Cisco Software-Defined WAN: Start Here.pdf

Document no. 138999, PDF, 69 pages, 4.65 MB

Cisco Catalyst SD-WAN: Start Here
Session BRKENT-2108, #CiscoLive
Lars Granberg, Technical Marketing Engineer (larslilja)
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- SD-WAN Recap: Where are we coming from
- Solution Architecture: What is it, how does it all come together?
- Software Features: Let's scratch the surface
- Learn More: Where to go and when

About me
- Copenhagen, Denmark
- Technical Marketing Engineer, SDWAN and Routing Business Unit
- Before that: Systems Architect, Technical Solutions Architect, Systems Engineer
- Cisco since 2014
- Cisco Live Speaker
- IT and networking since 2003

SD-WAN. This is it.

SD-WAN Recap

The Hardware Based WAN of Yesterday Doesn't Keep up with the Needs of Today
[Diagram labels: Branch (several), Data Center/HQ, Cloud Providers, Cloud Applications]

Cisco SD-WAN: Software Approach
[Diagram labels: Branch (several), Data Center/HQ, Cloud Providers, Cloud Applications, Internet, 4G/LTE, MPLS, VPN 10 PCI, VPN 20 Corporate]
Platforms shown: ENCS, Catalyst 8200 Series, Catalyst 8300 Series, Catalyst 8500 Series, ISR 1100 Series, ISR 4000 Series, ASR 1000 Series, Catalyst 8000v
Learn more: watch BRKENT-2139

SD-WAN Recap
- Any Transport, Any Service, Any Deployment, Any Location
- Multi-Layer Security
- Branch, Colocation, Cloud
- On-premise | Cloud | Multi-tenant
- Automation | Network Insights | Machine Learning | AI
- Open | Programmable | Scalable
- Internet, 5G/LTE, MPLS, Satellite
- Management & Analytics
- Multi-Domain IBN Policy Analytics, Multicloud, Optimization Voice, Remote Work, SDCI (Software Defined Cloud Interconnect)

SD-WAN Benefits. Let's Rewind 5 years: 2018
- $ Savings on WAN provision and TCO
- Expedited Provisioning
- Operations efficiency (centralized mgmt.)
- Inherent Hardening (Encryption)
- Improved Visibility
- Segregation
- Flexible physical and logical topologies
- Application Aware Routing (ARR)

...and back to today: 2023
Application Analytics
"Application visibility and analytics are becoming more important to get better feedback as to the applications running on the network and informing network decisions. specific application performance/quality of experience (QoE) is being delivered for end users. Increasingly, we see demand for end-user experience metrics from the end user to the actual application, which may be hosted in a CSP."
From Gartner Magic Quadrant for WAN Edge Infrastructure 2021

Solution Architecture

New Naming: Cisco Catalyst SD-WAN
Old Name | New Name (rebranding) | Documentation | Displayed on Screens | API/CLI-Documentation
Cisco SD-WAN | Cisco Catalyst SD-WAN | Cisco Catalyst SD-WAN | Cisco Catalyst SD-WAN | Cisco Catalyst SD-WAN
vManage | Cisco Catalyst SD-WAN Manager | SD-WAN Manager | Manager | vManage
vAnalytics | Cisco Catalyst SD-WAN Analytics | SD-WAN Analytics | Analytics | vAnalytics
vBond | Cisco Catalyst SD-WAN Validator | SD-WAN Validator | Validator | vBond
vSmart | Cisco Catalyst SD-WAN Controller | SD-WAN Controller | Controller | vSmart
Self Service Portal | Cisco Catalyst SD-WAN Portal | Cisco Catalyst SD-WAN Portal | Cisco Catalyst SD-WAN Portal | SD-WAN Portal
Cloud-Delivered Cisco SD-WAN | Cloud-Delivered Cisco Catalyst SD-WAN | Cloud-Delivered Cisco Catalyst SD-WAN | Cloud-Delivered Cisco Catalyst SD-WAN | NA

Cisco Catalyst SD-WAN Solution Overview
[Diagram labels: Management/Orchestration Plane, Control Plane, Data Plane; Manager, Validator, Analytics, SD-WAN Controllers, WAN Edge Routers, APIs, 3rd Party Automation; 4G, MPLS, INET; Data Center, Campus, Branch, CoLo, Cloud]

