TRANSCRIPT
Cloud-Ready WAN For IAAS & SaaS With Cisco’s Next-Gen SD-WAN
Sumanth Kakaraparthi – Product Leader SD-WAN
Manan Shah – Director Of Product Management
BRKCRS-2113
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#BRKCRS-2113
Cisco SD-WAN = Viptela
Session Objectives
By the end of this session you will learn how to address the challenges of SaaS and IaaS deployments. You will also learn how to configure, monitor and troubleshoot SaaS & IaaS use cases using Cisco SD-WAN software.
Agenda
• Introduction to Viptela design principles & architecture
• Challenges with SaaS deployments
• How to address these challenges with CloudExpress
• Key challenges with hybrid cloud deployments
• How to simplify hybrid cloud deployments with Cloud onRamp
Evolution of WAN (figure)
The WAN connects users, devices and things to apps in the DC, vDC, IaaS and SaaS; SD-WAN adds cloud-delivered analytics and new use cases.
Intent-based Network Infrastructure: DNA Center with policy, automation and analytics, built on intent, context, security and learning.
Transport Independent WAN Fabric:
• Cloud delivered WAN with operational simplicity & analytics
• End-point flexibility: physical or virtual; rich services or lite; branch, aggregation, cloud
• Superior security architecture, cloud based & on-prem
• Application QoE
Cisco SD-WAN: Components (figure)
Orchestration plane: vBond (on-boarding, life cycle management)
Management plane (multi-tenant or dedicated): vManage
Control plane (containers or VMs): vSmart (policy, security, routing)
Data plane (physical or virtual): vEdge, ISR4k, ASR1k and ENCS at data center, campus, branch and home office sites, over 4G, Internet and MPLS transports
Also shown: vOrchestrator, vMonitor and the API (orchestration, analytics, management)
SaaS Adoption & Key Challenges
SaaS adoption: SaaS adoption in the enterprise is growing at a higher than expected rate; SaaS spend in 2018 will grow by 21%.
Security: enterprise customers highlighted security as the top roadblock for SaaS adoption (30% of enterprise customers).
Performance: enterprise customers highlighted application performance & latency as the second roadblock for SaaS adoption (25% of enterprise customers).
How are customers accessing SaaS today
No DIA (direct internet access): users have to back-haul to the data center for internet access.
Single DIA: SaaS applications can take the DIA path from the branch.
Dual DIA: dual DIA paths for SaaS, providing additional bandwidth and availability.
Optimize SaaS with SD-WAN for No DIA
SD-WAN solutions can leverage the best path for SaaS from the branch to the data center based on performance metrics such as loss, jitter and delay.
This is only a partial optimization, as it does not address the performance issues from the data center to the SaaS application.
(figure: remote site with MPLS, 4G and INET transports to the regional hub; the best performing transport is selected to the hub, which then exits to the SaaS application via ISP2)
What is CloudExpress?
CloudExpress is Cisco's SD-WAN capability which delivers the best application experience for SaaS applications.
Optimize SaaS with CloudExpress for dual DIA
One of the recommended designs for vQoE deployments.
CloudExpress continuously monitors the edge-to-SaaS performance on both DIA paths.
CloudExpress picks the best performing path based on the performance metrics (jitter, loss & delay).
(figure: remote site with ISP1 and ISP2 DIA circuits; ISP1 shows loss/latency, ISP2 is best performing; MPLS and 4G connect the remote site to the regional hub)
How does CloudExpress work for SaaS
Three steps: DNS resolution, performance visibility and path selection.
Performance visibility for dual DIA
DNS servers are defined in VPN 0; the vEdge performs DNS resolution for the configured SaaS application on each DIA circuit.
The vEdge router initiates periodic HTTP pings toward the configured Cloud onRamp SaaS application on each DIA circuit.
The vEdge router determines the best performing DIA circuit based on the loss and latency characteristics reported by the HTTP pings.
(figure: vEdge router at the remote site with one interface to ISP1 and one to ISP2, resolving via the VPN 0 DNS server(s) and probing the SaaS application over each circuit)
SaaS applications & vQoE scores
The vQoE value ranges from 0 to 10, with 0 being the worst quality and 10 being the best.
vQoE = (desired metrics / actual metrics) * 10
A vQoE score is computed per remote site, per application and per path.
DNS resolution for dual DIA
The host performs DNS resolution for SaaS apps; the vEdge router DPI engine intercepts the user's DNS query.
If the host DNS query is for a SaaS application, the vEdge router forwards it to the DNS server defined under VPN 0 over the best performing DIA circuit, overriding the user's DNS settings.
DNS queries for non-SaaS applications are forwarded according to the routing table; the user's DNS settings are preserved.
(figure: the host's query for Salesforce.com is intercepted by DPI and sent to the VPN 0 DNS server(s) over ISP1 or ISP2, whichever is best performing; the query for Cisco.com follows the routing table; MPLS, 4G and INET transports are also shown)
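The interception step above, as an added Python example that is not part of the deck or of Cisco's software: it parses the question name out of a host's DNS query, matches it against a configured SaaS domain list and decides whether the query is redirected to the VPN 0 resolver over the best performing DIA circuit or forwarded according to the routing table. The domain list, the VPN 0 DNS server address, the per-circuit scores and the sample queries are all constructed for the example. The practical consequence of the override is worth checking in a deployment: for SaaS names the resolver the host configured is bypassed, so the DNS server defined under VPN 0 must be one you trust, because its answers decide where SaaS traffic goes.

```python
import struct

# Constructed example configuration (assumed, not from the deck): the SaaS
# domains CloudExpress is enabled for, the DNS server configured under VPN 0,
# and the current per-circuit scores from the HTTP-ping probes (higher is better).
SAAS_DOMAINS = ("office.com", "outlook.com", "salesforce.com")
VPN0_DNS_SERVER = "198.51.100.53"
CIRCUIT_SCORES = {"ISP1": 6.2, "ISP2": 8.9}


def build_dns_query(qname, txid=0x1234):
    """Build a minimal DNS query (one question, type A, class IN).

    Only used here to construct sample input; a real vEdge sees the host's packet.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(packet):
    """Return the first question name from a DNS packet, lower-cased.

    Raises ValueError on anything malformed. A host's query never uses name
    compression, so a compression pointer in the question is rejected too.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def is_saas_name(qname, saas_domains=SAAS_DOMAINS):
    """Suffix match on the configured domains: login.salesforce.com matches,
    notsalesforce.com does not."""
    return any(qname == d or qname.endswith("." + d) for d in saas_domains)


def best_circuit(scores=CIRCUIT_SCORES):
    return max(scores, key=scores.get)


def classify_dns_query(packet, saas_domains=SAAS_DOMAINS,
                       scores=CIRCUIT_SCORES, vpn0_dns=VPN0_DNS_SERVER):
    """Decide what the vEdge does with an intercepted host DNS query.

    SaaS names are redirected to the VPN 0 resolver over the best performing
    DIA circuit (the host's own resolver setting is ignored); everything else
    is forwarded unchanged according to the routing table.
    """
    qname = parse_qname(packet)
    if is_saas_name(qname, saas_domains):
        return {"qname": qname, "action": "redirect-to-vpn0-dns",
                "resolver": vpn0_dns, "circuit": best_circuit(scores)}
    return {"qname": qname, "action": "forward-per-routing-table",
            "resolver": "host-configured", "circuit": None}


if __name__ == "__main__":
    for name in ("login.salesforce.com", "www.cisco.com"):
        print(classify_dns_query(build_dns_query(name)))
```

Only the question name is inspected; the rest of the packet is relayed as-is, which is why a malformed query is rejected rather than guessed at.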
Path selection – first flow
The vEdge router may choose a sub-performing DIA circuit for the initial application flow, as the vEdge DPI engine has not yet identified the SaaS application.
The initial application flow is not rerouted, even if it is using the sub-optimal DIA circuit, as a NAT change would break the TCP flow.
(figure: first flow (1) for O365 from Host A is classified as Unknown by DPI and leaves via NAT1 on ISP1, while ISP2 (NAT2) is the best performing circuit; the AppQoE score is shown per path)
Path selection – subsequent flow
Once the vEdge router DPI engine identifies the cloud SaaS application, the cache table is populated and all subsequent application flows are routed over the best performing DIA circuit, overriding the routing decision.
If the performance of ISP2 degrades and ISP1 gets better, existing flows continue on the current path, as a NAT change would break the TCP flow.
New flows will select ISP1, as the AppQoE score is better on ISP1.
(figure: subsequent flows (2) for O365 from Host B match the cache table entry dstIP/dstPort -> SaaS App (ISP1 IF) and leave via NAT1 on ISP1; NAT2 on ISP2 is the other exit)
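A worked model of the vQoE scoring and of the first-flow / subsequent-flow behaviour described on the two path-selection slides above, as an added Python example that is not the deck's or Cisco's code. The metric values, the desired SLA targets and the O365 address are constructed; combining loss and latency as the worse of the two desired/actual ratios is an assumption, since the deck states the formula only as desired / actual * 10. The flow table pins each flow to the circuit it started on, which is what keeps a NAT binding from changing mid-connection.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    loss_pct: float
    latency_ms: float


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def vqoe(desired, actual):
    """vQoE = desired / actual * 10, clamped to the 0..10 range of the deck.

    Assumption: loss and latency are combined by taking the worse (smaller)
    of the two ratios; a metric already within target contributes a ratio of 1.
    """
    ratios = []
    for want, got in ((desired.loss_pct, actual.loss_pct),
                      (desired.latency_ms, actual.latency_ms)):
        ratios.append(1.0 if got <= want else want / got)
    return round(10 * min(ratios), 1)


class CloudExpressSelector:
    """Per-application path selection for a dual-DIA vEdge (simplified model)."""

    def __init__(self, desired, circuits):
        self.desired = desired
        self.scores = {}
        self.app_cache = {}   # (dst_ip, dst_port) -> app, filled once DPI identifies the SaaS app
        self.flow_table = {}  # Flow -> circuit, pinned for the life of the flow (NAT binding)
        self.update_metrics(circuits)

    def update_metrics(self, circuits):
        """Recompute per-circuit vQoE; existing flows are deliberately left alone."""
        self.scores = {name: vqoe(self.desired, m) for name, m in circuits.items()}

    def best_circuit(self):
        return max(self.scores, key=self.scores.get)

    def route(self, flow, routing_table_choice):
        """Return the circuit for a packet of `flow`.

        Existing flow: stay put. New flow to a cached SaaS destination: override
        the routing table with the best performing circuit. New flow to an
        unknown destination (DPI has not classified it yet): follow the routing table.
        """
        if flow in self.flow_table:
            return self.flow_table[flow]
        if (flow.dst_ip, flow.dst_port) in self.app_cache:
            circuit = self.best_circuit()
        else:
            circuit = routing_table_choice
        self.flow_table[flow] = circuit
        return circuit

    def dpi_identified(self, flow, app):
        """DPI classifies the app mid-flow: populate the cache, do not reroute the flow."""
        self.app_cache[(flow.dst_ip, flow.dst_port)] = app
        return self.flow_table.get(flow)


def run_scenario():
    """Replay the deck's O365 sequence; returns the circuit chosen at each step."""
    desired = Metrics(loss_pct=1.0, latency_ms=50.0)       # constructed SLA targets
    sel = CloudExpressSelector(desired, {
        "ISP1": Metrics(loss_pct=2.0, latency_ms=120.0),   # vQoE 4.2
        "ISP2": Metrics(loss_pct=0.5, latency_ms=60.0),    # vQoE 8.3, best
    })
    o365 = ("40.96.0.1", 443)                               # constructed destination
    host_a = Flow("10.1.1.10", 50001, *o365)
    first = sel.route(host_a, "ISP1")          # routing table wins: DPI has not classified yet
    after_dpi = sel.dpi_identified(host_a, "office365")  # cache filled, flow A stays on ISP1
    host_b = Flow("10.1.1.11", 50002, *o365)
    second = sel.route(host_b, "ISP1")         # cache hit: overridden to best circuit ISP2
    sel.update_metrics({                       # ISP2 degrades, ISP1 recovers
        "ISP1": Metrics(loss_pct=0.2, latency_ms=55.0),    # vQoE 9.1
        "ISP2": Metrics(loss_pct=3.0, latency_ms=200.0),   # vQoE 2.5
    })
    b_again = sel.route(host_b, "ISP1")        # existing flow keeps ISP2 (NAT binding)
    host_c = Flow("10.1.1.12", 50003, *o365)
    third = sel.route(host_c, "ISP1")          # new flow picks ISP1
    return first, after_dpi, second, b_again, third


if __name__ == "__main__":
    print(run_scenario())
```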
Demo
Configure settings for CloudExpress
• Enable CloudExpress
• Set DNS on VPN 0
• Enable NAT
STEP 1: Select the SaaS applications and the service VPN in which the application runs
STEP 2: Identify the DIA sites
Monitor SaaS performance
Sites Experiencing Good Quality
Sites Experiencing Average Quality
Sites Experiencing Bad Quality
AppQoE
Optimize SaaS with CloudExpress for single DIA & gateway
Optimize SaaS with CloudExpress for single DIA
One of the recommended designs for SaaS deployments.
CloudExpress continuously monitors the edge-to-SaaS performance on both the local DIA path and the back-haul path through the regional hub.
CloudExpress picks the best performing path based on the performance metrics (jitter, loss & delay).
(figure: remote site with a single ISP1 DIA circuit showing loss/latency, plus MPLS and 4G transports to the regional hub, whose ISP2 exit is the best performing path)
Performance visibility for single DIA
The vEdge at the remote site and the gateway vEdge both perform DNS resolution for the configured Cloud onRamp SaaS application.
Both vEdge routers initiate periodic HTTP pings toward the configured Cloud onRamp SaaS application.
The vEdge router at the remote site determines the best performing path toward the SaaS application based on loss and latency characteristics.
The remote-site vEdge compares the SLA of its local DIA circuit against a composite metric for the gateway path: the gateway's HTTP ping to the SaaS application plus the BFD measurements over the tunnel to the gateway vEdge.
(figure: remote-site vEdge with VPN 0 DNS server(s) and an ISP1 DIA circuit; gateway vEdge with VPN 0 DNS server(s) and an ISP2 exit; steps (1) HTTP ping from the remote site, (2) HTTP ping from the gateway, (3) BFD over the MPLS, 4G and INET tunnels between the two)
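The comparison the remote-site vEdge makes in the single-DIA design, as an added Python example that is not from the deck or from Cisco's software: the local DIA circuit's HTTP-ping metrics are scored against a composite of the BFD tunnel metrics to the gateway plus the gateway's own HTTP-ping metrics to the SaaS application. Adding the two legs' latencies and multiplying their delivery rates to form the composite, the rule for combining loss and latency into one vQoE value, and all metric values are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    loss_pct: float
    latency_ms: float


def vqoe(desired, actual):
    """vQoE = desired / actual * 10, clamped to 0..10; loss and latency are
    combined as the worse of the two ratios (assumption, not stated in the deck)."""
    ratios = []
    for want, got in ((desired.loss_pct, actual.loss_pct),
                      (desired.latency_ms, actual.latency_ms)):
        ratios.append(1.0 if got <= want else want / got)
    return round(10 * min(ratios), 1)


def compose(tunnel, gateway_to_saas):
    """Composite remote-site -> gateway -> SaaS metric (assumed model).

    Latency is the sum of the BFD tunnel latency and the gateway's HTTP-ping
    latency; loss is derived from the product of the per-leg delivery rates.
    """
    delivered = (1 - tunnel.loss_pct / 100) * (1 - gateway_to_saas.loss_pct / 100)
    return Metrics(loss_pct=round(100 * (1 - delivered), 3),
                   latency_ms=tunnel.latency_ms + gateway_to_saas.latency_ms)


def select_exit(desired, local_dia, bfd_to_gateway, gateway_http):
    """Return (chosen exit, per-exit vQoE) for one SaaS application.

    local_dia:      HTTP-ping metrics from the remote site over its own DIA circuit
    bfd_to_gateway: BFD loss/latency on the tunnel to the gateway vEdge
    gateway_http:   HTTP-ping metrics advertised by the gateway for the same application
    """
    candidates = {
        "local-DIA": local_dia,
        "gateway": compose(bfd_to_gateway, gateway_http),
    }
    scores = {name: vqoe(desired, m) for name, m in candidates.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    # Constructed values: a degraded local circuit versus a healthy gateway path.
    target = Metrics(loss_pct=1.0, latency_ms=60.0)
    print(select_exit(target,
                      local_dia=Metrics(3.0, 180.0),
                      bfd_to_gateway=Metrics(0.1, 20.0),
                      gateway_http=Metrics(0.2, 60.0)))
```

The gateway path carries two measurement sources, so a stale or missing gateway advertisement should be treated as "no candidate" rather than as zero loss; the function above assumes both inputs are present.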
DNS resolution for single DIA
If the local DIA circuit is the best path, the vEdge router forwards the DNS query to the DNS server defined under VPN 0 over the local DIA circuit.
If the gateway vEdge router is the best path, the local vEdge router forwards the DNS query to the gateway vEdge router, which in turn forwards it to the DNS server defined under VPN 0 over its own local DIA circuit.
The gateway vEdge router DPI engine intercepts DNS queries for SaaS applications only; DNS queries for non-cloud applications are forwarded according to the routing table.
(figure: (1) the host's DNS query for a Cloud onRamp SaaS application is intercepted by DPI at the remote-site vEdge and sent over the best performing path, the MPLS/4G/INET tunnel to the gateway vEdge, whose ISP2 exit reaches the VPN 0 DNS server(s); (2) a DNS query for another application follows the routing table; the remote site's ISP1 circuit shows loss/latency)
Path selection – first flow
The host initiates communication with the SaaS application.
The local site vEdge router may choose a sub-performing path for the initial application flow, as the vEdge DPI engine has not yet identified the SaaS application.
The initial application flow is not rerouted, even if it is using a sub-optimal path, as a NAT change would break the TCP flow.
(figure: first flow (1) from Host A leaves the remote-site vEdge over the path chosen by the routing table; the best performing path via the gateway vEdge is not yet used; NAT1 and NAT2 are the two exits on ISP1 and ISP2)
Path selection – subsequent flow
When the host initiates subsequent flows to the SaaS application, the cache table is already populated and the application flows are routed over the best performing path, overriding the routing decision.
If the performance of the chosen path degrades while a flow is still active, existing flows continue on the current path, as a NAT change would break the TCP flow.
New flows select the new optimal path based on the AppQoE score for that particular application.
(figure: subsequent flows (2) match cache table entries dstIP/dstPort -> SaaS App (ISP2 IF) and dstIP/dstPort -> SaaS App (ISP1 IF) on the remote-site and gateway vEdge routers and leave over the best performing path; NAT1 and NAT2 are the exits on ISP1 and ISP2)
Configuration
STEP 1: Identify the SaaS applications and the service VPN in which the application runs
STEP 2: Identify the client sites for CloudExpress (the sites where you want SaaS optimization enabled)
STEP 3: Identify the sites that will be used as gateways
Troubleshooting
Troubleshooting application metrics (local / gateway): end-to-end metrics
Troubleshooting OMP metrics: metrics from the gateway to SaaS
Troubleshooting CloudExpress on the local exit: metrics to SaaS from the local exit
Troubleshooting CloudExpress on the gateway exit: remote exit information
Demo
Hybrid Cloud & SD-WAN
IaaS Adoption & Key Trends
IaaS spend in 2018 will grow at a 22% CAGR.
New use cases accelerate adoption:
• Multi-Cloud adoption
• Container-based applications
• Serverless Compute
• Machine learning / AI
• IoT
Hybrid Cloud Connectivity - Today (figure)
Branches reach the DC over MPLS/Internet; the DC connects over the Internet to IaaS instances in Public Cloud Provider 1 Region 1, Public Cloud Provider 1 Region 2 and Public Cloud Provider 2 Region 1.
Challenges with Hybrid Cloud Migrations
• Traffic trombones through the DC
• IaaS is an extension of the DC
• Multi-transport access
• DIA: protecting branch users & the branch router
• Consistency across multi-cloud deployments
Areas affected: user experience, branch to cloud connectivity, resiliency, security, operational model
Cisco Cloud ready WAN
• Cloud connectivity consumable through a single pane
• Transport independent any-to-any connectivity
• End-to-end VPN segmentation/isolation
• Visibility into IaaS application usage
• Consistent policy across branch, DC and Cloud sites
What is Cloud onRamp?
Cloud onRamp is Cisco's SD-WAN capability to simplify hybrid cloud connectivity by extending the WAN fabric to the public cloud.
Public Cloud Providers - Terminology
Description                          AWS                            Azure
Virtual Private Cloud/IaaS instance  Virtual Private Cloud (VPC)    VNET
Redundancy construct                 Availability Zone              Availability set
Private circuit                      Direct Connect                 ExpressRoute
Internet gateway                     IGW                            Internet Gateway
IPsec VPN gateway                    VGW                            VPN Gateway
Security                             Security Groups / ACLs         Network Security Groups (NSG)
Public Cloud Connectivity Options
Option 1: Internet connection to public cloud. The Internet is the only connectivity; the vEdge reaches the public cloud provider's IaaS/PaaS over the Internet.
Option 2: Direct Connect to public cloud through an SP. MPLS carriers (AT&T & Verizon) offer direct connect into the public cloud provider; the vEdge connects via the SP carrier PE.
Option 3: Direct Connect to public cloud through meet-me locations. The enterprise is collocated with the public cloud carriers in meet-me locations; a colo vEdge connects to the public cloud provider's IaaS/PaaS and is reached from the enterprise vEdge over Internet or MPLS.
Cloud onRamp – Key Components
• SD-WAN fabric
• vManage Cloud onRamp for IaaS: a vManage application that orchestrates connectivity to IaaS instances across multiple clouds and multiple regions, and provides visibility into cloud instances.
• vEdge Cloud Router: a virtualized version of the vEdge router, available on the AWS and Azure marketplaces.
Cloud onRamp – 3 Simple Steps
1. Discover Applications
2. Provide GW Information
3. Map Applications to Segments
Cloud onRamp for IaaS: how it works
Public Cloud (AWS & Azure) connectivity solution consumable through the vManage platform:
1. Public cloud credentials are added to vManage.
2. IaaS instances are discovered from the user's account in a region; the user selects the instances to operate on.
3. The user defines the vEdge gateway parameters and maps the IaaS instances to VPN segments in the overlay.
4. vManage invokes instantiation of vEdge instances in the user's accounts & connects the IaaS instances to the vEdge GW VPN segments.
New instances can be discovered and mapped to VPN segments later.
(figure: branch and DC over Internet and MPLS to a vEdge GW in Public Cloud Provider 1 Region 1, fronting the IaaS instances)
Cloud onRamp for IaaS: AWS solution detail
(figure: an AWS region with a vManage-instantiated and managed transit VPC hosting vEdge GWs in AZ1 and AZ2, reached via the IGW over the Internet and via Direct Connect; host VPCs spanning AZ1/AZ2 attach through their VGW with a standard IPsec overlay + BGP to the vEdge GWs)
Architectural advantages – Cloud onRamp
• Share transport (Direct Connect and Internet) & vEdge Gateways across multiple spoke VPCs in a region
• Share one gateway VPC for all host VPCs in a region
• Leverage AWS components (IGW, VGW, VPC router) for redundancy
• Utilize dynamic routing for fast failover times
• The gateway VPC can host a firewall for security compliance
• End-to-end security and segmentation
Demo
Configuration
Cloud onRamp – Discover Applications
Cloud onRamp – GW Information
Cloud onRamp – Map Application to Segments
Cloud onRamp – Dashboard
Monitoring & Troubleshooting
Cloud onRamp – Monitoring & Troubleshooting
Cloud onRamp for IaaS: SD-WAN value proposition
(figure: branches and DCs over Internet and MPLS with direct fabric connectivity to vEdge GWs fronting IaaS instances in Public Cloud Provider 1 Region 1, Public Cloud Provider 1 Region 2 and Public Cloud Provider 2 Region 1)
1. Direct branch to cloud connectivity
2. Consistent policy management & network visibility for branch & cloud
3. Resilient & hybrid access from the cloud
4. Application steering
5. Multi-cloud solution
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you