SDWAN VIPTEL A TRAINING PPTX cisco SDWAN

adhyanr9 247 views 21 slides Jul 02, 2024

About This Presentation

viptela


Slide Content

Agenda – Day 3
- OMP in detail
- Policy Architecture
- Centralized and Localized Policy
- Labs: OMP Lab, Multi Topology, Hub and Spoke

Overlay Management Protocol

Overlay Management Protocol (OMP) – Unified Control Plane
- TCP based extensible control plane protocol
- Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside TLS/DTLS connections
- Leverages address families to advertise reachability for TLOCs, unicast/multicast destinations (statically/dynamically learnt service side routes), service routes (L4-L7), BFD stats (TE and H-SDWAN) and Cloud onRamp for SaaS probe stats (gateway)
- Uses attributes
- Distributes IPSec encryption keys, and data and app-aware policies (embedded NETCONF)
[Figure: three vSmart controllers peering with two vEdge routers]

Overlay Management Protocol – Overview
- TCP based extensible control plane protocol
- Runs between vEdge routers and vSmart controllers and between the vSmart controllers
- Inside permanent TLS/DTLS connections
- Automatically enabled on bringup
- vSmarts create a full mesh of OMP peers
- vEdge routers need not peer with all vSmarts
[Figure: OMP peers – vSmart1, vSmart2 and vSmart3 in full mesh, with two vEdge routers]

Overlay Routing: TLOC Routes
- Routes connecting locations to physical networks (INET, MPLS)
- Advertised to vSmart controllers
- Most prominent attributes: Site-ID, Encap-SPI, Encap-Authentication, Encap-Encryption, Public IP, Public Port, Private IP, Private Port, BFD-Status, Tag, Preference, Weight
[Figure: vEdge with INET and MPLS TLOCs sending an OMP Update to vSmart; service side routes are Connected, Static or Dynamic (OSPF/BGP)]

Overlay Routing: OMP Routes
- Routes learnt from the local service side
- Advertised to vSmart controllers
- Most prominent attributes: TLOC, Site-ID, Label, VPN-ID, Tag, Preference, Originator System IP, Origin Protocol, Origin Metric
[Figure: vEdge with INET and MPLS transports sending an OMP Update to vSmart; service side routes are Connected, Static or Dynamic (OSPF/BGP)]

Overlay Routing: Network Service Routes
- Routes for advertised network services, i.e. Firewall, IDS, IPS, generic
- Advertised to vSmart controllers
- Most prominent attributes: VPN-ID, Service-ID, Label, Originator System IP, TLOC
[Figure: vEdge with an attached Firewall sending a NetworkService OMP Update to vSmart over INET and MPLS]

Policy Framework

Policy Framework
Centralized Policies:
- Centralized Control Policy (Fabric Routing)
- VPN Membership (Fabric Routing + Segmentation)
- Centralized Data Policy (Fabric Data Plane)
- Centralized App-Aware Policy (Application SLA)
Localized Policies:
- Local Control Policy (OSPF/BGP)
- Local Data Policy (QoS/Mirror/ACL)
[Figure: the policies laid out across the vManage, vSmart and vEdge columns]

Policy Distribution
- Data Policy and App Aware Routing Policy: vManage to vSmart over NETCONF/YANG, vSmart to vEdge over OMP
- Control Policy and VPN Membership Policy: vManage to vSmart over NETCONF/YANG
- Local Policies: vManage to vEdge over NETCONF/YANG

Centralized Policy Construction
Policy Lists:
- app-list – list of DPI applications
- data-prefix-list – list of prefixes for data-policy
- prefix-list – list of prefixes for non-data policy
- color-list – list of TLOC colors
- site-list – list of site-ids
- tloc-list – list of TLOCs
- vpn-list – list of VPNs
Policy Types:
- app-route-policy ensures an SLA compliant path
- control-policy controls OMP routing updates
- data-policy provides per-VPN policy-based routing controls
- vpn-membership-policy controls VPN membership across nodes
- cflowd-template configures the cflowd agents on the vEdge routers
Policy Definition:
- match statement – matching criteria for a policy sequence
- action statement – actions applied when the match occurs
- default-action – actions applied when no match occurs
Policy Application:
- apply-policy is used in conjunction with a site-list to determine policy scope
- For control policy, the in or out direction must be specified

Control Policies
- Control policies (control-policy) are configured on vManage, and enabled and enforced on vSmart controllers. They do not get forwarded to vEdge routers.
- Control policies operate on OMP routing information received from or sent to vEdge routers. They can filter OMP updates or modify various attributes.
- Control policies can be a very powerful tool, changing the routing behavior of the entire SD-WAN fabric.
- Control policies are used to enable many services, such as: Service Chaining, Traffic Engineering, Extranet VPNs, Service and Path affinity, Arbitrary VPN Topologies, and more.

Control Policy Example – Arbitrary VPN Topologies
Problem: Different VPNs must be provided with different connectivity based on the applications being serviced in each VPN. VPN 1: CRM System = Hub and Spoke; VPN 2: Voice = Full Mesh.
Solution: Employ a Control Policy to control the VPN topology.
[Figure: Cisco SD-WAN fabric with vSmart applying the VPN Topology Policy; DC1 and DC2 carry VPN1, Site1, Site2 and Site3 carry VPN1 and VPN2]

Control Policy Example – Arbitrary VPN Topologies

  policy
   lists
    site-list sites
     site-id 1-3
    !
    vpn-list CRM
     vpn 1
    !
    vpn-list voice
     vpn 2
    !
    tloc-list datacenters
     tloc 4-5 color public-internet
    !
   !
   control-policy ArbitraryTopology
    sequence 10
     match route
      vpn-list CRM
     !
     action accept
      set
       tloc-list datacenters
      !
     !
    !
    sequence 20
     match route
      vpn-list voice
     !
     action accept
     !
    !
    default-action reject
   !
  !
  apply-policy
   site-list sites
    control-policy ArbitraryTopology out
   !
  !

vSmart overrides the next hop attribute for routes advertised in VPN1 and sets it to the Data Center TLOCs, resulting in a hub-and-spoke topology. Routes in VPN2 are advertised as-is, resulting in the default full-mesh topology.

Control Policy Example – Service Insertion
Problem: Certain departments require Firewall protection when interacting with data center networks, while other departments do not.
Solution: Employ a Service Chained Firewall Service per VPN.
[Figure: Cisco SD-WAN fabric with a Regional Hub advertising the Firewall Service, a Data Center, two Sites and vSmart applying the Control Policy to enable the Service Chain; sites are labelled VPN1 - Protected, VPN20 - Open, the Data Center VPN1 - Protected, VPN2 - Open]

Control Policy Example – Service Insertion

  policy
   lists
    vpn-list ProtectedVPNs
     vpn 1-10
    !
    site-list RemoteSites
     site-id 1-10
    !
    site-list DataCenter
     site-id 100
    !
   !
   control-policy RemoteSites-to-DC
    sequence 10
     match route
      vpn-list ProtectedVPNs
     !
     action accept
      set
       service netsvc1
      !
     !
    !
   !
   control-policy DC-to-RemoteSites
    sequence 10
     match route
      vpn-list ProtectedVPNs
     !
     action accept
      set
       service netsvc2
      !
     !
    !
   !
  !
  apply-policy
   site-list RemoteSites
    control-policy RemoteSites-to-DC out
   !
   site-list DataCenter
    control-policy DC-to-RemoteSites out
   !
  !

netsvc1 and netsvc2 are advertised from the Regional Hub. Send all traffic originating from remote sites with a site-id in the range 1-10 in VPNs 1-10 to the Firewall interface marked as netsvc1. Send all returning traffic from the data center to the Firewall interface marked as netsvc2. netsvc1 and netsvc2 are advertised from the vEdge router in the Regional Hub.
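The two control-policy slides (Arbitrary VPN Topologies and Service Insertion) describe the same evaluation: vSmart walks the sequences top down, rewrites the matched route's attributes, and applies the default action to everything else. The following added example (not from the slides or from Cisco/Viptela) models that evaluation in Python against constructed OMP routes. The vpn-list, tloc-list and service names come from the slides; the OmpRoute/Sequence/ControlPolicy classes, the TLOC string form and the sample routes are assumptions made for the demo. It also exposes the check worth running before pushing a policy that ends in default-action reject: which VPNs silently lose all overlay reachability because no sequence lists them.

```python
"""Added example, not from the slides: a small model of how a vSmart evaluates a
centralized control-policy (match route vpn-list -> accept/set, default-action)
against the OMP routes it is about to advertise to a site.  Policy values mirror
the ArbitraryTopology and RemoteSites-to-DC policies; the OMP routes, TLOC strings
and the policy classes are constructed for this demo."""
from dataclasses import dataclass, replace
from typing import List, Optional, Set


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    vpn: int
    tloc: str                        # next hop TLOC as "<system-ip>/<color>" (constructed form)
    service: Optional[str] = None    # service attribute written by 'set service'


@dataclass(frozen=True)
class Sequence:
    vpn_list: Set[int]                         # 'match route vpn-list ...'
    set_tloc_list: Optional[List[str]] = None  # 'action accept / set tloc-list ...'
    set_service: Optional[str] = None          # 'action accept / set service ...'


@dataclass(frozen=True)
class ControlPolicy:
    sequences: List[Sequence]
    default_accept: bool   # 'default-action accept' -> True, 'default-action reject' -> False


def vpn_range(spec: str) -> Set[int]:
    """Expand a Viptela style list entry such as '1-10' or '2' into a set of ints."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


# Lists and policy from the 'Arbitrary VPN Topologies' slide.
CRM = vpn_range("1")
VOICE = vpn_range("2")
DATACENTERS = ["4/public-internet", "5/public-internet"]   # 'tloc 4-5 color public-internet'
ARBITRARY_TOPOLOGY = ControlPolicy(
    sequences=[
        Sequence(vpn_list=CRM, set_tloc_list=DATACENTERS),  # sequence 10: rewrite next hop to DCs
        Sequence(vpn_list=VOICE),                           # sequence 20: accept unchanged
    ],
    default_accept=False,                                   # default-action reject
)

# Policy from the 'Service Insertion' slide.  That slide shows no default-action,
# so reject is assumed here.
PROTECTED_VPNS = vpn_range("1-10")
REMOTE_SITES_TO_DC = ControlPolicy(
    sequences=[Sequence(vpn_list=PROTECTED_VPNS, set_service="netsvc1")],
    default_accept=False,
)

# Constructed OMP routes originated by site 2 that vSmart is about to send to site 1.
SAMPLE_ROUTES = [
    OmpRoute("10.2.0.0/24", vpn=1, tloc="2/public-internet"),   # CRM
    OmpRoute("10.2.1.0/24", vpn=2, tloc="2/public-internet"),   # voice
    OmpRoute("10.2.3.0/24", vpn=3, tloc="2/public-internet"),   # a VPN no sequence lists
]


def apply_control_policy(policy: ControlPolicy, routes: List[OmpRoute]) -> List[OmpRoute]:
    """Evaluate sequences top down, first match wins (the 'Policy Definition' slide).

    'set tloc-list' replicates the route once per TLOC in the list so the receiving
    site only learns the data centre next hops; 'set service' tags the route with the
    service; a route matching no sequence follows the default action."""
    advertised: List[OmpRoute] = []
    for route in routes:
        for seq in policy.sequences:
            if route.vpn not in seq.vpn_list:
                continue
            if seq.set_tloc_list:
                advertised.extend(replace(route, tloc=t) for t in seq.set_tloc_list)
            elif seq.set_service:
                advertised.append(replace(route, service=seq.set_service))
            else:
                advertised.append(route)
            break
        else:  # no sequence matched
            if policy.default_accept:
                advertised.append(route)
    return advertised


def dropped_vpns(policy: ControlPolicy, routes: List[OmpRoute]) -> Set[int]:
    """VPNs whose routes the policy removes entirely: the pre-deployment check for a
    policy ending in 'default-action reject'."""
    kept = {r.vpn for r in apply_control_policy(policy, routes)}
    return {r.vpn for r in routes} - kept


if __name__ == "__main__":
    for r in apply_control_policy(ARBITRARY_TOPOLOGY, SAMPLE_ROUTES):
        print(f"vpn {r.vpn} {r.prefix} via {r.tloc}")
    print("VPNs with no routes left:", dropped_vpns(ARBITRARY_TOPOLOGY, SAMPLE_ROUTES))
    for r in apply_control_policy(REMOTE_SITES_TO_DC, SAMPLE_ROUTES):
        print(f"vpn {r.vpn} {r.prefix} service {r.service}")
```

Running it shows the VPN1 prefix advertised twice, once per data centre TLOC, the VPN2 prefix untouched, and VPN3 absent from the output: with `default-action reject` a VPN that is not in any vpn-list stops being reachable across the fabric, which is the reason `dropped_vpns` is worth running against a snapshot of real OMP routes before the policy is activated.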

Control Policy Example – Traffic Engineering
Problem: Traffic carried to certain sites should prefer a path that avoids a certain carrier.
Solution: Employ a traffic engineering control-policy.
[Figure: Viptela SEN Overlay across Carrier 1, Carrier 2, Carrier 3 and Carrier 4, with the Control Policy to enable TE steering traffic from the best path to Carrier 4 onto the preferred path to Carrier 4]

Data Policy Example – DIA with NAT
Problem: Local Internet exit needs to be provided from branches and needs to be centrally managed.
Solution: Employ a data-policy with network address translation.
[Figure: Cisco SD-WAN fabric with vSmart pushing the Data policy to enable NAT; Data Center and Sites carry VPN1 – Private Only and VPN2 – Private and Internet, each site with Policy Enforcement and a NAT DIA exit to the Internet]

Data Policy Example – DIA with NAT

  policy
   lists
    data-prefix-list InternetBound
     ip-prefix 1.1.1.0/24
     ip-prefix 2.2.2.0/24
    !
    vpn-list PublicVPN
     vpn 2
    !
    site-list RemoteSites
     site-id 1-3
    !
   !
   policer InternetRate
    rate 100000
   !
   data-policy InternetNAT
    vpn-list PublicVPN
     sequence 10
      match
       source-data-prefix-list InternetBound
      !
      action accept
       nat use-vpn
       set
        policer InternetRate
       !
      !
     !
    !
   !
  !
  apply-policy
   site-list RemoteSites
    data-policy InternetNAT from-service
   !
  !

NAT is defined on the DIA interface. Traffic sourced from the 1.1.1.0/24 and 2.2.2.0/24 prefixes, originated in public VPN2 on remote site vEdge routers, is NATed to the DIA interface IP and is subjected to a policer enforcing the rate of 100Mb.

Application Aware Routing Policies
- Application Aware Routing policies (app-route-policy) are configured on vManage, enabled on vSmart controllers and enforced on vEdge routers
- Application Aware Routing policies ensure an SLA compliant path through the SD-WAN fabric
A functional app-route-policy is defined through the following steps:
1. Configure the required sla-classes: the SLA-class defines loss, latency and jitter thresholds
2. Configure the app-route-policy and match on the application/traffic of interest: the match can be based on 5-tuple matching or a DPI signature
3. Apply the app-route-policy towards the sites of interest: the app-route-policy is enforced in the VPNs and sites of interest
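The three steps above, as an added Python example that is not from the slides or from Cisco/Viptela: sla-classes with loss/latency/jitter thresholds, sequences that match traffic by 5-tuple (destination port here) and name a preferred colour, and the selection of a compliant tunnel from per-tunnel BFD statistics. The SLA values, tunnel colours, BFD numbers, port-to-class mapping, the strict flag and all class and function names are constructed for the demo. It also covers the failure mode the slide leaves implicit: what happens when no tunnel meets the SLA.

```python
"""Added example, not from the slides: a model of the app-route-policy steps
(sla-class thresholds, match on traffic of interest, preferred path) evaluated
against per-tunnel BFD statistics.  All values and names are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence


@dataclass(frozen=True)
class SlaClass:
    name: str
    loss: float     # maximum packet loss in percent
    latency: int    # maximum latency in milliseconds
    jitter: int     # maximum jitter in milliseconds


@dataclass(frozen=True)
class TunnelStats:
    """BFD-measured loss/latency/jitter for one tunnel, identified by TLOC colour."""
    color: str
    loss: float
    latency: int
    jitter: int


@dataclass(frozen=True)
class AppRouteSequence:
    """One sequence: 5-tuple style match on destination ports, the SLA to enforce,
    and the colour to prefer among compliant tunnels."""
    dst_ports: FrozenSet[int]
    sla: SlaClass
    preferred_color: Optional[str] = None
    strict: bool = False    # strict: drop rather than fall back when nothing is compliant


def meets_sla(sla: SlaClass, t: TunnelStats) -> bool:
    return t.loss <= sla.loss and t.latency <= sla.latency and t.jitter <= sla.jitter


def select_paths(sla: SlaClass, tunnels: Sequence[TunnelStats],
                 preferred_color: Optional[str] = None, strict: bool = False) -> List[str]:
    """Colours the flow may use: the preferred colour if it is compliant, otherwise every
    compliant colour.  With no compliant tunnel the policy either falls back to all
    tunnels or, when strict, to none (traffic dropped)."""
    compliant = [t.color for t in tunnels if meets_sla(sla, t)]
    if preferred_color in compliant:
        return [preferred_color]
    if compliant:
        return compliant
    return [] if strict else [t.color for t in tunnels]


def route_flow(policy: Sequence[AppRouteSequence], dst_port: int,
               tunnels: Sequence[TunnelStats]) -> List[str]:
    """First matching sequence wins; unmatched flows get no SLA and may use any tunnel."""
    for seq in policy:
        if dst_port in seq.dst_ports:
            return select_paths(seq.sla, tunnels, seq.preferred_color, seq.strict)
    return [t.color for t in tunnels]


# Constructed sla-classes and policy: a tight 'voice' class and a looser 'bulk' class;
# SIP/RTP-like ports map to voice, 443 to bulk.
VOICE = SlaClass("voice", loss=1.0, latency=150, jitter=30)
BULK = SlaClass("bulk", loss=5.0, latency=400, jitter=100)
POLICY = [
    AppRouteSequence(dst_ports=frozenset({5060, 16384}), sla=VOICE, preferred_color="mpls"),
    AppRouteSequence(dst_ports=frozenset({443}), sla=BULK, preferred_color="biz-internet"),
]

# Constructed BFD statistics: a healthy fabric and a degraded one.
HEALTHY = [
    TunnelStats("mpls", loss=0.1, latency=40, jitter=5),
    TunnelStats("biz-internet", loss=0.5, latency=120, jitter=25),
    TunnelStats("lte", loss=3.0, latency=200, jitter=60),
]
DEGRADED = [
    TunnelStats("mpls", loss=0.1, latency=220, jitter=5),            # latency above the voice SLA
    TunnelStats("biz-internet", loss=2.0, latency=120, jitter=25),   # loss above the voice SLA
    TunnelStats("lte", loss=3.0, latency=200, jitter=60),
]

if __name__ == "__main__":
    for port in (5060, 443, 22):
        print(port, "healthy ->", route_flow(POLICY, port, HEALTHY),
              "degraded ->", route_flow(POLICY, port, DEGRADED))
```

On the healthy fabric voice goes to mpls and bulk to biz-internet; on the degraded fabric no tunnel meets the voice SLA, so the non-strict sequence lets voice use any tunnel while the strict variant returns an empty list. The difference matters operationally: non-strict keeps calls up on a poor path, strict turns an SLA miss into an outage, and either way the BFD statistics that drove the decision are what an operator needs to see when users report degraded quality.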

Application Aware Routing Policy Example
Problem: Critical application traffic needs to take an SLA compliant path through the network to achieve a better user quality of experience.
Solution: Employ Application Aware Routing.
[Figure: Cisco SD-WAN fabric with vSmart pushing the Application Aware Routing Policy to three Sites, each with Policy Enforcement; Critical Application and Non-Critical Application traffic take different paths]