Cisco Catalyst SD-WAN Solution Elements
Management Plane: Cisco Catalyst SD-WAN Manager
- Single pane of glass for Day0, Day1 and Day2 operations
- Multitenant with web scale
- Centralized provisioning
- Policies and Templates
- Troubleshooting and Monitoring
- Software upgrades
- GUI with RBAC
- Programmatic interfaces (REST, NETCONF)
- Highly resilient

Cisco Catalyst SD-WAN Solution Elements
Orchestration Plane: Cisco Catalyst SD-WAN Validator
- Orchestrates control and management plane
- First point of authentication (white-list model)
- Distributes list of Controllers/Manager to all WAN Edge routers
- Facilitates NAT traversal
- Requires public IP address (could sit behind 1:1 NAT)
- Highly resilient

Cisco Catalyst SD-WAN Solution Elements
Control Plane: Cisco Catalyst SD-WAN Controller
- Facilitates fabric discovery
- Disseminates control plane information between WAN Edge routers
- Distributes data plane and app-aware routing policies to the WAN Edge routers
- Implements control plane policies, such as service chaining, multi-topology and multi-hop
- Dramatically reduces control plane complexity
- Highly resilient

Cisco Catalyst SD-WAN Solution Elements
Data Plane (Physical/Virtual): Cisco SD-WAN WAN Edge router
- Provides secure data plane with remote WAN Edge routers
- Establishes secure control plane with vSmart controllers (OMP)
- Implements data plane and application aware routing policies
- Exports performance statistics
- Leverages traditional routing protocols like OSPF, BGP, and EIGRP
- Support Zero Touch Deployment
- Physical or Virtual form factor (100Mb, 1Gb, 10Gb, 40Gb, 100Gb)

Controller Deployment Methodology
[Diagram labels: ESXi or KVM; Physical Servers; AWS or Azure; Manager, Controller, Controller, Validator (shown for each option); On-Premise; Cisco or MSP/Customer Hosted; VM]
Certified Cloud (PCI, SOC2/ISO/C5) * Gov. Cloud (FedRAMP) * Only Cisco hosted

vAnalytics Architecture
[Diagram labels: SD-WAN Fabric; On-Prem or Cloud-Hosted SD-WAN (vManage), SD-WAN Manager; Secure API, TCP/443; Telemetry Repository (AWS S3 Bucket): Flow Information, SAIE, Events, Inventory; Cloud-Hosted vAnalytics, SD-WAN Analytics: Application Experience, Network Performance, Automated Reporting]
Learn more: attend BRKENT-2469

SD-WAN Manager UX
Demo

SD-WAN Features

Significance of TLOC Color
- Color is an abstraction used to identify individual WAN transport
- Colors are KEYWORDS, not just LABELS
- Policy is written based on these
- TLOC maps to a physical WAN interface
- "Color" dictates the use of private-ip vs public-ip (dest) for tunnel establishment when there is NAT present
- Example:
  - If two ends have a private color: private IP address/port used for DTLS/TLS or IPSec
  - If endpoint has public color: public IP is used for DTLS/TLS or IPSec
[Diagram labels: System IP 10.0.0.1; G0/0, G0/1; Private WAN IPSec, Public WAN IPSec; TLOC (SysIP: 10.0.0.1, Color: Internet, Encap: IPSec); TLOC (SysIP: 10.0.0.1, Color: MPLS, Encap: IPSec)]
Private Colors: Metro-ethernet, mpls, private1, private2, private3, private4, private5, private6
Public Colors: 3g, lte, biz-internet, public-internet, blue, green, red, gold, silver, bronze

Transport Locators (TLOCs)
- Local TLOCs (System IP, Color, Encap)
- TLOCs advertised to Controllers
- The Controller advertises TLOCs to all WAN Edges* (Default)
- Full Mesh SD-WAN Fabric (Default)
* Can be influenced by the control policies
[Diagram labels: Transport Locator (TLOC), OMP, IPSec Tunnel, MPLS, INET, WAN Edge (several), Controller]

Transport Colors
- T1, T3: Public Color
- T2, T4: Private Color
- Color restrict will prevent attempt to establish IPSec tunnel to TLOCs with different color
[Diagram labels: WAN Edge (two per diagram), TLOCs T1 to T4, Public, Private, DMZ]

