Maximizing SD-WAN Architecture with Service Chaining - VeloCloud

  1. Maximizing SD-WAN with Service Insertion/Chaining Architectures. Steve Woo, VP Products & Co-founder. VeloCloud Networks Proprietary & Confidential | © Copyright 2016
  2. Service chaining (verb, serv-ice chain-ing):
     • interconnecting a set of services through the network
     • simplified with both SDN [SD-WAN] and NFV
     • meet expectations of dynamic insertion without topology reconfigurations
  3. Businesses Blocked by WAN Challenges
     • App Performance / Bandwidth Expense & Constraint Issues
     • Branch deployment Complexity
     • Cloud migration Not supported by static architectures
  4. Enterprise Legacy WAN
     • Network topology based physical service insertion
     • Complex routing – difficult to distribute / disaggregate services to regional “service” hubs
     • Internet traffic backhauled – not optimal for migration to cloud
     [Diagram labels: Datacenter, Branch, Branch, MPLS, Firewall, Web security]
  5. Alternative to Backhaul: Direct Internet Breakout
     • “Direct” to Internet
     • Cost and operational support for hardware services in branch
     • Or complexity of forwarding to cloud based security
     • Best effort for availability and performance
     [Diagram labels: Datacenter, Branch, Branch, MPLS, INTERNET, Firewall with UTM, Cloud Security]
  6. Why Software-Defined WAN? Requirements:
     • Simplicity & Manageability: Simplify and expedite new branch rollouts, and configuration across large number of sites
     • App performance: Ensure performance and availability of apps, especially real-time
     • Bandwidth & Transport cost: Leverage economical bandwidth additions
     • Cloud migration: Optimize access to multiple cloud destinations, with performance, security and manageability
     • Services delivery: Virtual services delivery including SD-WAN; simplify service chaining to distributed services
     • Flexible / Incremental deployment: Incremental migration, and legacy interoperability; avoid capex, proprietary hardware
  7. SD-WAN Service Insertion & Chaining benefits
  8. SD-WAN Advantages
     • Simplified WAN Management: Zero touch deployments, simplified operations, one-click service insertion
     • Managed on-ramp to the cloud: Direct cloud access with performance, reliability and security
     • Assured Application Performance: Transport independent performance for the most demanding apps, leverages economical bandwidth
     [Diagram labels: Branch Edges, Cloud Gateways, SaaS, Datacenter Edges, SD-WAN Overlay]
  9. Cloud-Delivered SD-WAN Architecture
     Private & Internet circuits, Enterprise & SaaS applications, On premise & Cloud deployments
     [Diagram labels: Branch Site, Branch Edge, Enterprise DC, Hub Edge, Hybrid Cloud, Traditional Private Datacenters, INTERNET, Private - MPLS, Cloud Gateways, Orchestrator, Controllers, Service Insertion Points]
  10. Service Insertion at Branch
  11. Branch Services Insertion. Multiple CPE options:
     • General Purpose Virtual CPE [diagram labels: vCPE platform, OS + HW, SD-WAN VNF, FW VNF, WOC VNF, Orchestration]
     • SD-WAN Virtual Services Platform [diagram labels: SDWAN, FW VNF, X VNF, SDWAN Orchestration]
     • SD-WAN CPE with virtualized services [diagram labels: L7 Firewall, Dyn Multi Path, VPN, NAT, SDWAN]
     Embedded Services:
     • Services on / off
     • Granular policies by L7 traffic profile
     Legend: HW = hardware; vCPE = virtualized CPE; OS = operating system; (icon) = Cloud Delivered SDWAN
  12. SD-WAN Policy-Based Service Chaining
     • Different service chains applied by policy
     • Services can be at branch only or dual ended
     [Diagram labels: SaaS / IaaS, Enterprise DC, Branch, Web, Cloud Gateways, SD-WAN Edge, SD-WAN Edge, VPN, Firewall, Dyn Multi Path]
  13. Multi-Path Optimization Service: Assured Application performance over MPLS, Internet broadband and LTE circuits
     • Continuous Link Monitoring: Drives automation and optimization
     • Dynamic Per Packet Steering: Sub-second steering without session drops; aggregated bandwidth for single flows
     • On Demand Remediation: Protects against concurrent degradation; enables single link performance
  14. Cloud VPN Service
     • Unified VPN over all transports
     • Cloud VPN eliminates backhaul
     • Automated VPN to cloud via gateway
     [Diagram labels: Branch Site, Branch Edge, Enterprise DC, Hub Edge, Traditional Private Datacenters, INTERNET, Cloud Gateways, Private - MPLS, IPsec VPN]
  15. Extensible Virtual Services
     Security Services:
