cloud-ready wan for iaas & saas with cisco’s next · cloud-ready wan for iaas & saas with...

Cloud-Ready WAN For IAAS & SaaS With Cisco’s Next-Gen SD-WAN

Sumanth Kakaraparthi – Product Leader SD-WAN

Manan Shah – Director Of Product Management

BRKCRS-2113

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKCRS-2113

BRKCRS-2113 4© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco SD-WAN = Viptela

By end of this session you will learn how to address the

challenges for SaaS and IaaS deployments. You will also

learn how to configure, monitor and troubleshoot SaaS & IaaS

use cases using Cisco SD-WAN software.

Session Objectives

Introduction to Viptela design principle & architecture

Challenges with SaaS deployments

How to address these challenges with CloudExpress

Key challenges with hybrid cloud deployments

How to simplify hybrid cloud deployments with Cloud onRamp

Agenda

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7BRKCRS-2113

Evolution of WAN

Apps

SD-WANCloud

Use-Cases…

WAN

USERS

DC

IaaS

SaaS

vDC

AnalyticsCloud Delivered

DEVICES

THINGS

Intent-based Network Infrastructure

DNA Center

AnalyticsPolicy Automation

I N T EN T C O N T EX T

S EC U RI T Y

L EA RN I N G

Transport Independent

WAN Fabric

Cloud delivered WAN with

operational simplicity & analyticsEnd-point flexibility:

• Physical or virtual

• Rich services or lite

• Branch, Agg, Cloud

Superior security architecture –

cloud based & on-prem

Application QOE

1

20

5

3

4


Cisco SD-WAN: Components

Data Center Campus Branch Home Office

Control Plane (Containers or VMs)

Data Plane(Physical or Virtual)

Management Plane(Multi-tenant or Dedicated)

Orchestration Plane

vManage

vSmartvBond

vEdgeISR4kASR1k

ENCS

vOrchestrator

vMonitor

API

4GINTERNET MPLS

CONTROL

ANALYTICSORCHESTRATION

MANAGEMENT

Policy, Security, Routing

On-boarding, life cycle management


SaaS Adoption & Key Challenges

SaaS Adoption

SaaS adoption in eneterprise is

growing at higher than

expected rate

SaaS spend in 2018 will

grow by 21%

Secuirty

Enterprise customers highlighted

security as a top roadblock for

SaaS adoption

30% of enterprise

customers

Performance

Enterprise customers highlighted

application performance & latency as

second roadblock for SaaS adoption

25% of enterprise

customers

BRKCRS-2113 9


How are customers accessing SaaS today

No DIA

Users have to back-haul for

internet access

Single DIA

SaaS applications can take the DIA

path from branch

Dual DIADual DIA paths for SaaS, providing

additional bandwidth and availability

BRKCRS-2113 10


SD-WAN solutions can leverage the best path for SaaS from branch to datacenter based performance metrics such as loss, jitter and delay

Sub-optimal optimization as it wont address the performance issues from datacenter to SaaS

Optimize SaaS with SD-WAN for No DIA

Regional

Hub

Best

Performing

MPLS4GMPLS

INET

ISP2


What is CloudExpress ?

CloudExpress is the Cisco’s SD-WAN

capability which delivers best application

experience for SaaS applications


One of the recommended designs, for vQoE deployments

CloudExpress continuously monitors the edge to SaaS performance on both the DIA paths

CloudExpress picks the best performing path based on the performance metrics (jitter, loss & delay)

Optimize SaaS with Cloud-Express for dual DIA

Regional

Hub

Remote Site

ISP1

Loss/

Latency

Best

Performing

4GMPLS

INET

ISP2


How does CloudExpress work for SaaS

DNS resolutionPerformance visibility Path selection


DNS servers are defined in VPN0, vedge

performs DNS resolution for the configured

SaaS application on each DIA circuits

Vedge router initiates periodic HTTP pings

toward the configured cloud onramp SaaS

application on each DIA circuits

Vedge router determines best performing

DIA circuit based on loss and latency

characteristics reported by the HTTP pings

Performance visibility for dual DIA

IF IF

ISP1

vEdge Router

(remote site)