Overlay Management Protocol (OMP)
- TCP-based extensible control plane protocol
- Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside authenticated TLS/DTLS connections
- Advertises control plane context and policies
- Dramatically lowers control plane complexity and raises overall solution scale
[Diagram labels: Controller (several), WAN Edge; SD-WAN vs. Traditional; O(n) Control Complexity, O(n^2) Control Complexity]

Fabric Communication
- Per-Session Load-sharing: Active/Active
- Per-Session Weighted: Active/Active
- Application Pinning: Active/Standby
- Application Aware Routing: SLA Compliant
[Diagram labels: SLA, Core, Multi-Region Fabric, Single-hop Fabric]

What is Multi Region Fabric (MRF)?
- Intuitive user-defined site grouping, e.g. based on geo
- Finer grouping using sub-regions
- Auto restrict overlay tunnels between regions
- Different topologies per region
- Mix access transports across regions
- Scale up control-plane per region(s)
[Diagram labels: US region, EMEA region, Core region, SP/CSP/SDCI, CSP/SDCI/Private backbone, BR/regional hub, ER/branch]
CSP = Cloud Service Provider (AWS, Azure, GCP)
SDCI = Software Defined Cloud Interconnect

The Network, with Multi-Region Fabric
[Diagram labels: Access Region 1, Access Region 2, Border Routers, Edge Routers, SD-WAN CPE, OMP, INET, MPLS, Core Region, Distributed vSmarts, Middle-mile Backbone Routing, Inter Region Connectivity, Middle-mile with Multi-Region Fabric; Microsoft Azure, Google Cloud, AWS, Megaport, MSP, Equinix. Legend: SD-WAN Tunnels/TLOCs, SD-WAN Tunnels]
Learn more: attend Migration to Multi-Region Fabric - BRKENT-2651

Let's bring it up

Automated, Zero-Touch Onboarding
- SD-WAN appliance will onboard itself into the SD-WAN fabric automatically with no administrative intervention.
- Connect the SD-WAN appliance to a WAN transport that can provide a dynamic IP address, default-gateway and DNS information.
- If no DHCP service is available then bootstrap file is an option, either on USB or Bootflash.
[Diagram labels: WAN, Cisco PNP, IPsec Fabric, steps 1 to 4]

Fabric Operation Walk-Through
OMP Update:
- Reachability: IP Subnets, TLOCs
- Security: Encryption Keys
- Policy: Data/App-route Policies
[Diagram labels: vSmart; WAN Edge (two); OMP Update; Subnets, TLOCs, Policies; OMP; DTLS/TLS Tunnel; IPSec Tunnel; BFD; Transport1, Transport2; VPN1 A, VPN2 B, VPN1 C, VPN2 D; BGP, OSPF, EIGRP, RIP, Connected, Static]

Data Plane Privacy (Pairwise)
- Each WAN edge will create a separate session key for each transport and for each peer
- Session keys will be advertised through vSmart using OMP
- When Edge-A needs to send traffic to Edge-B, it will use session key "AB" (B will use key "BA")
- Backward compatible with non PWK devices
- PWK should be enabled
Key legend:
- AB: A's Encryption Key for B
- BA: B's Encryption Key for A
- CA: C's Encryption Key for A
- AC: A's Encryption Key for C
[Diagram labels: Controller (vSmart), Edge-A, Edge-B, Edge-C, DTLS, MPLS, IPSec/GRE, LAN]

Data Plane Integrity
- vBond discovers WAN Edge public IP address, even if traverses NAT
- vBond communicates public IP to the WAN Edge
- WAN Edge computes AH value based on the post NAT public IP
- Packet integrity (+IP headers) is preserved across NAT
[Diagram labels: SD-WAN Controllers, WAN Edge (two), Transport1, Transport2, OMP Update, Network Address Translation, Control Plane, AES256-GCM; packet layout: 20 IP | 8 UDP | 36 ESP | Data, with Encrypted and Authenticated ranges marked]

IPsec Anti-Replay Protection
- Encrypted packets are assigned sequence numbers.
- WAN Edge routers drop packets with duplicate sequence numbers
  - Replayed packet
- WAN Edge routers drop packets with sequence numbers lower than the minimal number of the sliding window
  - Maliciously injected packet
- Upon receipt of a packet with higher sequence number than received thus far, WAN Edge router will advance the sliding window
- Sliding window is CoS aware to prevent low priority traffic from "slowing down" high priority traffic
[Diagram labels: Sliding Window, Drop, Accept Range, Advance Window, Packet Sequence Numbers]