     • Application Firewall: L7 stateful firewall
     • Cloud Web Security
     • Identity Based Access Control: 802.1x authenticated access
     Automated Monitoring:
     • Deep Application Recognition: Packet inspection for application recognition
     • Application & Link Visibility: Link status and application usage
     • Application Performance: Application network performance statistics
     Assured WAN Performance:
     • Dynamic Multi-Path Optimization: Application steering and link remediation
     • Business Policy: Application prioritization and network service insertion
     Comprehensive LAN Services:
     • 3rd Party Ecosystem: partner apps
     • Auto IP Address Management: By sites and profiles
     • DHCP, DNS, WLAN…: LAN network services
     • Policy Based NAT: Source and destination based
     Secure Overlay:
     • Cloud VPN: Auto IPsec VPN between Edges and 3rd party devices
     • Hybrid VPN: IPsec VPN and MPLS
  16. Regional / Enterprise Services
  17. Internet Backhaul is Complex With Traditional WAN
     Challenges with Traditional WAN:
     • Not performance-aware
     • Policy definition at L3 only
     • Requires touching every branch
     • Per-application tuning difficult
     • More complex with multiple links
     [Diagram labels: Branch, Headend, Advertise 0.0.0.0/0 (Preferred), Advertise 0.0.0.0/0]
  18. Policy-based Internet Backhaul to Regional DCs
     • Backhaul ALL or subset of Internet traffic
     • Flexible link steering policy
     [Diagram labels: Branch Edge, Primary Hub Edge, Secondary Hub Edge, Primary path, Secondary path]
  19. SD-WAN Distributed Services Insertion for Internet
     Distributed Service Insertion:
     • SD-WAN one-click app aware service insertion
     • Enables disaggregation and distribution of services to multiple regional mini-datacenters
     • Same or different service chains by DC
     • SD-WAN optimal for SDN instantiated virtual services in DC
     • Reduces branch complexity and attack surface
     [Diagram labels: Branch Site, Distributed Regional Mini-Datacenters, On Premise Email, DLP, Firewalls, Enterprise Applications, Enterprise Datacenters, SD-WAN Edges, SD-WAN Edges]
  20. SD-WAN Distributed Services Insertion for B2B
     Distributed Service Insertion:
     • Regionalize services even for branch to branch traffic
     • Next gen firewall can apply rules by application
     [Diagram labels: Branch Site, Distributed Regional Mini-Datacenters, Firewalls, SD-WAN Edges]
  21. SD-WAN Multi-DC Services Insertion for Internet
     Multi-DC Service Insertion:
     • Dynamic routing for service insertion
     [Diagram labels: Branch Site, Datacenter 1, SVC 1, Datacenter 2, SVC 2, SD-WAN Edges, SD-WAN Edge, SD-WAN Edge]
  22. Cloud / SP Services
  23. SD-WAN Hybrid Services Insertion: SD-WAN service chaining for hybrid services
     • Backhaul to on-premises services – Regional and central
     • SD-WAN performance service-chained to cloud security services
     • One-click, by application
     [Diagram labels: Branch Site, SD-WAN Edge, Enterprise Hub, On Premises Security, Other Web traffic, Salesforce.com, Web email, Internet, Cloud Security Services]
  24. Cloud Services Chaining
     • Services by Enterprise – VRF mapping
     • Services granularity by VLAN tag
     [Diagram labels: Enterprise A (VLAN 1, VLAN 2, VLAN 3, VLAN 4), Enterprise B (VLAN 1, VLAN 2, VLAN 3, VLAN 4), VRF A, VRF 3, VRF 4, VRF B-3, VRF B-4, Multi-Tenant SD-WAN Cloud Gateway, SP NFV Orchestrator, SD-WAN Edge]
  25. SD-WAN Service Chained Optimization: MPLS/Private QoE Service Chaining
     • WAN edge QoS (prioritization, bandwidth allocation)
     • SD-WAN multi-path optimization with MPLS CoS
     • MPLS core with CoS
     • Interoperable data plane signaling
     [Diagram labels: CoS outside SDWAN encapsulation, CoS inside SDWAN encapsulation, Policy based CoS setting, SD-WAN Edge]
  26. Summary: Service Chaining Use Cases
     • At branch CPE, enterprise DC, or cloud service
     • Within SD-WAN CPE, or SD-WAN as VNF
     • Distributed regional service centers
     • Branch-to-branch and branch-to-Internet traffic
     • Multi-hop service centers
     • Hybrid on-premises and cloud services
     • Cloud services by enterprise and segment
     • SD-WAN to SP optimization
  27. SD-WAN Interoperability. SD-WAN policy-based interoperability support:
     • Data plane
       – TOS/CoS
       – VLANs
       – Upcoming: IETF draft: NSH
     • Orchestration
       – MEF OpenLSO
       – CORD
       – Linux Foundation OPEN-O
       – ONUG Open SDWAN Exchange
  28. Q&A www.velocloud.com/sd-wan-dummies