Maximizing SD-WAN with Service Insertion/Chaining Architectures
VeloCloud Networks Proprietary & Confidential | © Copyright 2016
Steve Woo, VP Products & Co-founder
Service chaining (verb / serv-ice chain-ing)
: interconnecting a set of services through the network
: simplified with both SDN [SD-WAN] and NFV
: meet expectations of dynamic insertion without topology reconfigurations
Businesses Blocked by WAN Challenges
• App performance / bandwidth
• Expense & constraint issues
• Branch deployment complexity
• Cloud migration
None of these is supported by static architectures.
Enterprise Legacy WAN
[Figure: datacenter and branches connected over MPLS; firewall and web security hosted at the datacenter]
• Network topology based physical service insertion
• Complex routing – difficult to distribute / disaggregate services to regional “service” hubs
• Internet traffic backhauled – not optimal for migration to cloud
Alternative to Backhaul: Direct Internet Breakout
[Figure: datacenter and branches on MPLS, each branch also breaking out directly to the Internet through a firewall with UTM or a cloud security service]
• “Direct” to Internet
• Cost and operational support for hardware services in branch
• Or complexity of forwarding to cloud based security
• Best effort for availability and performance
Why Software-Defined WAN?
Requirements, and what SD-WAN must deliver for each:
• Simplicity & Manageability – Simplify and expedite new branch rollouts, and configuration across a large number of sites
• App performance – Ensure performance and availability of apps, especially real-time
• Bandwidth & Transport cost – Leverage economical bandwidth additions
• Cloud migration – Optimize access to multiple cloud destinations, with performance, security and manageability
• Services delivery – Virtual services delivery including SD-WAN; simplify service chaining to distributed services
• Flexible / Incremental deployment – Incremental migration, and legacy interoperability; avoid capex and proprietary hardware
SD-WAN Service Insertion & Chaining benefits
[Figure: SD-WAN overlay joining Branch Edges, Datacenter Edges and Cloud Gateways, with the Cloud Gateways providing the on-ramp to SaaS]
SD-WAN advantages:
• Simplified WAN Management – Zero touch deployments, simplified operations, one-click service insertion
• Managed on-ramp to the cloud – Direct cloud access with performance, reliability and security
• Assured Application Performance – Transport independent performance for the most demanding apps, leverages economical bandwidth
Cloud-Delivered SD-WAN Architecture
[Figure: Branch Edges at branch sites and Hub Edges at the enterprise DC connect over private MPLS and Internet circuits to Cloud Gateways; an Orchestrator and Controllers manage the overlay, which reaches traditional private datacenters, hybrid cloud and SaaS. Service insertion points are marked at the edges and gateways.]
Private & Internet circuits, Enterprise & SaaS applications, On premise & Cloud deployments.
Service Insertion at Branch
Multiple CPE options:
• General Purpose Virtual CPE – vCPE platform (OS + HW) hosting SD-WAN, firewall and WOC as separate VNFs under VNF orchestration
• SD-WAN Virtual Services Platform – cloud-delivered SD-WAN hosting a firewall VNF and other third-party VNFs under SD-WAN orchestration
• SD-WAN CPE with virtualized services – embedded services (L7 firewall, dynamic multi-path, VPN, NAT) on the SD-WAN CPE
Embedded Services: services on / off; granular policies by L7 traffic profile.
