRKCRS-2007 5
Current WAN Challenges (figure): Is your WAN business ready? Insufficient bandwidth; no cloud-apps readiness; fragmented security; limited scale; high cost; complex operations; application downtime; limited application awareness.
Business Requirements for the WAN are evolving
• Managing the network is getting more complex
• Apps are moving to the cloud
• Mobile/IoT device proliferation
• Internet edge moving to the branch
Customers want to…
• Simplify WAN/branch management
• Reduce WAN and operating costs
• Optimize application experience
SD-WAN is the solution
• Network capacity optimization and increased bandwidth
• Protect application SLA
• Lower operating costs and TCO
Cisco SD-WAN Holistic Approach (figure): a fabric connecting users, devices and things to applications in the data center, vDC, IaaS and SaaS; building blocks are SD-WAN, Cloud OnRamp, IoT, edge computing, analytics, automation and virtualization; the fabric is secure, scalable, open and cloud delivered.
Cisco SD-WAN Solution Pillars
• Application Quality of Experience
• Agile Operations
• Cloud-Delivered Architecture
• Comprehensive Security
Cisco SD-WAN Cloud-Delivered Architecture (figure): vSmart controllers and vManage (GUI, REST API, analytics) run in a private, hosted or managed cloud and are multitenant, cloud-operated and cloud-delivered. They maintain a secure control plane to the vEdge routers at branch, campus, cloud, data center, small office and home office sites, and the vEdge routers build a secure SD-WAN fabric over the MPLS, Internet and 4G transports.
Arbitrary VPN Topologies
• Each VPN can have its own topology: full-mesh, hub-and-spoke, partial-mesh, point-to-point, etc.
• VPN topology can be influenced by leveraging control policies
• Applications can benefit from the shortest path, e.g. voice takes a full-mesh topology
• Security compliance can benefit from a controlled connectivity topology, e.g. PCI data takes a hub-and-spoke topology
(Figure: four VPNs, VPN1 to VPN4, illustrating full-mesh, hub-and-spoke, partial-mesh and point-to-point topologies.)
Fabric Operation Walk-Through (figure)
• Each vEdge learns its service-side routes (BGP, OSPF, connected, static) for VPN1 and sends an OMP Update to vSmart inside a DTLS/TLS tunnel
• OMP Update contents: Reachability – IP subnets, TLOCs; Security – encryption keys; Policy – data/app-route policies
• vSmart reflects the subnets, TLOCs and policies to the other vEdges in OMP Updates; vEdges A and C then build IPsec tunnels, monitored by BFD, across Transport1 and Transport2
Critical Applications SLA
• vEdge routers continuously perform path liveliness and quality measurements over the Internet, MPLS and 4G LTE transports
• App-aware routing policy (from vManage): App A path must have latency < 150 ms, loss < 2%, jitter < 10 ms
• Measured paths between the remote site and the regional data center: Path1: 10 ms, 0% loss, 5 ms jitter; Path2: 200 ms, 3% loss, 10 ms jitter; Path3: 140 ms, 1% loss, 10 ms jitter
• Also on the data plane: IPsec tunnel, optimal path MTU, TCP optimization, device QoS (shaping, policing, queuing, marking)
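The SLA check described above, worked through in code as an added example (not code from this deck or from Cisco/Viptela). It applies the slide's App A policy to the three measured paths and shows why only Path1 qualifies: the comparisons are strict, so Path3's 10 ms jitter fails "jitter < 10 ms". The `PathStats` and `Sla` classes, the function names and the lowest-latency fallback when nothing complies are assumptions for this example, not product behaviour.

```python
"""App-aware routing SLA evaluation (added example; not code from the deck
or from Cisco/Viptela). It reproduces the slide's policy for App A
(latency < 150 ms, loss < 2%, jitter < 10 ms) against the three measured
paths. PathStats, Sla, the function names and the lowest-latency fallback
are assumptions made for this example, not product behaviour."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PathStats:
    """One path's latest liveliness/quality measurement."""
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class Sla:
    """Thresholds an application path must stay strictly below."""
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float

    def violations(self, p: PathStats) -> List[str]:
        """Names of the SLA terms a path breaks (empty list = compliant).
        Strict '<' as on the slide: exactly 10 ms jitter does not satisfy
        'jitter < 10 ms'."""
        broken = []
        if not p.latency_ms < self.max_latency_ms:
            broken.append("latency")
        if not p.loss_pct < self.max_loss_pct:
            broken.append("loss")
        if not p.jitter_ms < self.max_jitter_ms:
            broken.append("jitter")
        return broken

    def is_met(self, p: PathStats) -> bool:
        return not self.violations(p)


# Measurements taken from the slide.
PATHS = [
    PathStats("Path1", latency_ms=10, loss_pct=0, jitter_ms=5),
    PathStats("Path2", latency_ms=200, loss_pct=3, jitter_ms=10),
    PathStats("Path3", latency_ms=140, loss_pct=1, jitter_ms=10),
]
# The App A policy from the slide.
APP_A_SLA = Sla(max_latency_ms=150, max_loss_pct=2, max_jitter_ms=10)


def compliant_paths(paths: List[PathStats], sla: Sla) -> List[str]:
    """All paths that currently satisfy the SLA (App A may use any of them)."""
    return [p.name for p in paths if sla.is_met(p)]


def choose_paths(paths: List[PathStats], sla: Sla) -> List[str]:
    """Paths to forward App A on. If no path meets the SLA, fall back to the
    single lowest-latency path (an assumed fallback rule for this example)."""
    ok = compliant_paths(paths, sla)
    if ok:
        return ok
    return [min(paths, key=lambda p: p.latency_ms).name]


def report(paths: List[PathStats], sla: Sla) -> dict:
    """Per-path verdict, e.g. for a monitoring dashboard or an alert rule."""
    return {p.name: sla.violations(p) for p in paths}


if __name__ == "__main__":
    for name, broken in report(PATHS, APP_A_SLA).items():
        print(name, "OK" if not broken else "violates " + ", ".join(broken))
    print("forward App A on:", choose_paths(PATHS, APP_A_SLA))
```

The `report` function is the part worth keeping for operations: knowing which term a path breaks (latency on the MPLS path, jitter on the LTE path) is what turns an SLA miss into an actionable ticket rather than a silent reroute.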
DDoS Protection for vEdge Routers (figure)
• Packets punted from packet forwarding to the CPU are subject to control plane policing: 300 pps per flow, 5,000 pps aggregate
• Source classes shown: explicitly defined sources (cloud security), authenticated sources (vManage, vSmart, vBond), implicitly trusted sources (vEdge peers over SD-WAN IPsec) and other unknown sources
• Other unknown sources are denied except: 1. return packets matching a flow entry (DIA enabled); 2. DHCP, DNS, ICMP
• Can manually enable: SSH, NETCONF, NTP, OSPF, BGP, STUN
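A simplified model of the two protections on the slide, as an added example (not Viptela code and not from the deck): an implicit access list on the VPN0 tunnel interface that admits authenticated sources, return packets for flows opened from inside, DHCP/DNS/ICMP and any manually enabled service, followed by control-plane policing at 300 pps per flow and 5,000 pps aggregate. The class and function names, the one-second counting window and the constructed traffic mix are assumptions; the verdict strings are for illustration only.

```python
"""Tunnel-interface protection and control-plane policing on a vEdge VPN0
interface (added example; a simplified model, not Viptela code). It follows
the slide: authenticated sources (vManage, vSmart, vBond and peer vEdges over
SD-WAN IPsec) are accepted; other unknown sources are denied except return
packets matching a flow entry and DHCP/DNS/ICMP; SSH, NETCONF, NTP, OSPF,
BGP and STUN can be enabled manually; what reaches the CPU is policed at
300 pps per flow and 5,000 pps aggregate. Class and function names, the
one-second counting window and the sample traffic are assumptions."""
from collections import defaultdict

ALWAYS_ALLOWED = {"dhcp", "dns", "icmp"}
OPTIONAL_SERVICES = {"ssh", "netconf", "ntp", "ospf", "bgp", "stun"}
PER_FLOW_PPS = 300
AGGREGATE_PPS = 5000


class TunnelInterfaceGuard:
    def __init__(self, authenticated_sources, enabled_services=()):
        unknown = set(enabled_services) - OPTIONAL_SERVICES
        if unknown:
            raise ValueError(f"cannot enable {sorted(unknown)} on a tunnel interface")
        self.authenticated = set(authenticated_sources)
        self.enabled = set(enabled_services)
        self.flow_table = set()            # (peer, service) sessions opened from inside
        self.per_flow = defaultdict(int)   # packets per (src, service) this second
        self.total = 0                     # packets to the CPU this second
        self.drops = defaultdict(int)

    def tick(self):
        """Start a new one-second policing window."""
        self.per_flow.clear()
        self.total = 0

    def record_outbound(self, peer, service):
        """A session initiated from the service side creates a flow entry;
        the reply direction is then accepted as a return packet."""
        self.flow_table.add((peer, service))

    def admit(self, src, service):
        """Return 'accept', or a string naming why the packet was dropped."""
        # Step 1: implicit access list on the tunnel interface.
        permitted = (src in self.authenticated
                     or (src, service) in self.flow_table
                     or service in ALWAYS_ALLOWED
                     or service in self.enabled)
        if not permitted:
            self.drops["implicit-deny"] += 1
            return "deny:implicit"
        # Step 2: control-plane policing, per flow first, then aggregate.
        key = (src, service)
        if self.per_flow[key] >= PER_FLOW_PPS:
            self.drops["per-flow-policer"] += 1
            return "drop:per-flow"
        if self.total >= AGGREGATE_PPS:
            self.drops["aggregate-policer"] += 1
            return "drop:aggregate"
        self.per_flow[key] += 1
        self.total += 1
        return "accept"


def simulate():
    """Run constructed one-second traffic through the guard; returns
    {(src, service, verdict): packet count}."""
    g = TunnelInterfaceGuard(authenticated_sources={"vsmart-1", "vedge-2"})
    g.record_outbound("203.0.113.7", "ntp")      # NTP client session from inside
    traffic = [                                   # constructed (src, service, packets)
        ("vsmart-1", "omp", 100),                 # authenticated controller
        ("198.51.100.9", "icmp", 500),            # unknown host flooding an allowed service
        ("198.51.100.9", "ssh", 5),               # unknown host, SSH not enabled
        ("203.0.113.7", "ntp", 3),                # return packets for the NTP flow entry
        ("203.0.113.7", "ssh", 2),                # same peer, but no flow entry for SSH
    ]
    counts = defaultdict(int)
    for src, service, n in traffic:
        for _ in range(n):
            counts[(src, service, g.admit(src, service))] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(simulate().items()):
        print(key, n)
```

The order of the two steps matters: the implicit deny is evaluated before the policer, so an unknown source cannot consume the 5,000 pps aggregate budget with a service it is not allowed to reach, while the per-flow limit keeps a single ICMP or DNS flood from starving the controllers' own sessions.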
vEdge VPNs and Security Zoning (figure)
• The transport VPN (VPN0) holds the Internet and MPLS interfaces in the untrust zone; service VPNs (VPNn) hold the LAN interfaces and sub-interfaces in the trust zone; out-of-band management uses VPN512
• VPNs are isolated from each other; each VPN has its own forwarding table
• Reachability within a VPN is automatically advertised by OMP
Cisco SD-WAN Solution Elements – Orchestration Plane
(Figure: vManage, vSmart controllers, vBond, vAnalytics and third-party automation via APIs; vEdge routers at data center, campus, branch, SOHO and cloud sites over 4G, MPLS and INET transports.)
Cisco vBond
• Orchestrates control and management plane
• First point of authentication (white-list model)
• Distributes list of vSmarts/vManage to all vEdge routers
• Facilitates NAT traversal
• Requires public IP address [could sit behind 1:1 NAT]
Cisco SD-WAN Solution Elements – Control Plane
Cisco vSmart
• Facilitates fabric discovery
• Disseminates control plane information between vEdges
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
Cisco SD-WAN Solution Elements – Data Plane
Cisco vEdge
• WAN edge router
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane and application-aware routing policies
Cisco SD-WAN Solution Elements – Management Plane
Cisco vManage
• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralized provisioning
• Policies and templates
• Troubleshooting and monitoring
• GUI with RBAC
Overlay Management Protocol (OMP) – Unified Control Plane
• TCP-based extensible control plane protocol
• Runs between vEdge routers and vSmart controllers and between the vSmart controllers, inside TLS/DTLS connections
• Advertises control plane context
• Dramatically lowers control plane complexity and raises overall solution scale
• OMP session is established in VPN0
Note: vEdge routers need not connect to all vSmart controllers
Establishing OMP Neighbors
• System IP is like a Router ID: unique per fabric element; non-routable in the overlay; learned and advertised by vManage
• OMP peering establishes between System IPs, over TLS/DTLS tunnels
• Single OMP peering between vEdge and vSmart, even if multiple TLS/DTLS
(Figure: a vEdge with System IP 1.1.1.1 peers over DTLS/TLS across the INET and MPLS transports with vSmart controllers 1.1.1.53 and 1.1.1.54.)
OMP: vRoutes (OMP Routes)
• Routes learned from the local service side (connected, static, dynamic OSPF/BGP)
• Advertised to vSmart controllers in OMP Updates
• In essence, these are the routes from other sites that are reached via the tunnel (overlay)
• Most prominent attributes: TLOC, Site-ID, Label, VPN-ID, Tag, Preference, Originator System IP, Origin Protocol, Origin Metric
OMP: TLOC Routes
• Routes connecting locations to physical networks
• Provide a method of locating the encapsulating interface of that remote vEdge device
• Advertised to vSmart controllers in OMP Updates
OMP: Network Service Routes
• Routes for advertised network services, i.e. Firewall, IDS, IPS, generic
• Advertised to vSmart controllers in OMP Updates
• Most prominent attributes: VPN-ID, Service-ID (FW, IDS, IDP, Custom), Label, Originator System IP, TLOC
OMP: Network Service Routes Example (figures): a data center, a remote office and a regional hub hosting a firewall (FW), connected over 4G, MPLS and INET. The regional hub sends a service advertisement for the firewall in VPN1 to vSmart; vSmart then sends a policy advertisement (plus the service) to the other VPN1 sites.
Transport Redundancy – Meshed
• vEdge routers are directly connected to all the transports (Internet and MPLS)
• SD-WAN tunnels are built through all directly connected transports
• Failure scenarios (figures): circuit failure, transport failure, router failure. Note: the Internet transport is still reachable
Transport Redundancy – L2 Switch
• vEdge routers are directly connected to all the transports through L2 switches
• SD-WAN tunnels are built through all directly connected transports
• Failure scenarios (figures): circuit failure, transport failure, router failure. Note: the Internet transport is still reachable
Transport Redundancy – TLOC Extension
• Each vEdge router is connected to a given transport
• SD-WAN tunnels are built through local and remote transports
• Failure scenarios (figures): circuit failure, transport failure, router failure
Terminology
VPNs
• These are like VRFs; used for segmenting traffic
• VPN0 is system defined
  • Used for control plane traffic for OMP, orchestration, vManage, etc.
  • IPsec tunnels terminate on VPN0 interfaces
  • WAN transports are associated to VPN0
• VPN512 is used for out-of-band system management
• VPN1-511 are defined by the user and used for site-to-site data traffic
• Our lab is using VPN10, VPN20, and VPN40 for data traffic
Colors
• Used to associate an interface in VPN0 to a specific transport type
• Examples include: MPLS, Biz-Internet, Private, Public
Transport Locator IDs (TLOCs)
• Used to identify the encapsulating interface of a remote
• Primarily this is based on System-ID but includes encapsulating interface IP and Color
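An added example (not code from the deck or from Cisco/Viptela) tying the TLOC definition here to the earlier OMP vRoute and TLOC route slides: a vRoute carries a TLOC attribute, and a vEdge can only use that vRoute once it has also learned a TLOC route telling it where that encapsulating interface lives. The model keys a TLOC by System IP, colour and encapsulation (including the encapsulation in the key is an assumption), keeps routes per VPN so the same prefix in VPN10 and VPN20 never collide, and reports vRoutes left unresolved because their TLOC is unknown. The class names, the sample System IPs (1.1.1.3, 1.1.1.4) and the tunnel endpoint addresses are constructed for this example.

```python
"""OMP vRoute / TLOC route model (added example; a simplified model, not
Viptela code). A vRoute carries a TLOC attribute naming the remote vEdge's
encapsulating interface; a vEdge can only use a vRoute whose TLOC it has
also learned as a TLOC route. Per the deck, the TLOC is primarily the
System IP plus the encapsulating interface IP and colour; including the
encapsulation type in the key, the class names, the sample site/System IPs
and the link addresses are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str = "ipsec"


@dataclass(frozen=True)
class TlocRoute:
    """Where a TLOC is reachable: the encapsulating interface's address."""
    tloc: Tloc
    public_ip: str


@dataclass(frozen=True)
class VRoute:
    """A service-side prefix advertised through the overlay (attributes from the slide)."""
    vpn_id: int
    prefix: str
    tloc: Tloc
    site_id: int
    origin_protocol: str
    preference: int = 0
    label: int = 1001


class OmpTable:
    def __init__(self):
        self.tlocs: Dict[Tloc, TlocRoute] = {}
        self.vroutes: List[VRoute] = []

    def learn_tloc(self, r: TlocRoute):
        self.tlocs[r.tloc] = r

    def withdraw_tloc(self, t: Tloc):
        self.tlocs.pop(t, None)

    def learn_vroute(self, r: VRoute):
        self.vroutes.append(r)

    def resolve(self, vpn_id: int, prefix: str) -> List[Tuple[str, str]]:
        """Usable next hops (tunnel endpoint IP, colour) for prefix in vpn_id.
        Only vRoutes whose TLOC is known count; among those the highest
        preference wins and equal-preference TLOCs are all returned (ECMP).
        Lookups are per VPN: the same prefix in another VPN never matches."""
        cands = [v for v in self.vroutes
                 if v.vpn_id == vpn_id and v.prefix == prefix and v.tloc in self.tlocs]
        if not cands:
            return []
        best = max(v.preference for v in cands)
        return sorted({(self.tlocs[v.tloc].public_ip, v.tloc.color)
                       for v in cands if v.preference == best})

    def unresolved(self) -> List[Tuple[int, str, Tloc]]:
        """vRoutes that cannot be installed because their TLOC is unknown."""
        return [(v.vpn_id, v.prefix, v.tloc) for v in self.vroutes
                if v.tloc not in self.tlocs]


def build_sample() -> OmpTable:
    """Constructed fabric: site 300 (System IP 1.1.1.3) reachable over mpls and
    biz-internet; site 400 (1.1.1.4) whose mpls TLOC route has not been learned."""
    t = OmpTable()
    s300_mpls = Tloc("1.1.1.3", "mpls")
    s300_inet = Tloc("1.1.1.3", "biz-internet")
    s400_mpls = Tloc("1.1.1.4", "mpls")
    t.learn_tloc(TlocRoute(s300_mpls, "172.16.3.2"))
    t.learn_tloc(TlocRoute(s300_inet, "100.64.3.2"))
    # site 300 advertises 10.3.0.0/24 in VPN 10 via both of its TLOCs
    t.learn_vroute(VRoute(10, "10.3.0.0/24", s300_mpls, 300, "connected"))
    t.learn_vroute(VRoute(10, "10.3.0.0/24", s300_inet, 300, "connected"))
    # site 400 uses the same prefix inside VPN 20 (separate forwarding table)
    t.learn_vroute(VRoute(20, "10.3.0.0/24", s400_mpls, 400, "ospf"))
    return t


if __name__ == "__main__":
    table = build_sample()
    print("VPN10 10.3.0.0/24 ->", table.resolve(10, "10.3.0.0/24"))
    print("VPN20 10.3.0.0/24 ->", table.resolve(20, "10.3.0.0/24"))
    print("unresolved:", table.unresolved())
```

The `unresolved` list is the one to watch when troubleshooting: a prefix that vSmart has clearly advertised but that a site cannot reach usually means the TLOC route, not the vRoute, is missing, for instance because that colour's transport is down.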
Visualizing the Concepts (figures): VPN0, with one interface coloured MPLS and one coloured Internet, carries the underlay routing (nothing is encapsulated) and the control plane to vSmart; the user-defined VPN1 (A) and VPN2 (B) form the data plane across the same transports.
Lab Orientation
• Every student works by themselves. You don't have to wait on others to proceed!
Lab Topology (figure)
• Sites: DC 1 / Hub Site 1 (San Jose), Branch 1 (Miami), Branch 2 (Chicago); site IDs shown: 100, 300, 400
• vEdge routers: DC1-VEDGE1, DC1-VEDGE2, BR1-VEDGE1, BR1-VEDGE2, BR2-VEDGE1
• Other devices: DC1-MPLS-CE, DC1-INET-CE, BR2-Core, BR1-PC, BR2-PC, LiveAction, WANem (198.18.133.40; bridges br0 and br1), FW (198.18.133.200), ad1 (198.18.133.1), vPod GW, workstation wkst1 (198.18.133.36)
• Transports: MPLS Transport (AS 100) and Internet Transport (AS 200); the Viptela Management Cloud hosts vManage, vSmart, vBond and ZTP; TLOC 198.18.133.34
• Addressing: lab pool 198.18.128.0/18; LANs 10.3.0.0/24 (based on LAN pool; virtual IP 10.3.0.1; VLAN-PRIMARY; host 10.3.0.10), 10.4.0.0/24 (host 10.4.0.10) and 10.4.254.0/24; transport links 172.16.1.0/30 to 172.16.4.0/30, 100.64.1.0/30, 100.64.3.0/30, 100.64.4.0/30 and 172.16.10.2/30 to 172.16.13.2/30; some transport interfaces use DHCP
Accessing the Lab
• Access to the lab is obtained by launching Cisco AnyConnect and connecting to: dcloud-lon-anyconnect.cisco.com
• Your instructor will have your desktop already VPNed in. If it is not VPNed in, then please reach out to your instructor to provide you with your username and credentials that are unique to your pod.
• Initiate a remote desktop session to the dCloud workstation 198.18.133.36 by clicking on the start button and typing in: mstsc /v:198.18.133.36
• You will be prompted for user credentials.
• Use the username: WKST1\demo and the password: C1sco12345
• If a different username is shown than above, click on "use another account" and type in the appropriate username.
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions