SDWAN 2.0 Working Group Update
Contributors
Neil Danilowicz – Versa
Linda Dunbar – Huawei
Mike Elrom – Itential
Shane Jenkins – First Republic
David Mann – McGraw-Hill
Angelique Medina – ThousandEyes
Dogu Narin – Versa
Sal Rannazzizi – Merck
Shafeeq Shaikh – PwC
Steve Wood – Cisco
The ONUG SD-WAN 2.0 Working Group is working to define a reference architecture for optimal enterprise multi-cloud integration. The working group is developing reference solutions for these use cases:
(1) Branch directly accessing SaaS/IaaS
(2) Multi-cloud attachment to SD-WAN fabric
(3) Security for Branch and Cloud
(4) Automated cloud-edge integration to SDWAN
(5) SDWAN Client for End-users
Architectural scenarios and functional requirements have been documented for each of the use cases.
ONUG SDWAN 2.0 WG Wiki
10/25/2019
SD-WAN 2.0 Architecture
[Diagram. Components: Mobile User; Remote Site; Remote Site2; Cloud Security Proxy; Cloud Edge Layer; SD-WAN Cloud Gateway; SD-WAN Overlays; SDWAN Fabric; SDWAN Controller; APIs; Core/DC; CoLo Facility or IXP Peering Point; Vnet/VPC; IaaS/PaaS; SaaS; Public Internet; Internet; Private; Mobile. Legend: SDWAN Fabric Edge; SDWAN client. Flows: Branch to SaaS/Int. – Internet Breakout; Branch/remote user to Security Proxy; CSP direct connectivity; App-to-app traffic.]
Multicloud Attach via Fabric Extension to CSP Environment
[Diagram. Labels: CSP Region SDWAN Fabric; SDWAN Controller; Orchestrator; SDWAN Site 1 through SDWAN Site N; Site-to-Site Fabric Interconnect; AppPolicy; DeviceConfig; TrafficPolicy; INET; VPC Apps; vHub; CSP Hub/Gateway; SDWAN Edge Gateway; Hub Peering; VNET/VPC Peering; DX/ER; ctrl/mgmt; Controller APIs.]
Multicloud Attach to Cloud via Cloud Gateway Service
[Diagram. Labels: CSP Region SDWAN Fabric; SDWAN Controller; Orchestrator; SDWAN Site 1 through SDWAN Site N; Site-to-Site Fabric Interconnect; AppPolicy; DeviceConfig; TrafficPolicy; INET; VPC Apps; vHub; CSP Hub/Gateway; SDWAN Cloud Gateway aaS; IPSec; VNET/VPC Peering; MPLS; ctrl/mgmt./APIs; Controller APIs.]
SDWAN 2.0 Security Use Cases Summary
What’s Next for SDWAN 2.0?
• Finalize Use Case requirements for “RFP”
• Define low-level design requirements and setup for reference solution testing and outcomes
• Liaisons:
  • Orchestration & Automation WG: API service definitions and use case abstractions at enterprise policy layer
  • Observability WG: controller APIs for telemetry sharing and collection from SDWAN
  • Security WG: security requirements for APP-to-APP flows across hybrid multicloud
  • MEF: OSE SDWAN reference model, APIs and use case requirements
Thank You
ONUG SDWAN 2.0 Working Group
SD-WAN Security – Use Case 1: PCI Compliance
[Diagram. Labels: Employee 1; Employee 2; VPN1; SD-WAN; Data Center Applications; HQ Destined Traffic; Employee Internet Traffic; PCI Compliance; Internet. Security functions: IPS; Ent. FW App Aware.]
SD-WAN Security – Use Case 2: Guest Access
[Diagram. Labels: Guest; Employee; VPN1; VPN2; SD-WAN; Data Center Applications; HQ Destined Traffic; Employee Internet Traffic; Guest Internet Traffic; Guest Access; Internet. Security functions: Ent. FW App Aware; URL Filtering.]
SD-WAN Security – Use Case 3: Direct Cloud Access
[Diagram. Labels: Guest; Employee; VPN1; VPN2; SD-WAN; Data Center Applications; HQ Destined Traffic; Employee Internet Traffic; Employee SAAS Traffic; Guest Internet Traffic; Direct Cloud Access; SaaS; Internet. Security functions: DNS/web layer security; Ent. FW App Aware; IPS; URL Filtering.]
SD-WAN Security – Use Case 4: Direct Internet Access
[Diagram. Labels: Guest; Employee; VPN1; VPN2; SD-WAN; Data Center Applications; HQ Destined Traffic; Employee Internet Traffic; Employee SAAS Traffic; Direct Internet Access; SaaS; Internet. Security functions: DNS/web layer security; Ent. FW App Aware; IPS; URL Filtering; AMP; TG.]