HW = hardware; vCPE = virtualized CPE; OS = operating system
SD-WAN Policy-Based Service Chaining
[Figure: SD-WAN Edges at the branch and the enterprise DC, with Cloud Gateways reaching SaaS / IaaS and the web; VPN, firewall and dynamic multi-path services shown at the edges]
• Different service chains applied by policy
• Services can be at branch only or dual ended
Multi-Path Optimization Service
Assured application performance over MPLS, Internet broadband and LTE circuits
• Continuous Link Monitoring – drives automation and optimization
• Dynamic Per Packet Steering – sub-second steering without session drops; aggregated bandwidth for single flows
• On Demand Remediation – protects against concurrent degradation; enables single link performance
Cloud VPN Service
[Figure: IPsec VPN from Branch Edges and the enterprise DC Hub Edge across private MPLS and the Internet to Cloud Gateways, and on to traditional private datacenters]
• Unified VPN over all transports
• Cloud VPN eliminates backhaul
• Automated VPN to cloud via gateway
Extensible Virtual Services
Security Services
• Application Firewall – L7 stateful firewall
• Cloud Web Security
• Identity Based Access Control – 802.1x authenticated access
Automated Monitoring
• Deep Application Recognition – packet inspection for application recognition
• Application & Link Visibility – link status and application usage
• Application Performance – application network performance statistics
Assured WAN Performance
• Dynamic Multi-Path Optimization – application steering and link remediation
• Business Policy – application prioritization and network service insertion
Comprehensive LAN Services
• 3rd Party – ecosystem partner apps
• Auto IP Address Management – by sites and profiles
• DHCP, DNS, WLAN… – LAN network services
• Policy Based NAT – source and destination based
Secure Overlay
• Cloud VPN – auto IPsec VPN between Edges and 3rd party devices
• Hybrid VPN – IPsec VPN and MPLS
Regional / Enterprise Services
Internet Backhaul is Complex With Traditional WAN
Challenges with Traditional WAN:
• Not performance-aware
• Policy definition at L3 only
• Requires touching every branch
• Per-application tuning difficult
• More complex with multiple links
[Figure: branch with links to two headends, each advertising the default route 0.0.0.0/0, one marked preferred]
Policy-based Internet Backhaul to Regional DCs
• Backhaul ALL or a subset of Internet traffic
• Flexible link steering policy
[Figure: Branch Edge with a primary path to a Primary Hub Edge and a secondary path to a Secondary Hub Edge]
SD-WAN Distributed Services Insertion for Internet
[Figure: branch site SD-WAN Edges reaching distributed regional mini-datacenters (on-premise email DLP, firewalls) and enterprise datacenters hosting enterprise applications]
Distributed Service Insertion
• SD-WAN one-click app aware service insertion
• Enables disaggregation and distribution of services to multiple regional mini-datacenters
• Same or different service chains by DC
• SD-WAN optimal for SDN instantiated virtual services in DC
• Reduces branch complexity and attack surface
SD-WAN Distributed Services Insertion for B2B
[Figure: branch site SD-WAN Edges with branch-to-branch traffic passing through firewalls in distributed regional mini-datacenters]
Distributed Service Insertion
• Regionalize services even for branch to branch traffic
• Next gen firewall can apply rules by application
SD-WAN Multi-DC Services Insertion for Internet
[Figure: branch site SD-WAN Edges chained through service 1 at Datacenter 1 and service 2 at Datacenter 2, each datacenter fronted by an SD-WAN Edge, before reaching the Internet]
Multi-DC Service Insertion
• Dynamic routing for service insertion
Cloud / SP Services
SD-WAN Hybrid Services Insertion
[Figure: branch site SD-WAN Edge; other web traffic is backhauled to on-premises security at the Enterprise Hub, while Salesforce.com and web email are service-chained through cloud security services to the Internet]
SD-WAN service chaining for hybrid services:
• Backhaul to on-premises services – regional and central
• SD-WAN performance service-chained to cloud security services
• One-click, by application
Cloud Services Chaining
[Figure: Enterprise A and Enterprise B, each with VLANs 1–4 behind an SD-WAN Edge, mapped at a Multi-Tenant SD-WAN Cloud Gateway to per-enterprise VRFs (VRF A for Enterprise A; VRF B-3 and VRF B-4 for Enterprise B's VLANs 3 and 4), under an SP NFV Orchestrator]
• Services by Enterprise – VRF mapping
• Services granularity by VLAN tag
Service Chained Optimization
QoE Service Chaining
[Figure: SD-WAN Edge connected to an MPLS/private core; the edge sets CoS outside the SD-WAN encapsulation by policy while CoS inside the encapsulation is carried end to end]
• WAN edge QoS (prioritization, bandwidth allocation)
• SD-WAN multi-path optimization with MPLS CoS
• MPLS core with CoS
• Interoperable data plane signaling
• Policy based CoS setting: CoS outside the SD-WAN encapsulation, and CoS inside the SD-WAN encapsulation
Summary: Service Chaining Use Cases
• At branch CPE, enterprise DC, or cloud service
• Within SD-WAN CPE, or SD-WAN as VNF
• Distributed regional service centers
• Branch-to-branch and branch-to-Internet traffic
• Multi-hop service centers
• Hybrid on-premises and cloud services
• Cloud services by enterprise and segment
• SD-WAN to SP optimization
SD-WAN Interoperability
SD-WAN policy-based interoperability support:
• Data plane
– TOS/CoS
– VLANs
– Upcoming: IETF draft: NSH
• Orchestration
– MEF OpenLSO
– CORD
– Linux Foundation OPEN-O
– ONUG Open SDWAN Exchange
Q&A
www.velocloud.com/sd-wan-dummies