The document provides an overview and agenda for a technical deep dive into Cisco SD-WAN. It discusses extending Cisco SD-WAN to Cisco routers, using Cloud onRamp to improve access to SaaS and IaaS applications, and providing layered security between sites and to the cloud. It also covers operations and troubleshooting capabilities in Cisco SD-WAN such as infrastructure monitoring, application visibility, performance statistics, and troubleshooting tools.
8. Traditional SaaS Applications Access
Which way is cloud?
• Direct Internet Access
• Regional Breakout
• Data Center Backhaul
[Diagram labels: Wide Area Network; Remote Site; Users; Regional Hub; Data Center]
10. Cloud onRamp for SaaS – Dual DIA
[Diagram labels: Remote Site; WAN Edge; ISP1; ISP2; Best Performing; Loss/Latency; SD-WAN Fabric; Hub, CoLo, Cloud Colo]
Quality Probing
• Detect application performance through one or more Direct Internet Access circuits
• vEdge routers choose best performing path
- Per-Application, Per-VPN
• Automatic failover in case of performance degradation
• Fully automated
11. Cloud onRamp for SaaS – DIA and Gateway
[Diagram labels: Remote Site; WAN Edge; ISP1; ISP2; MPLS; Best Performing; Loss/Latency; SD-WAN Fabric; Hub, CoLo, Cloud Colo]
Quality Probing
• Detect application performance through DIAs and gateways
- Customer/SP owned and operated
- Security, performance, reliability
• vEdge routers choose best performing path
- Per-Application, Per-VPN
• Automatic failover in case of performance degradation
• Fully automated
15. Traditional IaaS Access
[Diagram labels: Wide Area Network; VNET; VPC; Remote Site; Campus; Data Center; Tunnel]
How to provide security, segmentation, QoS and reliability to the cloud workloads?
How to provide direct-to-cloud access?
22. Traditional Branch Security
[Diagram labels: Wide Area Network; Remote Site; Data Center; VPN1; VPN2; VPN3; Users; Cloud; Firewall]
• How to provide application level security?
• How to provide transport independent segmentation?
• How to eliminate backhaul latency for secure cloud access?
23. Layered Branch Security with SD-WAN
[Diagram labels: Application Firewall; Zone Based Firewall; Dedicated Firewall; DIA and Cloud; Users; Compliance; VPN1; VPN2; VPN3; Cloud Security]
• Pick and choose the appropriate security controls
25. Inter-Site Security
[Diagram labels: Remote Site / Data Center; VPN; Zone Based; App Firewall; WAN Edge; Regional Hub; Dedicated Firewall; Service Insertion]
• Filter unwanted applications
• Stateful inspection for traffic
• (optional) Dedicated security
26. DIA and Cloud
[Diagram labels: Remote Site; VPN; Zone Based; App Firewall; WAN Edge; Cloud Security; 3rd Party; DDoS Protection; GRE/IPSec Tunnel]
• Filter unwanted applications
• Stateful inspection for DIA traffic
• Internet security
36. Key Takeaways
• Extend Cisco SD-WAN to Cisco ISR and ASR family of routers
• Migrate existing site into Cisco SD-WAN in 15 minutes without any additional hardware
• Provide better user experience consuming cloud SaaS applications with Cloud onRamp for SaaS
• Automatically extend SD-WAN into public IaaS clouds with Cloud onRamp for IaaS
• Provide layered and stateful security for inter-site and site to cloud communication with integrated Cisco SD-WAN controls
• Flexible operations model and full solution transparency