Cisco SD-WAN in Service Provider networks
Faisal Chaudhry, Principal Architect
Stefan Olofsson, Technical Solutions Architect
BRKSPG-2017 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Scope of Presentation
Focus of the session:
• How SPs are using Cisco SD-WAN
• Experiences from deployments
• Automation, Orchestration, API …
• SD-WAN components
• Complementary products for an E2E service
Not planning to cover:
x Details & features
x How to configure

Agenda
• Overview of Cisco SD-WAN
• Deployment Models
• End to End Service Orchestration
• Managed Services Accelerator (MSX)
• Programmability & Automation
• Cisco SD-WAN & existing MPLS/Campus networks

Cisco SD-WAN Overview

Software Defined WAN – Transport Independence
(Figure: Site 1, Site 2 and Site 3 connected over MPLS and INET transports; Public Clouds (SaaS/IaaS) are reached over the same WAN)

Software Defined WAN – Transport Independence
(Figure: the SD-WAN Fabric spans MPLS, INET and 4G; sites and Public Clouds are joined by IPSec tunnels regardless of which transport carries them)

Software Defined WAN – Intelligent traffic routing
App-Aware Routing (TE, SLAs):
• App1 via MPLS
• App2 via INET
(Figure: Site 1 and Site 2 connected over MPLS, INET and 4G; APP1 is steered onto MPLS and APP2 onto INET)

Software Defined WAN – Segmentation
(Figure: VPN1 and VPN2 are carried as separate segments across MPLS, INET and 4G between Site 1, Site 2, Site 3 and the Public Clouds)
Software Defined WAN – Centralized Mgmt
Provision, then Policy, applied centrally to the whole fabric
(Figure: the same VPN1/VPN2 topology over MPLS, INET and 4G, with provisioning and policy pushed from the controllers rather than per site)

Software Defined WAN – Security
Provision, Policy, Security, Analytics
• VPN based security policies (Stateful FW)
• IPS
• AMP
(Figure: security functions applied per VPN on the WAN Edges at Site 1, Site 2 and Site 3)

Software Defined WAN – Overlays
• Hub & Spoke: Site 1 and Site 2 reach each other through the DC
• Direct Internet Access: Site 1 breaks out locally while still reaching the DC
• Regional Mesh: Site 1, Site 2 and Site 3 meshed within the region, with the DC attached

Software Defined WAN – Products
• Orchestration plane: vBond
• Management plane: vManage
• Control plane: vSmart
• Data plane: vEdge, cEdge (WAN Edge) in Data Center, Campus, Branch and Home Office, over 4G, MPLS and INET

Controllers – Deployment
• Hosted: vBond, vManage and vSmart in a Public Cloud (AWS or Azure)
• On-Premise: vBond, vManage and vSmart as VMs on ESXi or KVM on a physical server

Cisco SD-WAN Fabric Operations
• vManage holds the policies; vSmart distributes routes and policy to the WAN Edges over OMP
• Controller to WAN Edge sessions run inside DTLS/TLS tunnels; WAN Edge to WAN Edge traffic runs inside IPSec tunnels, with BFD across each tunnel for path liveness
• VPN1 and VPN2 stay separate end to end across both MPLS and INET
Deployment Models

SD-WAN Controller Hosting Models
• Cloud hosted (Recommended Model)
  • AWS or Azure
  • Single or multiple Availability Zones
• Cloud hosted + On prem
  • Public Cloud plus Private Cloud and/or DC
  • IP connectivity between domains required
  • Currently not supported
• On prem only
  • Private Cloud or DC
  • Public and private transport still supported
  • Specific design considerations required

SD-WAN Tenant Hosting Models
• Single Tenant
  • Tenant dedicated controllers
  • Single tenant operations
  • Single tenant visibility
• Virtualized Single Tenant (“Micro-tenancy”)
  • VPN anchored tenants
  • Single tenant operations
  • Multi-tenant visibility
• Multi-tenant
  • Natively multi-tenant controllers / orchestration
  • Multi-tenant operations
  • Multi-tenant visibility
(Figure: each model shown with its tenants' VPN 1 / VPN 2 segments)

SD-WAN Single Tenant Virtualization
Aka RBAC by VPN / Micro-tenancy
• Single overlay network supporting VPN anchored tenancy
• Single set of controllers
• vManage provides Admin access and VPN Group View access (Read Only)
• Target use is an environment where a single network supports several lightweight tenants (e.g. Airports)
Note that tenant separation in this model is vManage RBAC over one shared set of controllers: a tenant operator's view is scoped to its VPN group, but the control plane itself is not partitioned per tenant.

Operational Roles
Admin (full access to the standard vManage dashboard)
• Create VPN dashboards
  • Create/discover VPN segments in a network
  • Create VPN groups
  • VPN dashboard for each VPN group
• Define VPN group access
  • Link user group to VPN group
  • Create users with access to VPN group
VPN Group Operator (Monitor: access to the VPN dashboard only)
• Monitor devices, network, and application status via the VPN dashboard
• VPN dashboard information restricted to devices with segments in the VPN group
• Monitor option restricted to devices with segments in the VPN group
• Interface monitoring on a device restricted to interfaces of segments in the VPN group

SD-WAN Single Tenant Virtualization: VPN Group Operator Dashboard
(Figure: VPN Group “Better Airways” (VPN 1, 2) showing VPN details, device health status and application status; subtenant access and setup for the Ticketing and Guest WiFi services)

SD-WAN Multi-Tenancy
Native Multi-Tenancy enabled via different platforms (Limited EFT Availability only)
• Provider layer: multi-tenant orchestration and management (vManage, vBond)
• Tenant layer: per-tenant containerized routing controllers (one vSmart per MSX tenant, e.g. MSX Tenant 1, Tenant 2, Tenant 3)
• MSX: multi-tenant and multi-service orchestration and management
• Single tenant data plane (VPN 1 / VPN 2 per tenant)
• Hosting facility (Cloud/DC)
SD-WAN Multi-Tenancy
Native Multi-tenancy Platform (Limited EFT Availability)
• vManage / vBond natively multi-tenant
  • Provider and tenant views for mission specific administration
  • Clustered deployment for scale and redundancy
  • Dynamic tenant creation with sizing checks
• vSmart containerized for tenant sizing flexibility
  • vSmarts can be deployed in containerized or VM format per tenant
  • Single tenant operation to ensure control plane stability under any condition
• Single tenant WAN Edge
  • WAN Edges are always single tenant
  • Multi-tenant devices possible with VNF platforms
The MSX platform is available and will be discussed later in this presentation.

SD-WAN Controller Scalability
Same principles apply for Cloud and On-Prem
vBond
• Horizontal scaling with no inter-vBond dependencies
• Used for initial node bring-up and TLOC bring-ups only
• Every vBond node is always active
• Recommended ratio 2000:1 WAN Edge to vBond
vSmart
• Horizontal scaling with a full mesh of peering between vSmarts of the same tenant
• Provides OMP control plane services (routing, security, policies and services)
• Active/Active redundancy with WAN Edge intelligent session distribution (disabled by default)
• Recommended ratio 4000:1 TLOCs to vSmart
vManage
• vManage clustering for scale and redundancy
• Provides orchestration and management services
• Active/Passive cluster redundancy with WAN Edge intelligent session distribution
• Recommended ratio 2700:1 WAN Edge to vManage

SD-WAN Controller Redundancy
Same principles apply for Cloud and On-Prem
vBond: Active / Active, no shared state
• DNS FQDN to cover multiple vBonds (e.g. vbond.enterprise.com)
vSmart: Active / Active, OMP mesh amongst all active vSmarts
• vSmart dynamic discovery via vBond, no configuration required
vManage: Active / Standby with DB sync
• Active / Standby cluster architecture (improved in 19.2)
• Clusters are maintained from within vManage
• Database synchronization required between Active and Standby

End to End Service

End to End Service Orchestration
• Enterprise controllers: vManage, vSmart, vBond
• Centralized services: Internet breakout, security, cloud access, extranets, unified communications, remote access
• Underlay transport: MPLS, INET
• DC (CPE, transport, VPNs, routing, services) and Branch (CPE, transport, VPNs, routing, services), on virtualized or physical CPE

End to End Service Orchestration: SD-WAN Controllers
• On-Prem (vManage, vSmart, vBond): requires a dedicated platform for private orchestration
• Public Cloud: provided by Cisco as part of ordering a new Enterprise
• Overlay instantiation and lifecycle management (LCM), including auto-healing, scale-out, configuration management …

End to End Service Orchestration: SD-WAN CPEs (DC / Branch)
Flow against vManage, vSmart and vBond: validate device, ZTP/PNP initial bring-up, apply config, transport, enable services
• Zero Touch Provisioning for virtual CPE and physical CPE
• VNF management and chaining
• Configuration templates
• Life-cycle management (LCM) for VNFs, services and infrastructure
• Telemetry

End to End Service Orchestration: Underlay Transport and Network Services
• SD-WAN VRF routing
• NTE
• VPC/VNET routing / leaking
• VRF/VPN policies
• INET, MPLS, shared services, SaaS

End to End Service Orchestration: MSX and 3rd party
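Returning to the controller scalability and redundancy slides above: the per-controller ratios (2000 WAN Edges per vBond, 4000 TLOCs per vSmart, 2700 WAN Edges per vManage) are what an SP sizes a controller set from, and because vSmarts are single tenant while vBond and vManage can be shared, the vSmart count is a per-tenant figure. The following is an added sizing helper, not code from the deck or from Cisco; the N+1 spare per role, the floor of two controllers per role (the redundancy slide shows pairs) and the average of two TLOCs per dual-transport edge are assumptions of this example, not recommendations from the page.

```python
"""Size vBond / vSmart / vManage from the ratios on the scalability slide."""
import math

# Recommended ratios quoted on the "SD-WAN Controller Scalability" slide
EDGES_PER_VBOND = 2000
TLOCS_PER_VSMART = 4000
EDGES_PER_VMANAGE = 2700


def _size(units, per_controller, spare, minimum):
    """Controllers needed so the ratio still holds with `spare` nodes lost."""
    needed = math.ceil(units / per_controller)
    # Assumption: N+spare so one failure never pushes a survivor over ratio,
    # and never fewer than `minimum` (pairs, as on the redundancy slide).
    return max(needed + spare, minimum)


def plan_controllers(tenant_edges, tlocs_per_edge=2, spare=1, minimum=2):
    """Return a sizing plan for one overlay.

    tenant_edges: {tenant name: WAN Edge count}. vBond and vManage are shared
    by all tenants; vSmarts are single tenant (multi-tenancy slide), so they
    are sized per tenant. tlocs_per_edge is an assumed average: a WAN Edge
    with two transports (e.g. MPLS + INET) has two TLOCs.
    """
    if not tenant_edges or any(n <= 0 for n in tenant_edges.values()):
        raise ValueError("every tenant needs a positive WAN Edge count")
    if tlocs_per_edge <= 0:
        raise ValueError("tlocs_per_edge must be positive")
    total_edges = sum(tenant_edges.values())
    plan = {
        "vbond": _size(total_edges, EDGES_PER_VBOND, spare, minimum),
        "vmanage": _size(total_edges, EDGES_PER_VMANAGE, spare, minimum),
        "vsmart": {},
        "vsmart_omp_peerings": {},
    }
    for tenant, edges in tenant_edges.items():
        n = _size(edges * tlocs_per_edge, TLOCS_PER_VSMART, spare, minimum)
        plan["vsmart"][tenant] = n
        # vSmarts of one tenant peer in a full OMP mesh: n(n-1)/2 sessions
        plan["vsmart_omp_peerings"][tenant] = n * (n - 1) // 2
    return plan


if __name__ == "__main__":
    # Constructed input: one large and one small tenant on shared vBond/vManage
    print(plan_controllers({"airline": 5000, "retailer": 300}))
```

The peering count matters for the vSmart row specifically: adding vSmarts to a tenant grows its OMP full mesh quadratically, which is one reason the deck keeps vSmart single tenant rather than pooling all tenants' control plane on one large cluster.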
NSO and MSX

Managed Services Accelerator (MSX)
• Service creation & delivery platform
• Full stack solution that integrates with OSS/BSS
• Orchestration + user/operator portal, service monitoring, identity mgmt, logging & alarms …
• Provides pre-built service packs for SD-WAN, vBranch …
• Also available as a SaaS offering
• Reduces development cost & time to offer

Network Services Orchestrator (NSO)
• Multi-vendor service orchestrator
• 100s of customers in large global ENTs and SPs
• Automation use-cases: existing and NGN
• Provides DIY capabilities
• Pre-built packages (aka Core Function Packs)

NSO Core Function Pack (CFP)
NSO Core Function Packs (CFPs) accelerate automation and service to market speed with Cisco developed and supported prebuilt onboarding and configuration packages.

End to End Service Orchestration: NSO
(Figure: NSO exposes CLI, REST and a UI northbound; southbound it drives vManage over REST, physical networks over NETCONF and CLI, and ACI controllers, EMS and virtual networks over REST)

End to End Service Orchestration: NSO
(Figure: as above, with Service Models layered above Device Models inside NSO)

End to End Service Orchestration: Layered Services Architecture (LSA)
• Customer Facing Services (CFS): high-level service models
• Resource Facing Services (RFS): one or more per CFS, each mapping onto the devices and controllers it owns

NSO SDWAN Core Function Pack (CFP)
Cisco Network Services Orchestrator
• SD-WAN CFP, SD-WAN + vBranch CFP, NFVO CFP, custom CFP service model
• Ready-made implementations for specific features: NFVO, ENFV, SD-WAN, SAE
• Productized, TAC supported
NSO SD-WAN CFP: Control plane events
1 Create vManage, vBond, vSmart with a day0 config file & apply root certs (DC)
2 Generate the CSR for vManage
3 Generate CSRs for vBond and vSmart and add (configure) them on vManage
4 Sign the CSRs on the CA server
5 Install the signed certificates on the controllers
6 SD-WAN control plane up

NSO SD-WAN CFP: WAN Edge events
1 Upload Edge SN (serial numbers) to vManage
2 Get the list of un-used Edges
3 Instruct vManage to generate the bootstrap (day0) config file
4 Get the bootstrap config file
5 Create the Edge + VMs with the day0 config (ENCS, Site 1)
6 Edge connects to the SD-WAN controllers + sync (DC)

Managed Services Accelerator (MSX)
Orchestration and more?
Platform services: Identity Mgmt, Device Mgmt, Data Platform, Billing, Catalog System, Message Handler, UI Frontend, Service Lookup
(Figure: virtualized CPE at Site 1 and the DC orchestrated by MSX)

MSX Platform
• UI / API and OSS / BSS integration on top
• Service packs: IOT, SDA Branch, NFV, SDWAN, SPN, SP DC, NFV Cloud, Meraki, Umbrella, Collab
• MSX Platform services: Identity Mgmt, Device Mgmt, Data Platform, Billing, Catalog System, Message Handler, UI Frontend, Service Lookup

MSX Platform
1 MSX multi-tenancy, SD-WAN controller on-boarding (MSX Tenant 1, Tenant 2, Tenant 3 and Tenant 4 onto the Cisco SD-WAN controllers)
2 Public Cloud, MSX on-boarding (vEdge in the Public Cloud)
3 MSX vBranch (ENCS) support, WAN Edge VNFs (ASAv, FTDv, 3rd party VNFs)
4 MSX OSS/BSS APIs (MSX micro-service) towards the SP OSS/BSS
(Figure: Viptela SD-WAN fabric over 4G, MPLS and INET joining the Data Center (DC) and sites with WAN Edge (vEdge/cEdge))
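The control-plane and WAN Edge event flows above are driven by NSO (or MSX) against vManage's REST API. The following is an added example written for this page, not NSO CFP, MSX or python-viptela code: a small vManage client that logs in, fetches the XSRF token that vManage 19.2 and later require on state-changing calls, and reads the inventory the WAN Edge flow needs (uploaded serials not yet attached, and the cloud-init day0 file for one of them). Two points a practitioner should copy: TLS verification stays on, with the CA that signed the vManage certificate passed in explicitly rather than `verify=False`; and a rejected login is detected from the body, because vManage answers a bad password with HTTP 200 and the HTML login page. The endpoints (`/j_security_check`, `/dataservice/client/token`, `/dataservice/device`, `/dataservice/system/device/vedges`, the `bootstrap/device/{uuid}?configtype=cloudinit` call and its `bootstrapConfig` key) are the ones published under `/apidocs`; confirm the last two against your release. The host name, credentials, device names and the in-memory `fake_vmanage` stand-in are constructed for the example so it runs offline.

```python
import http.cookiejar
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


class VManageError(RuntimeError):
    pass


def https_transport(ca_bundle):
    """Real transport: cookie jar plus HTTPS verified against the CA that signed vManage."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verification stays on
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),
        urllib.request.HTTPSHandler(context=ctx))

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class VManage:
    """transport(method, url, headers, body) -> (status, body bytes)"""

    def __init__(self, host, transport, port=8443):
        self.base = f"https://{host}:{port}"
        self._send = transport
        self._xsrf = None

    def _call(self, method, path, body=None):
        headers = {"Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        if method != "GET" and self._xsrf:
            headers["X-XSRF-TOKEN"] = self._xsrf  # 19.2+ rejects writes without it
        status, raw = self._send(method, self.base + path, headers, data)
        if status != 200:
            raise VManageError(f"{method} {path}: HTTP {status}")
        return raw

    def login(self, username, password):
        form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
        status, raw = self._send("POST", self.base + "/j_security_check",
                                 {"Content-Type": "application/x-www-form-urlencoded"}, form)
        # A rejected login is still HTTP 200; the body is the HTML login page, not empty
        if status != 200 or b"<html" in raw.lower():
            raise VManageError("authentication rejected")
        self._xsrf = self._call("GET", "/dataservice/client/token").decode().strip()
        return self._xsrf

    def devices(self):
        return json.loads(self._call("GET", "/dataservice/device"))["data"]

    def unassigned_edges(self):
        """Uploaded WAN Edge serials (step 1) that are not yet attached to a site (step 2)."""
        edges = json.loads(self._call("GET", "/dataservice/system/device/vedges"))["data"]
        return [e["uuid"] for e in edges if not e.get("system-ip")]

    def bootstrap(self, uuid):
        """Cloud-init day0 file for one edge (steps 3 and 4)."""
        path = f"/dataservice/system/device/bootstrap/device/{uuid}?configtype=cloudinit"
        return json.loads(self._call("GET", path))["bootstrapConfig"]


def fake_vmanage(password="correct-horse"):
    """Constructed in-memory stand-in for a vManage so the client runs offline."""
    state = {"authed": False}
    devices = [{"host-name": "vmanage1", "device-type": "vmanage", "reachability": "reachable"},
               {"host-name": "branch-12", "device-type": "vedge", "reachability": "unreachable"}]
    vedges = [{"uuid": "C8K-0001", "system-ip": "10.1.1.12"}, {"uuid": "C8K-0002"}]

    def send(method, url, headers, body):
        path = url.split(":8443", 1)[1]
        if path == "/j_security_check":
            state["authed"] = urllib.parse.parse_qs(body.decode()).get("j_password") == [password]
            return 200, b"" if state["authed"] else b"<html>login page</html>"
        if not state["authed"]:
            return 401, b""
        if method != "GET" and headers.get("X-XSRF-TOKEN") != "tok-123":
            return 403, b""
        if path == "/dataservice/client/token":
            return 200, b"tok-123"
        if path == "/dataservice/device":
            return 200, json.dumps({"data": devices}).encode()
        if path == "/dataservice/system/device/vedges":
            return 200, json.dumps({"data": vedges}).encode()
        if path.startswith("/dataservice/system/device/bootstrap/device/"):
            uuid = path.rsplit("/", 1)[1].split("?", 1)[0]
            return 200, json.dumps({"bootstrapConfig": f"#cloud-config\n# uuid {uuid}\n"}).encode()
        return 404, b""
    return send
```

Against a real controller, construct the client as `VManage("vmanage.example.net", https_transport("/etc/ssl/sdwan-root-ca.pem"))` (hypothetical host and CA path) and take the credentials from the orchestrator's secret store rather than the playbook or script. The bootstrap file returned in step 4 contains the edge's one-time token and the vBond/organization identity it will trust, so treat it with the same care as the device's private key until the edge has joined.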
Programmability & Automation of Cisco SD-WAN
Programmability
• Native APIs
• Ansible
• Scripting (Python)
Fault Mgmt / operations

Native APIs
• REST API on vManage, documented at https://vManageIP:8443/apidocs
• OSS/BSS integrates against vManage only; vManage in turn drives the vSmarts and vBond

Programmability – Ansible
• Ease of use, config mgmt. & IT automation tool
• Agentless
• Runs tasks sequentially
• Idempotent
Ansible role functions (executed against vManage, which configures the vSmarts and vBond):
• Add Controllers
• Set Organization Name
• Set vBond
• Set Enterprise Root CA
• Get Controller CSR
• Install Controller Certificate
• Install Serial File
• Export Templates
• Import Templates
• Add/Change/Delete Templates
• Attach Templates
• Export Policy
• Import Policy
• Add/Change/Delete Policy
• Activate Policy
• Get Template facts
• Get Device facts

References
• DEVNET main page: https://developer.cisco.com/sdwan/
• DEVNET DevOps: https://github.com/CiscoDevNet/sdwan-devops
• Ansible with SD-WAN: https://github.com/CiscoDevNet/ansible-viptela
• Python SDK: https://github.com/CiscoDevNet/python-viptela

MPLS & Campus Interworking

Existing IP/MPLS network
• Centralized controllers (vBond, vSmart, vManage), with regional vBond and vSmart per region (EMEA, US/NA, APJC)
• SP core (IP/MPLS) with regional hub site(s); MPLS and INET transports in each region
• Full mesh IPSec within a region
• Choice of WAN Edge based upon scalability, performance …

Existing IP/MPLS network
1) BGP/MPLS peering: OMP within each region, BGP between the regional hub sites and the SP core (BGP/MPLS)
2) End to end SD-WAN
(Figure: EMEA, US/NA and APJC regions with full mesh IPSec in region, each with MPLS and INET transports)
SDA Campus & SD-WAN network (ROADMAP)
(Figure: the SDA Campus site and the SDA Branch each run an SDA Fabric with a LISP / BGP control plane and VXLAN data plane, with B = border node and C = control plane node; the SD-WAN Fabric between them runs OMP over IPSec, and the border nodes hand off between the VXLAN fabric and the IPSec overlay)

Thank you