DNS Server(s)

ISP2


SaaS applications & vQoE scores

The vQoE value ranges from 0 to 10, with 0 being the worst quality and 10 being the best.

vQoE = desired metrics / actual metrics * 10

vQoE score is computed for each remote site application and per path


DNS resolution for dual DIA

Host performs DNS resolution for SaaS apps, Vedge router dpi engine intercepts user dnsquery

If host dns query is for SaaS, vedge router forwards it to the dns server defined under vpn0 over best performing dia circuit overriding user dns settings

Dns queries for non-SaaS are forwarded according to the routing table, user dnssettings are preserved

Host

DPI

VPN0

IF IF

ISP2 ISP1

DNS Server(s)

DNS Query

Intercepted

vEdge Router

4GMPLS

INET

Salesforce.c

om

Cisco.co

m


Path selection –first flow

vEdge router may choose sub-performing DIA circuit for the initial application flow as vEdgeDPI engine had not yet identified the SaaS application

Initial application flow is not rerouted, even if using sub-optimal DIA circuit as NAT changes will break TCP flow

First Flow For O365

Host A DPI

VPN0

IF IF

ISP2

Best

Performing

1

vEdge Router

NAT2

Host B

ISP1

AppQoE (3)

NAT1

Classified as

Unknown


Path selection –subsequent flow

Once vedge router DPI engine identifies cloud SaaS application, cache table is populated and all subsequent application flows are routed over best performing DIA circuit overriding routing decision

If the performance of isp2 degrades & isp1 gets better, existing flows continue on the current path as NAT changes will break TCP flow

New flows will select isp1 as appqoe score is better on isp1

Subsequent Flows - O365

Host BDPI

VPN0

IF IF

ISP2

Best

Performing

2

vEdge Router

NAT2

dstIP/dstPort SaaS App (ISP1 IF)

ISP1

NAT1


Configure settings for CloudExpress

Enable CloudExpress

Set DNS on VPN 0

Enable NAT


Select SaaS applications and vpn

Service VPN In Which Application RunsSTEP 1:


Identify the DIA sites

STEP 2:

Identify The DIA Sites


Monitor SaaS performance

Sites Experiencing Good Quality

Sites Experiencing Average Quality

Sites Experiencing Bad Quality


AppQoE

Optimize SaaS with cloud-express for single DIA & gateway


One of the recommended designs, for SaaS deployments

CloudExpress continuously monitors the edge to SaaS performance on both DIA path and the back-haul path

CloudExpress picks the best performing based on the performance metrics (jitter, loss & delay)

Optimize SaaS with cloud-express single DIA

Regional

HubISP1

Loss/

Latency

Best Performing

MPLS4GMPLS

INET

ISP2


Vedge at the remote site and the gateway perform DNS resolution for the configured cloud onramp SaaS application

Both vedge routers initiate periodic HTTP pings toward the configured cloud onramp SaaS application

Vedge router at the remote site determines best performing path toward the SaaS application based on loss and latency characteristics

Vedge compares SLA between local DIA and composite metric of HTTP ping + BFD through the gateway vedge

Performance visibility for single DIA

HTTP ping

IF

VPN0

IF

VPN0

ISP2

DNS Server(s)

DNS Server(s)

vEdge

(remote site)

vEdge

(gateway)

4GMPLS

INET

ISP1

BFD1

2

3

1


SaaS applications & vQoE scores

The vQoE value ranges from 0 to 10, with 0 being the worst quality and 10 being the best.

vQoE = desired metrics / actual metrics * 10

vQoE score is computed for each remote site application and per path


DNS resolution for single DIA

If local DIA circuit is the best path, vedgerouter forwards DNS query to the DNS server defined under VPN0 over local DIA circuit

If gateway vedge router is the best path, local vedge router forwards DNS query to the gateway vedge router, which in turn forwards it to the DNS server defined under VPN0 over it’s local DIA circuit.

