Cisco Certified Internetwork Expert Enterprise Infrastructure v1.0
www.orhanergun.net

Cisco SD-WAN
CCIE Enterprise Infrastructure

Section-1: Cisco SD-WAN
Chapter-1: Introduction

Why SD-WAN?
• The traditional WAN is not capable of handling today's application and WAN requirements.
• Adoption of services like SaaS (Software as a Service) and IaaS (Infrastructure as a Service).
• Exposing an enterprise to the internet can introduce threat and compliance issues.
• Limited application visibility and limited understanding of the network.
• Expensive WAN circuits with limited features.

Value Proposition of the SD-WAN Solution
• Increasing bandwidth by activating idle backup links and load-balancing dynamically across them
• Delivering faster cloud access by enabling direct internet access at the branch
• Reducing operational and management costs through centralized management, which is commonly cloud-based
• Lowering WAN costs by using cheaper internet or LTE connectivity as an alternative to MPLS

What is SD-WAN?
• SD-WAN (Software Defined WAN) is an acronym derived from SDN (Software Defined Network).
• SD-WAN simplifies the WAN challenges of today's network and application requirements by providing application visibility and a single pane of glass for management, with automation features like PnP (Plug and Play) or ZTP (Zero Touch Provisioning).
• The concept is similar to how software-defined networking applies virtualization technology to improve data center management and operation.
• Advanced application optimization
• Multi-layered security
• Simplicity at enterprise scale

Lots of buzzwords! Which one is SD-WAN?

Cisco SD-WAN Cloud Scale Architecture

Components and Architecture of Cisco SD-WAN
• The Cisco SD-WAN solution is a cloud-delivered Wide Area Network (WAN) overlay architecture that extends the principles of software-defined networking (SDN) into the WAN.
• Cisco SD-WAN is broken into four parts:
  • Data Plane
  • Control Plane
  • Management Plane
  • Orchestration Plane

Components and Architecture of Cisco SD-WAN
• Cisco SD-WAN consists of four main components:
  • vManage
  • vBond
  • vSmart
  • vEdge or WAN Edge

vManage
• In the Management Plane, vManage represents the user interface of the solution.
• Network administrators and operators perform configuration, provisioning, troubleshooting, and monitoring activities here.
• vManage provides a single pane of glass for management of all the SD-WAN components.

vBond
• Cisco vBond resides in the Orchestration Plane.
• The vBond controller is largely responsible for the Zero-Touch Provisioning process as well as first-line authentication, control/management information distribution, and facilitating Network Address Translation (NAT) traversal.
• vBond is responsible for onboarding devices into the SD-WAN fabric.

Cisco vSmart
• Cisco vSmart is the "brain" of the solution and exists within the Control Plane.
• As policies are created on vManage, vSmart is the component responsible for enforcing these policies centrally.
• Routing decisions are made by vSmart only; it acts like a BGP route reflector (RR) for propagating routes using OMP (Overlay Management Protocol).

Cisco WAN Edge or vEdge
• The WAN Edge sits in the Data Plane and is used for forwarding.
• Cisco WAN Edge routers come in multiple forms, virtual and physical.
• The WAN Edge routers form Internet Protocol Security (IPsec) tunnels with each other to form the SD-WAN overlay.

Cisco SD-WAN Fabric Components

Control plane redundancy
• Orchestration-level redundancy is achieved by having one DNS name (FQDN) resolve to multiple IP addresses representing different vBond controllers.

Data plane redundancy
• Data plane redundancy is achieved on multiple levels. It starts with site redundancy, making sure that clients on the LAN side use protocols like Virtual Router Redundancy Protocol (VRRP) or routing protocols such as BGP, OSPF, or EIGRP.
Platforms
• The Cisco SD-WAN solution can be deployed on a number of different platforms, commonly called WAN Edge routers, which are available in different form factors. The WAN Edge routers can be used in the branch, campus, data center, public cloud, or a private cloud such as a co-location facility.

Hardware platforms
• Cisco vEdge (formerly Viptela vEdge) routers running Viptela OS
• Integrated Services Router (ISR) 1000 and 4000 Series running IOS XE SD-WAN software
• Aggregation Services Router (ASR) 1000 Series running IOS XE SD-WAN software

Virtual platforms
• Cloud Services Router (CSR) 1000v running IOS XE SD-WAN software
• vEdge Cloud Router running Viptela OS

Platforms

Cloud
• Cisco SD-WAN offers a seamless way of connecting to applications in the cloud and extending the network to the cloud from any site, including the data center (DC), hub, or branch.
• Using Cloud onRamp for Software as a Service (SaaS), connectivity to certain SaaS-based applications, such as Salesforce or Office 365, is optimized by choosing the best available path.
• The Cisco SD-WAN solution helps automate connectivity between workloads in the public cloud and the branch or the DC.

Security
• The Cisco SD-WAN architecture provides strong security for control plane, data plane, and management plane operations.
• To let SD-WAN branches have Direct Internet Access (DIA) without depending on another device or solution for security, strong threat defense mechanisms are built into the WAN Edge router.

Security Features on the WAN Edge
• The following threat defense features are available on the WAN Edge router:
  • Stateful application firewall
  • IPS/IDS
  • URL filtering
  • Cisco Advanced Malware Protection (AMP) and ThreatGRID
  • Cisco Umbrella
  • Tunneling to secure internet gateways in the cloud

Management and operations
• The key benefits of the Cisco SD-WAN solution are automated management and simplified operations.
• Cisco vManage offers a single pane of glass for all management, monitoring, and troubleshooting aspects of the Cisco SD-WAN solution.
• Cisco vManage exposes a rich set of REST APIs that can operate the entire Cisco SD-WAN solution.
• Cisco vAnalytics offers an additional SaaS-based service that provides more information about network health and availability, application performance and anomalies, and forecasting of network and application utilization for better capacity planning.

Chapter-2: Cisco SD-WAN Planes

Control Plane

OMP (Overlay Management Protocol)
• OMP works like BGP in traditional routing.
• Exchanges routing information via vSmart.
• vSmart acts like a BGP RR.
• All WAN Edges build their OMP session with vSmart only.

TLOC (Transport Locator)
• TLOC, the Transport Locator, is used to identify a transport path.
• TLOC replaces the next-hop information.
• One WAN Edge can be configured with up to 8 colors.
• A TLOC entry consists of the following items:
  • System IP
  • Color
  • Encapsulation protocol
    • GRE
    • IPsec

[Diagram: two WAN Edges, each with interface E0 (color MPLS) and E1 (color INET), connected over the MPLS and INET transports]

Types of Route
• OMP Route
• TLOC Route
• Service Route

vRoute or OMP Route
• An OMP route provides the reachability of a destination prefix along with the TLOC information.
• It is shared via vSmart in an OMP update.
• An OMP route contains the following information:
  • Destination prefix
  • TLOC
  • Prefix attributes

[Diagram: the vRoute or OMP route for 10.1.1.0/24 is learned from WAN Edge 2 via vSmart using the OMP protocol]

TLOC Route
• It provides the further TLOC reachability information to the WAN Edge.
• The WAN Edge does a recursive lookup here: first it looks up the OMP route to get the TLOC information for the destination prefix, and then it looks up the TLOC route to get the reachability of the destination WAN Edge based on the TLOC received from the OMP route.
• Only once the WAN Edge has both the OMP route and the TLOC route will it establish the IPsec VPN with the respective WAN Edge.
• A TLOC route contains the following information:
  • TLOC
  • WAN IP
  • Attributes

Service Route
• It contains information about the reachability of a service device (firewall, load balancer, or IPS/IDS).
• The WAN Edge that is connected to any of these devices generates the service route.

Service Routes

Data Plane

VPN
• VPNs play a major role in SD-WAN data plane operations.
• A VPN is the equivalent of a VRF on Viptela hardware.
• VPNs can be configured only by number, not by name, unlike VRFs.
• Each VPN has its own routing table.
• Two VPNs are configured by default:
  • VPN 0
  • VPN 512

[Diagram: VPN 0, VPN 512, and the service VPNs VPN 1 to VPN n on a WAN Edge]

VPN 512
• Configured by default.
• Used for out-of-band management only.
• Equivalent to the default management VRF.
• Only used for management traffic.

VPN 0
• VPN 0 is known as the Transport VPN.
• Used to initiate and terminate IPsec VPNs.
• All transport interfaces should be configured under VPN 0.
• Used as the front-door VRF for terminating VPN traffic.
• The System IP is part of VPN 0 by default.
• Used for communication with the other controllers.
• Can secondarily be used for management and control traffic as well.

VPN 1 to VPN n
• All VPNs from VPN 1 up to the VPN limit are known as Service VPNs.
• Used as regular VRFs on the WAN Edge devices for communicating with LAN-side services.
• All traffic originating from a Service VPN carries a VPN tag and is sent through the same IPsec tunnel between the WAN Edge devices.
• The VPN tag is used on the destination WAN Edge to land the traffic in the appropriate VPN.

IP Security (IPsec)
• IPsec is a framework of protocols for security at the network (packet processing) layer of network communication.
• IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data.
• The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP protocol.

IPsec VPN
• IPsec tunnels are configured between all the WAN Edges in a full-mesh manner by default.
• One IPsec tunnel carries the traffic of multiple VPNs.
• AES is the encryption type used by default.

IPsec Key Exchange
• For scalability, SD-WAN does not use IKE (either IKEv1 or IKEv2) for key exchange between the WAN Edges.
• WAN Edges use their DTLS/SSL secure channel with vSmart for the key exchange process.
• All the WAN Edges share their keys with vSmart in OMP updates, and vSmart is responsible for distributing the keys.

Bidirectional Forwarding Detection (BFD)
• BFD probes are sent by all the WAN Edges to the other WAN Edges through all the transports.
• BFD probes are sent over the IPsec tunnel.
• BFD probes confirm TLOC reachability; if the BFD probes fail, that TLOC is considered invalid.
• BFD probes are also used for checking the circuit quality, by measuring the following parameters:
  • Drop counts
  • Jitter
  • Latency
  • Bandwidth

Management Plane

Device Templates
• vManage is used for the management plane and for pushing configuration to the WAN Edges.
• A device template is a combination of multiple feature templates.
• Feature templates are used to enable specific global configuration on the WAN Edge device.
• The other half of the configuration, apart from templates, is policy.

Types of Policy in SD-WAN
• Centralized Control Policy
• Centralized Data Policy
• Localized Control Policy
• Localized Data Policy

Centralized Control Policy
• It is a central policy and is defined on vSmart.
• It defines how routing (route learning and advertisement) takes place in SD-WAN through vSmart.
• Similar to a route-map in traditional routing.
• It also defines the topology between the WAN Edges (by default it is a full mesh).
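The recursive lookup described in the Control Plane section (OMP route gives the TLOC, TLOC route gives the remote WAN IP) together with the BFD rule above (a TLOC whose probes fail is invalid), as an added illustration over constructed control-plane state; this is not Viptela/Cisco code, and the System IPs, colors and WAN addresses are made up.

```python
"""Recursive route lookup on a WAN Edge: OMP route -> TLOC -> TLOC route ->
remote WAN IP, skipping any TLOC whose BFD session is down.  Added example
over constructed state; not code from the SD-WAN product."""
import ipaddress
from collections import namedtuple

# A TLOC is identified by the remote WAN Edge's System IP, its color and its encapsulation.
Tloc = namedtuple("Tloc", "system_ip color encap")

# --- Constructed state, as it would be learned from vSmart in OMP updates ---
# OMP routes: destination prefix -> TLOCs advertising it.  WAN Edge 2
# (System IP 10.255.0.2) has an MPLS and an INET transport, so 10.1.1.0/24 is
# reachable via two TLOCs; WAN Edge 3 has MPLS only; WAN Edge 4's TLOC route
# has not been learned yet.
OMP_ROUTES = {
    "10.1.1.0/24": [Tloc("10.255.0.2", "mpls", "ipsec"),
                    Tloc("10.255.0.2", "inet", "ipsec")],
    "10.2.0.0/16": [Tloc("10.255.0.3", "mpls", "ipsec")],
    "10.3.0.0/16": [Tloc("10.255.0.4", "mpls", "ipsec")],
}
# TLOC routes: TLOC -> WAN-side address on which the IPsec tunnel terminates.
TLOC_ROUTES = {
    Tloc("10.255.0.2", "mpls", "ipsec"): "192.0.2.2",
    Tloc("10.255.0.2", "inet", "ipsec"): "198.51.100.2",
    Tloc("10.255.0.3", "mpls", "ipsec"): "192.0.2.3",
}


def all_tlocs(omp_routes):
    """Every TLOC referenced by any OMP route (handy for building BFD state)."""
    return {t for tlocs in omp_routes.values() for t in tlocs}


def longest_prefix_match(dst, omp_routes):
    """Return the most specific OMP prefix covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix in omp_routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def resolve_next_hops(dst, omp_routes, tloc_routes, bfd_state):
    """Return [(tloc, wan_ip)] usable for dst (several entries when more than
    one color is up), or [] when no tunnel can be used.  bfd_state maps a
    remote TLOC to "up"/"down" (simplified to one BFD session per remote TLOC)."""
    prefix = longest_prefix_match(dst, omp_routes)
    if prefix is None:
        return []                                  # no OMP route at all
    hops = []
    for tloc in omp_routes[prefix]:
        if bfd_state.get(tloc) != "up":            # BFD failure -> TLOC invalid
            continue
        wan_ip = tloc_routes.get(tloc)             # second (recursive) lookup
        if wan_ip is None:                         # OMP route but no TLOC route -> no tunnel
            continue
        hops.append((tloc, wan_ip))
    return hops


if __name__ == "__main__":
    bfd = {t: "up" for t in all_tlocs(OMP_ROUTES)}
    print("all up:   ", resolve_next_hops("10.1.1.10", OMP_ROUTES, TLOC_ROUTES, bfd))
    bfd[Tloc("10.255.0.2", "mpls", "ipsec")] = "down"   # MPLS probes to WAN Edge 2 fail
    print("MPLS down:", resolve_next_hops("10.1.1.10", OMP_ROUTES, TLOC_ROUTES, bfd))
    print("no TLOC route:", resolve_next_hops("10.3.1.1", OMP_ROUTES, TLOC_ROUTES, bfd))
```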
Centralized Data Policy
• This policy is used to match data packets based on IP address and port.
• It can be used like an ACL in traditional routing.
• It is managed by vSmart and downloaded to the WAN Edge.
• It is used to match QoS parameters.
• It can also be used to change the next hop of a packet.
• It can be applied to incoming packets on the Transport VPN as well as on Service VPNs.

Localized Control Policy
• This policy is stored locally on the WAN Edge router.
• It is used for manipulating or filtering routing information.
• It is mainly used for the routing information configured on the service-side VPN.
• It works as a filter list or route-map for the routing protocol (OSPF or BGP) configured on the service VPN (interface).

Localized Data Policy
• This policy is similar to the Centralized Data Policy but is stored locally on the WAN Edge.
• It is also used for matching data packets, but mainly for QoS deployment.
• It can be applied to an individual interface, unlike the Centralized Data Policy, which is applied on a per-VPN basis.

Chapter-3: SD-WAN Features

SD-WAN Orchestrator
• The Service Orchestrator provides the service management of the SD-WAN service lifecycle, including service fulfillment, performance, control, assurance, usage, analytics, security, and policy.
• For example, the Service Orchestrator is responsible for configuring the end-to-end SD-WAN managed service between SD-WAN Edges and SD-WAN Gateways over one or more underlay WANs (e.g., Internet and MPLS), and for setting up application-based forwarding over the WANs based on security, QoS, business, or intent-based policies.

SD-WAN Gateway
• The SD-WAN Gateway is a special case of an SD-WAN Edge that also enables sites interconnected via the SD-WAN to connect to other sites interconnected via alternative VPN technologies, e.g., CE or MPLS VPNs.

SD-WAN Gateway
• There are two ways to deliver an SD-WAN service to sites connected via another VPN service.
• One way requires an SD-WAN Edge to be placed at each subscriber site connected to the VPN service so that SD-WAN tunnels can be created over the VPN.

SD-WAN Gateway
• Another way is to use an SD-WAN Gateway.
• In this scenario, an SD-WAN Gateway initiates and terminates the SD-WAN tunnels like an SD-WAN Edge, and also initiates and terminates VPN connections to and from the sites interconnected by the VPN.
• This approach enables sites interconnected via SD-WAN and via other VPN technology domains to intercommunicate.

SD-WAN Gateway
• This approach does not require SD-WAN Edges to be placed at each VPN site to achieve interconnectivity.
• However, SD-WAN service capabilities such as application-based traffic forwarding over multiple WANs or QoS and security policy management will not be available at the MPLS VPN sites, because they do not have the SD-WAN Edges that perform these functions.

SD-WAN Web Portal
• The Subscriber Web Portal is added to the enterprise's existing managed services portal.
• It works in conjunction with the Service Orchestrator to monitor the SD-WAN as a service.
• The MSP or CSP typically integrates the Subscriber Web Portal for the SD-WAN managed service into the existing customer portal used for their other managed services.

SD-WAN Key Characteristics
1. The ability to support multiple connection types, such as MPLS, last-mile fiber optical networks, or high-speed cellular networks, e.g., 4G LTE and 5G wireless technologies.
2. The ability to do dynamic application-aware path selection, for load sharing and resiliency purposes.
3. A simple interface that is easy to configure and manage.
4. The ability to support VPNs and third-party services such as WAN optimization controllers, firewalls, and web gateways.
SD-WAN – Dynamic Path Selection
• This feature ensures that traffic uses the best path depending on the business need, for example for mission-critical and delay-sensitive applications.

SD-WAN – Dynamic Path Selection
• An SD-WAN solution requires a path selection/control mechanism that allows each application to switch its path dynamically, in real time, in response to network conditions, rather than sticking to one particular underlay!

SD-WAN – Simpler Management Compared to Legacy WAN
• The GUI provides simpler management, reduced troubleshooting time, mass deployment and updates, centralized monitoring, and so on.
Source: VeloCloud SD-WAN

SD-WAN – WAN Optimization – Security and Other Services
• WAN optimization accelerates application traffic by overcoming latency and reducing the amount of data traversing the WAN, applying techniques like deduplication, compression, and caching to dramatically increase the amount of available bandwidth.
• Most SD-WAN implementations offer a way to encrypt your branch-to-branch corporate traffic using IPsec, which protects the data in transit.
• Because most SD-WAN vendors offer IPsec, it is common to think that SD-WANs are inherently secure.

SD-WAN – WAN Optimization – Security and Other Services
• It is true that IPsec protects the data as it traverses the network.
• But it has no impact on DDoS protection, man-in-the-middle attacks, or malware for direct branch-to-cloud traffic.
• Centralized security control should be rethought when it comes to SD-WAN security.
Source: ARYAKA

SD-WAN – WAN Optimization – Security and Other Services
• For example, you still need stateful firewall capabilities between the public Internet and your WAN Edge device to grant or
deny access.

SD-WAN – WAN Optimization – Security and Other Services
• Most NGFWs also come with a variety of UTM functions, including intrusion detection and prevention (IDS/IPS), quarantining or otherwise deflecting detected malware, and web filtering, which knows about risky Internet sites and prevents your users from visiting them.

SD-WAN – WAN Optimization – Deduplication and Compression
• Deduplication analyzes blocks of data, looking for repetition.
• It replaces multiple copies of data with references to a single, compressed copy, thereby reducing the amount of capacity needed.

SD-WAN – WAN Optimization – Deduplication and Compression
• Data deduplication (dedupe) provides storage savings by eliminating redundant blocks of data.
• Storage capacity reduction is accomplished only when there is redundancy in the data set.

SD-WAN – WAN Optimization – Deduplication and Compression
• Data compression reduces the number of bits required to represent the information.
• Compressing large files into smaller bits allows users to store more data, and it also makes data transmission much quicker and easier.
• Compressed data must be decompressed so that the original data can be extracted; the amount by which a document is compressed is measured by the compression ratio.

SD-WAN – WAN Optimization – Deduplication and Compression
• Unlike deduplication, compression is not concerned with whether a second copy of the same block exists; it simply wants to store the most efficient block on the storage.
• Examples of common file-level compression that we use in our day-to-day lives include MP3 audio and JPG image files.

SD-WAN – WAN Optimization – How Data Compression Works?
• Entropy encoding is one of the techniques for compression.
• You might start with a string like: AABCABBCABACBAAACBCCAABAAACBAA
• You might notice that some letters appear more than others: A appears about 2x as often as B and C, and the other letters don't appear at all.
• Using that information, you can choose an encoding that represents the characters in the string with less information, e.g., A may be encoded using binary 0, while B and C are assigned 10 and 11 respectively. If you were originally using 8 bits per character, that is a big saving.

SD-WAN – WAN Optimization – How Data Compression Works?
• Another encoding scheme is run-length encoding.

SD-WAN – WAN Optimization – Security and Other Services
• Packet loss occurs when network congestion or problems in the physical infrastructure cause packets to be lost during transmission.
• It is expressed as a percentage of packets.

SD-WAN – WAN Optimization – Security and Other Services
• Packet loss is addressed by some WAN optimization appliances using forward error correction (FEC), which allows receiving stations to automatically regenerate lost packets without requiring retransmission.
• Let's have a look at Forward Error Correction.

SD-WAN – Forward Error Correction
• For some applications it is necessary to have good error protection.
• Sometimes it is impossible for the receiver to communicate back with the sender to check for errors in the received packets.

SD-WAN – Forward Error Correction
• Some algorithms are made for this kind of situation, for example in multiple-receiver communication.
• They use forward error correction, which is based on the addition of redundant bits to the bit stream of data.

SD-WAN – Good-to-have capabilities with SD-WAN
• Some of these features may be good to have for some companies and must-haves for others, depending on the application requirements and constraints:
• Quality of Service, Zero Touch Deployment, Global Coverage, Vendor POC support, Cloud Enablement

SD-WAN – Quality of Service
• Internet connectivity is one of the cheapest and most widely available bandwidth options.
• However, when it comes to building a corporate wide area network (WAN), Internet connectivity is still not seen as a reliable medium for important business data.

SD-WAN – Quality of Service
• Quality of service (QoS) refers to the ability of a network to provide higher levels of service using traffic prioritization and control mechanisms.

SD-WAN – Quality of Service
• Some SD-WAN vendors market their Forward Error Correction (FEC) and Dynamic Path Selection/Control features as QoS, but they are not QoS mechanisms.
• Although these features improve network performance, they shouldn't be marketed as QoS features!
• Some SD-WAN vendors support traffic shaping, rate limiting, and policing as QoS features as well.

SD-WAN – Quality of Service
• QoS simply prioritizes some traffic and punishes the rest!

SD-WAN – Zero-touch Deployment/Provisioning
• With this capability, IT teams can bring up services without needing to interact with the physical equipment, resulting in fast and efficient deployment of services.
• ZTP can be found in switches, wireless access points, SD-WAN nodes, NFV platforms, firewalls, and many other networking devices.
• Not all ZTP implementations are truly "zero touch" though, so sometimes you will also come across terms like "minimal touch provisioning" or "one touch provisioning".

SD-WAN – Global Coverage
• If your business requires international connectivity, you may need to analyze the provider's point-of-presence (POP) coverage to understand the effect on application performance.
• Certain providers and vendors operate a significant global network presence that includes specific POPs for both private and internet traffic.
• SD-WAN features are focused on application performance, but latency and jitter challenges can arise when deploying international services.

SD-WAN Vendor POC Support
• A proof of concept for SD-WAN is an excellent way to understand and verify the capabilities of an SD-WAN offering.
• Some vendors offer demo hardware for a period of time, often with presales resources to assist with the configuration.

SD-WAN Cloud Connection
• Some SD-WAN products have the ability to program "cloud breakout" based on applications, allowing direct access to trusted sites (like SalesForce.com) while tunneling traffic to unknown sites to either cloud-based or centrally based inspection services.
• This improves productivity, minimizes unnecessary inspection of trusted traffic, and provides better security than traditional hub-and-spoke MPLS solutions.

SD-WAN Cloud Connection – SaaS
• Enterprises today face major user experience problems for SaaS applications because of networking problems.
• The centralized Internet exit architecture can be inefficient and results in poor SaaS performance.
• Branch sites are running out of capacity to handle Internet traffic, which is a concern because more than 50% of branch traffic is destined for the cloud.

SD-WAN Cloud Connection – SaaS
• Common network designs consolidate application and service controls at centralized DMZs and data centers.
• As a result, enterprise traffic destined for the Internet or public clouds must be backhauled through a centralized DMZ facility.
• This causes the traffic to trombone or hairpin, creating an inefficient route that increases the distance between the user and the application.
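The entropy-coding and run-length-encoding ideas from the "How Data Compression Works?" slides, carried through on the deck's own sample string: a prefix code is built from the letter frequencies, the string is encoded and decoded, and the compression ratio is compared with run-length encoding. This is an added illustration, not code from any WAN-optimization product; which of B and C receives 10 versus 11 depends on tie-breaking, but the codeword lengths match the slide.

```python
"""Huffman (entropy) coding and run-length encoding on the slide's sample
string, with compression ratios.  Added example; not product code."""
import heapq
from collections import Counter
from itertools import count

# The sample string from the slides: 30 characters, 8 bits each when stored as text.
SAMPLE = "AABCABBCABACBAAACBCCAABAAACBAA"


def huffman_code(text):
    """Return a prefix-free {symbol: bitstring} map built from symbol frequencies
    (Huffman's algorithm: repeatedly merge the two least frequent subtrees)."""
    freq = Counter(text)
    if len(freq) == 1:                      # one symbol only: a single bit suffices
        return {next(iter(freq)): "0"}
    tie = count()                           # makes the heap ordering total and deterministic
    heap = [(f, next(tie), {sym: ""}) for sym, f in sorted(freq.items())]
    heapq.heapify(heap)
    while len(heap) > 1:
        f1, _, left = heapq.heappop(heap)
        f2, _, right = heapq.heappop(heap)
        merged = {s: "0" + c for s, c in left.items()}        # left subtree: leading 0
        merged.update({s: "1" + c for s, c in right.items()}) # right subtree: leading 1
        heapq.heappush(heap, (f1 + f2, next(tie), merged))
    return heap[0][2]


def encode(text, code):
    return "".join(code[ch] for ch in text)


def decode(bits, code):
    """Walk the bitstring and emit a symbol each time a complete codeword is seen;
    this is unambiguous only because the code is prefix-free."""
    reverse = {c: s for s, c in code.items()}
    out, cur = [], ""
    for b in bits:
        cur += b
        if cur in reverse:
            out.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a codeword")
    return "".join(out)


def run_length_encode(text):
    """Collapse each run of identical characters into a (char, run_length) pair."""
    runs = []
    for ch in text:
        if runs and runs[-1][0] == ch:
            runs[-1] = (ch, runs[-1][1] + 1)
        else:
            runs.append((ch, 1))
    return runs


def report(text, bits_per_char=8):
    """Bit counts for the raw text, the Huffman bitstream and RLE stored as
    (char, count) byte pairs, plus the compression ratio (raw / compressed)."""
    code = huffman_code(text)
    raw = len(text) * bits_per_char
    huff = len(encode(text, code))
    rle = len(run_length_encode(text)) * 2 * bits_per_char
    return {"raw_bits": raw, "huffman_bits": huff, "rle_bits": rle,
            "huffman_ratio": raw / huff, "rle_ratio": raw / rle}


if __name__ == "__main__":
    print("code:", huffman_code(SAMPLE))        # one 1-bit and two 2-bit codewords
    print("sample:", report(SAMPLE))            # RLE expands this input: its runs are short
    print("long runs:", report("A" * 20 + "B" * 10))   # here RLE pays off
```

Running it shows the point the slides make about choosing the scheme for the data: the sample string shrinks from 240 to 45 bits under the entropy code but grows to 336 bits under RLE, while a string of two long runs is where RLE shines.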
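Forward error correction as described in the FEC slides, in its simplest packet-level form: each group of k data packets is sent with one redundant parity packet (the XOR of the k), so the receiver can rebuild any single lost packet of the group without asking for a retransmission. This is an added illustration with constructed packets, not a vendor's FEC implementation; real appliances use stronger codes, and the group size k is a tunable trade-off between overhead and protection.

```python
"""Single-parity packet FEC: sender adds one XOR parity packet per group of k
packets; receiver rebuilds at most one lost packet per group.  Added example
with constructed packets; not product code."""


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def add_parity(group):
    """Sender side: return the k equal-length data packets followed by their parity."""
    size = len(group[0])
    if any(len(p) != size for p in group):
        raise ValueError("this toy scheme assumes fixed-size packets")
    parity = bytes(size)
    for p in group:
        parity = xor_bytes(parity, p)
    return list(group) + [parity]


def losses_recoverable(received):
    """True if the group (None marks a dropped packet) has at most one loss."""
    return sum(p is None for p in received) <= 1


def recover(received):
    """Receiver side: 'received' holds the k+1 packets of a group in order, with
    None for each packet the network dropped.  Returns the k data packets;
    raises if more than one packet was lost, which single parity cannot cover."""
    if not losses_recoverable(received):
        raise ValueError("more than one packet lost; single-parity FEC rebuilds at most one")
    packets = list(received)
    missing = [i for i, p in enumerate(packets) if p is None]
    if missing:
        present = [p for p in packets if p is not None]
        rebuilt = bytes(len(present[0]))
        for p in present:                        # XOR of all the others equals the lost one
            rebuilt = xor_bytes(rebuilt, p)
        packets[missing[0]] = rebuilt
    return packets[:-1]                          # strip the parity packet


def overhead(k):
    """Extra bandwidth the scheme costs: one parity packet per k data packets."""
    return 1 / k


if __name__ == "__main__":
    data = [b"voice-frame-0001", b"voice-frame-0002",
            b"voice-frame-0003", b"voice-frame-0004"]       # constructed payloads
    sent = add_parity(data)
    received = list(sent)
    received[2] = None                           # constructed loss of the third packet
    print("recovered:", recover(received) == data)
    received[0] = None                           # a second loss in the same group
    print("recoverable:", losses_recoverable(received), "overhead:", overhead(len(data)))
```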