Cisco SD-WAN VPNs (VRFs)
- VPNs are isolated from each other; each VPN has its own forwarding table
- Reachability within VPN is advertised by OMP
- VPN0 is reserved for WAN uplinks (Transport)
- VPN512 is reserved for Management interfaces
- VPNn represents user-defined LAN segments (Service)
[Diagram labels: MPLS, INET, Transport (VPN0), Service (VPNn), Management (VPN512), IF, Sub-IF]

Application Aware Routing
- Path1: 10ms, 1% loss, 5ms jitter
- Path2: 200ms, 3% loss, 10ms jitter
- Path3: 140ms, 1% loss, 10ms jitter
App Aware Routing Policy (SD-WAN Manager), SLA Class for App A: Latency 150ms, Loss 2%, Jitter 10ms
- If multiple paths meet SLA, traffic is hashed
- If path is defined as preferred AND it meets the SLA, it is chosen
[Diagram labels: Remote Site, Data Center, Internet, MPLS, 4G LTE, SD-WAN Tunnel, Path 2]

Underlay Measurement and Tracing Service (UMTS)
Highlights and Benefits:
- Gain visibility into the exact underlay path* against SD-WAN tunnel (including hop-by-hop metrics)
- Zoom into the specific time period showcasing drop in application health (QoE) trend line
- View the hop-by-hop underlay path along with loss and latency metrics at every hop
- View associated loss, latency besides underlay path
- Underlay visibility available with vManage as well for on-demand troubleshooting
- Gain additional insights w/ ThousandEyes: Underlay visualization for DIA paths to SaaS Apps
- Discover multiple candidate underlay paths
- Granular statistics, from 1-min thru 1-hour
* Requires vManage 20.10+ and IOS-XE 17.10.1123

Key Building Blocks of AppQoE
- DRE, LZ
- Configuration Management System
- TCP Optimization
- Byte Level Caching & Compression
- vManage: Virtualized | Scalable | Network Insights
- Window Scaling
- Large Initial Windows
- Selective Acknowledgement
- Protocol Agnostic
- Forward Error Correction
- Packet Duplication
- BBR2 Congestion Algorithm

Security features

End-to-End Segmentation with Multi-Topology
- Segment connectivity across the SD-WAN fabric without reliance on underlay transport
- WAN Edge routers maintain per-VPN routing table for complete control plane separation
- Topologies: Full Mesh, Hub and Spoke, Partial Mesh, Point to Point
[Diagram labels: WAN Edge Router (two), segments A, B, C, vSmart, Route Tables, Single Tunnel]

How SD-WAN Exposes New Security Challenges
Internal & External Threats
External:
- Exposure to malware & phishing due to direct internet and cloud access
- Data breaches
- Guest access liability
Internal:
- Untrusted access (malicious insider)
- Compliance (PCI, HIPAA, GDPR)
- Lateral movements (breach propagation)
[Diagram labels: Branch/Campus, Users, WAN Edge Device, BASIC/NO SECURITY, NO SECURITY, SD-WAN Fabric, Internet, IaaS/SaaS, Data Center, Corporate Software, Existing Security Stack in DMZ]

Relevant Security Models. Driving towards SASE
- Thick branch with Routing and Security
- Security Services on a Regional Hub
- Thin branch with security in the cloud
[Diagram labels: Security services, On-Prem Security, Branch Security, Regional Hub, Cloud Security, SaaS/IaaS Application]

Cisco Catalyst SD-WAN Security & SASE Solution
Consistent across on-prem and cloud
- Enterprise Firewall: Layer 3 to 7 apps classified with User Identity
- Intrusion Protection System: Most widely deployed IPS engine in the world
- URL-Filtering: Web reputation score using 82+ web categories
- Umbrella Cloud Security: DNS Security/Cloud FW with Cisco Umbrella
- Adv. Malware Protection: With File Reputation and Sandboxing (TG)
- SSL Proxy: Detect Threats in Encrypted Traffic
[Diagram labels: Cisco Security, Cisco SD-WAN, 8G RAM]