Gateway vedge router dpi engine intercepts dns query for SaaS applications only, dnsqueries for non-cloud applications are forwarded according to the routing table

IF

VPN0

ISP2

DNS Server(s)

vEdge Router

(remote site)

DPI

VPN0

DPI

IF

Host

1

2

DNS Query

Intercepted

DNS Query

Intercepted

vEdge

Router

(gateway)

1DNS Query for Cloud

onRamp SaaS

application

2 DNS Query for

application

Best

Performing

ISP1

4GMPLS

INET

Loss/

Latency


Path selection –first flow

Host initiates communication with the SaaS application

Local site vedge router may choose sub-performing path for the initial application flow as vedge DPI engine had not yet identified the SaaS application

Initial application flow is not rerouted, even if using sub-optimal path as NAT changes will break TCP flow

IF

VPN0

DPI

VPN0

DPI

IF

Host A

1

vEdge Router

(remote site)

Best

Performing

4GMPLS

INET

ISP1

NAT2

NAT1

ISP2


Path selection –subsequent flow

Host initiates communication for subsequent flows to SaaS application, as the cache table is already populated and application flows are routed over best performing path, overriding the routing decision.

If the performance of chosen path degrades while the flow is still active, existing flows continue on the current path, as nat changes will break tcp flow

New flows will select, new optimal path based on the appqoe score for that particular application

IF

VPN0

DPI

VPN0

DPI

IF

vEdge

Router

(gateway)

2

dstIP/dstPort -> SaaS App (ISP2 IF)

vEdge Router

(remote site)

Best

Performing

4GMPLS

INET

ISP1

NAT2

NAT1

ISP2

dstIP/dstPort SaaS App (ISP1 IF)

Configuration


Service VPN In Which Application Runs

STEP 1:

34BRKCRS-2113

Identify the SaaS applications


Identify client sites for CloudExpress

STEP 2:

Identify Sites That You Want SaaS Optimization Enabled


Identify sites that will be used as gateways

STEP 3: Identify Sites That You Want SaaS

Optimization Enabled

Troubleshooting


Troubleshooting application metrics

Local /Gateway

End To End Metrics


Troubleshooting OMP metrics

Metrics From Gateway To SaaS


Troubleshooting CloudExpress on local exit

Metrics To SaaS From Local Exit


Troubleshooting CloudExpress on gateway exit

Remote Exit Information

Hybrid Cloud & SD-WAN


New use cases accelerate adoption

• Multi-Cloud adoption

• Container-based applications

• Serverless Compute

• Machine learning / AI

• IoT

IaaS Adoption & Key Trends

IaaS spend in 2018 will grow by 22% CAGR


Hybrid Cloud Connectivity - Today

Branch

MPLS/Internet

Branch

DC

Internet

IaaS instance

Inet

IaaS instance

Inet

IaaS instance

Inet DC

Public Cloud Provider 1 Region 1




Challenges with Hybrid Cloud Migrations

46BRKCRS-2113

Traffic trombones through DC

IaaS is extension of DC

Multi-Transport access

DIA : Protecting branch users & branch router

Consistency across multi-cloud deployments

User experience

Branch to cloud connectivity

Resiliency

Security

Operational model

Cloud connectivity consumable through a single

pane

Transport independent any-to-any connectivity

End-to-end VPN segmentation/isolation

Visibility into IaaS application usage

Consistent policy across branch, DC and Cloud sites

Cisco Cloud ready WAN


What is Cloud onRamp ?

