SD-WAN Design PDF
Uploaded by IssueFreeConstructivism
Summary
This document covers Software Defined Wide Area Network (SD-WAN) design, including architecture, components, and functions. It also discusses the market opportunity for SD-WAN and its advantages over traditional WANs in terms of business needs. It explains concepts such as dynamic path selection, WAN optimization, security, Zero-Touch Provisioning, and global coverage for a wider reach.
Full Transcript
SD-WAN Agenda
Why SD-WAN? Traditional WAN vs. SD-WAN; MEF SD-WAN; SD-WAN components (architecture: controller, edges, orchestration); dynamic path selection; WAN optimization (de-duplication, forward error correction, quality of service); ZTP; Cloud On-Ramp.

Software Defined Wide Area Network – What is SD-WAN?
SD-WAN is an acronym for software-defined networking in a wide area network (WAN). SD-WAN simplifies the management and operation of a WAN by decoupling the networking hardware from its control mechanism. This concept is similar to how software-defined networking uses virtualization technology to improve data center management and operation.

SD-WAN Market and Estimated Market Size

Why SD-WAN?
A key reason for SD-WAN is to allow companies to build higher-performance WANs using lower-cost, commercially available Internet access, enabling businesses to partially or wholly replace more expensive private WAN connection technologies such as MPLS.

Lots of buzzwords! Which one is SD-WAN?

Traditional WAN vs. SD-WAN

Why SD-WAN – MEF Definition
MEF's SD-WAN service definition standard describes requirements for an application-aware, over-the-top WAN connectivity service that uses policies to determine how application flows are directed over multiple underlay networks, regardless of the underlay technologies or the service providers who deliver them. (MEF SD-WAN Service Definition)

SD-WAN Components – Common Architectural Elements
SD-WAN has five common elements: Edge, Controller, Gateway, Orchestrator, and Web Portal.

SD-WAN Edge
The SD-WAN Edge can be either a physical device, such as a CPE, or a virtual CPE based on a virtual network function (VNF). The SD-WAN Edge performs several critical functions (source: cisco.com). It acts as the security-policy enforcer and carries out WAN optimization tasks such as data deduplication, compression, and packet buffering. It also creates and removes encrypted tunnels over underlay networks, whether the connection is wired or wireless.

Since SD-WAN Edges often connect to public Internet WANs, they include, at a minimum, some NAT and firewall capabilities. Most of the time the actual cost of a deployment comes from the SD-WAN Edges, because there are far more Edge devices in the network than centralized core devices (Gateways, Controllers, Orchestrator).

SD-WAN Controller
The SD-WAN Controller centralizes management of the SD-WAN Edges and SD-WAN Gateways. It provides physical or virtual device management for all SD-WAN Edges and SD-WAN Gateways associated with the controller. This includes, but is not limited to, configuration and activation, IP address management, and pushing policies down onto SD-WAN Edges and SD-WAN Gateways. The SD-WAN Controller maintains connections to all SD-WAN Edges and SD-WAN Gateways to identify the operational state of SD-WAN tunnels across the different WANs and to retrieve QoS performance metrics for each SD-WAN tunnel. These metrics are used by the Orchestrator.

SD-WAN Orchestrator
The Service Orchestrator provides service management across the SD-WAN service lifecycle, including service fulfillment, performance, control, assurance, usage, analytics, security and policy. For example, the Service Orchestrator is responsible for configuring the end-to-end SD-WAN managed service between SD-WAN Edges and SD-WAN Gateways over one or more underlay WANs (e.g. Internet and MPLS), and for setting up application-based forwarding over those WANs based on security, QoS, business or intent-based policies.

SD-WAN Gateway
The SD-WAN Gateway is a special case of an SD-WAN Edge that also enables sites interconnected via the SD-WAN to connect to sites interconnected via alternative VPN technologies, e.g. CE or MPLS VPNs. There are two ways to deliver an SD-WAN service to sites connected via another VPN service. One way requires an SD-WAN Edge to be placed at each subscriber site connected to the VPN service, so that SD-WAN tunnels can be created over the VPN. The other way is to use an SD-WAN Gateway. In this scenario, the SD-WAN Gateway initiates and terminates SD-WAN tunnels like an SD-WAN Edge, and also initiates and terminates VPN connections to and from the sites interconnected by the VPN. This lets sites in the SD-WAN and in the other VPN technology domain intercommunicate.

This approach does not require SD-WAN Edges at each VPN site to achieve interconnectivity. However, SD-WAN service capabilities such as application-based traffic forwarding over multiple WANs, or QoS and security policy management, will not be available at the MPLS VPN sites, because those sites have no SD-WAN Edges to perform these functions.

SD-WAN Web Portal
The Subscriber Web Portal is added to the enterprise's existing managed services portal. It works in conjunction with the Service Orchestrator to monitor the SD-WAN as a service. The MSP or CSP typically integrates the Subscriber Web Portal for the SD-WAN managed service into the existing customer portal used for their other managed services.

SD-WAN Key Characteristics
1. The ability to support multiple connection types, such as MPLS, last-mile fiber optical networks, or high-speed cellular networks, e.g. 4G LTE and 5G wireless technologies
2. The ability to do dynamic, application-aware path selection, for load sharing and resiliency purposes
3. A simple interface that is easy to configure and manage
4. The ability to support VPNs, and third-party services such as WAN optimization controllers, firewalls and web gateways

SD-WAN – Different Transport Mechanisms

SD-WAN – Dynamic Path Selection
This feature ensures traffic uses the best path depending on the business need, for example for mission-critical and delay-sensitive applications. An SD-WAN solution requires a path selection/control mechanism that allows each application to switch paths dynamically, in real time, in response to network conditions, rather than sticking to one particular underlay.

SD-WAN – Simpler Management Compared to Legacy WAN
The GUI provides simpler management, reduced troubleshooting time, mass deployment and update, centralized monitoring, and so on. (Source: VeloCloud)

SD-WAN – WAN Optimization – Security and Other Services
WAN optimization accelerates application traffic by overcoming latency and reducing the amount of data traversing the WAN, applying techniques such as deduplication, compression and caching to dramatically increase the amount of available bandwidth.

Most SD-WAN implementations offer a way to encrypt branch-to-branch corporate traffic using IPsec, which protects the data in transit. Because most SD-WAN vendors offer IPsec, it is common to assume that SD-WANs are inherently secure. It is true that IPsec protects the data as it traverses the network, but it has no effect on DDoS protection, man-in-the-middle attacks or malware for direct branch-to-cloud traffic. Centralized security control should be rethought when it comes to SD-WAN security. (Source: Aryaka)

For example, you still need stateful firewall capabilities between the public Internet and your WAN edge device to grant or deny access. Most NGFWs also come with a
variety of UTM functions, including intrusion detection and prevention (IDS/IPS), quarantining or otherwise deflecting detected malware, and web filtering, which knows about risky Internet sites and prevents your users from visiting them. (Source: Versa) Since every branch constitutes a WAN edge with exposure to the Internet, you may need all of these capabilities at each branch site!

SD-WAN – WAN Optimization – Deduplication and Compression
Deduplication analyzes blocks of data, looking for repetition. It replaces multiple copies of data with references to a single, compressed copy, thereby reducing the amount of capacity needed. Data deduplication (dedupe) provides storage savings by eliminating redundant blocks of data. Capacity reduction is achieved only when there is redundancy in the data set: the data set must consist of multiple identical files, or of files containing a portion of data identical to content found in other files.

Data compression reduces the number of bits required to represent the information. Compressing large files into fewer bits allows users to store more data and also makes data transmission quicker and easier. Compressed data must be decompressed so that the original data can be extracted, and how far a document is compressed is measured by the compression ratio. Unlike deduplication, compression is not concerned with whether a second copy of the same block exists; it simply wants to store the most efficient form of each block. Examples of common file-level compression in day-to-day use include MP3 audio and JPG image files.

SD-WAN – WAN Optimization – How Does Data Compression Work?
Entropy encoding is one of the techniques for compression. You might start with a string like:

AABCABBCABACBAAACBCCAABAAACBAA

You might notice that some letters appear more often than others: A appears about twice as often as B and C, and the other letters don't appear at all. Using that information, you can choose an encoding that represents the characters in the string with less information, e.g. A may be encoded as the binary 0, while B and C are assigned 10 and 11 respectively. If you were originally using 8 bits per character, that is a big saving. Another encoding scheme is run-length encoding.

SD-WAN – WAN Optimization – Packet Loss
Packet loss occurs when network congestion or problems in the physical infrastructure cause packets to be lost during transmission. It is expressed as a percentage of packets. Packet loss is addressed by some WAN optimization appliances using forward error correction (FEC), which allows receiving stations to regenerate lost packets automatically without requiring retransmission. Let's have a look at Forward Error Correction.

SD-WAN – Forward Error Correction
For some applications it is necessary to have good error protection. Sometimes it is impossible for the receiver to communicate back to the sender to check for errors in the received packets. Some algorithms are designed for this kind of situation, for example in multiple-receiver communication. They use forward error correction, which is based on adding redundant bits to the bit stream of data. A simple example of forward error correction is the (3,1) repetition code: each bit of data is sent three times, and the value of the message is decided by majority vote.
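The deduplication and compression passages above describe what a WAN optimizer does to a byte stream before it crosses the link. The following is an added example, not code from the slides or from any vendor product: a block-level deduplicator that replaces repeated blocks with references, a prefix (Huffman) code built from symbol frequencies, and run-length encoding. The 30-character string is the one from the slides; the 8-byte block size, the 4-byte reference cost and the request-line sample are constructed assumptions.

```python
"""Added example: block deduplication plus compression (entropy coding and RLE).

Sample inputs are constructed except PAGE_SAMPLE, which is the slide string.
"""
import hashlib
import heapq
import itertools
from collections import Counter

PAGE_SAMPLE = "AABCABBCABACBAAACBCCAABAAACBAA"  # the string from the slides


# --- deduplication: keep one copy of each distinct block, send references otherwise ---

def dedupe_blocks(data: bytes, block_size: int = 8) -> tuple:
    """Hash every fixed-size block; return (unique_blocks, sequence), where the
    sequence holds, for each block position, the index of the unique block."""
    index_of = {}            # block hash -> position in unique_blocks
    unique_blocks, sequence = [], []
    for i in range(0, len(data), block_size):
        block = data[i:i + block_size]
        digest = hashlib.sha256(block).digest()
        if digest not in index_of:          # first time this content is seen
            index_of[digest] = len(unique_blocks)
            unique_blocks.append(block)
        sequence.append(index_of[digest])   # a reference, not another copy
    return unique_blocks, sequence


def rehydrate(unique_blocks: list, sequence: list) -> bytes:
    """Receiver side: rebuild the original stream from the references."""
    return b"".join(unique_blocks[i] for i in sequence)


def dedupe_savings(data: bytes, block_size: int = 8) -> dict:
    """Bytes before and after dedup; each reference is assumed to cost 4 bytes."""
    unique_blocks, sequence = dedupe_blocks(data, block_size)
    return {"original_bytes": len(data),
            "unique_payload_bytes": sum(len(b) for b in unique_blocks),
            "reference_bytes": 4 * len(sequence),
            "roundtrip_ok": rehydrate(unique_blocks, sequence) == data}


# --- entropy coding: frequent symbols get short codewords (Huffman construction) ---

def huffman_code(text: str) -> dict:
    """Build a prefix code from symbol frequencies. For PAGE_SAMPLE this gives a
    1-bit codeword for A and 2-bit codewords for B and C, as on the slide
    (which of B and C gets 10 versus 11 is an arbitrary tie-break)."""
    freq = Counter(text)
    if len(freq) == 1:
        return {next(iter(freq)): "0"}
    tiebreak = itertools.count()       # avoids comparing dicts when counts tie
    heap = [(n, next(tiebreak), {sym: ""}) for sym, n in freq.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        n1, _, left = heapq.heappop(heap)
        n2, _, right = heapq.heappop(heap)
        merged = {s: "0" + c for s, c in left.items()}
        merged.update({s: "1" + c for s, c in right.items()})
        heapq.heappush(heap, (n1 + n2, next(tiebreak), merged))
    return heap[0][2]


def entropy_encode(text: str, code: dict) -> str:
    return "".join(code[ch] for ch in text)


def entropy_decode(bits: str, code: dict) -> str:
    """No codeword is a prefix of another, so the first match is always right."""
    lookup = {codeword: sym for sym, codeword in code.items()}
    out, current = [], ""
    for bit in bits:
        current += bit
        if current in lookup:
            out.append(lookup[current])
            current = ""
    if current:
        raise ValueError("trailing bits do not form a codeword")
    return "".join(out)


def compression_ratio(text: str) -> dict:
    """8 bits per character versus the entropy-coded length."""
    code = huffman_code(text)
    bits = entropy_encode(text, code)
    return {"original_bits": 8 * len(text), "encoded_bits": len(bits),
            "roundtrip_ok": entropy_decode(bits, code) == text}


# --- run-length encoding: the other scheme the slides mention ---

def rle_encode(text: str) -> list:
    """Collapse runs of identical characters into (char, run_length) pairs."""
    runs = []
    for ch in text:
        if runs and runs[-1][0] == ch:
            runs[-1] = (ch, runs[-1][1] + 1)
        else:
            runs.append((ch, 1))
    return runs


def rle_decode(runs: list) -> str:
    return "".join(ch * n for ch, n in runs)


if __name__ == "__main__":
    # constructed sample: a repeated 8-byte request line, the redundancy dedup removes
    sample = b"GET /a\r\n" * 3 + b"GET /b\r\n" + b"GET /a\r\n"
    print(dedupe_savings(sample))
    print(compression_ratio(PAGE_SAMPLE))   # 240 bits down to 45
    print(rle_encode("AAAABBBCCD"))
```

Dedup and compression are complementary, as the slides say: dedup only pays off when whole blocks repeat (the sample has five blocks but only two distinct ones), while the prefix code shrinks every block regardless of repetition, and run-length encoding helps only where the same character repeats consecutively.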
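The (3,1) repetition code just described, as an added example that is not from the slides: every data bit is sent three times and the receiver majority-votes each triplet, with no feedback channel to the sender. The payload, the flipped bit positions and the random channel model are constructed; the example also shows the limit the slides' table implies, namely that two flipped bits in one triplet are decoded wrongly.

```python
"""Added example: (3,1) repetition code with majority-vote decoding."""
import random

REPEAT = 3  # the "3" in (3,1): three channel bits carry one data bit


def bytes_to_bits(data: bytes) -> list:
    """Expand bytes into 0/1 ints, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; the list length must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("bit string is not byte aligned")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def fec_encode(bits: list) -> list:
    """Sender side: repeat each data bit REPEAT times (the redundant bits)."""
    return [b for b in bits for _ in range(REPEAT)]


def fec_decode(channel_bits: list) -> list:
    """Receiver side: majority vote over each triplet, no retransmission needed."""
    if len(channel_bits) % REPEAT:
        raise ValueError("channel bit count is not a multiple of the repeat factor")
    return [1 if sum(channel_bits[i:i + REPEAT]) * 2 > REPEAT else 0
            for i in range(0, len(channel_bits), REPEAT)]


def flip(channel_bits: list, positions) -> list:
    """Return a copy with the channel bits at the given indexes inverted."""
    out = list(channel_bits)
    for p in positions:
        out[p] ^= 1
    return out


def transmit(payload: bytes, flip_positions=()) -> tuple:
    """Encode, corrupt the listed channel positions, decode; return (recovered, intact)."""
    coded = fec_encode(bytes_to_bits(payload))
    received = flip(coded, flip_positions)
    recovered = bits_to_bytes(fec_decode(received))
    return recovered, recovered == payload


def residual_error_rate(bit_error_prob: float, data_bits: int = 10000, seed: int = 1) -> float:
    """Fraction of data bits still wrong after decoding when each channel bit is
    flipped independently with probability bit_error_prob (constructed channel)."""
    rng = random.Random(seed)
    data = [rng.randint(0, 1) for _ in range(data_bits)]
    received = [b ^ 1 if rng.random() < bit_error_prob else b for b in fec_encode(data)]
    decoded = fec_decode(received)
    return sum(d != r for d, r in zip(data, decoded)) / data_bits


if __name__ == "__main__":
    print(transmit(b"SD-WAN", flip_positions=[0, 5, 9]))  # one error per triplet: corrected
    print(transmit(b"SD-WAN", flip_positions=[0, 1]))     # two errors in one triplet: not corrected
    print(residual_error_rate(0.05))  # far below the raw 5% channel error rate
```

The price is tripled bandwidth, which is why the slides list FEC under WAN optimization appliances that apply it selectively to lossy paths rather than to everything.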
The most frequently received bit is taken to be the value of the message (see table below).

SD-WAN – Good-to-Have Capabilities
Some of these features are good to have for some companies and must-haves for others, depending on the application requirements and constraints: Quality of Service, Zero-Touch Deployment, Global Coverage, Vendor POC Support, Cloud Enablement.

SD-WAN – Quality of Service
Internet connectivity is one of the cheapest and most widely available bandwidth options. However, when it comes to building a corporate wide area network (WAN), Internet connectivity is still not seen as a reliable medium for important business data. Quality of service (QoS) refers to the ability of a network to provide higher levels of service using traffic prioritization and control mechanisms. (Source: WanDynamics)

Some SD-WAN vendors market their Forward Error Correction (FEC) and Dynamic Path Selection/Control features as QoS, but they are not QoS mechanisms. Although these features improve network performance, they shouldn't be marketed as QoS features! Some SD-WAN vendors support traffic shaping, rate limiting and policing as QoS features as well. QoS simply prioritizes some traffic and penalizes other traffic!

SD-WAN – Zero-Touch Deployment/Provisioning
With this capability, IT teams can bring up services without needing to interact with physical equipment, resulting in fast and efficient deployment of services. ZTP can be found in switches, wireless access points, SD-WAN nodes, NFV platforms, firewalls and many other networking devices. Not all ZTP implementations are truly "zero touch", though, so you will sometimes also come across terms like "minimal touch provisioning" or "one touch provisioning". The steps below are usually included in a ZTP process:
1. Making the device reachable
2. Firmware upgrade
3. Base configuration (DNS, NTP, RADIUS, ...)
4. Specific configuration (VLANs, interfaces, routing protocols, ...)

SD-WAN – How Does ZTP Work?
As the name Zero-Touch Provisioning suggests, the goal is to install a networking appliance somewhere without anyone needing to configure it locally. A new or replacement device can be sent to a site, physically installed and powered up by a locally present employee without IT skills. Most ZTP implementations are DHCP driven. Some vendors use ZTP via USB. Some vendors give the ability to execute scripts (Python or Bash). Some vendors retrieve a configuration file via HTTP or TFTP. Internet connectivity is required in the first place.

More and more vendors offer a cloud service to support the configuration and ZTP process; Cisco Meraki, Riverbed, Citrix and Juniper Networks are among them. All that is required is registering the serial numbers of the purchased devices, and the vendor ensures the devices are correctly registered and visible under your management portal account. The device can then be fully configured and managed via the cloud.

SD-WAN – Global Coverage
If your business requires international connectivity, you may need to analyze the provider's point-of-presence (POP) coverage to understand the effect on application performance. Certain providers and vendors operate a significant global network presence that includes specific POPs for both private and Internet traffic. SD-WAN features are focused on application performance, but latency and jitter challenges can arise when deploying international services.

SD-WAN – Vendor POC Support
A proof of concept is an excellent way to understand and verify the capability of an SD-WAN offering. Some vendors offer demo hardware for a period of time, often with presales resources to assist with the configuration.

SD-WAN – Cloud Connection
Some SD-WAN products can program "cloud breakout" based on applications, allowing direct access to trusted sites (like SalesForce.com) while tunneling traffic to unknown sites to either cloud-based or centrally based inspection services. This improves productivity, minimizes unnecessary inspection of trusted traffic and provides better security than traditional hub-and-spoke MPLS solutions.

SD-WAN – Cloud Connection – SaaS
Enterprises today face major user-experience problems for SaaS applications because of networking problems. The centralized Internet exit architecture can be inefficient and results in poor SaaS performance. Branch sites are also running out of capacity to handle Internet traffic, which is a concern because more than 50% of branch traffic is destined for the cloud. Common network designs consolidate application and service controls at centralized DMZs and data centers. As a result, enterprise traffic destined for the Internet or public clouds must be backhauled through a centralized DMZ facility. This causes the traffic to trombone or hairpin, creating an inefficient route that increases the distance between the user and the application.

Traditional WAN vs. SD-WAN Comparison

Cisco SD-WAN – Why SD-WAN?
Traditional WAN is not capable of handling today's application and WAN requirements: adoption of services like SaaS (Software as a Service) and IaaS (Infrastructure as a Service); exposing an enterprise to the Internet can introduce threat and compliance issues; limited application visibility and understanding of the network; expensive WAN circuits with limited features.

Value Proposition of an SD-WAN Solution
Increasing bandwidth through the activation of idle backup links and dynamic load balancing. Delivering faster cloud access by enabling direct Internet access at the branch. Reducing operational and management costs through centralized, commonly cloud-based, management. Lowering WAN costs through the use of cheaper Internet or LTE connectivity as an alternative to MPLS.

Cisco SD-WAN Cloud Scale Architecture – Components and Architecture
The Cisco SD-WAN solution is a cloud-delivered Wide Area Network (WAN) overlay architecture that extends the principles of software-defined networking (SDN) into the WAN. Cisco SD-WAN is broken into four planes: Data Plane, Control Plane, Management Plane and Orchestration Plane. It consists of four main components: vManage, vBond, vSmart, and vEdge (WAN Edge).

vManage
In the Management Plane, vManage is the user interface of the solution. Network administrators and operators perform configuration, provisioning, troubleshooting and monitoring here. vManage provides a single pane of glass for managing all the SD-WAN components.

vBond
Cisco vBond resides in the Orchestration Plane. The vBond controller is largely responsible for the Zero-Touch Provisioning process as well as first-line authentication, control/management information distribution, and facilitating Network Address Translation (NAT) traversal. vBond is responsible for onboarding devices into the SD-WAN fabric.

vSmart
Cisco vSmart is the "brain" of the solution and exists within the Control Plane. As policies are created on vManage, vSmart is the component responsible for enforcing them centrally. Routing decisions are made by vSmart only, and it acts like a BGP route reflector (RR) for propagating routes using OMP (Overlay Management Protocol).

WAN Edge (vEdge)
The WAN Edge belongs to the Data Plane and is used for forwarding. Cisco WAN Edge routers come in multiple forms, virtual and physical. The WAN Edge routers form IPsec tunnels with each other to form the SD-WAN overlay.

Cisco SD-WAN (Viptela) Control Plane
OMP (Overlay Management Protocol) works like BGP in traditional routing: routing information is exchanged via vSmart, vSmart acts like a BGP RR, and every WAN Edge builds its OMP session with vSmart only.

TLOC (Transport Locator)
A TLOC identifies a transport path and replaces the next-hop information. One WAN Edge can be configured with up to 8 colors. A TLOC entry consists of: System IP, Color, and Encapsulation (GRE or IPsec). (Figure: a WAN Edge with interface E0 colored INET and E1 colored MPLS.)

Types of Route
OMP Route, TLOC Route, and Service Route.

vRoute or OMP Route
The OMP Route provides destination prefix reachability along with the TLOC information. It is shared via vSmart in OMP updates. An OMP Route contains: Destination Prefix, TLOC, and Prefix Attributes. (Figure: prefix 10.1.1.0/24 learned as an OMP Route from WAN Edge 2 via vSmart using OMP.)

TLOC Route
It provides the further TLOC reachability information to the WAN Edge. The WAN Edge does a recursive lookup here: first it looks up the OMP Route to get the TLOC information for the destination prefix, then it looks up the TLOC Route to get the reachability of the destination WAN Edge based on the TLOC received from the OMP Route. Only once the WAN Edge has both the OMP Route and the TLOC Route will it establish the IPsec VPN with the respective WAN Edge. A TLOC Route contains: TLOC, WAN IP, and Attributes.

Service Route
It contains information about the reachability of any service device (firewall, load balancer or IPS/IDS). The WAN Edge connected to such a device generates the Service Route.

Cisco SD-WAN (Viptela) Data Plane – VPN
VPNs play a major role in SD-WAN data plane operations. A VPN is the equivalent of a VRF on Viptela hardware. Unlike a VRF, a VPN can be configured only with a number, not a name. Each VPN has its own routing table. Two VPNs are configured by default, VPN 0 and VPN 512. VPN 0 is equivalent to the default VRF; VPN 512 is used for out-of-band management traffic only.

VPN 0
VPN 0 is known as the Transport VPN. It is used to initiate and terminate IPsec VPNs; all transport interfaces should be configured under VPN 0. It is used as the front-door VRF for terminating VPN traffic. The System IP is part of VPN 0 by default. It is used for communication with the other controllers, and can secondarily be used for management and control traffic as well.

VPN 1 to VPN n
All VPNs from VPN 1 up to the VPN limit are known as Service VPNs. They are used like regular VRFs on the WAN Edge devices for communicating with LAN-side services. All traffic originating from a Service VPN carries a VPN tag and is sent through the same IPsec tunnel between the WAN Edge devices. The VPN tag is used on the destination WAN Edge to land the traffic in the appropriate VPN.

IPsec VPN
IPsec tunnels are configured between all WAN Edges in a full mesh by default. One IPsec tunnel carries the traffic of multiple VPNs. AES encryption is used by default.

IPsec Key Exchange
For scalability, SD-WAN does not use IKE (either IKEv1 or IKEv2) for key exchange between the WAN Edges. The WAN Edges use their DTLS/SSL secure channel to vSmart for the key exchange process: all WAN Edges share their keys with vSmart along with the OMP update, and vSmart is responsible for exchanging the keys.

Bidirectional Forwarding Detection (BFD)
BFD probes are sent by every WAN Edge to the other WAN Edges over all transports. The probes are sent over the IPsec tunnel. BFD probes verify TLOC reachability; if the BFD probes fail, that TLOC is considered invalid. BFD probes are also used to check circuit quality by measuring the following parameters: drop counts, jitter, latency and bandwidth.

Cisco SD-WAN (Viptela) Management Plane – Device Templates
vManage is used for the management plane and for pushing configuration to the WAN Edges. A device template is a combination of multiple feature templates. Feature templates are used to enable specific global configuration on the WAN Edge device. The other half of the configuration, beyond templates, is policy.

Types of Policy in SD-WAN
Centralized Control Policy, Centralized Data Policy, Localized Control Policy, and Localized Data Policy.

Centralized Control Policy
It is a central policy defined on vSmart. It defines how routing (route learning and advertisement) takes place in the SD-WAN through vSmart. It is similar to a route-map in traditional routing. It also defines the topology between the WAN Edges (by default a full mesh).

Centralized Data Policy
This policy is used to match data packets based on IP and port, and can be used like an ACL in traditional routing. It is managed by vSmart and downloaded to the WAN Edge. It is used to match QoS parameters and can also change the next hop of a packet. It can be applied to incoming packets in the Transport VPN as well as the Service VPNs.

Localized Control Policy
This policy is stored locally on the WAN Edge router and is used for manipulating or filtering routing information. It is mainly used for routing information configured on the service-side VPN, and works as a filter list or route-map for the routing protocol (OSPF or BGP) configured on a Service VPN interface.

Localized Data Policy
This policy is similar to the Centralized Data Policy but is stored locally on the WAN Edge. It is also used for matching data packets but is mainly used for QoS deployment. It can be applied to an individual interface, unlike the Centralized Data Policy, which is applied on a per-VPN basis.