3. User and Application Landscape is Changing
Change in app content: rich, dynamic, web-based
Change in app delivery: cloud, SaaS, virtualized
Change in app consumption: mobile, diverse devices
Internet Edge Is Moving to the Branch
Applications Are Moving to the Cloud
Figure: head office, branch, mobile and guest users reach the DC/vDC, IaaS and SaaS over Internet, MPLS and 4G transports.
4. Architectural Constraints
SOFTWARE DEFINED: True separation of control, data
and management
CLOUD: Cloud hosted and delivered
APPLICATION AWARE: Visibility & SLA business intent
policy enforcement
SCALE AND FLEXIBILITY: True enterprise scale
SECURITY: Ingrained authentication, encryption,
segmentation, access controls & service chaining
OPEN: for automation, orchestration,
best-of-breed integration
Challenges: application bandwidth requirements, cloud consumption, disjointed security, simplified operations, WAN flexibility, time to capability.
Enabling a seamless transition from traditional WAN to SD-WAN: a secure WAN fabric over broadband, 4G/LTE and MPLS, with zero-touch provisioning and zero-trust security.
5. Traditional Networks
Control and data plane on the same devices
Peer-to-peer control plane
Routing protocol state is propagated to every peer (N^2 complexity)
Localized management
Complex to manage
Not scalable
Impossible to support multiple transports
6. SD-WAN Principles
Figure: vEdge routers connected over 4G/LTE, MPLS1, MPLS2 and Internet transports.
• Separation of control and data plane
• DTLS/TLS is used to establish the control channel
• The control channel is established only with the central controllers
• No scaling issues, unlike a full-mesh control plane
• The control channel does not have to follow the data path
7. Cisco SD-WAN Architecture
Control Plane
(Containers or VMs)
Data Plane
(Physical or Virtual)
Management Plane
(Multi-tenant or Dedicated)
Orchestration Plane
Figure: vManage (management), vSmart (control), vBond (orchestration) and analytics, exposed through an API; vEdge routers at the data center, campus, branch and home office connect over 4G, Internet and MPLS.
8. Cisco SD-WAN Solution Elements
vEdge routers: ubiquitous data plane over 4G/LTE, MPLS and Internet
vSmart, vManage and vBond: secure control plane
Controllers hosted on-premises, in the Cisco cloud or in a partner cloud
10. Zero-Trust Security Principles
Control tunnel: DTLS/TLS
Strong authentication
- PKI certificates (X.509), 2048-bit keys
Encrypted tunnels
- DTLS/TLS with AES-256
- White-list model: only known, authorized devices join the fabric
Ubiquitous deployment
- Automatic NAT traversal
Control elements authenticate with X.509 certificates
11. Secure Bring-up With Approval
• Per-device control on TPM identity trust
• Single stage (Zero Touch Provisioning) – TPM identity is automatically trusted
• Two stage (One Touch Provisioning) – TPM identity is not automatically
trusted. Requires administrator validation.
• Staging Mode – TPM identity is automatically trusted for control, but not for
data. Requires administrator validation.
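Controller-side admission logic for the white-list model and the three bring-up modes above, as an added example that is not Cisco or Viptela code. The serial and organization fields read from the device certificate, the authorized-device list and the mode names are this example's assumptions, and chain validation of the TPM-backed X.509 certificate is assumed to have happened before this check runs.

```python
"""Device admission for the bring-up modes described above.

Added example, not Cisco/Viptela code. Assumes the TPM-backed X.509
certificate has already been chain-validated; here we decide, from its
identity fields and the administrator's state, which planes may come up.
"""
from dataclasses import dataclass
from enum import Enum


class BringupMode(Enum):
    SINGLE_STAGE = "zero-touch"   # TPM identity trusted automatically
    TWO_STAGE = "one-touch"       # admin validation before any trust
    STAGING = "staging"           # control trusted, data held for validation


@dataclass(frozen=True)
class DeviceIdentity:
    serial: str       # serial carried in the device certificate (assumed field)
    org_name: str     # Organization (O=) of the certificate subject


@dataclass(frozen=True)
class Admission:
    control_plane: bool
    data_plane: bool
    reason: str


class Controller:
    """Holds the authorized-device list (the white-list) and admin decisions."""

    def __init__(self, org_name, authorized_serials):
        self.org_name = org_name
        self.authorized = set(authorized_serials)
        self.validated = set()    # serials an administrator has approved

    def validate(self, serial):
        """Administrator validation step of the two-stage and staging modes."""
        if serial not in self.authorized:
            raise ValueError(f"{serial} is not on the authorized list")
        self.validated.add(serial)

    def admit(self, ident, mode):
        # White-list model: a wrong organization or an unknown serial is refused
        # before any mode-specific trust is considered.
        if ident.org_name != self.org_name:
            return Admission(False, False, "organization mismatch")
        if ident.serial not in self.authorized:
            return Admission(False, False, "serial not on authorized list")
        if ident.serial in self.validated:
            return Admission(True, True, "validated by administrator")
        if mode is BringupMode.SINGLE_STAGE:
            return Admission(True, True, "TPM identity auto-trusted")
        if mode is BringupMode.TWO_STAGE:
            return Admission(False, False, "awaiting administrator validation")
        if mode is BringupMode.STAGING:
            return Admission(True, False, "staging: control plane only")
        return Admission(False, False, "unknown bring-up mode")


if __name__ == "__main__":
    ctrl = Controller("example-org", ["SN-0001", "SN-0002"])
    dev = DeviceIdentity("SN-0002", "example-org")
    print(ctrl.admit(dev, BringupMode.STAGING))
    ctrl.validate("SN-0002")
    print(ctrl.admit(dev, BringupMode.STAGING))
```

The organization and serial checks run before any mode is consulted, so a device that is not on the list gets nothing even in single-stage mode; staging mode is the only path that brings up the control plane while still withholding the data plane.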
12. End to End Security
Figure: Site 1 and Site 2 vEdge routers connected over several transports; the vSmart controllers, reached over the DTLS/TLS control plane, distribute IPsec security association updates; traffic towards one site is encrypted with that site's Key 1, traffic towards the other with its Key 2.
Data plane: IPsec AES256-GCM, ESPv3 with HMAC SHA-1
Symmetric encryption: IPsec AES256-GCM, ESPv3 with HMAC SHA-1
Traffic encryption and authentication header
Tunnel liveness detection (BFD)
Anti-replay protection
Rekey every 12 hours
Each vEdge advertises its local IPsec encryption key, which the controllers distribute to the remote vEdges
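The receive side of one tunnel, as an added example that is not Cisco or Viptela code: an RFC 4303 style anti-replay window over the ESP sequence number, and a vEdge that owns its local key, advertises a fresh one when the 12-hour interval expires, and keeps the previous security association for a short grace period so packets from peers that have not yet learned the new key are still accepted. The grace period, the use of a new SPI per key, and the reduction of key distribution through vSmart to a returned tuple are this example's assumptions; no real encryption is performed.

```python
"""Receive side of an IPsec tunnel: anti-replay window and 12-hour rekey.

Added example, not Cisco/Viptela code. Models the sliding window of
RFC 4303 over the ESP sequence number and a receiver that keeps the
previous SA briefly after advertising a new key. Key distribution via
vSmart is reduced to the advertise() return value (assumption).
"""
import os
from dataclasses import dataclass, field

REKEY_INTERVAL_S = 12 * 3600     # per the slide: rekey every 12 hours
REKEY_GRACE_S = 60               # assumption: keep the old SA this long after rekey


class AntiReplayWindow:
    """64-packet sliding window keyed on the 32-bit ESP sequence number."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set <=> sequence (top - i) already seen

    def check_and_update(self, seq):
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False                      # 0 is never transmitted in ESP
        mask = (1 << self.size) - 1
        if seq > self.top:                    # advance the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay, drop
        self.bitmap |= 1 << offset            # late but fresh: accept
        return True


@dataclass
class SecurityAssociation:
    spi: int
    key: bytes
    installed_at: float
    window: AntiReplayWindow = field(default_factory=AntiReplayWindow)


class ReceivingVEdge:
    """Owns the local key that remote vEdges use when encrypting towards it."""

    def __init__(self, now):
        self.current = self._new_sa(now, spi=1)
        self.previous = None
        self.previous_retired_at = None

    @staticmethod
    def _new_sa(now, spi):
        # Each new key gets its own SA, SPI and replay window (assumption)
        return SecurityAssociation(spi=spi, key=os.urandom(32), installed_at=now)

    def rekey_due(self, now):
        return now - self.current.installed_at >= REKEY_INTERVAL_S

    def advertise(self, now):
        """Generate a fresh local key; return (spi, key) for the controllers to distribute."""
        self.previous = self.current
        self.previous_retired_at = now + REKEY_GRACE_S
        self.current = self._new_sa(now, spi=self.previous.spi + 1)
        return self.current.spi, self.current.key

    def accept(self, spi, seq, now):
        """Select the SA by SPI, then apply that SA's own replay window."""
        if spi == self.current.spi:
            sa = self.current
        elif self.previous and spi == self.previous.spi and now < self.previous_retired_at:
            sa = self.previous
        else:
            return False                      # unknown or retired SA
        return sa.window.check_and_update(seq)


if __name__ == "__main__":
    w = AntiReplayWindow()
    print([w.check_and_update(s) for s in (1, 1, 5, 3, 3, 200, 100, 150)])
```

Two details matter in practice: the window belongs to the security association, not to the peer, so a rekey resets it cleanly instead of rejecting the new SA's low sequence numbers as "old"; and a sequence number of zero is refused outright, since ESP never sends it.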
13. Configuration Simplicity and ZTP
• Templates are attached to provisioned
vEdge routers
• Variables are used for rapid bulk
configuration rollout with unique per-
device settings
• Local configuration changes are not
allowed
- Prevents configuration drift
14. Configuration Simplicity and ZTP
Zero-touch bring-up: a vEdge router with its factory default configuration contacts the zero-touch bring-up server, then the control and policy elements, and completes full registration and configuration.
Assumptions: DHCP on the transport (WAN) side; DNS able to resolve ztp.viptela.com
Steps: authentication, push the configuration, enforce the software version
16. Application Performance and AAR
Measured paths:
Path 1: 10 ms latency, 0% loss, 2 ms jitter
Path 2: 200 ms latency, 3% loss, 5 ms jitter
Path 3: 140 ms latency, 1% loss, 3 ms jitter
App-aware routing policy (distributed by the vSmart controllers): App A path must have latency <150 ms and loss <2%. Path 2 fails both thresholds and is excluded; Paths 1 and 3 remain eligible.
vEdge routers continuously measure path liveness and quality (latency, loss and jitter) across Internet, MPLS and 4G LTE, and auto load-balance across eligible paths.
Device QoS: shaping, policing, queuing, marking.
Optimal throughput.
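The path decision above carried through in code, from probe samples to the set of paths an application may use, as an added example that is not Cisco or Viptela code. The probe samples are constructed, the jitter formula (mean absolute change between consecutive RTTs) and the behaviour when no path meets the SLA are this example's choices, and the thresholds follow the slide's strict "less than" wording.

```python
"""Application-aware routing: from probe samples to an SLA path decision.

Added example, not Cisco/Viptela code. Probe samples are constructed;
the jitter formula and the no-compliant-path fallback are this example's.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PathStats:
    name: str
    transport: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


@dataclass(frozen=True)
class SlaClass:
    """Thresholds; None means that dimension is not constrained."""
    name: str
    max_latency_ms: Optional[float] = None
    max_loss_pct: Optional[float] = None
    max_jitter_ms: Optional[float] = None


def measure(name, transport, rtts_ms):
    """Summarise one probe interval. A sample of None is a lost probe."""
    answered = [r for r in rtts_ms if r is not None]
    loss_pct = 100.0 * (len(rtts_ms) - len(answered)) / len(rtts_ms)
    if not answered:
        # Every probe lost: the path is down, so it can never meet an SLA
        return PathStats(name, transport, float("inf"), loss_pct, float("inf"))
    deltas = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = mean(deltas) if deltas else 0.0
    return PathStats(name, transport, mean(answered), loss_pct, jitter)


def meets_sla(path, sla):
    checks = (
        (sla.max_latency_ms, path.latency_ms),
        (sla.max_loss_pct, path.loss_pct),
        (sla.max_jitter_ms, path.jitter_ms),
    )
    return all(limit is None or value < limit for limit, value in checks)


def select_paths(paths, sla):
    """Return the paths traffic may be load-balanced across for this SLA.

    All compliant paths are used (auto load balance). If none complies this
    example falls back to the single least-bad path rather than blackholing;
    that fallback is a design choice here, not something the slide states.
    """
    compliant = [p for p in paths if meets_sla(p, sla)]
    if compliant:
        return compliant
    return [min(paths, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))]


if __name__ == "__main__":
    # The slide's three paths, restated as PathStats
    paths = [
        PathStats("Path1", "mpls", 10, 0, 2),
        PathStats("Path2", "internet", 200, 3, 5),
        PathStats("Path3", "lte", 140, 1, 3),
    ]
    app_a = SlaClass("app-a", max_latency_ms=150, max_loss_pct=2)
    print([p.name for p in select_paths(paths, app_a)])
    # Constructed probe interval: one of four probes lost
    print(measure("Path4", "internet", [10, 12, None, 14]))
```

Because the selection returns a list rather than one winner, the caller load-balances across every compliant path, which is what the slide's "auto load balance" means; a policy that prefers one transport would filter that list further.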
17. End to End Segmentation
Use Cases
Security Zoning
Compliance
Guest WiFi
Multi-Tenancy
Extranet
VPN mapping inputs: interface, VLAN, prefix
Figure: Site 1, Site 2 and the data center carry VPN A, VPN B and VPN C over the transports; each VPN is mapped to physical interfaces (IF) or 802.1Q sub-interfaces.
IPsec encapsulation on the wire: IP header (20 bytes) | UDP (8) | ESP (36) | VPN label (4) | data
Isolated virtual private networks across any transport
VPN mapping is based on the physical vEdge router interface, the 802.1Q VLAN tag, or a mix of both
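The segmentation model above in code, as an added example that is not Cisco or Viptela code: ingress classification by interface and 802.1Q tag, a separate forwarding table per VPN so that a lookup in one VPN never matches a route of another (which also lets two VPNs reuse the same address space), and the tunnel overhead taken from the header sizes on the slide. The prefixes and next hops are constructed, and treating the 4-byte label as a 20-bit MPLS-style field that carries the VPN ID is this example's assumption.

```python
"""Per-VPN segmentation on a vEdge: classification, isolated FIBs, overhead.

Added example, not Cisco/Viptela code. Prefixes and next hops are
constructed. Header sizes come from the slide (IP 20, UDP 8, ESP 36,
VPN label 4); treating the label as a 20-bit MPLS-style field holding
the VPN ID is this example's assumption.
"""
import ipaddress
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

OUTER_IP, UDP, ESP, VPN_LABEL = 20, 8, 36, 4        # bytes, per the slide
TUNNEL_OVERHEAD = OUTER_IP + UDP + ESP + VPN_LABEL  # 68 bytes


def tunnel_mtu(transport_mtu=1500):
    """Largest inner packet that fits one outer packet on this transport."""
    return transport_mtu - TUNNEL_OVERHEAD


def encode_label(vpn_id, ttl=255):
    """Pack the 4-byte label: 20-bit label, 3-bit TC, S bit, 8-bit TTL (assumption)."""
    if not 0 <= vpn_id < (1 << 20):
        raise ValueError("VPN id does not fit a 20-bit label")
    return struct.pack("!I", (vpn_id << 12) | (1 << 8) | ttl)


def decode_label(raw):
    (word,) = struct.unpack("!I", raw[:4])
    return word >> 12


@dataclass(frozen=True)
class Decision:
    action: str                  # "forward" or "drop"
    reason: str = ""
    vpn: Optional[int] = None
    next_hop: Optional[str] = None
    label: Optional[bytes] = None


class VEdge:
    def __init__(self):
        self.segments = {}                 # (interface, vlan or None) -> vpn
        self.fib = defaultdict(dict)       # vpn -> {network: next_hop}

    def map_segment(self, interface, vpn, vlan=None):
        """Bind a physical port (vlan=None) or an 802.1Q sub-interface to a VPN."""
        self.segments[(interface, vlan)] = vpn

    def add_route(self, vpn, prefix, next_hop):
        self.fib[vpn][ipaddress.ip_network(prefix)] = next_hop

    def classify(self, interface, vlan=None):
        # Exact match only: an unmapped port or tag belongs to no VPN and is dropped
        return self.segments.get((interface, vlan))

    def forward(self, interface, dst, vlan=None):
        vpn = self.classify(interface, vlan)
        if vpn is None:
            return Decision("drop", "ingress not mapped to a VPN")
        addr = ipaddress.ip_address(dst)
        # Longest-prefix match is confined to this VPN's table: routes of other
        # VPNs are invisible even when their prefixes would match.
        candidates = [n for n in self.fib[vpn] if addr in n]
        if not candidates:
            return Decision("drop", f"no route in VPN {vpn}", vpn=vpn)
        best = max(candidates, key=lambda n: n.prefixlen)
        return Decision("forward", vpn=vpn, next_hop=self.fib[vpn][best],
                        label=encode_label(vpn))


if __name__ == "__main__":
    e = VEdge()
    e.map_segment("ge0/0", vpn=10, vlan=100)
    e.map_segment("ge0/0", vpn=20, vlan=200)
    e.add_route(10, "10.1.0.0/16", "site2-vpn10")
    e.add_route(20, "10.1.0.0/16", "site2-vpn20")   # same prefix, different VPN
    print(e.forward("ge0/0", "10.1.5.7", vlan=100))
    print(e.forward("ge0/0", "10.1.5.7", vlan=200))
    print("tunnel MTU on a 1500-byte transport:", tunnel_mtu())
```

The 68-byte overhead is why the deck pairs "optimal throughput" with MTU discovery: an inner 1500-byte packet cannot cross a 1500-byte transport unfragmented, so the fabric has to learn the usable size per tunnel.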
18. Per-Segment Topologies
Full mesh: unified communications
Hub-and-spoke: data center applications
Regional hub: regional Internet/services
Optimal application experience
20. How to Optimize Public Cloud (SaaS) Performance
Exit options: regional Internet exit, branch with local DMZ, data center/DMZ
The vFabric scores each candidate exit with httping probes; SaaS traffic uses the primary exit with a backup exit
Score / color: 8-10 green, 5-8 yellow, 0-5 red
24. Self Healing Capabilities
Each vEdge router holds an active software image plus available images (A, B, C, D); an image can be activated or rolled back.
Scenario 1: a failed upgrade on the vEdge router is rolled back to the previous image.
Scenario 2: vManage attaches a template, the router loses connectivity, and the configuration is rolled back.
25. High Availability and Redundancy
Figure: dual vEdge routers at a site running VRRP towards the LAN and OSPF/BGP towards the data center; each router is homed to both Internet and MPLS, with control and data sessions to the vSmart controllers.
26. vEdge Portfolio
vEdge capabilities integrated into all IOS-XE platforms (ISR, CSR, ENCS, ASR1K)
Small office/home office: 100 Mbps
Branch/campus: 1 Gbps
Large campus/data center: 10 Gbps
Higher-capacity aggregation: 20 Gbps+
Cloud interconnect: 2 Gbps+
Platforms: ISR4K, ASR1K, ENCS (private cloud)
27. Why Cisco SD-WAN
Cisco SD-WAN: the most-deployed enterprise-grade SD-WAN, trusted by Fortune 500 enterprises
Thousands of sites, every major industry, including retail, healthcare, financial services and energy
Winning 95% of competitive POCs
Standards compliant: …and more
Editor's notes
Cisco SD-WAN provides a multi-transport network over disjoint networks, with separation of the control plane
Application visibility for 3000+ applications
Scale to thousands of sites
Reduced WAN cost
Direct access to cloud with improved performance
Simplified operations
Disjointed networks
No application visibility
Limited scale
Insufficient bandwidth
WAN cost
No direct access to cloud apps
Hybrid WAN
Fragmented security
Complex operations
Components: vEdge router (hardware/software), control components (software)
Supports small branches, large data centers, public and private cloud
Controllers can be deployed by Viptela, privately, or on premises
Transport-independent fabric
Secure control-plane connections between the vEdge and the controllers; only control information is sent to the controllers
vManage for management and monitoring, with RESTful APIs
Multiple transports can connect to a single router
Deployment simplified with zero touch
Zero trust
All connections are active/active
Eliminates WAN-side routing
Delivery platform (routing): full router, full BGP and OSPF, VRF segmentation, full QoS and shaping, multicast, traffic redirection (service insertion), high availability (AS/AP)
Replaces the router and simplifies the network
Application and policies: DPI and application visibility; application SLA-based policy (best path based on underlying network performance); traffic engineering; segmentation-based topology; secure Internet gateway; SaaS and IaaS path selection and acceleration
Operations, monitoring and analytics: complete configuration and management; no configuration on the edge device; 5-minute revert for configuration, 8-minute revert for upgrades; optimal throughput via MTU discovery
Largest deployments in retail, healthcare, financial services and energy
Most deployed across Fortune 500 enterprises
Thousands of production sites in every major industry
Compliant with PCI, HIPAA and other industry standards
1. Sophistication of use cases for the enterprise: hybrid WAN, business partners, SOHO, cloud, M&A, etc.
2. Most deployed and trusted SD-WAN solution among Fortune 500 enterprises