Cloud onRamp is Cisco’s SD-WAN capability

to simplify hybrid cloud connectivity, by

extending WAN fabric to public cloud


Public Cloud Providers - Terminology

Description AWS Azure

Virtual Private Cloud/IaaS instance Virtual Private Cloud (VPC) VNET

Redundancy construct Availability Zone Availability set

Private Circuit Direct Connect Express Route

Internet Gateway IGW Internet Gateway

IPSec VPN Gateway VGW VPN Gateway

Security Security Groups / ACLs Network Security Groups (NSG)

48BRKCRS-2113


Public Cloud Connectivity Options

Internet

IaaS/PaaS

Internet only for connectivity.

Option 1: Internet connection to Public cloud

Public Cloud

Provider

vEdge

Option 2: Direct Connect to Public Cloud through SP

MPLS carrier (ATT & Verizon) offers direct connect into public cloud provider

vEdge

SP

Carrier PE

Public Cloud

Provider IaaS/PaaS

Enterprise collocated with public cloud carriers in meet me locations

Option 3: Direct Connect to Public Cloud through meet-me locations

Colo vEdge

IaaS/PaaS

Public Cloud

Provider

vEdge

Internet MPLS

BRKCRS-2113 49


Cloud onRamp

SD-WAN

Fabric

vManage Cloud onRamp for IaaS: vManage application that orchestrates connectivity to IaaS instances across multiple cloud and multiple regions. Provides visibility into cloud instances.

vEdge Cloud Router: A virtualized version of the vEdgerouter. Available on the AWS and Azure marketplace.

Key Components

BRKCRS-2113 50


Cloud onRamp – 3 Simple Steps

1

Discover Applications

2

Provide GW Information

3

Map Applications to

Segments


Cloud onRamp for IaaSHow it works

Internet

Branch

DC

MPLS

Public Cloud (AWS & Azure) connectivity solution consumable through the vManage platform

vManagePlatform

Public cloud credentials added to

vManage

vManage invokes instantiation of vEdge

instances in users accounts & connects

IaaS instances to vEdgeGW VPN segments

IaaS instances are discovered from users account in a region.

User selects instances to operate on

New instances can be discovered and mapped to VPN segments later


IaaS instances

IaaS instancesvEdge GW

User defines vEdgegateway parameters and maps IaaS instances to VPN segments in the

overlay


Cloud onRamp for IaaS AWS solution detail

Direct Connect

VGW

AZ1

AZ2

R

Architectural advantages – Cloud onRamp

• Share transport (Direct connect and Internet) & vEdge Gateways across multiple spoke VPCs in a region

• Share one gateway VPC for all host VPCs in a region.

• Leverage AWS components (IGW, VGW, VPC router) for redundancy.

• Utilize dynamic routing for fast failover times.

• Gateway VPC can host firewall for security compliance.

• End – End security and segmentationVGW

Standard IPSecoverlay + BGP to

vEdge GW

vEdge GW

vEdge GW

AZ1

AZ2

R

Host VPC

vManage instantiated and managed

Transit VPC

IGW

AWS Region

VGW

AZ1

AZ2Host VPC

Configuration


ApplicationsCloud onRamp – Discover Applications


Cloud onRamp – GW Information


Cloud onRamp – Map Application to Segments


Cloud onRamp – Dashboard

Monitoring & Troubleshooting


Cloud onRamp – Monitoring & Troubleshooting


Cloud onRamp for IaaSSD-WAN value proposition

Branch

Internet

Branch

DC

MPLS

IaaS instances


DC

IaaS instances

vEdge GW

IaaS instances


IaaS instances

vEdge GW

IaaS instances


IaaS instances

vEdge GW

1. Direct branch to cloud connectivity

2. Consistent Policy management & network visibility for branch & cloud

3. Resilient & hybrid access from cloud

4. Application steering

5. Multi-cloud solution

BRKCRS-2113 64


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKCRS-2113


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

67BRKCRS-2113

Thank you

cloud-ready wan for iaas & saas with cisco’s next · cloud-ready wan for iaas & saas with...

Documents