Transitioning towards a Cloud security model
Cisco SD-WAN + Umbrella
- DNS-layer security
- Secure Web Gateway
- Cloud-delivered firewall
- Cloud-delivered security broker (CASB)
- Interactive threat intel
[Diagram labels: Cloud & Internet, Cisco SD-WAN]

Cloud OnRamp for SaaS

SaaS Optimization Challenges
- Internet circuits performance is unreliable. How to get performance visibility for each available path?
- When specific path is having performance issues, how to automatically steer traffic?
[Diagram labels: Remote Site, Regional Hub, ISP1, ISP2, 4G, MPLS, INET, Loss/Latency, Best Performing]

Cloud onRamp for SaaS, Internet DIA
- WAN Edge router at the remote site performs quality probing for selected SaaS applications across each local DIA exit
  - Simulates client connection using HTTP ping
- Results of quality probing are quantified as vQoE score (combination of loss and latency)
- Local DIA exit with better vQoE score is chosen to carry the traffic for the selected SaaS application
  - Initial application flow may choose sub-optimal path until DPI identification is complete and cache table is populated
[Diagram labels: Remote Site, Regional Data Center, Data Center, SD-WAN Fabric, ISP1, ISP2, Loss/Latency, Quality Probing]

Cloud onRamp for SaaS, Regional Gateway
- WAN Edge routers at the remote site and regional hub perform quality probing for selected SaaS applications across their local Internet exits
  - Simulate client connection using HTTP ping
- Results of quality probing are quantified as vQoE score (combination of loss and latency)
  - HTTP ping for local DIA and App-Route + HTTP ping for regional Internet exit
- Internet exit with better vQoE score is chosen to carry the traffic for the selected SaaS application
  - Initial application flow may choose sub-optimal path until DPI identification is complete and cache table is populated
[Diagram labels: Remote Site, Regional Data Center, Data Center, SD-WAN Fabric, ISP1, ISP2, MPLS, Loss/Latency, Quality Probing, Custom Apps]

Cloud OnRamp for SaaS: Optimized Connectivity to Cloud Applications
- Local breakout policies (DIA) from remote site
- Visibility on quality of experience metrics
- Optimal path selection through proactive link probing
SaaS: Microsoft 365, Salesforce, G Suite, SAP Concur, Intuit, Zendesk, SugarCRM, Oracle, Webex, Box, GoToMeeting, Zoho, Dropbox, Any Apps (Custom/NBAR)
[Diagram labels: Branch/campus, Users, Cisco SD-WAN fabric, vQoE=10, vQoE=8, vQoE=7, Data center, Corporate software, Regional data center]

Cloud OnRamp for MultiCloud

Extending SD-WAN into Public Cloud (AWS as example)
Benefits:
- Automated provisioning of SD-WAN Transit VPC and TGW, route exchange for site to cloud and site to site traffic over AWS backbone
- Full Visibility into inter-regional transit traffic and telemetry with TGW Network Manager
- Consistent Policy and Segmentation across branch and cloud for enterprise class security
[Diagram labels: Branch site, Cisco SD-WAN, IPsec VPN, AWS Transit Gateway, AWS VPC (three), Cisco SD-WAN Fabric, Cisco SDWAN Manager, AWS TGW Network Manager, WAN/Event Telemetry, Branch Site Data]

Two Major Use Cases: site-to-site and site-to-cloud
- Site-to-cloud: branch to cloud-based App
- Site-to-site: US branch to APAC branch
[Diagram labels: US West Branch, APAC Branch, SD-WAN Router, CSP us-west region, CSP ap-east region, Public Internet, CSP Backbone, App 1: US, App 2: APAC]
Common questions:
- Cloud design
- Performance and auto scale
- Security: Integration with virtual firewall and SIG
- Automation: Cloud OnRamp and custom (Terraform, Ansible)

High Level Design Options (CSP-generic, AWS used as example)
- SD-WAN Router in every VPC/VNET. Not scalable, but okay for one VPC. No built-in automation in Cloud onRamp, custom automation possible.
- Cloud OnRamp for IaaS: Transit VPC with SD-WAN routers. IPSec to host VPCs/VNETS via VGW. Cloud networks learnt via BGP, redistributed into OMP. AWS and Azure automation on vManage known as Cloud OnRamp for IaaS.
- Cloud OnRamp for Multicloud: AWS TGW or Azure vWAN is used. IPSec to AWS TGW, BGP on top of IPSec. Cloud networks learnt via BGP, redistributed into OMP. AWS (17.3), Azure (17.4) and Google Cloud (17.5) automation on vManage known as Cloud onRamp for Multicloud. Branch Connect: Traditional IPsec to AWS TGW (17.5). Cloud WAN coming in 2022.
[Diagram labels: US Branch Site (several), VPC/VNET, US-West-1, Host VPCs, Cloud Gateway, SD-WAN Transit VPC, Amazon VPC, AWS TGW, 17.5]

