
SDWAN Viptela Guide


Delivering Cisco Next Generation SD-WAN with Viptela (Addendum)


Nikolai Pitaev, Senior Technical Marketing Engineer, ENB
@pitaev
DGTL-BRKCRS-2110

#CiscoLive
Agenda
• SD-WAN Fundamentals @ CL Barcelona ‘20
• New since January 2020:
o Cloud: Google Cloud, TGW, vWAN
o Security: SSL Proxy, Umbrella Automation
o Voice and UC
o Multicast
o Infrastructure

• Conclusion

#CiscoLive DGTL-BRKCRS-2110 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
SD-WAN fundamentals recap
SD-WAN fundamentals in CL On-Demand Library
1. Find DGTL-BRKCRS-2110:

2. Learn in 90 Minutes:
• Building Blocks: controllers and routes
• Deployments: cloud-based and on-prem
• Use cases: DIA, Security, Colocation
• Cloud: SaaS and IaaS
• Application Quality of Experience
• Demonstration

New since CL Barcelona 2020
Summary of new topics since January 2020
New topics:
• Cloud: SaaS, Google Cloud, AWS TGW, Azure vWAN
• Security: SSL Proxy, Umbrella automation
• Unified Communications
• Multicast
• SD-WAN Infrastructure features

Cloud
Cloud-related SD-WAN topics

1. Cloud onRamp for SaaS Innovations: Microsoft365


2. Cloud onRamp for IaaS: TGW and vWAN automation
3. Google Cloud

SD-WAN SaaS Innovation with Microsoft 365
Use Case: access to cloud-based Office 365 Apps

Key Problem: what is the best way to the App?

Before: active probing on all paths

After:
• 17.3 (July): identification based on MSFT published categories
• 17.4 (Nov.): user can rely on MSFT telemetry data

Benefits:
• improved application performance
• support for new O365 categories

[Diagram: Remote Site, SD-WAN, Regional Hub/CoLo, Data Center]

Key message:
Better O365 user experience with Cisco SD-WAN and application infused path selection
How it works

• Microsoft shares Office 365 connection health insights (aka Telemetry data).
• Cisco SD-WAN devices consume the insights to make intelligent routing decisions by sending key O365 traffic on alternate paths.
• Microsoft-Cisco collaboration enables improved O365 user experiences such as Outlook search, SharePoint document collaboration and Teams conferencing.
Key Message: this is the first app-driven SD-WAN solution, where route selection is based on telemetry info injected directly from the cloud.
Announcement in November 2019
Last year, Cisco announced improved application performance in connecting Cisco SD-WAN to Microsoft Office 365 by up to 40 percent. This SD-WAN solution directs Office 365 traffic from the customer site to the closest Microsoft network points of presence using the optimal path, in many cases bypassing the corporate data center, dramatically improving users’ experience.

Today, we are announcing the intent to develop new capabilities that allow IT to seamlessly connect branch offices to Microsoft Azure Virtual WAN directly, using Cisco SD-WAN hosted in Azure.

In addition, Cisco SD-WAN will integrate more deeply with Microsoft Office 365 and be infused with application insights that will enable it to manage optimal network paths more effectively and further improve user experience.

https://blogs.cisco.com/enterprise/cisco-and-microsoft-advance-technology-partnership-to-improve-sd-wan-and-cloud-connectivity
Cloud onRamp for IaaS: TGW Innovations

Use Case: connect IaaS infra via TGW to SD-WAN

Key Problem: fast and reliable interconnection

Before: manual interconnection

After: automated interconnection from vManage

Benefits: fast and reliable config from single UI

[Diagram: Remote Site, SD-WAN, Transit Gateway, Data Center]

Cloud: SD-WAN & AWS TGW Automation
• Automation is targeted for 2nd half of 2020 with 2 options:
1. Branch connect: Direct connection from branches to TGW
2. SD-WAN Cloud Gateway: Branches connect to SD-WAN Edge Router in SD-WAN VPC first
AWS TGW Demo: Step 1

• Duration of the whole demo: 12 Min

• Creation of the 1st TGW in us-west1

AWS TGW Demo: Step 2

• Creation of the 2nd TGW in us-east2

AWS TGW Demo: Step 3

• Moving VPC from “Engineering” to “Production” Tag in us-west1

Cloud: Using TGW as underlay
• SD-WAN can use AWS with TGW peering as underlay
• Pros: AWS is just another transport, full visibility and SD-WAN features
• Cons: static routing on the TGW side
[Diagram: regions aws-west-1 and aws-east-1, each with a Host VPC (Host VPC West, Host VPC East), a TGW (TGW-West, TGW-East) and an SD-WAN VPC hosting a vEdge (vEdge-West, vEdge-East). Labels: TGW Peering, VPC Attachment, subnets 10.10.1.0/24, 10.10.2.0/24 and 10.10.3.0/24, interfaces eth0, ge0/0 and ge0/1, SD-WAN tunnel “gold”, SD-WAN tunnel “public-internet”, Internet]

Cloud: SD-WAN & Google Cloud (GCP)
• CSR1000v running non SD-WAN image is supported on GCP
• CSR1000v SD-WAN Image is targeted for 2nd half of 2020
• Example of joint innovation:
o Interaction between SD-WAN and Service Directory
o App Metadata translated to SD-WAN SLA/Policies

Architecture
[Diagram labels: DevOps, Service with IP:Port and Metadata, GCP Service Directory, gRPC, REST, Metadata Reader, Metadata to Policy Mapping, REST Adaptor, IP:Port for Policy, NetOps, UI, vManage, SD-WAN Router (two), Cloud]
Demo Setup Topology
[Diagram labels: GCP, AWS, vBond, vSmart1, vManage, WAN Emulator, Video Client, Video Server, CSR1kv, vEdgeCloud, IGW, Internet, sd-wan1-vpc, sd-wan2-vpc, sd-wan-lan, interfaces ge2 and ge3, color: public-internet, color: biz-internet]

Demo Steps:
1. Video runs over public-internet with bad quality
2. Video Server App registers in Google Service Directory
3. Script polls Service Directory, reads metadata and activates SD-WAN policy
4. SD-WAN switches traffic to a better biz-internet path. Video quality is improved!

Cloud: Summary

1. Cloud onRamp for SaaS Innovations Microsoft365: endpoint category support, telemetry influenced routing
2. Cloud onRamp for IaaS - TGW and vWAN automation: segmentation use case automated, cloud provider backbone is just an additional transport
3. Google Cloud: Service Directory creates a bridge between DevOps (app metadata) and NetOps (network policy)

Security
TLS/SSL Proxy Support with SD-WAN

SSL Proxy will help customers decrypt and inspect network traffic for malware

Cisco SD-WAN SSL Proxy…
• Intercepts/Redirects SSL traffic to ISR
• Decrypts packet and inspects
• Re-encrypts packet and sends
• Intercepts response
• Decrypts packet and inspects
• Re-encrypts packet and forwards to end user

[Diagram: HTTPS traffic enters the Router, SSL Proxy Decrypts, Inspect Traffic (Security Features for inspection: FW, IPS/IDS, URLF, AMP), SSL Proxy Encrypts, HTTPS traffic leaves]

“At the start of 2019, 87% of Web traffic was encrypted”
- Mary Meeker, Internet Trends

Security: Umbrella integration
Auto-Registration to Cisco Umbrella based on Smart Account credentials:
• Registration of Edge Devices to Umbrella is automatically done
• Secure API key is automatically provisioned on the Edge Device through HTTPS session
• Cloud Firewall
• DNS Security
• Secure Web Gateway
IPSec Auto-Tunnel to Cisco Umbrella:
• By pushing the SIG Feature template, a customer can now set up an IPSec tunnel to Umbrella SIG
• Without this solution, customer would need to manually establish the tunnel for each WAN Edge device at branch

[Diagram: Edge Device, INTERNET, UMBRELLA]

Layer 7 health check to ZScaler
• Redundant IPsec/GRE tunnels to ZScaler now support dynamic best path selection
• No longer reliant on IKE DPD for tunnel failure
• Supported on both vEdge and cEdge
• Ensures traffic takes the best path when redundant paths are available

HTTP Probe: http://gateway.zscalerbeta.net/vpntest

[Diagram: cEdge with Gi0/0 Transport (VPN0), Gi0/1 Service (VPN1), Gi0 Mgmt (VPN512), Gi0/3 Service (VPN2); Region 1 and Region 2]
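
Why probing at Layer 7 changes the failover decision, as an added example (not from the slides and not Cisco code): the tunnel names, the probe samples and the 40% loss threshold are constructed assumptions, and the selection logic is a simplified model rather than the product's algorithm.

```python
"""Simplified model: tunnel selection by IKE DPD versus by HTTP (Layer 7) probe."""
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Tuple


@dataclass(frozen=True)
class Probe:
    status: Optional[int]    # HTTP status; None means the probe timed out
    rtt_ms: Optional[float]  # round-trip time; None on timeout


@dataclass(frozen=True)
class Tunnel:
    name: str
    dpd_alive: bool                 # IKE peer answered dead-peer detection
    probes: Tuple[Probe, ...] = ()  # recent HTTP probe results, oldest first


def l7_health(tunnel, max_loss=0.4):
    """Return (usable, loss, avg_rtt_ms) computed from the HTTP probes."""
    good = [p.rtt_ms for p in tunnel.probes
            if p.status == 200 and p.rtt_ms is not None]
    total = len(tunnel.probes)
    loss = 1.0 if total == 0 else (total - len(good)) / total
    avg = mean(good) if good else float("inf")
    return loss <= max_loss, loss, avg


def pick_by_dpd(tunnels):
    """DPD-only failover: first tunnel, in configured order, whose peer is alive."""
    return next((t.name for t in tunnels if t.dpd_alive), None)


def pick_by_l7(tunnels, max_loss=0.4):
    """Probe-based selection: lowest loss, then lowest RTT, among usable tunnels."""
    ranked = []
    for t in tunnels:
        usable, loss, avg = l7_health(t, max_loss)
        if usable:
            ranked.append((loss, avg, t.name))
    return min(ranked)[2] if ranked else None


def _ok(rtt):
    return Probe(200, rtt)


TIMEOUT = Probe(None, None)

# Constructed sample state (not captured from a real device).
TUNNELS = (
    # IKE peer still answers, but nothing useful comes back through the tunnel.
    Tunnel("region1-primary", True,
           (TIMEOUT, TIMEOUT, Probe(503, 30.0), TIMEOUT, TIMEOUT)),
    # Healthy but slower path.
    Tunnel("region2-backup", True,
           (_ok(82.0), _ok(80.0), _ok(85.0), _ok(81.0), _ok(82.0))),
    # Faster path with one lost probe (20% loss, under the threshold).
    Tunnel("region1-secondary", True,
           (_ok(40.0), TIMEOUT, _ok(42.0), _ok(41.0), _ok(41.0))),
    # Peer is down at the IKE layer; both methods skip it.
    Tunnel("region2-spare", False),
)

if __name__ == "__main__":
    print("DPD-only choice :", pick_by_dpd(TUNNELS))
    print("L7 probe choice :", pick_by_l7(TUNNELS))
    for t in TUNNELS:
        print(t.name, l7_health(t))
```

With DPD alone, traffic stays on `region1-primary` because the IKE peer still answers; the HTTP probe results expose that the path through it is unusable and move the choice to a tunnel that actually carries traffic.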

Transport-side IPsec/GRE Tunnels
• IPsec/GRE tunnels to 3rd party devices can now be sourced from VPN0 interfaces
• Supported on both vEdge and cEdge
• Conserves hardware resources
• Simplifies design

[Diagram: cEdge with Gi0/0 Transport (VPN0), Gi0/1 Service (VPN1), Gi0 Mgmt (VPN512), Gi0/3 Service (VPN2); 3rd Party]

SD-WAN Security - Summary
Latest innovations:
• SSL Proxy
• Cisco Umbrella automation
• Layer 7 health check to ZScaler
• Transport-side IPsec/GRE Tunnels

Unified Communications
Key use cases
• Flexible Connectivity: Directly connect with Cloud or On-Premise call control with improved user experience while positioning for the future
• Large Scale VoIP Provisioning: Leverage the power of vManage Templating and Policy orchestration to provision scalable, consistent UC across the enterprise
• Hardware Consolidation: Reduce CapEx and OpEx by consolidating UC and SD-WAN into a single CPE

[Diagram labels: On-Premise UCM, UCM Cloud, WebEx Calling, 3rd Party]
Voice Module Support
Digital Voice Modules, Phase 2 (July):
• T1E1 Multiflex Trunk NIM Modules, 1 - 8 Port
• PVDM4 – Packet Voice DSP Modules (DSPs) with 32 - 256 sessions
• High Density DSP Service Modules (SM-X-PVDMs)

Analog Voice Modules, Phase 1 (April):
• FXS / FXO Voice NIM Modules, 2 - 6 Ports
• BRI Voice NIM Modules, 2 - 4 Ports
• E/M NIM Modules, 4 Ports
• High Density Analog Voice Service Modules

UC Portfolio Summary
[Chart: ISR platforms by throughput and deployment size.
• 4300 architecture (single socket CPU, multiple CPU cores): ISR 4321, ISR 4331, ISR 4351
• 4400 / ASR architecture (dedicated CPU sockets for Control & Data Plane): ISR 4431, ISR 4451, ISR 4461
• Throughput axis: 100Mb, 1Gb, 1/10Gb, 20Gb+
• Deployment sizes run from Small Office through Campus and Data Center to Cloud/Virtual]

UC Configuration and Policy
vManage/vSmart (Management/Control Plane)
• Does not participate in Call Routing
• Provisions ISR for UC
- Distributed Dial Plan (SIP Dial Peer)
- Call Manipulation (Translation)
- Media/Codec Selection
- SRST

Call Control (Data Plane)
• Participates in Data Plane
• Provides extended Dial Plan support
- Enterprise call routing
- Media Termination
- SIP
• Does not invoke configuration change

[Diagram label: PSTN]

Basic Workflow

1. Feature Template
• Voice Card
• SRST
• SIP
2. Voice-Policy
• Call Routing
• Translation-Profile
• Line Parameters
• Media Profile
3. Device Template
• Map Feature Templates
• Map Voice-Policy Elements

Configuration Snippet
Callouts on the slide: Voice Policy, SIP Template, Voice-Card Template, SRST Template

  voice register pool 1
   voice-class codec 1
   dtmf-relay rtp-nte sip-notify
  !
  sip-ua
  voice class codec 1
   codec preference 1 g722-64 bytes 160
   codec preference 2 g729r8
   codec preference 3 g711ulaw bytes 160
  !
  voice class codec 2
   codec preference 1 g722-64 bytes 160
   codec preference 2 g729r8
   codec preference 3 g711ulaw bytes 160
  !
  voice service voip
   allow-connections sip to sip
   no supplementary-service sip handle-replaces
   no supplementary-service sip moved-temporarily
   no supplementary-service sip refer
   sip
    registrar server expires max 300 min 200
    bind control source-interface GigabitEthernet0/0/0
    bind media source-interface GigabitEthernet0/0/0
   !
   ip address trusted list
    ipv4 10.0.0.0 255.0.0.0
   !
   fax protocol t38
  !
  voice register global
   max-dn 48
   max-pool 24
   system message "SRST Mode"
  !

  voice-card 0/2
   no local-bypass
  !
  dial-peer voice 2 voip
   voice-class codec 2
   session protocol sipv2
   dtmf-relay rtp-nte digit-drop sip-notify
  !
  dial-peer voice 100 voip
   destination-pattern .T
   no shutdown
   session protocol sipv2
   session target ipv4:10.21.24.35
  !
  dial-peer voice 101 pots
   incoming called-number .
   port 0/2/0
   no shutdown
  !
  dial-peer voice 911 pots
   destination-pattern 911
   forward-digits all
   port 0/2/0
   no shutdown
  !
  voice-port 0/2/0
   caller-id enable
   secondary dialtone
  !

UC Call Flow Review (CLI)
ROUTER# show voip rtp connections
VoIP RTP Port Usage Information:
Max Ports Available: 19999, Ports Reserved: 101, Ports in Use: 1
Port range not configured
                                      Min   Max   Ports     Ports    Ports
Media-Address Range                   Port  Port  Available Reserved In-use
------------------------------------------------------------------
Global Media Pool                     8000  48198 19999     101      1
------------------------------------------------------------------
VoIP RTP active connections :
No. CallId  dstCallId  LocalRTP  RmtRTP  LocalIP        RemoteIP      MPSS  VRF
1   439     440        8018      32398   10.104.55.216  10.104.55.62  NO    NA
Found 1 active RTP connections

ROUTER# show voice call status
CallID  CID   ccVdb       Port        Slot/DSP:Ch  Called #    Codec     MLPP  Dial-peers
0x3B5   1C2D  0x1B7F03C8  50/0/115.0               0502289600  g711alaw        20114/102
0x6EF   2525  0x1B996AB0  50/0/130.0               0554322189  g711alaw        20129/102
2 active calls found

ROUTER# debug voice ccapi calls
Call 23 set InfoType to SPEECH
*Mar 4 11:53:26.605: //-1/xxxxxxxxxxxx/SIP/Info/ccsip_process_tcp_queue_event: Event type: send msg, connid: 6, fd: 0
ACK sip:7002@10.104.55.65:5060 SIP/2.0
Via: SIP/2.0/TCP 10.104.55.55:5060;branch=z9hG4bK974E
From: <sip:10.104.55.55>;tag=21A32655-182
To: <sip:7002@10.104.55.65>;tag=31978359
Date: Wed, 04 Mar 2020 11:53:26 GMT
Call-ID: 979D8058-5D4511EA-8049E498-283111D1@10.104.55.55
Max-Forwards: 70
CSeq: 101 ACK
Allow-Events: telephone-event
Session-ID: 00000000000000000000000000000000;remote=83b54a01625b52269d3f4987ea9ce152
Content-Length: 0

Cisco Cloud UC (UCaaS) Overview

• Enterprise unified communications and collaboration as a service from the Cloud
• Powered by Cisco’s Unified Communications Manager and Webex in the cloud
• Hosted and operated by Cisco
• Webex Teams, Webex Meetings, Jabber, and all Cisco collaboration endpoints supported
• Cloud Calling option in Collaboration FLEX Plan

[Product icons: Cisco UCM Cloud, Cisco UCOne, Cisco Webex Teams, Cisco Webex Meetings, Cisco Webex Calling]

UC: key takeaways
• Phase 1 introduces SIP only support for SRST and analog
• SD-WAN + UC enhances VoIP provisioning and consistency
• SD-WAN + UC will position for the future (UCaaS)
• SD-WAN + UC consolidates hardware

Multicast
Multicast support comes to SD-WAN
IOS XE SD-WAN’s multicast supports sending data to multiple destinations
[Diagram: vSmart Controllers exchanging OMP Updates with the SD-WAN Fabric; Sender and RP in the Data Center; Replicators; Receiver Branches using IGMP/PIM; legend: Control Plane, Multicast Stream]

• cEdges interoperate with IGMP v2/v3 and PIM on the service side
• cEdges advertise receiver multicast groups using OMP
• cEdge Replicators replicate multicast stream to receivers
• Multicast is encapsulated in point-to-point tunnels

SDWAN Overlay Multicast – vEdge vs cEdge – 20.1/17.2
Feature vEdge cEdge
Overlay Multicast - PIM ASM
Replicator
Auto RP - Proxy
IGMP V2
IPSec and GRE Encapsulation
ECMP across multiple TLOCs
Overlay Multicast - PIM SSM
WAN Edge RP Functionality
Static RP
Auto-RP (Candidate RP and Mapping-Agent)
IGMP V3

Caveats
SD-WAN Feature Limitation (17.2)
× SD-WAN Application Aware Routing
× TLOC-Extension with Multicast

Multicast Features - Unsupported
× PIM Bidir
× AnycastRP/MSDP (Across WAN)
× Multicast BSR
× IPv6 Overlay Multicast
× IPv6 underlay Multicast

Multicast: key takeaways
• Cisco ISRs/ASRs now support multicast
• SD-WAN XE introduces support for PIM, IGMPv3 and RP
• Cisco SD-WAN now fully supports IPv4 multicast across all platforms

SD-WAN Infra features
Summary of the key infra SD-WAN features
• Single Image for IOS-XE and IOS-XE SD-WAN
• CLI add-on templates
• Per-Tunnel QoS support on SD-WAN
• AppNav-XE with SD-WAN

Single Image for IOS-XE and IOS-XE SD-WAN

[Diagram: the separate IOS-XE image and IOS-XE SD-WAN image become a single IOS-XE image that runs in either ‘Autonomous’ mode (IOS-XE) or ‘Controller’ mode (SD-WAN)]

IOS XE vs IOS XE SD-WAN
‘AUTONOMOUS’ mode
• Only non SD-WAN use-cases are supported
• Autonomous mode is default mode in boot sequence
• Can be configured using exec CLI
• ‘controller-mode disable’

‘CONTROLLER’ mode
• Only SD-WAN use-cases are supported
• Controller mode requires a second reboot
• Can be configured using exec CLI
• ‘controller-mode enable’

Operational Mode Change

  Router# controller-mode ?
    disable  controller-mode disable
    enable   controller-mode enable
    reset    controller-mode reset

[Diagram: IOS-XE image and IOS-XE SD-WAN image]

Change to Autonomous Mode
• Config lost, device in day-0

Change to Controller Mode
• Config lost, device in day-0

CLI Add-On Templates
Use Case:
• Needed feature or functionality does not yet exist in a vManage Feature Template
• Caveat or bug workaround

Solution:
• Configure Device Template as normal
• Attach CLI Add-On Template to append configuration
• Supported Commands

[Diagram: Device Template with CLI Add-On Template]

Per-Tunnel QoS support on SD-WAN
Per-Tunnel QoS allows a site to dynamically adjust the sending rate of its traffic to
accommodate lower bandwidth circuits at remote locations.

[Diagram: vManage and vSmart controllers; Data Center, Branch 1 and Branch 2 connected across the INTERNET underlay by IPSec/GRE overlay tunnels; Physical Shaper and Overlay Shaper callouts at each site]

Branch 1:

  sdwan
   interface GigabitEthernet2
    tunnel-interface
     encapsulation ipsec
     color Internet restrict
     tunnel-qos spoke
    exit
    bandwidth-downstream 9000
   exit

Data Center:

  sdwan
   interface GigabitEthernet2
    tunnel-interface
     encapsulation ipsec
     color Internet restrict
     tunnel-qos hub
    exit
   exit

Branch 2:

  sdwan
   interface GigabitEthernet2
    tunnel-interface
     encapsulation ipsec
     color Internet restrict
     tunnel-qos spoke
    exit
    bandwidth-downstream 8000
   exit

Adaptive QoS introduced in 17.3 IOS XE
Ability to detect the current bandwidth rate for the WAN circuit and
dynamically update the interface shaper and egress queue bandwidth values.

[Diagram: vManage and vSmart controllers; Data Center, Branch 1 and Branch 2 connected across the INTERNET underlay by IPSec/GRE overlay tunnels; Physical Shaper and Overlay Shaper callouts at each site]

Branch 1:
• Per-tunnel QoS, DC to Branch1 Overlay Shaper: Range 5000~15000 Kbps, Default 10000 Kbps
• Branch1 to DC Physical Shaper: Range 8000~12000 Kbps, Default 10000 Kbps

  sdwan
   interface GigabitEthernet1
    qos-adaptive
     period 30
     downstream range 5000 15000
     downstream 10000
     upstream range 8000 12000
     upstream 10000
    !
   !
  !

Branch 2:
• Per-tunnel QoS, DC to Branch2 Overlay Shaper: Range 10000~30000 Kbps, Default 20000 Kbps
• Branch2 to DC Physical Shaper: Range 16000~24000 Kbps, Default 20000 Kbps

  sdwan
   interface GigabitEthernet2
    qos-adaptive
     period 60
     downstream range 10000 30000
     downstream 20000
     upstream range 16000 24000
     upstream 20000
    !
   !
  !

AppNav-XE with SD-WAN
1. Un-optimized traffic enters cEdge
2. cEdge redirects traffic to WAAS (AppNav)
3. WAAS optimizes traffic and returns to cEdge

[Diagram: WCM and vManage (REST); vSmart Controllers; two cEdges running AppNav-XE in VRF 1, connected across the WAN (Optimized), each with a WAE; steps 1 to 3 marked on the path]

Conclusion
• See DGTL-BRKCRS-2110 from CL Barcelona 2020 for SD-WAN fundamentals available at the on-demand library
• Key SD-WAN innovations since January 2020 are:
1. Cloud: Google Cloud, AWS TGW and Azure vWAN automation, SaaS
2. Unified Communication
3. Security: SSL proxy, Umbrella automation
4. Multicast
5. Infra: single image, CLI add-on templates, per tunnel QoS, AppNav

Thank you
