Tech Talk For 23rd July
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Course Goal
The goal of this SD-WAN Migration Tech Talk is to discuss a few specific scenarios of migrating to the SD-WAN Fabric.
To fully utilize this training
To fully utilize this training we recommend having prior knowledge of SD-WAN components and their functionality; you can go through the SD-WAN fundamentals prior to this session.
Agenda
• Chapter 2: Introduction to SD-WAN
• Chapter 3: SD-WAN Architecture
• Chapter 4: Sastre tool for creating Template and policies with Demo
• Chapter 5: Changing vSmart mode from CLI to vManage mode with Demo
• Chapter 6: Data center device bring up with Demo
• Chapter 7: Branch site bring up with Demo
• Chapter 8: DIA site bring up with Demo
• Chapter 9: cEdge device bring up with Demo
• Chapter 10: Application aware policy creation with Demo
Lab scenario
• LAB 1: TEMPLATE AND POLICY CREATION BY PYTHON SCRIPTS
• LAB 2: BRING VSMART TO VMANAGE MODE WITH TEMPLATE CUSTOMIZATION
• LAB 3: BRING UP VEDGE DEVICE IN DC
• LAB 4: BRING UP SITE 1 DEVICES
• LAB 5: CONFIGURE DIA FOR SITE 2
• LAB 6: CONFIGURE CEDGES FOR SITE 3
• LAB 7: CREATING APPLICATION AWARE ROUTING
Chapter 2
Introduction to SD-WAN
2.0 Intro to SD-WAN
Lesson 2.1
Why SD-WAN?
Traditional WAN
[Diagram: sites X and Y, each with its own CE router (CE1, CE2) and management station (Management Station 1, Management Station 2), connected over the Internet (1 Mbps) and the WAN (10 Mbps)]
Traditional WAN Challenges
• Complex Operations Challenges
• Security Challenges
What is Software Defined ”Networking”?
The Need for Software-Defined and Unified Networking
Ease Integration
Cisco DNA
[Diagram: Cisco DNA Center (multi-tenant, cloud-delivered, rich analytics, network automation) spanning USERS, DEVICES, THINGS and APPs: SDA Fabric, SDWAN, Cloud OnRamp, ACI DC Fabric, IoT, IaaS and SaaS]
SD-WAN vs DNA vs SDN
• SDN: Foundation Architecture; decouples network control and forwarding functions
• Cisco DNA: Architecture for Digital Transformation
• SD-WAN: Foundation of Enterprise WAN
Lesson 2.2
SD-WAN Features
Enterprise Grade Capabilities with Reduced Cost and Complexity for Agile IT
[Diagram: Branch connected over MPLS, Internet and 3G/4G-LTE to Private Cloud, Colocation and Public Cloud]
• Leverage local Internet path for public cloud and Internet access
• Secure VPN for private and virtual public cloud access
APPLICATION VISIBILITY
[Diagram labels: Transport Type (4G/LTE, Broadband), SLA, Cloud, Service Chain, Local/Remote Breakout]
REDUCE RISK
Secure Segmentation
[Diagram: end-to-end segmentation. vEdge Cloud Router in the Cloud Data Center, Corporate Data Center, Small Office and Home Office sites connected over Internet, MPLS and 4G/LTE; IPSec tunnels carry VPN 1, VPN 2, VPN 3 and VPN 4 end to end; Cloud Security attached to the fabric]
REDUCE COMPLEXITY
Service Based Traffic Engineering
[Diagram: a branch sends UDP/5001 and UDP/5002 over MPLS toward a Regional DC hosting a VNF (Firewall); the firewall allows UDP/5001 and denies UDP/5002]
• Wasted Bandwidth
• Firewall service is inserted into the overlay topology
• Security policy is enforced
BETTER USER EXPERIENCE
[Diagram: Cloud Applications and Cloud Data Center reached from Data Center, Small Office and Home Office sites through the secure SD-WAN Fabric]
• Secure and resilient IaaS cloud-networking
• Optimized SaaS access and performance visibility from all branches (Cloud onRamp)
Simplify WAN Management
Single Pane Of Glass Operations, Rich Analytics
• Cloud-first management and orchestration
• Zero-touch provisioning
[Diagram: Management/Orchestration Plane: vManage (Power Tools, APIs, 3rd Party, vAnalytics, Automation); Control Plane: vBond and vSmart Controllers; Data Plane: vEdge Routers over MPLS, 4G and INET connecting Cloud, Data Center, Campus, Branch and SOHO]
Cisco SD-WAN Integration Plan
Phase 1: No Integration
• Deployment Scenarios: Support and scale current customer commitments
• Management: vManage
Phase 2: Platform Integration
• Deployment Scenarios: Viptela SD-WAN on strategic Cisco platforms (ISR, CSR, ENCS, ASR1K)
• Management: vManage for SD-WAN capabilities on IOS-XE
Phase 3: Management Integration
• Deployment Scenarios: Deliver end-to-end experience with full DNA integration
• Management: Full DNA Center capabilities (Assurance, Integrated workflows for SD-Access and SD-WAN)
SD-WAN is surely the way ahead
Chapter 3
SD-WAN Architecture
3.0 SD-WAN Architecture
Lesson 3.1
Topology
Topology
SD-WAN Fabric
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. For Channel Partner use only. Not for public distribution. 31
Lesson 3.2
Architecture
Cisco SD-WAN Architecture
• Management Plane (Multi-tenant or Dedicated): vManage (MANAGEMENT, ANALYTICS)
• Control Plane (Containers or VMs): vSmart, vBond (CONTROL)
• Data Plane (Physical or Virtual): SD-WAN Router over INTERNET, MPLS and 4G at Cloud, Data Center, Campus, Branch and Home Office
Sequence of Migration
vManage
vSmart
vBond
Planning the Migration
Time & Effort Expended
On Existing Network
On SD-WAN Routers
Factors to consider before Migration
Controller Deployment Options
Cisco Hosted
Chapter 4
Tool to create policies and Template
4.0 Sastre tool to create policies and Templates
Lesson 4.1
Automation Tool
Tool for Policy creation
Introduction
API driven Architecture
Lesson 4.2
How to use
The tool is very simple to use and helps save time; let's go to a quick lab exercise demo.
Lab 1
Demo
Nice demo
Chapter 5
Changing Mode of SD-WAN components
5.0 Changing vSmart mode from CLI to vManage mode
Lesson 5.1
Different modes of SD-WAN components
We can configure SD-WAN components in CLI mode as well as in vManage mode, where we can use templates and policies.
Lesson 5.2
How to configure different modes
We can change the mode of a device by associating a template with the device. Let's see that in
Lab 2
Demo
Good to know!
Chapter 6
Data center device bring up
6.0 Data center device bring up
Lesson 6.1
DC /Hub Migration
Migrating at the Datacenter
• SD-WAN to non-SDWAN interoperability
[Diagram: a Non-SDWAN Remote Office Site reaches the DC over MPLS; SD-WAN sites reach it over the Internet through the SD-WAN Fabric. At the DC, behind the Perimeter Firewall, the CE Router and the SD-WAN router each have VPN0 toward the transports and VPN1 toward the Core Switches. Labels: DC/non-SDWAN prefixes (OMP), SD-WAN prefixes (OMP), Non-SDWAN prefixes (OSPF/BGP), DC/SDWAN prefixes (OSPF/BGP), OMP-to-BGP/OSPF; SD-WAN Traffic vs Non-SDWAN Traffic]
Migrating at the Datacenter
Routing at the Edge
• To Non-SDWAN/Legacy sites → CE (Underlay)
• To SD-WAN sites → SD-WAN Fabric
[Diagram labels: Non-SDWAN + Local prefixes (OSPF/BGP), SD-WAN prefixes (BGP/OSPF); SD-WAN Traffic vs Non-SDWAN Traffic]
Lesson 6.2
How to configure device
Let's configure the Data center device in
Lab 3
Demo
Chapter 7
Branch site bring up
7.0 Branch site device bring up
Lesson 7.1
Branch Migration options
Branch Migration – Replace CE
Traditional Branch Deployment
[Diagram: Existing CE with Internet and MPLS transports; Active Path and Backup Path]
Branch Migration – Replace CE
SD-WAN to Legacy site communication via DC/Regional Hub
• Replace CE
[Diagram: DC/Remote Office and Legacy Sites]

Branch Migration – Replace CE
SD-WAN to Legacy site communication via underlay
• Replace CE
[Diagram: DC/Remote Office and Legacy Sites; SD-WAN Router with VPN0 (overlay) and VPN1 toward the LAN; CE (WAAS, UC, T1/E1) on VPN1; SD-WAN/non-SDWAN prefixes (OSPF/BGP) with OMP-to-BGP/OSPF; VRRP on the LAN; SD-WAN/non-SDWAN Traffic vs Non-SDWAN Traffic]
Branch Migration – Retain CE, Add SD-WAN
L2 : SD-WAN to Legacy site communication via underlay
• Return traffic from overlay is policy routed to Cisco Router for symmetric flow to services
[Diagram: DC/Remote Office and Legacy Sites reached over Internet and MPLS through the SD-WAN Fabric; at the branch the SD-WAN Router (VPN0 toward the transports, VPN1 toward the LAN) and the CE (WAAS, UC, T1/E1) share the LAN with VRRP; SD-WAN/non-SDWAN prefixes (OSPF/BGP) with OMP-to-BGP/OSPF; SD-WAN Traffic vs Non-SDWAN Traffic]
Branch Migration – Retain CE, Add SD-WAN
L3 : SD-WAN to Legacy site communication via DC/Regional Hub
[Diagram: SD-WAN Router and CE at the branch, INET and MPLS transports into the SD-WAN Fabric, DC/Remote Office on the far side]
• SD-WAN Router: SD-WAN + Non-SDWAN prefixes (OMP), OMP-to-BGP/OSPF
• CE: Non-SDWAN prefixes (BGP/OSPF)
• PREFERRED: [SD-WAN & Non-SDWAN prefixes] → SD-WAN Router, [Non-SDWAN prefixes] → CE
• SD-WAN Traffic vs Non-SDWAN Traffic
Branch Migration – Retain CE, Add SD-WAN
L3 : SD-WAN to Legacy site communication via Underlay
[Diagram: SD-WAN Router and CE at the branch, INET and MPLS transports into the SD-WAN Fabric, DC/Remote Office on the far side]
• SD-WAN Router: OMP-to-BGP/OSPF
• CE: Non-SDWAN prefixes (BGP/OSPF)
• SD-WAN Traffic vs Non-SDWAN Traffic
Extended Transports – TLOC Extensions
• Each vEdge router is connected to a given transport
• SD-WAN tunnels are built through local and remote transports
TLOC Extension Configuration Example
[Diagram: vedge-51 (ge0/0 100.65.51.1 toward MPLS, ge0/1 100.5.5.51/24 LAN, ge0/2 10.5.51.51/24, ge0/3 10.5.52.51/24) and vedge-52 (ge0/0 DHCP toward INET, ge0/1 100.5.5.52/24 LAN, ge0/2 10.5.51.52/24, ge0/3 10.5.52.52/24); ge0/2 and ge0/3 are cross-connected between the two routers]

vedge-51:
vpn 0
 interface ge0/0
  description MPLS tunnel
  ip address 100.65.51.1/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
  !
 !
 interface ge0/2
  description INET tunnel
  ip address 10.5.51.51/24
  tunnel-interface
   encapsulation ipsec preference 100
   color biz-internet restrict
   max-control-connections 1
  !
 !
 interface ge0/3
  ip address 10.5.52.51/24
  tloc-extension ge0/0
  no shutdown
 !
 ip route 0.0.0.0/0 100.65.51.2
 ip route 0.0.0.0/0 10.5.51.52

vedge-52:
vpn 0
 interface ge0/0
  description INET tunnel
  ip dhcp-client
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet restrict
  !
 !
 interface ge0/2
  ip address 10.5.51.52/24
  tloc-extension ge0/0
  no shutdown
 !
 interface ge0/3
  description MPLS tunnel
  ip address 10.5.52.52/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 1
  !
 !
 ip route 0.0.0.0/0 10.5.52.51

Add a route to reach the vedge-52 MPLS tunnel end-point via vedge-51:
 ip route 10.5.52.52/32 100.65.51.1
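A consistency check for the TLOC extension wiring above, added here as an illustration (it is not a Cisco or vManage tool): the two routers' vpn 0 interfaces and static routes are transcribed into Python dictionaries (a data model assumed for this example), and the check verifies that each tloc-extension interface extends a real tunnel-interface, that the neighbour has a tunnel of the same color in the extension subnet with its default route pointing back at the extension interface, and that the neighbour's tunnel carries max-control-connections 1 as on the slide.

```python
import ipaddress

# vpn 0 interfaces and static routes of both vEdges, transcribed from the slide.
# "color" marks a tunnel-interface; "tloc_extension" names the WAN interface it extends.
VEDGE51 = {
    "name": "vedge-51",
    "interfaces": {
        "ge0/0": {"ip": "100.65.51.1/30", "color": "mpls"},
        "ge0/2": {"ip": "10.5.51.51/24", "color": "biz-internet", "max_ctrl": 1},
        "ge0/3": {"ip": "10.5.52.51/24", "tloc_extension": "ge0/0"},
    },
    "routes": [("0.0.0.0/0", "100.65.51.2"), ("0.0.0.0/0", "10.5.51.52")],
}
VEDGE52 = {
    "name": "vedge-52",
    "interfaces": {
        "ge0/0": {"ip": None, "color": "biz-internet"},  # address comes from DHCP
        "ge0/2": {"ip": "10.5.51.52/24", "tloc_extension": "ge0/0"},
        "ge0/3": {"ip": "10.5.52.52/24", "color": "mpls", "max_ctrl": 1},
    },
    "routes": [("0.0.0.0/0", "10.5.52.51")],
}

def check_tloc_extension(local, peer):
    """Validate every tloc-extension interface on `local` against `peer`.

    Returns a list of findings; an empty list means the extension is consistent.
    """
    findings = []
    for name, intf in local["interfaces"].items():
        ext = intf.get("tloc_extension")
        if ext is None:
            continue
        ext_ip = ipaddress.ip_interface(intf["ip"])
        wan = local["interfaces"].get(ext, {})
        if "color" not in wan:
            findings.append(f"{local['name']} {name}: {ext} is not a tunnel-interface")
            continue
        # The neighbour must terminate a tunnel of the same color inside the extension subnet.
        peer_tunnels = [
            (pn, pi) for pn, pi in peer["interfaces"].items()
            if pi.get("ip") and pi.get("color") == wan["color"]
            and ipaddress.ip_interface(pi["ip"]).ip in ext_ip.network
        ]
        if not peer_tunnels:
            findings.append(f"{local['name']} {name}: {peer['name']} has no "
                            f"{wan['color']} tunnel in {ext_ip.network}")
            continue
        pn, pi = peer_tunnels[0]
        # Transport traffic from the neighbour must be steered back through the extension.
        if ("0.0.0.0/0", str(ext_ip.ip)) not in peer["routes"]:
            findings.append(f"{peer['name']} {pn}: missing default route via {ext_ip.ip}")
        if pi.get("max_ctrl") != 1:
            findings.append(f"{peer['name']} {pn}: expected max-control-connections 1")
    return findings

def check_pair(a, b):
    """Run the check in both directions, since each router extends one transport to the other."""
    return check_tloc_extension(a, b) + check_tloc_extension(b, a)
```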
vManage config
Lesson 7.2
Branch Migration device config
Let's configure the Branch device in
Lab 4
Demo
Chapter 8
Branch site bring up with DIA
8.0 Remote site bring up with DIA
Lesson 8.1
Cloud on Ramp
Cloud Adoption
Cloud Ready WAN
[Diagram: Data Center and Remote Site joined by the SD-WAN Fabric over ISP1, ISP2 and MPLS; Branch and DC sites reach IaaS instances in Public Cloud Provider 1 (Region 2) through vEdge GWs over MPLS and Internet]
3. Resilient & hybrid access from cloud
4. Application steering
5. Multi-cloud solution
[Diagram: SOHO and Cloud Data Center over MPLS, 4G and INET; GRE/IPSEC Tunnels; DNS Redirection]
• Best suited for cloud SaaS applications
• Interoperates with Cloud onRamp for SaaS
• Augments native fabric security
• Can co-exist with on-premise L4-L7 security modes
• VPN segmentation
Let's configure the DIA in
Lab 5
Demo
Yehaa!
Chapter 9
cEdge Device bring up
9.0 cEdge configuration
Lesson 9.1
cEdge configuration
Let's configure cEdge devices via CLI in
Lab 6
Demo
Good to know!
Chapter 10
Application aware policy
10.0 Application aware policy configuration
Lesson 10.1
App aware policy
Application-Aware Routing Policy
Application-Aware Routing Policy Configuration
Step 1: Create a list of sites to which the application-aware routing policy is to be applied
policy
 lists
  site-list mySites
   site-id 100-200
  !
 !

Step 2: Create SLA classes and traffic characteristics to apply to matching application data traffic.
policy
 sla-class bulk-data-sla
  latency 150
 !
 sla-class critical-data-sla
  loss 5
  latency 150
 !
 sla-class voice-sla
  loss 1
  latency 100
  jitter 5
 !

Step 3: Create lists of applications, IP prefixes, and VPNs to use in identifying application traffic of interest (in the match section of the policy definition)
policy
 lists
  vpn-list myVPN
   vpn 10
  !
  data-prefix-list approute-Prefixes
   ip-prefix 10.1.0.0/16
  !
  app-list myApps
   app office365
   app salesforce
  !
 !
Application-Aware Routing Policy Configuration
Step 4: Within the policy, create one or more numbered sequences of match–action pairs
policy
 app-route-policy myApproutePolicy
  vpn-list myVPN
  sequence 10
   match
    app-list myApps
   !
   action
    sla-class critical-data-sla preferred-color mpls
   !
  !
  sequence 20
   match
    dscp 46
   !
   action
    sla-class voice-sla preferred-color gold
   !
  !
  sequence 30
   match
    destination-data-prefix-list approute-Prefixes
   !
   action
    sla-class bulk-data-sla preferred-color biz-internet
    backup-sla-preferred-color public-internet
   !
  !
  default-action sla-class bulk-data-sla
 !

Step 5: Apply the policy to a site list:
apply-policy
 site-list mySites
  app-route-policy myApproutePolicy
 !
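The path selection that myApproutePolicy above drives, worked through as an added Python example (not vSmart or vEdge code): it encodes the slide's lists, SLA classes and sequences and picks the transport color(s) for a flow from per-tunnel loss/latency/jitter measurements. The selection order (preferred color if it meets the SLA, otherwise any color meeting it, otherwise the backup-sla-preferred-color, otherwise all tunnels) follows the documented application-aware routing behaviour; the measurement dictionaries in the usage are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass

# SLA classes from the slide; each value is the maximum a tunnel may show
# (loss in percent, latency and jitter in milliseconds).
SLA_CLASSES = {
    "bulk-data-sla": {"latency": 150},
    "critical-data-sla": {"loss": 5, "latency": 150},
    "voice-sla": {"loss": 1, "latency": 100, "jitter": 5},
}
APP_LISTS = {"myApps": {"office365", "salesforce"}}
DATA_PREFIX_LISTS = {"approute-Prefixes": [ipaddress.ip_network("10.1.0.0/16")]}

@dataclass
class Flow:
    app: str = ""          # application name as classified by DPI
    dscp: int = 0
    dst: str = "0.0.0.0"   # destination IPv4 address

# Sequences of myApproutePolicy, evaluated top-down; the first match wins.
SEQUENCES = [
    {"seq": 10, "match": {"app-list": "myApps"},
     "sla": "critical-data-sla", "preferred": "mpls", "backup": None},
    {"seq": 20, "match": {"dscp": 46},
     "sla": "voice-sla", "preferred": "gold", "backup": None},
    {"seq": 30, "match": {"destination-data-prefix-list": "approute-Prefixes"},
     "sla": "bulk-data-sla", "preferred": "biz-internet", "backup": "public-internet"},
]
DEFAULT_ACTION = {"seq": None, "sla": "bulk-data-sla", "preferred": None, "backup": None}

def matches(flow, match):
    """True when every match condition of a sequence holds for the flow."""
    if "app-list" in match and flow.app not in APP_LISTS[match["app-list"]]:
        return False
    if "dscp" in match and flow.dscp != match["dscp"]:
        return False
    if "destination-data-prefix-list" in match:
        nets = DATA_PREFIX_LISTS[match["destination-data-prefix-list"]]
        if not any(ipaddress.ip_address(flow.dst) in n for n in nets):
            return False
    return True

def meets_sla(stats, sla):
    """A tunnel meets an SLA class when no measured value exceeds the class limit."""
    return all(stats.get(metric, 0) <= limit for metric, limit in SLA_CLASSES[sla].items())

def select_colors(flow, tunnel_stats):
    """Return the sorted list of colors the flow may be forwarded on.

    tunnel_stats maps a TLOC color to its latest BFD measurements, e.g.
    {"mpls": {"loss": 0, "latency": 40, "jitter": 2}}.
    """
    action = next((s for s in SEQUENCES if matches(flow, s["match"])), DEFAULT_ACTION)
    ok = sorted(c for c, st in tunnel_stats.items() if meets_sla(st, action["sla"]))
    if action["preferred"] in ok:
        return [action["preferred"]]      # preferred color is within SLA: pin to it
    if ok:
        return ok                          # otherwise any SLA-compliant color
    if action["backup"] in tunnel_stats:
        return [action["backup"]]          # no compliant color: backup color, SLA ignored
    return sorted(tunnel_stats)            # no backup either: load-share over all tunnels
```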
Lesson 10.2
App Aware Policy Configuration
Let's configure the Application aware policy in
Lab 7
Demo
Way to go!