Automation (CSP-generic)
Different automation options:
- Cloud OnRamp (CoR) for Multicloud: automation built in vManage
- Custom automation with 3rd party tools like Terraform and Ansible
Cloud OnRamp Automation
- Pros: Single UI in vManage for the whole workflow. Discovers host VPCs/VNETS and connects public-cloud with SD-WAN within minutes.
- Cons: Not possible to add own customization for design changes, i.e., virtual firewall. No built-in auto scale capabilities (yet).
Custom Automation
- Pros: Will do exactly what customer wants. Can be changed in case of any design changes.
- Cons: Takes time and money to develop and test (customer, Cisco CX or Partner).

Cisco SD-WAN Cloud OnRamp for Multicloud with Microsoft Azure
[Diagram labels: Cisco SD-WAN on-premises router; Cisco SD-WAN cloud router - Catalyst 8000V; vHUB; Workload vNet (two); vWAN; Cisco SD-WAN; France Central; vManage; BGP]

Cisco SD-WAN Cloud Hub and Google Cloud Network Connectivity Center
[Diagram labels: Google Cloud services, SaaS, Cisco SD-WAN Cloud Hub with Google Cloud, Google Cloud Network Connectivity Center, Enterprise site (three), vManage API, Cisco SD-WAN Fabric. Legend: Cisco SD-WAN router on-premises; Cisco SD-WAN cloud router at Google Cloud PoP]

Cisco SD-WAN Middle-Mile Optimization
- Flexibility: All or selective traffic sent based on type or app
- Reliability: Reliable, high-speed connectivity between sites
- Security: End-to-end encryption over middle mile global backbone
- On-demand: Automated connectivity via vManage central dashboard
[Diagram labels: Public cloud, Cisco SD-WAN fabric, Cloud-to-cloud, Site-to-site, Site-to-cloud, Enterprise site (two), SaaS, IaaS, Cloud WAN, NCC, Middle-Mile Network. Legend: Cisco SD-WAN router on-premises; Cisco SD-WAN virtual router]

Key Takeaways: Cisco SD-WAN
- Predictable and actionable insights
- Pervasive Security
- Optimized for Cloud access
- Single pane of glass
- Automation

SD-WAN. This is it.

Networking: SD-WAN
Learn how to confidently deploy and operate Cisco's SD-WAN solution in a new or existing network. These sessions provide a journey from the foundation to latest Cisco SD-WAN innovations focusing on design, innovations, and integrations with Cloud, SASE, and Assurance/Analytics.
- START: Monday, June 5 | 8:00 a.m. BRKENT-2108 Cisco SD-WAN: Start Here
- Monday, June 5 | 1:00 p.m. BRKENT-1104 Creating a Secure Digital Experience with Cisco SD-WAN powered by Meraki
- Tuesday, June 6 | 1:00 p.m. BRKENT-2651 Migration to Multi-Region Fabric - Transform and Simplify Middle-mile Based Network Designs for Large Scale, Cloud and Colo based SD-WAN Networks
- Tuesday, June 6 | 4:00 p.m. BRKENT-2126 3 Steps to Gain Actionable Visibility in the Cisco SD-WAN Using ThousandEyes
- Wednesday, June 7 | 1:00 p.m. BRKENT-2006 Optimizing and Orchestrating End-Users Connections to Public and Private Clouds in a SASE World
- Thursday, June 8 | 1:00 p.m. BRKENT-2313 Making SD-WAN easy: Operational Simplification and User Experience
- FINISH: Thursday, June 8 | 1:00 p.m. BRKENT-2469 How Cisco SD-WAN Analytics & Insights Powers Faster Time to Resolution?
If you are unable to attend a live session, you can watch it in the On-Demand Library after the event.

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- These points help you get on the leaderboard and increase your chances of winning daily and grand prizes
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Gamify your Cisco Live experience!
Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
