
Cloud-Ready WAN with Cisco Next-Gen SD-WAN for SaaS & IaaS

Chandra Balaji Rajaram
Hamzah Kardame
BRKCRS-2113
Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
BRKCRS-2113 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• SaaS Adoption & Challenges
• Optimize SaaS with SD-WAN Cloud onRamp
• Securing Cloud onRamp for SaaS
• Cloud onRamp for IaaS – Value Proposition
• Multicloud Designs
• Demo
• Conclusion

Setting the Stage
Connecting Users to Data Center was the Priority

[Diagram: users at the branch/campus reach applications in the Data Center over the WAN; Internet access is best effort]
Then the Way We Worked Changed

[Diagram: Devices & Things, Campus & Branch Users and Mobile Users connect over the WAN to the DC/Private Cloud]
Now…It’s a Multicloud World

[Diagram: Devices & Things, Campus & Branch Users and Mobile Users connect over the WAN to the DC/Private Cloud, IaaS and SaaS]
Enterprise Multi-Cloud Strategy
It’s a multicloud world

85% evaluating or using public cloud
87% have taken steps towards a hybrid cloud strategy
94% plan to use multiple clouds
Among cloud users
Source: IDC CloudView, April 2017, n=8,293 worldwide respondents, weighted by country, company size and industry
SaaS Challenges
SaaS Adoption & Key Challenges

SaaS Adoption: SaaS adoption in enterprise is growing at a higher than expected rate. SaaS adoption has grown by 29% in 2019.

Security: Enterprise customers highlighted security as a top roadblock for SaaS adoption. 30% of enterprise customers.

Performance: Enterprise customers highlighted application performance & latency as the second roadblock for SaaS adoption. 25% of enterprise customers.
How are customers accessing SaaS today

No DIA: Users have to back-haul for internet access
Single DIA: SaaS applications can take the DIA path from branch
Dual DIA: Dual DIA paths for SaaS, providing additional bandwidth and availability
Optimize SaaS with No DIA

SD-WAN leverages the best path for the SaaS cloud from branch to DC, measured on
o Loss
o Jitter
o Delay

[Diagram: branch connects to the Datacenter over MPLS, INET and 4G; the Datacenter reaches the SaaS cloud through its ISP]

Sub-optimal to address performance issues from DC to SaaS cloud
Cloud onRamp for SaaS
Evolutionary SaaS Cloud Adoption with SD-WAN

Problems:
o Which way is cloud?
o Performance?
o Security?

[Diagram: Remote Site connected over SD-WAN to the Data Center and a CoLo]
Cloud onRamp for SaaS

[Diagram: cycle for an Optimal SaaS Experience: Identify Sites → Discover Cloud Applications → Determine Performance → Route Traffic → Report on QoE metric]
How does it work?

1. The configured WAN Edge router uses the DNS address defined in VPN0 to send a DNS request for the pre-configured SaaS application.
2. HTTP ping packets are sent to probe SaaS performance (loss/latency) across all Internet egress points. A Quality of Experience score is then calculated.
3. DNS requests are duplicated across all available Internet egress points or Gateway sites.

[Diagram: DNS and HTTP probes are sent out via ISP1 and ISP2; ISP1 scores 10, ISP2 scores 8]
Optimize SaaS with Cloud onRamp
Dual DIA

o Monitors the SD-WAN Edge to SaaS performance (loss/latency) on both the DIA paths
o Picks the best performing path based on the performance metrics (loss & delay)

[Diagram: Remote Site with DIA via ISP1 and ISP2 and MPLS/INET/4G to the Datacenter; the best performing ISP path is chosen]
Optimize SaaS with Cloud onRamp
Single DIA

o One of the recommended designs for SaaS deployments
o Continuously monitors the SD-WAN Edge to SaaS performance (loss/latency) on both the DIA path and the back-haul path
o Picks the best performing path based on the performance metrics (loss & delay)

[Diagram: Remote Site with DIA via ISP1 and a back-haul path over MPLS/INET/4G to a Regional Hub that reaches SaaS via ISP2; the best performing path is chosen]
Quality Probing

[Screenshots: quality probing for Dual DIA and Single DIA]
vQoE Scores

Dual DIA
App   Path         Score
O365  ISP1 (DIA)   10
O365  ISP2 (DIA)   8

Single DIA
App   Path         Score
O365  ISP1 (DIA)   9
O365  Via Gateway  4
DNS Resolution

[Screenshots: DNS resolution for Dual DIA and Single DIA]
Path Selection – first flow

[Screenshots: path selection for the first flow, Dual DIA and Single DIA]
Path Selection – subsequent flow

[Screenshots: path selection for subsequent flows, Dual DIA and Single DIA]
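As an added illustration (not Cisco's code or scoring formula), the probe-and-score logic the preceding slides describe, simulated in Python: each egress resolves the SaaS hostname itself, HTTP probes yield loss and latency, an assumed linear 0-10 scoring maps them to a vQoE-style score, and the best path is chosen with hysteresis so subsequent flows do not flap between egresses. The thresholds, hysteresis value, addresses and probe timings are constructed assumptions.

```python
# Added example, not Cisco's code: simulates Cloud onRamp for SaaS path scoring.
# Assumption: the 0-10 vQoE score is derived from probe loss and latency using the
# thresholds below; Cisco's real scoring formula is not given on the slides.
from dataclasses import dataclass
from statistics import mean

@dataclass
class Probe:
    path: str            # egress name, e.g. "ISP1 (DIA)" or "Via Gateway"
    resolved_ip: str     # answer to the DNS query sent out of this egress
    rtts_ms: list        # HTTP probe round-trip times; None marks a lost probe

@dataclass
class PathResult:
    path: str
    resolved_ip: str
    loss_pct: float
    latency_ms: float
    score: int

MAX_LOSS_PCT = 20.0     # assumed: at this loss the loss component scores 0
MAX_LATENCY_MS = 300.0  # assumed: at this latency the latency component scores 0
def score_path(probe):
    """Reduce raw HTTP probes to loss %, mean latency and a 0-10 score."""
    lost = sum(1 for r in probe.rtts_ms if r is None)
    loss_pct = 100.0 * lost / len(probe.rtts_ms)
    good = [r for r in probe.rtts_ms if r is not None]
    latency_ms = mean(good) if good else MAX_LATENCY_MS
    # Assumed scoring: loss and latency each contribute up to 5 points, linearly.
    loss_part = 5 * max(0.0, 1 - loss_pct / MAX_LOSS_PCT)
    lat_part = 5 * max(0.0, 1 - latency_ms / MAX_LATENCY_MS)
    return PathResult(probe.path, probe.resolved_ip, loss_pct, latency_ms,
                      round(loss_part + lat_part))

def select_path(probes, current=None, hysteresis=2):
    """Pick the best-scoring egress. A current choice is kept unless another path
    beats it by at least `hysteresis` points, so subsequent flows do not flap.
    The winner carries its own resolved IP: each egress may get a different answer."""
    results = {r.path: r for r in map(score_path, probes)}
    best = max(results.values(), key=lambda r: r.score)
    if current in results and best.score - results[current].score < hysteresis:
        return results[current], results
    return best, results
# Constructed probe data for the dual-DIA and single-DIA (gateway) branches on the slides.
SAMPLE_PROBES = {
    "dual_dia": [
        Probe("ISP1 (DIA)", "203.0.113.10", [18, 20, 22, 20, 21, 19, 20, 22, 18, 20]),
        Probe("ISP2 (DIA)", "198.51.100.7", [90, 95, None, 100, 92, 88, 97, 91, 94, 93]),
    ],
    "single_dia": [
        Probe("ISP1 (DIA)", "203.0.113.10", [18, 20, 22, 20, 21, 19, 20, 22, 18, 20]),
        Probe("Via Gateway", "203.0.113.25", [154, 158, 156, 157, 155, 156, 156, 158, 154, 156]),
    ],
}
```

Calling `select_path(SAMPLE_PROBES["dual_dia"])` returns the ISP1 result (score 10 against 6 for ISP2) together with the full per-path table; passing `current="ISP2 (DIA)"` with a large `hysteresis` keeps the existing egress instead.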
Securing Cloud onRamp for SaaS
Cloud onRamp for CoLo
Service Chains

[Diagram: employees at a Remote Site (DIA) reach the Internet directly, while traffic via the Regional Hub/CoLo (Gateway) passes a service chain of Firewall, IPS, AMP+TG, DNS/web layer security and Firewall before reaching the SaaS Applications; vManage manages the SD-WAN]
Cloud onRamp for SaaS
Configuration

Pre-requisites for Cloud onRamp for SaaS

o Enable Cloud onRamp for SaaS under vManage > Administration > Settings.
o Enable NAT under the DIA interface of the SD-WAN Edge router using a Feature Template.
o Configure the DNS Server IP address under the Transport VPN (VPN 0) of the SD-WAN Edge router using a feature template.
Configuring Cloud onRamp for SaaS in 3 steps

1. Select SaaS Applications and VPNs

2. Identify the DIA sites

3. Identify sites that will be used as Gateways (Optional)

Monitor SaaS performance

[Dashboard: Sites Experiencing Bad Quality, Sites Experiencing Average Quality, Sites Experiencing Good Quality]
Cloud onRamp for SaaS
Demo
Demonstration Setup

[Diagram: a Sydney branch with Cloud onRamp for SaaS downloads a file; the Best Performing Path goes via the Sydney PoP, the Sub-Optimal Path goes via the DC and the Mumbai PoP. Dramatic improvement in download speed!]

Demonstration
Cloud onRamp for IaaS
What is it?

• Extends full SD-WAN capabilities into the cloud
• Extends a common policy framework across SD-WAN fabric and cloud
• Managed via vManage just like any other router

[Diagram: Branch, Data Center and Campus connect over MPLS, INET and 4G to a Gateway VPC/VNET that fronts the Host VPCs/VNETs]

Securely extending the SD-WAN fabric into the Cloud Service Provider
Traditional Cloud Data Center Access
• Dependent on MPLS for private cloud Data Centers
• No direct access to public cloud Data Centers
• No consistent segmentation and QoS policies

Note: Tunnels from remote sites not feasible

[Diagram: Remote Sites reach the Private Cloud Data Center over MPLS; the Private Cloud Data Center and a CoLo/CNF reach Public Cloud Data Centers (VPCs and VNETs) over IPsec, Azure ExpressRoute and AWS Direct Connect]
Challenges with Hybrid Cloud Today
1. Branch to cloud connectivity through DC.
2. Complexity in maintaining p2p IPSec tunnels.
3. No transport resiliency and App visibility in cloud.
4. Heterogeneous branch and cloud solutions.
5. Connectivity between regions and multiple clouds.

[Diagram: branches reach IaaS instances in Public Cloud Provider 1 (Region 1 and Region 2) and Public Cloud Provider 2 (Region 1) only via the DC over MPLS/Internet, with a VPN GW in front of each cloud region]
Cloud onRamp IaaS: Value Proposition
1. Direct branch to cloud instances connectivity
2. One SDWAN fabric to manage & connect all end-points
3. Resilient & hybrid access from cloud
4. Application steering
5. Multi-cloud solution

[Diagram: branches and DC connect over MPLS and Internet directly to SDWAN GWs in Public Cloud Provider 1 (Region 1 and Region 2) and Public Cloud Provider 2 (Region 1), which front the IaaS instances]
Cisco SDWAN Cloud onRamp for IaaS
Public Cloud (AWS & Azure) connectivity solution consumable through the vManage platform

1. Public cloud credentials added along with other information to instantiate vEdge GWs
2. vManage invokes instantiation of Cloud Edge instances and adds routers to overlay
3. IaaS instances mapped to VPNs in the SDWAN overlay
4. Instances automatically added and reachable through the SDWAN overlay

[Diagram: Branch and DC reach IaaS instances in Public Cloud Provider 1 Region 1 via a Cloud GW over MPLS/Internet, orchestrated from the vManage platform]
MultiCloud onRamp for IaaS - Explained

[Diagram: in an AWS Region, Host VPCs (AZ1/AZ2) connect through a VGW with Standard IPSec + BGP (2x) to a Gateway VPC holding a pair of WAN Edges; in an Azure Region, Host VNETs (AS1/AS2) connect through a VPN GW with Standard IPSec + BGP (2x) to a Gateway VNET holding a pair of WAN Edges. On the WAN Edges BGP is exchanged with OMP (BGP <-> OMP), and the gateways join the SD-WAN fabric over INET, MPLS, AWS Direct Connect or Azure ExpressRoute, all managed by vManage]
Segmentation and Optimal Topology
• End-to-end segmentation across public and private Data Centers
• Optimal application topology for best performance

[Diagram: UC (VPN1), Finance (VPN2) and HR (VPN3) segments are carried over SD-WAN from the Data Center through the Gateway VPC into separate host VPCs holding Finance Resources and HR Resources]
Multicloud Designs
Integrating with AWS Transit Gateway

[Diagram: Branch, Campus and DC build automated IKE-IPsec tunnels over Internet/Direct Connect to a Transit Gateway that attaches the VPCs]

Pros:
o Automated provisioning through vManage (CoR-IaaS)*
o Lower cost compared to the Transit VPC design
o More BW available per site (~1.25 Gbps per tunnel)
o HA support for IKE-IPSec tunnels

Cons:
o Potential sub-optimal path from Branch to TGW due to lack of dynamic path selection based on performance
o End-to-end WAN segmentation not preserved
o Operational overhead: need to monitor individual tunnels from all the branches to TGW

*Coming soon
Integrating with AWS Transit Gateway

[Diagram: SD-WAN Edge routers in an SD-WAN VPC connect to the Transit Gateway through a VPN Attachment (S2S IPsec Tunnels); Branch, Campus and Data Center reach it over the SD-WAN fabric with SD-WAN last mile optimization]

Pros:
o Extend SD-WAN up to TGW
  • vManage automation*
  • Apply uniform business intent via SD-WAN policies all the way into the cloud
  • Extend existing network segmentation into the cloud
o Optimized routing and path selection
o Lower operational overhead
o DPI and flow visibility, up to the cloud
o Leverage SD-WAN for HA architecture

Cons:
o Higher cost, requiring a pair of redundant SD-WAN Edge routers in each AWS region
o S2S VPN tunnel limits to ~1.25 Gbps
  • Mitigate via multiple VPN tunnels and leverage ECMP

*Coming soon
Integrating with AWS Transit Gateway

[Diagram: the SD-WAN VPC is connected to the Transit Gateway as a VPC Attachment; Branch, Campus and Data Center reach it over the SD-WAN fabric with SD-WAN last mile optimization]

Pros:
o Higher single connection bandwidth
  • Terminating SD-WAN VPC to AWS Transit Gateway as a VPC attachment eliminates the 1.25 Gbps limitation
o Saves the cost associated with AWS S2S VPN connections

Cons:
o Loss of dynamic routing support via BGP
  • Routes in AWS Transit Gateway will need to be statically defined.
o Addition/removal of an SD-WAN router (scaling out or failover scenarios) implies need for changes within the TGW routing table
o Connection between the SD-WAN VPC and AWS Transit Gateway is unencrypted
Integrating with AWS Transit Gateway

[Diagram: a regional CoLo with high-speed connectivity to the cloud terminates S2S IPsec Tunnels to the Transit Gateway; Branch, Campus and Data Center reach the CoLo over the SD-WAN fabric with SD-WAN last mile optimization]

Pros:
o Regionalized CoLo design benefits
  • Service Chain
  • Scale as you grow
  • High speed path to cloud
o Optimized routing and path selection to the cloud via DC CoLo
o Leverage SD-WAN for HA architecture

Cons:
o CoLo management overhead
o S2S VPN tunnel limits to ~1.25 Gbps
  • Mitigate via multiple VPN tunnels and leverage ECMP
Cisco SD-WAN integration with Microsoft vWAN
Deep integration between CSR SD-WAN and Azure Virtual WAN

[Diagram: Cisco SD-WAN End points in the vWAN hubs of Azure Region 1 and Region 2 join the Cisco SD-WAN fabric; Azure telemetry, Optics and troubleshooting & telemetry data are exchanged with Cisco vManage; branches connect through the fabric]

o CSR SD-WAN Endpoint in vWAN Hub
o Auto Peering with vWAN Hub
o Policy synced with vWAN and vManage
Cloud onRamp for IaaS
Demo

Cloud onRamp for IaaS in 72 Seconds

Cloud onRamp for IaaS
TGW Branch VPN Automation Demo

Cloud onRamp for IaaS
TGW SD-WAN GW Automation Demo
Cloud onRamp for SaaS - Summary

DNS resolution
Performance visibility
Path selection

An innovative way to identify the best path to SaaS applications
Cloud onRamp for IaaS - Summary

Direct branch to IaaS cloud connectivity, if desired
Consistent policy management for branch & cloud
Resilient and scalable access to cloud
Multicloud ready
SD-WAN Breakouts #CLEMEA

[Schedule slide of related SD-WAN breakout sessions]
BRKRST-2791 Building and using Policies with Cisco SD-WAN
BRKRST-2377 SD-WAN Security
BRKRST-2560 SD-WAN Machine Analytics, Machine Learnings and IA
BRKCRS-1579 SD-WAN Powered by Meraki
BRKRST-2096 SD-WAN Proof Of Concept
BRKRST-2095 SD-WAN Routing Migration
BRKRST-2093 Deploy, monitor and troubleshoot
BRKRST-2091 ENFV Architecture, Configuration and troubleshooting
BRKRST-2041 SD-WAN Datacenter and Branch Integration Design
BRKARC-2012 WAN Architecture and Design Principal
BRKRST-2559 3 Steps to design SD-WAN On Prem
BRKCRS-2110 Delivering Cisco Next gen SD-WAN with Viptela
BRKRST-3404 How to choose the correct branch device
BRKRST-2097 Conquer the Cloud with SD-WAN
BRKOPS-2826 SD-WAN as Managed Services
BRKCRS-2113 Cloud Ready WAN for IaaS and SaaS with Cisco SD-WAN
Keynote
Cisco Live Celebration

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education

Demos in the Cisco campus
Walk-in Labs
Meet the engineer 1:1 meetings
Related sessions
Showcase
Thank you
