BRKSPG-2017

Cisco SD-WAN in Service Provider networks
Faisal Chaudhry, Principal Architect
Stefan Olofsson, Technical Solutions Architect
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How:
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
BRKSPG-2017
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
3
Scope of Presentation
(Diagram: SD-WAN Components, API)
Focus of the session:
• How SPs are using Cisco SD-WAN
• Experiences from deployments
• Automation, Orchestration, API ...
• Complementary products for E2E service
Not planning to cover:
x Details & features
x How to configure
Agenda
• Overview of Cisco SD-WAN
• Deployment Models
• End to End Service Orchestration
• Managed Services Accelerator (MSX)
• Programmability & Automation
• Cisco SD-WAN & existing MPLS/Campus networks
Cisco SD-WAN Overview

Software Defined WAN – Transport Independence
(Diagram: Site 1, Site 2, Site 3 and Public Clouds (SaaS/IaaS) connected over MPLS and INET)
Software Defined WAN – Transport Independence
(Diagram: SD-WAN Fabric over MPLS, INET and 4G; IPSec Tunnel between Site 1, Site 2 and Public Clouds)
Software Defined WAN – Intelligent traffic routing
App-Aware Routing (TE, SLAs):
• App1 via MPLS
• App2 via INET
(Diagram: Site 1, Site 2 and Public Clouds over MPLS, INET and 4G; APP1 steered over MPLS, APP2 over INET)
Software Defined WAN – Segmentation
(Diagram: VPN1 and VPN2 segments carried between Site 1, Site 2, Site 3 and Public Clouds over MPLS, INET and 4G)
Software Defined WAN – Centralized Mgmt
Centralized functions: Provision
(Diagram: VPN1 and VPN2 segments between Site 1, Site 2, Site 3 and Public Clouds over MPLS, INET and 4G)
Software Defined WAN – Centralized Mgmt
Centralized functions: Provision, Policy
(Diagram: same segmented fabric as on the previous slide)
Software Defined WAN – Security
Centralized functions: Provision, Policy, Security, Analytics
VPN Based Security policies (Stateful FW)
(Diagram: VPN1 and VPN2 segments between Site 1, Site 2, Site 3 and Public Clouds over MPLS, INET and 4G, with IPS and AMP shown alongside the segments)
Software Defined WAN – Overlays
(Diagram: three overlay topologies between the DC and Site 1, Site 2, Site 3: Hub & Spoke, Direct Internet Access, Regional Mesh)
Software Defined WAN – Products
• Orchestration Plane: vBond
• Management Plane: vManage
• Control Plane: vSmart
• Data Plane: vEdge, cEdge (WAN Edge) in Data Center, Campus, Branch and Home Office
(Diagram: MANAGEMENT, ORCHESTRATION and CONTROL planes above the WAN Edges, which connect over MPLS, INET and 4G)
Controllers – Deployment
• Hosted: vBond, vManage and vSmart in a Public Cloud (AWS or Azure)
• On-Premise: vBond, vManage and vSmart as VMs on ESXi or KVM on a Physical Server
Cisco SD-WAN Fabric Operations
(Diagram: vManage, vSmart and vBond reach the WAN Edges over DTLS/TLS Tunnels; OMP carries reachability and the Policies from vSmart; WAN Edges build IPSec Tunnels monitored by BFD, carrying VPN1 and VPN2 over MPLS and INET)
Deployment Models

SD-WAN Controller Hosting Models
• Cloud hosted
  • AWS or Azure
  • Single or Multiple Availability Zones
  • Recommended Model
• Cloud hosted + On prem
  • Public Cloud, Private Cloud and/or DC
  • IP connectivity between domains required
  • Currently Not Supported
• On prem only
  • Private Cloud or DC
  • Public and Private transport still supported
  • Specific design considerations required
SD-WAN Tenant Hosting Models
• Single Tenant
  • Tenant Dedicated Controllers
  • Single Tenant Operations
  • Single Tenant Visibility
• Virtualized Single Tenant “Micro-tenancy”
  • VPN Anchored Tenants
  • Single Tenant Operations
  • Multi-Tenant visibility
• Multi-tenant
  • Natively Multi-tenant Controllers / Orchestration
  • Multi-tenant Operations
  • Multi-tenant visibility
(Diagram: VPN 1 and VPN 2 segments per tenant in each of the three models)
SD-WAN Single Tenant Virtualization
Aka RBAC by VPN / Micro-tenancy
• Single Overlay Network supporting VPN anchored tenancy
• Single Set of Controllers
• vManage provides Admin Access and VPN Group View Access (Read Only)
• Target Use is environment where a single network would support several lightweight tenants (e.g. Airports)
Operational Roles
Admin*: Create VPN dashboards
• Create/discover VPN segments in a network
• Create VPN groups
• VPN dashboard for each VPN group
Admin*: Define VPN group access
• Link user group to VPN group
• Create users with access to VPN group
*Full Access to standard vManage Dashboard
VPN Group Operator: Monitor Access to VPN Dashboard only
• Monitor devices, network, and application status via VPN dashboard
• VPN dashboard information restricted to devices with segments in VPN group
• Monitor option restricted to devices with segments in VPN group
• Interface monitoring on device restricted to interfaces of segments in the VPN group
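As an added illustration (not Cisco's code or the vManage implementation), the visibility rule of the VPN Group Operator role modelled in Python: an operator linked to a VPN group sees only the devices and interfaces whose segments are in that group, and any other role is denied by default. The device names, interface names, role strings and the airport inventory are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Interface:
    name: str
    vpn: int  # VPN (segment) the interface belongs to

@dataclass
class Device:
    hostname: str
    interfaces: list

@dataclass
class User:
    name: str
    role: str  # "admin" or "vpn_group_operator" (constructed role names)
    vpn_group: frozenset = field(default_factory=frozenset)  # linked VPNs

def visible_interfaces(user, device):
    """Interfaces of `device` that `user` may monitor: admin sees all,
    a VPN Group Operator only segments in its VPN group, others nothing."""
    if user.role == "admin":
        return list(device.interfaces)
    if user.role != "vpn_group_operator":
        return []  # unknown role: deny by default
    return [i for i in device.interfaces if i.vpn in user.vpn_group]

def visible_devices(user, inventory):
    """Restricted dashboard view {hostname: [interface names]}; a device
    with no segment in the user's VPN group is not listed at all."""
    view = {}
    for dev in inventory:
        names = [i.name for i in visible_interfaces(user, dev)]
        if names:
            view[dev.hostname] = names
    return view

def can_monitor_device(user, hostname, inventory):
    """Whether the Monitor option is offered for `hostname` to `user`."""
    return hostname in visible_devices(user, inventory)

# Constructed sample inventory (hypothetical airport network); edge-term1
# also carries VPN 3, so an operator must see only part of that device.
INVENTORY = [
    Device("edge-term1", [Interface("ge0/1", 1), Interface("ge0/2", 2), Interface("ge0/3", 3)]),
    Device("edge-term2", [Interface("ge0/1", 1)]),
    Device("edge-cargo", [Interface("ge0/1", 3), Interface("ge0/2", 4)]),
]
ADMIN = User("netops", "admin")
# VPN group "Better Airways" = VPN 1 and 2, as on the dashboard slide
BETTER_AIRWAYS = User("ba-noc", "vpn_group_operator", frozenset({1, 2}))
```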
SD-WAN Single Tenant Virtualization
VPN Group Operator Dashboard
(Screenshot: VPN Group: Better Airways (VPN 1, 2); VPN details: “Better Airways Subtenant access and setup for Ticketing and Guest WiFi service.”; panels for Device health status and Application status)
SD-WAN Multi-Tenancy
Native Multi-Tenancy Enabled via Different Platforms (Limited EFT Availability Only)
(Diagram: Provider Layer with natively multi-tenant vManage and vBond for Multi-tenant Orchestration and Management; Tenant Layer with an MSX per tenant for Multi-tenant and Multi-Service Orchestration and Management, plus Containerized Routing Controllers, one vSmart each for Tenant 1, Tenant 2 and Tenant 3; Single Tenant Data Plane carrying VPN 1 and VPN 2; all in a Hosting Facility (Cloud/DC))
SD-WAN Multi-Tenancy
Native Multi-tenancy Platform (Limited EFT Availability)
• vManage / vBond Natively Multi-tenant
  • Provider and Tenant views for mission specific administration
  • Clustered deployment for scale and redundancy
  • Dynamic Tenant Creation with sizing checks
• vSmart Containerized for tenant sizing flexibility
  • vSmarts can be deployed in Containerized or VM format per tenant
  • Single Tenant operation to ensure control plane stability during any condition
• Single Tenant WAN Edge
  • WAN Edges are always single tenant
  • Multi-tenant devices possible with VNF platforms
MSX Platform is available and will be discussed later in this presentation
SD-WAN Controller Scalability
Same Principles Apply for Cloud and On-Prem
vBond
• Horizontal Scaling with no inter-vBond dependencies
• Used for initial node bringup and TLOC bringups only
• Every vBond node is always Active
• Recommended ratio 2000:1 WAN Edge to vBond
vSmart
• Horizontal Scaling with full mesh of peering b/t vSmarts of the same tenant
• Provides OMP control plane services (Routing, Security, Policies and Services)
• Active/Active Redundancy with WAN Edge intelligent session distribution (disabled by default)
• Recommended ratio 4000:1 TLOCs to vSmart
vManage
• vManage Clustering for Scale and Redundancy
• Provides Orchestration and Management Services
• Active/Passive Cluster Redundancy with WAN Edge intelligent session distribution
• Recommended ratio 2700:1 WAN Edge to vManage
SD-WAN Controller Redundancy
Same Principles Apply for Cloud and On-Prem
vBond: Active / Active, No Shared State
• DNS FQDN to cover multiple vBonds (e.g. vbond.enterprise.com)
vSmart: Active / Active, OMP peering, No Shared State
• OMP Mesh amongst all active vSmarts
• vSmart dynamic discovery via vBond
• No configuration Required
vManage: Active / Standby, DB Sync
• Active / Standby Cluster Architecture (Improved in 19.2)
• Clusters are maintained from within vManage
• Database synchronization required b/t Active/Standby
End to End Service

End to End Service Orchestration
(Diagram: Enterprise Controllers (vManage, vSmart, vBond); Underlay Transport (MPLS, INET); DC and Branch, each with Virtualized CPE and Physical CPE (CPE, Transport, VPNs, Routing, Services); Centralized Services: Internet Breakout, Security, Cloud Access, Extranets, Unified Communications, Remote Access)
End to End Service Orchestration
SD-WAN Controllers (vManage, vSmart, vBond)
• On-Prem: Requires dedicated Platform for Private Orchestration
• Public Cloud: Provided by Cisco as part of ordering a new Enterprise Overlay
Instantiation and Lifecycle Management (LCM); including auto-healing, scale-out, configuration management ...
End to End Service Orchestration
SD-WAN CPEs (DC / Branch)
(Flow against vManage, vSmart and vBond: Validate Device, ZTP/PNP, Initial Bring-up, Apply Config, Transport, Enable Services)
• Zero Touch Provisioning for Virtual CPE and Physical CPE
• VNF Management and Chaining
• Configuration Templates
• Life-cycle Management (LCM) for VNFs, Services and Infrastructure
• Telemetry
End to End Service Orchestration
Underlay Transport and Network Services
(Diagram: SD-WAN VRF Routing; NTE; VPC/VNET; VRF/VPN Routing / Leaking; Policies; INET and MPLS transports; Shared Services; SaaS)
End to End Service Orchestration
(Diagram: MSX orchestrating Cisco SD-WAN together with 3rd party components)
NSO and MSX
Managed Services Accelerators
• Service Creation & Delivery Platform
• Full Stack solution integrates with OSS/BSS
• Orchestration + User/Operator Portal, Service Monitoring, Identity Mgmt, Logging & Alarms ...
• Provides Pre-built Service Packs for SDWAN, vBranch ...
• Also available as SaaS offering
• Reduce Development costs & Time to offer
Network Services Orchestration (NSO)
• Multi-vendor service orchestrator
• 100s of customers in large global ENTs and SPs
• Automation Use-cases: existing and NGN
• Provides DIY capabilities
• Pre-built packages (aka Core Function Packs)
NSO Core Function Pack (CFP)
NSO Core Function Packs (CFPs) accelerate automation and service to market speed with Cisco developed and supported prebuilt onboarding and configuration packages.
End to End Service Orchestration: NSO
(Diagram: northbound CLI, REST and UI into NSO; southbound NETCONF, CLI and REST to vManage, ACI and other Controllers, EMS ..; managing Physical Networks and Virtual Networks)

End to End Service Orchestration: NSO
(Diagram: as above, with NSO split into Service Models and Device Models)
End to End Service Orchestration: Layered Services Architecture (LSA)
(Diagram: Customer facing Services (CFS) with high-level Service Models on top of multiple Resource facing Services (RFS))
NSO SDWAN Core Function Pack (CFP)

NSO Core Function Packs (CFP)
(Diagram: Cisco Network Services Orchestrator with SD-WAN CFP, SD-WAN + vBranch CFP, NFVO CFP and Custom CFP / Service Model)
• Ready-made implementations for specific features: NFVO, ENFV, SD-WAN, SAE
• Productized, TAC supported
NSO SD-WAN CFP: Control plane events
(Diagram: controllers in the DC, CA server)
1 Create vManage, vBond, vSmart with day0 config file & apply rootcerts
2 Generate CSR for vManage
3 Generate CSRs for vBond, vSmart and add (configure) on vManage
4 Sign CSR (CA server)
5 Install signed Certificates on Controllers
6 SD-WAN Control Plane up
NSO SD-WAN CFP: WAN Edge events
(Diagram: controllers in the DC, ENCS at Site 1)
1 Upload Edge SN to vManage
2 Get list of un-used Edges
3 Instruct vManage to generate bootstrap (day0) config file
4 Get Bootstrap config file
5 Create Edge + VMs with day0 config
6 Edge to SD-WAN controllers + sync
Managed Services Accelerator (MSX)

Orchestration and more?
(Diagram: MSX components Identity Mgmt, Device Mgmt, Data Platform, Billing, Catalog System, Message Handler, UI Frontend, Service Lookup; orchestrating a Virtualized CPE at Site 1 and the DC)
MSX Platform
(Diagram: UI / API and OSS / BSS Integration on top of the MSX Platform; service packs IOT, SDA, Branch NFV, SDWAN, SPN, SP DC NFV, Cloud, Meraki, Umbrella, Collab; platform components Identity Mgmt, Device Mgmt, Data Platform, Billing, Catalog System, Message Handler, UI Frontend, Service Lookup)
MSX Platform
(Diagram: SP OSS/BSS over MSX Tenant 1 to Tenant 4; MSX vBranch (ENCS) hosting WAN Edge, ASAv, FTDv and 3rd Party VNFs; Cisco SD-WAN Controllers in the Data Center (DC); Viptela SD-WAN Fabric over MPLS, INET and 4G; Sites WAN Edge (vEdge/cEdge); vEdge in Public Cloud)
1 MSX Multi-tenancy, SD-WAN Controller on-boarding
2 Public Cloud, MSX on-boarding
3 MSX vBranch support, WAN Edge VNFs
4 MSX OSS/BSS APIs (MSX micro-service)
Programmability & Automation of Cisco SD-WAN

Programmability
• Fault Mgmt / operations
• Native APIs
• Ansible
• Scripting (Python)
Native APIs
https://vManageIP:8443/apidocs
(Diagram: OSS/BSS uses the REST API of vManage, which in turn manages the vSmarts and vBond)
Programmability – Ansible
Ansible
• Ease of use, config mgmt. & IT automation tool
• Agentless
• Run tasks sequentially
• Idempotent
Role functions (against vManage, vSmarts, vBond)
• Add Controllers
• Set Organization Name
• Set vBond
• Set Enterprise Root CA
• Get Controller CSR
• Install Controller Certificate
• Install Serial File
• Export Templates
• Import Templates
• Add/Change/Delete Templates
• Attach Templates
• Export Policy
• Import Policy
• Add/Change/Delete Policy
• Activate Policy
• Get Template facts
• Get Device facts
References
• DEVNET main page: https://developer.cisco.com/sdwan/
• DEVNET DevOps: https://github.com/CiscoDevNet/sdwan-devops
• Ansible with SD-WAN: https://github.com/CiscoDevNet/ansible-viptela
• Python SDK: https://github.com/CiscoDevNet/python-viptela
MPLS & Campus Interworking

Existing IP/MPLS network
(Diagram: Centralized Controllers (vBond, vSmart, vManage) plus Regional vBond, vSmart; EMEA, US/NA and APJC Regions attached over MPLS and INET to the SP Core (IP/MPLS) with Regional Hub Site(s); Full Mesh IPSec in Region; Choice of WAN Edge based upon scalability, performance ...)
Existing IP/MPLS network
(Diagram: same regional layout; OMP inside each region, BGP/MPLS towards the SP Core)
1) BGP/MPLS Peering at the Regional Hub Site(s)
2) End to End SD-WAN
SDA Campus & SD-WAN network (ROADMAP)
(Diagram: SDA Campus site and SDA Branch, each an SDA Fabric with Border (B) and Control plane (C) nodes running LISP / BGP over VXLAN, interconnected through the SD-WAN Fabric running OMP over IPSec)
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you