VELOCLOUD SD-WAN 360 - Connectra Technologies · PROFILE—BUSINESS POLICY SETTINGS Quickly modify...

VELOCLOUD SD-WAN 360: COMPONENTS, FEATURES, DESIGN & WHAT’S NEW

Rohan Naggi, Technical Marketing Manager


Page 2

VeloCloud Networks Proprietary & Confidential | © Copyright 2017

AGENDA

Architecture Overview
• Components Interactions
• Enterprise and SP Architecture Model
• SDN Approach & Traffic Flows
• Steering Traffic through Overlay

Core Features
• Multi-Tenant Orchestrator and Gateways
• DMPO—Application Performance with Business Policies
• Cloud VPN
• Network Service Insertion—Cloud Web Security
• Branch Configuration—ZTP, Profiles, IPAM
• High Availability
• Overlay Flow Control
• Firewall and NAT

Design & Deployment
• Branch Broadband Deployment
• SD-WAN Design
• Connecting SD-WAN sites to Legacy/Non SD-WAN Sites

What’s New

Page 3

Architecture Overview
• Components
• Enterprise and SP Architecture
• Traffic Flows
• Steering Traffic through Overlay

Page 4

VELOCLOUD CLOUD-DELIVERED SD-WAN

VeloCloud’s Network Service Consists of 3 Key Components

1. Orchestrator
2. Cloud Gateway
3. Edge

[Diagram labels: VeloCloud Orchestrator; Private Network/MPLS; Public Internet; SaaS; Branch Sites with VeloCloud Edges; Dynamic Multi-Path Optimization; VeloCloud Gateways; Enterprise Data Center via Cloud Gateway; Enterprise Data Center with On-Premise VeloCloud Edge]

Page 5

ENTERPRISE/OVER THE TOP DEPLOYMENTS

“Site to site SD-WAN plus benefits of cloud gateways for SaaS”

Hub for SD-WAN to data center including private links

Hosted gateways for SD-WAN to SaaS/IaaS

Hub-less design for legacy data centers

[Diagram labels: Branch Site with VeloCloud Edge; VeloCloud Gateway with Embedded Controller; Public Internet; Internet; Legacy Enterprise Data Center; SD-WAN Enterprise Data Center with VeloCloud Edge Cluster; Provider Edge; SAAS; VeloCloud Orchestrator; Private—MPLS; Private Circuit]

Page 6

MANAGED SD-WAN ACCESS TO SP

Hub-less deployment in DCs and non-SD-WAN sites

Access to private network for mid mile

SD-WAN for last mile/access

[Diagram labels: Branch Site with VeloCloud Edge; VeloCloud Gateway with Embedded Controller; Public Internet; Internet; Legacy Enterprise Data Center; Provider Edge; Provider Edge and Gateways; Provider Cloud Data Center with Provider Gateways; Private—MPLS; Private/MPLS; Private Circuit; SAAS; VeloCloud Orchestrator]

Orchestrator with On-Premise or in the cloud option

True multi-tenant Gateways and Orchestrator

Multi-tier, role-based management for SPs

Page 7

SDN APPROACH

Separated Control & Data Planes
• Can be scaled independently
• Segregated failure domains

VeloCloud Service Consists of 3 Key Components
• Edge, Cloud Network, Orchestrator

VeloCloud Orchestrator
• Policy management
• Visibility into network & element operation
• Source of intelligence

VeloCloud Gateway
• Forward packets to their final destination
• Protection services through DMPO
• IPsec termination services

VeloCloud Edge
• Physically interconnects clients & ISP links
• Ultimately responsible for packet steering

[Diagram labels: Client Hosts; Enterprise DC, SaaS, IaaS; Control Plane; Data Plane]

Page 8

VELOCLOUD ARCHITECTURE—TRAFFIC FLOWS

udp/2426—VeloCloud Multi-Path Protocol

tcp/443
• Only need to allow outgoing traffic
• VCE polls VCO periodically
• Provide management and control plane information

Page 9

TRAFFIC INSIDE OVERLAY TUNNELS (BETWEEN VCES)

Traffic between SD-WAN sites: branch-to-branch and branch-to-hub

Internet backhaul

IPSec

Page 10

TRAFFIC INSIDE OVERLAY TUNNELS (SAAS THROUGH VCG)

Traffic to SaaS is Not Encrypted

IPSec

Page 11

TRAFFIC INSIDE OVERLAY TUNNELS (TO VPC AND NON-VC SITE)

Traffic to IaaS (VPC) or to Non-VeloCloud Site is Encrypted

IPSec

Page 12

TRAFFIC OUTSIDE OVERLAY TUNNELS

To non-SD-WAN MPLS site

To services reachable only through MPLS

Internet off-load

IPSec

Page 13

VELOCLOUD HYBRID WAN ARCHITECTURE

[Diagram labels: Gold Site: Dual L3 Switches; Silver Site 1: Single L3 Switch; Silver Site 2 (CE Elimination); Bronze Site: Single/Dual Internet; Legacy Site: MPLS with VPN Backup; Datacenter; To Core Switch (Campus/DC); Hub Cluster; Existing VPN hub; Edge (four instances); two items flagged NEW, one of them the Hub Cluster]

Page 14

Recap

Page 15

VeloCloud Core Features
• Multi-Tenant
• DMPO
• Cloud VPN
• Network Service Insertion
• Branch Configuration—ZTP, Profiles, IPAM
• High Availability
• Overlay Flow Control
• Firewall & NAT

Page 16

THREE-TIER MULTI-TENANT ORCHESTRATION PLATFORM

Tiers: Operators, Partners, Customers

Operator

Partner A, Partner B, Partner C

Customer A, Customer B, Customer C, Customer D

Operator (ISP) Portal: vco.velocloud.net/operator

MSP Portal: vco.velocloud.net

Enterprise Portal: vco.velocloud.net

Page 17

MULTI-TENANT & STATE-LESS GATEWAY

• Each customer goes into a dedicated VRF

[Diagram labels: VeloCloud Gateway; PE Router; BGP; Public IP; VRF-A, VRF-B, VRF-C (shown twice)]

Page 18

VCG IS STATELESS, WHAT DOES IT MEAN AND WHY?

• Unlike typical CE-PE config, there is very little config on VCG (IP address, BGP peer, etc.)

• Biz policy is pushed to the VCE only

• VCE tells the VCG how to process each flow

• Need more capacity, spin up another VCG & re-assign VCE to new VCG

1. User configures policy, e.g. RTP = Real-time high, prefer MPLS link, etc.

2. Traffic Starts

3. Send Policy Sync

OK, now I know how to process this flow

Page 19

VeloCloud Core Features

Dynamic Multi-Path Optimization

Page 20

CONCEPTS REVIEW

Dynamic Multi-Path Optimization

Steering & Remediation

Live Measurements

DAR: DPI + Prefix DB + Learning

Page 21

APPLICATION PERFORMANCE MONITORING & SCORING

VQS = 10 x % of time good app performance + 5 x % of time fair app performance

• The VeloCloud Quality Score (VQS) rates the application Quality of Experience (QoE) that the network can deliver for a given timeframe
  – Applications: Voice, Video, Transactional applications
  – QoE rating: Good, Fair, Poor

Page 22

DMPO ACTION THRESHOLDS

• Include assessment time (every 100 msec)

• Include reaction objective (sub second)

Page 23

VELOCLOUD DEEP APPLICATION RECOGNITION (DAR)

VeloCloud Deep Application Recognition

Deep Packet Inspection: Application recognition & application metadata

Learning database: Cached DPI result to assist with first packet classification

Cloud service directory: Up-to-date database of cloud service IPs

2500+ Applications

Page 24

LINK STEERING & REMEDIATION

Assured Application performance over MPLS, Internet broadband and LTE circuits

Continuous Monitoring
• Automatic capacity testing
• Continuous link & path quality monitoring

Dynamic App Steering
• App aware per Packet Steering
• Virtualized: apps not tied to links
• Aggregated bandwidth for single flows
• Policies abstracted by service groups
• Backup link policy

On Demand Remediation
• Error & jitter correction
• Automatic steering for brownouts/blackout

Case Study: Retail Hybrid WAN
• MPLS packet loss and outage
• Performance issues on CABLE

VeloCloud Delivers Excellent VoIP Quality
• Sub-sec steering of VOIP without call drops
• On-demand mitigation of packet loss & jitter

Page 25

LINK STEERING OPTIONS

Available
• Prefer application on a path but steer away if the link fails
  – Example: Web Browsing

Preferred
• Prefer application on a path but steer away if cannot meet SLA
  – Example: VoIP

Mandatory
• Pin an application to a path even when the link fails
  – Example: PCI

[Diagram labels: PCI, VoIP and Web Browsing flows over Link A: Private Wired and Link B]

Page 26

PROFILE—BUSINESS POLICY SETTINGS

Quickly modify rules with a drag and drop enabled, in-view editor

Traffic definition

Rules for application priority, bandwidth allocation, service insertion, link-remediation etc.

Add a new Business Policy

Single-click policy updates for a group of Edges

Page 27

APPLICATION AWARE OVERLAY QOS SCHEDULING

No dynamic error correction

Enterprises or SPs can specify guaranteed and max BW for each class

Offer 9 traffic classes

Each rule in business policy maps to a traffic class

Service classes: Real-Time, Transactional, Bulk

Priorities: High, Normal, Low

Application categories shown in the class grid:
• Business Collaboration
• Remote Desktop, Business App
• Email
• Audio/Video
• Infrastructure, Authentication, Management, Network Services, Tunneling
• File Sharing
• IM, Web, Proxies, Games, Media, Social
• Storage/Backup, P2P

Values shown in the second grid (Real-Time, Transactional, Bulk by High, Normal, Low): 35, 20, 15, 15, 7, 5, 1, 1, 1

Page 28

APPLICATION AWARE OVERLAY QOS MARKING

Copy from inner to outer

Mark or re-mark inner DSCP tag

Mark the outer so it matches SP CoS

[Figure: packets between two VeloCloud Edges, built from Data, IP HDR, VCMP HDR and IPSEC HDR. In one example the inner IP HDR carries DSCP=EF and the outer IPSEC HDR carries DSCP=EF; in the other the inner IP HDR carries DSCP=CS3 and the outer IPSEC HDR carries DSCP=CS4.]
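
The marking behaviours on this slide (copy inner to outer, mark the outer to match the SP CoS, re-mark the inner tag), as an added example that is not VeloCloud code. It assumes a plain IPv4 outer header (IP-in-IP) in place of the VCMP and IPsec headers, uses documentation address ranges, and takes the CS3 to CS4 mapping from the figure.

```python
import socket
import struct

# Standard DSCP code points that appear on the slide.
DSCP = {"CS3": 24, "CS4": 32, "EF": 46}


def checksum(header: bytes) -> int:
    """Internet checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, dscp: int, payload_len: int, proto: int) -> bytes:
    """Build a 20-byte IPv4 header (no options) with the given DSCP and ECN = 0."""
    tos = dscp << 2  # DSCP occupies the top six bits of the TOS byte
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def get_dscp(packet: bytes) -> int:
    """Read the DSCP of the first IPv4 header in the packet."""
    return packet[1] >> 2


def set_dscp(packet: bytes, dscp: int) -> bytes:
    """Mark or re-mark the DSCP (20-byte header assumed) and refresh the checksum."""
    tos = (dscp << 2) | (packet[1] & 0x03)  # keep the two ECN bits
    hdr = packet[:1] + bytes([tos]) + packet[2:10] + b"\x00\x00" + packet[12:20]
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + packet[20:]


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str, outer_map=None) -> bytes:
    """Wrap `inner` in an outer IPv4 header.

    outer_map=None copies the inner DSCP to the outer header.
    outer_map={inner_dscp: outer_dscp} marks the outer header so it matches
    the provider's class of service; unmapped values are copied.
    """
    inner_dscp = get_dscp(inner)
    if outer_map is None:
        outer_dscp = inner_dscp
    else:
        outer_dscp = outer_map.get(inner_dscp, inner_dscp)
    # Protocol 4 = IP-in-IP, which is what this simplified wrapper produces.
    return ipv4_header(tunnel_src, tunnel_dst, outer_dscp, len(inner), proto=4) + inner


def sample_packet(dscp: int) -> bytes:
    """Constructed sample: IPv4 header plus 8 zero bytes standing in for UDP."""
    return ipv4_header("192.0.2.10", "198.51.100.20", dscp, 8, proto=17) + b"\x00" * 8


if __name__ == "__main__":
    voice = sample_packet(DSCP["EF"])
    copied = encapsulate(voice, "203.0.113.1", "203.0.113.2")
    print("copy : inner", get_dscp(copied[20:]), "outer", get_dscp(copied))

    data = sample_packet(DSCP["CS3"])
    marked = encapsulate(data, "203.0.113.1", "203.0.113.2",
                         {DSCP["CS3"]: DSCP["CS4"]})
    print("mark : inner", get_dscp(marked[20:]), "outer", get_dscp(marked))

    remarked = set_dscp(data, DSCP["EF"])
    print("remark inner:", get_dscp(data), "->", get_dscp(remarked))
```
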

Page 29

VeloCloud Core Features

CLOUD VPN

Page 30

ONE-CLICK VPN DEPLOYMENT

• To enterprise DC hub with dynamic branch to branch

• Eliminates N x N manual tunnels to cloud with cloud gateway aggregation

• Interoperable IPsec for no touch legacy DC

End to end encryption

Automatic VPN setup

[Diagram labels: Branch Site; Non-VeloCloud Enterprise DC; Enterprise DC]

Page 31

DYNAMIC EDGE-TO-EDGE VPN TRAFFIC FLOWS

E2E with VCG
• Leverage distributed VCGs to facilitate E2E traffic
• VCG used for both data/control plane
• Initial traffic goes through VCG while dynamic E2E tunnel is built

E2E with Hub
• For security conscious and hybrid sites
• Define list of hubs to facilitate E2E traffic
• VCG used for control plane only
• Initial traffic hairpins to hub while dynamic E2E tunnel is built

[Diagram legend: Initial traffic; After dynamic E2E is up]

Page 32

CLOUD VPN—EDGE-TO-EDGE VPN (HUB)

Hubs are configured in the VCO. VCO notifies all the VCEs about hubs

VCEs build static multi-path tunnels to hub

VCEs still use VCG to distribute routes

E2E traffic is first sent to the hub based on routing table. If dynamic E2E is configured, VCEs establish direct tunnels

[Diagram labels: Subnet A; Subnet B; Hub 1; Hub 2; Dynamic E2E; List of hubs to connect to]

Page 33

VELOCLOUD HUB CONFIGURATION

1. Configure > Edges > New Edge: Create the VeloCloud Hub Edge with the appropriate Model and configuration Profile

2. Configure > Profiles > Device: Select the appropriate Profile and enable Cloud VPN and Edge to VeloCloud Hubs connectivity under the Device tab

3. Configure > Profiles > Device > Cloud VPN: Select the VeloCloud Hub site defined in Step 1

4. Configure > Profile > Business Policy: You can now configure Business Policy for traffic to VeloCloud Hub

Page 34

NON-VELOCLOUD SITE: CONFIGURATION STEPS

Access to non-VeloCloud sites can be configured as follows

1. Configure the non-VeloCloud site in the Orchestrator by specifying the Primary (and Secondary if present) VPN Gateway IP address and device type

2. Specify Site subnet(s) for the non-VeloCloud site

3. Configure the non-VeloCloud site with IPsec tunnel configuration generated by the Orchestrator

4. Enable Cloud VPN and configure the VeloCloud Edge to route to the non-VeloCloud site

5. (Optional) Enable Redundant VeloCloud Cloud VPN

6. You can now set business policies and firewall rules for traffic to the non-VeloCloud site. Use the Monitor > Network Service tab to monitor status of the VPN tunnel to the non-VeloCloud site

Route-based or policy-based IPsec tunnels with DPD negotiated through IKEv1

[Diagram labels: Edge Site 1; Edge Site 2; Primary VCG; Secondary VCG (available for route-based VPN); Non-VeloCloud Site; Primary VPN GW (12.12.12.21); Secondary VPN GW (12.12.12.22); Site subnets 10.100.100.0/24; step callouts 1 to 5]

Page 35

VeloCloud Core Features

Network Service Insertion

Page 36

EASE OF SERVICE INSERTION

[Diagram labels: Public Internet; SaaS; Enterprise Data Center via Cloud Gateway; Enterprise Data Center with On-Premise VeloCloud Edge; VeloCloud Gateways; VeloCloud Orchestrator; Private/MPLS; Dynamic Multi-Path Optimization; Service Insertion Point (three locations)]

Page 37

BUSINESS POLICIES—SERVICE INSERTION

Direct: Traffic can be steered by Service Group, Interface or WAN Link

Cloud Proxy: Traffic steered
• Via specific Interface/WAN Link
• Mandatory only

Internet Backhaul: Traffic backhauled to either VeloCloud site (Hub) or a non-VeloCloud site (non-VeloCloud DC) via Service Groups or via Interface/WAN Link

Steer by interface and WAN Link can only be enabled at the Edge level not Profile level

[Diagram labels: Direct traffic not sent via VCG; Direct traffic sent via VCG; callouts 1 to 3]

Page 38

USE CASE—BACKHAUL BOX.COM TO DC

Use Case: Backhaul traffic to box.com through a Customer Data Center to have control over this traffic prior to handing it to the Internet

[Diagram labels: VeloCloud Edge Site; Internet; Customer Data Center; VeloCloud Edge (Hub); Next Gen Firewall; box.com; Data Center Hub to backhaul traffic]

Page 39

CLOUD WEB SECURITY—ZSCALER

Use Case: Forward all HTTP, Port 80 traffic to Zscaler except traffic to Salesforce which is considered secure

1. Configure > Network Services > Non-VeloCloud Sites: Add a new Non-VeloCloud site of type “Zscaler” as shown

2. Enter for Zscaler authentication using “Advanced” button, “Enable” the tunnel and save the site configuration

3. Configure > Profile > Device: Enable Edge to non-VeloCloud site VPN for traffic to Zscaler

[Diagram labels: VCE; VCG; Internet; Salesforce; All other HTTP traffic]

Page 40

CLOUD WEB SECURITY—ZSCALER

4. Configure > Profile > Business Policy: Define business policies to
• Send all salesforce traffic direct to the Internet
• Send all other Port 80, HTTP traffic to the Zscaler site

5. Configure > Profile > Business Policy: Make sure that the business policy rule for Port 80, HTTP traffic to salesforce.com has higher precedence than the catch-all rule for all other Port 80, HTTP traffic
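
The precedence requirement in the Zscaler procedure above, as an added example that is not VeloCloud code: rules are evaluated in list order and the first match wins, so the check below reports any rule that sits behind a broader one and can never fire. The `Rule` fields, rule names and hostname matching are assumptions made for the illustration, not the Orchestrator's data model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical business-policy rule: match on port and destination domain."""
    name: str
    action: str                       # "direct" or "zscaler" in this example
    dst_port: Optional[int] = None    # None matches any port
    dst_domain: Optional[str] = None  # None matches any destination

    def matches(self, host: str, port: int) -> bool:
        if self.dst_port is not None and self.dst_port != port:
            return False
        if self.dst_domain is None:
            return True
        host = host.lower().rstrip(".")
        dom = self.dst_domain.lower()
        # Match the domain or one of its subdomains, not a name that merely
        # ends with the same characters.
        return host == dom or host.endswith("." + dom)

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` can match is also matched by this rule."""
        port_ok = self.dst_port is None or self.dst_port == other.dst_port
        if self.dst_domain is None:
            dom_ok = True
        elif other.dst_domain is None:
            dom_ok = False
        else:
            a, b = self.dst_domain.lower(), other.dst_domain.lower()
            dom_ok = b == a or b.endswith("." + a)
        return port_ok and dom_ok


def evaluate(rules: List[Rule], host: str, port: int) -> Optional[Rule]:
    """Return the first rule in list order that matches, or None."""
    for rule in rules:
        if rule.matches(host, port):
            return rule
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed rule, earlier rule) pairs for rules that can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rules mirroring the use case: Salesforce direct, other HTTP to Zscaler.
SALESFORCE = Rule("salesforce-direct", "direct", 80, "salesforce.com")
CATCH_ALL = Rule("http-to-zscaler", "zscaler", 80)

GOOD_ORDER = [SALESFORCE, CATCH_ALL]   # specific rule has higher precedence
BAD_ORDER = [CATCH_ALL, SALESFORCE]    # catch-all hides the Salesforce rule

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        hit = evaluate(rules, "login.salesforce.com", 80)
        print(label, "order: salesforce ->", hit.action, "| shadowed:", shadowed(rules))
```
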

Page 41

VeloCloud Core Features

Branch Configuration

Page 42

PROVISION A NEW VELOCLOUD EDGE

1. Create Config & Send Key

2. Device Ships

3. Install, Authenticate & Pull Config

IT Admin adds a new VeloCloud Edge in the customer account.

IT Admin generates an activation key and emails it to the Installer.

VeloCloud Edge with factory default config is shipped to the remote site.

Office Admin powers up the device and connects it to the Internet.

Office Admin plugs in the device and connects to the Internet through VeloCloud Edge WLAN/LAN.

Office admin clicks on activation link in the email. Edge is activated.

Page 43

PROVISION A NEW VELOCLOUD EDGE

1. Create the required Profile and Network configurations for the VeloCloud Edge

2. Configure > Edge > New Edge: Add new VeloCloud Edge
• Specify Site name, Edge type and Profile to use
• (Optional) Specify HA and VCE Serial No.
• Customer Contact

3. Edge is now provisioned with an activation key and the configuration profile

4. (Optional) Configure any Edge specific parameters (if applicable) including
• LAN IP addressing
• Business policy rules
• Firewall rules
• Static WAN IP addressing

Note: When a VCE Serial Number is specified, the activation key generated in Step 3 can only be used to activate the Edge

Note: Static WAN IP can also be assigned at the time of activation from the Edge’s local UI. Any such manual changes are auto-updated in the Edge’s configuration in the VCO

Page 44

PROVISION A NEW VELOCLOUD EDGE

4. Send the Edge activation email to the customer and drop-ship Edge hardware to the site

5. Customer connects to the Edge’s Wi-Fi network and follows instructions from Step 4 to activate the Edge

[Screenshot labels: Activation link with DHCP WAN (DHCP WAN); Activation link with embedded static WAN IP (Static WAN)]

Page 45

PROFILE OVERVIEW

Profiles enable a simplified workflow for centralized configuration management of a VeloCloud deployment

Quickly create and modify LAN/WAN, VPN, Routing, business policy, firewall rules etc.

Page 46

PROFILE: ADVANTAGES

• Centralized policy-based configuration management by grouping the Edges logically by function, geography etc.

• By creating multiple profiles, a customer can
  – Plan a phased rollout of a new configuration by assigning a subset of sites to the new profile before deploying the changes at scale
  – Switch site configuration/deployment type by the Edge
  – Quickly provision VeloCloud service at a new site by creating an Edge and assigning the appropriate profile

Page 47

PROFILE: ADVANTAGES

• Single-click configuration updates for a group of Edges
  – Changes made at a Profile level are immediately pushed down to the Edges that are online at that time
  – If an Edge is offline, it connects to the Orchestrator and gets its configuration updates the next time it comes online—configuration updates are never missed

• Networks and network services can be shared across multiple profiles

• After assigning Edges belonging to the same deployment type to a common profile, individual site-specific configuration changes can be made on a per-Edge basis

Page 48

IP ADDRESS MANAGEMENT (IPAM) OVERVIEW

VeloCloud zero-touch deployment provides automatic calculation and assignment of IP addressing, VLAN and DHCP configuration

VeloCloud IP Address Management (IPAM) provides two basic methods of IP address assignment
• Overlapping: The same IP Address space is deployed at every Edge site
• Non-overlapping: A unique range of IP addresses is deployed at each Edge site

Page 49

IPAM: OVERLAPPING ADDRESSES GREENFIELD INTERNET DEPLOYMENT

Corporate VLANs: 2; Corporate1 Address: 10.0.2.0/21; Corporate3 Address: 10.1.2.0/20; Guest VLAN: 192.168.2.0/22; DHCP: Yes, Option 150

Corporate VLANs: 2; Corporate1 Address: 10.0.2.0/21; Corporate3 Address: 10.1.2.0/20; Guest VLAN: 192.168.2.0/22; DHCP: Yes, Option 150

Corporate VLANs: 1; Corporate Address: 10.0.2.0/21; Guest VLAN: 192.168.2.0/22; DHCP: Yes, no options

Corporate VLANs: 1; Corporate Address: 10.0.2.0/21; Guest VLAN: 192.168.2.0/22; DHCP: Yes, no options

Edge 1: Profile 1, Network 1

Edge 2: Profile 1, Network 1

Edge 3: Profile 2, Network 2

Edge 4: Profile 2, Network 2

All sites on the same Profile/Network use the same address space

Corporate LANs: 1 or more

Guest LANs: 1 or more

DHCP can be enabled/disabled; options can be specified if needed

The start address, subnet mask and # of wired/Wi-Fi VLANs is configurable

Best Practices
• Simple, auto-generated
• Greenfield sites with no VPN
• Can be used in conjunction with pre-existing sites, or VPN sites, by using different Profile/Network templates for the pre-existing sites

Page 50

IPAM: NON-OVERLAPPING ADDRESSES GREENFIELD VPN DEPLOYMENT

Corporate VLANs: 2; Corporate1 Address: 10.1.0.0/26; Corporate2 Address: 10.1.0.64/26; Guest VLAN: 192.168.2.0/22; DHCP: Yes, Option 150

Corporate VLANs: 2; Corporate1 Address: 10.129.0.0/26; Corporate2 Address: 10.129.0.64/26; Guest VLAN: 192.168.2.0/22; DHCP: Yes, Option 150

Corporate VLANs: 1; Corporate Address: 10.0.128.0/24; Guest VLAN: 192.168.2.0/22; DHCP: Yes, no options

Corporate VLANs: 1; Corporate Address: 10.0.0.0/24; Guest VLAN: 192.168.2.0/22; DHCP: Yes, no options

Edge 1: Profile 1, Network 1

Edge 2: Profile 1, Network 1

Edge 3: Profile 2, Network 2

Edge 4: Profile 2, Network 2

All sites on the same Profile/Network have non-overlapping blocks of addresses from the same base address space, e.g. 11.0.0.0/16

Applies to Corporate LANs only—Guest LANs always use overlapping addresses

Corporate LANs: 1 or more

Guest LANs: 1 or more

DHCP can be enabled/disabled; options can be specified if needed

The start address, subnet mask and # of wired/Wi-Fi VLANs is configurable

Best Practices
• Fairly simple, auto-generated
• Greenfield sites with VPN
• Cannot configure Edge1 with an address already assigned to Edge2

Page 51

DHCP CONFIGURATION: BEST PRACTICE OVERVIEW

• Greenfield site
• VCE as DHCP server

• Existing network with L2 switch
• Existing router remains as DHCP server
• VCE can become the DHCP server, but this requires router re-configuration

• Existing network with one or more L3 switches
• Existing L3 switch remains the DHCP server

• VCE as DHCP relay agent (per VLAN)
• Support DHCP server across the WAN or on another VLAN

Page 52

DHCP CONFIGURATION: NETWORK LEVEL > VLAN

When configuring VLANs at the Network Level, DHCP parameters can be specified

• Up to 32 VLANs
• DHCP with No Options
• DHCP with Options


WAN DHCP CONFIGURATION

[Diagram labels: DHCP, ISP]

When connecting the VCE to an ISP, the WAN port may get its address via DHCP from the ISP

If not, a static public IP address or PPPoE credentials can be assigned


VeloCloud Core Features

Firewall & NAT


FIREWALL

Firewalling can be implemented at

• Edge
  • Integrated with the VCE at the branch
  • Application-aware bi-directional firewall
• Pre-existing perimeter firewall at the branch

[Diagram labels: VCG, Cloud Edge, Remote Login, VCE, VPN, Internet]


CONFIGURE VCE FIREWALL RULES

VCE FW and logging enable/disable
• Outbound and Edge Access FW rules can be configured at both Profile and Edge level
• Inbound FW rules (Port Forwarding or 1:1 NAT) can only be defined at the Edge level

Precedence (ordering) of the rules by list position

FW rules configured at the Profile or Edge level

Rules include applications and application categories, source IP address/port, destination IP address/port, and protocol


PORT FORWARDING

[Diagram: ISP1 and ISP2 uplinks. PC-A: to IP-Address1 port 80. PC-B: to IP-Address2 port 8081. PC-C: to IP-Address2 port 25. LAN servers: Server1 192.168.10.21, Server2 192.168.10.22, Server3 192.168.10.23]

Port Forwarding allows the VeloCloud Edge to forward TCP/UDP requests arriving on specific WAN ports to specific LAN IP addresses/ports

You can also configure a range of ports for traffic forwarding using a “-”


1:1 NAT

[Diagram: ISP1 and ISP2 uplinks. PC-A: 170.10.1.14 port 80. PC-B: 170.10.1.15 port 8081. PC-C: 170.10.1.16 port 25. LAN servers: Server1 192.168.1.21, Server2 192.168.1.22, Server3 192.168.1.23. Callouts: “ISP routes traffic to 67.22.51.X to VCE”; “Leave blank to allow any traffic”]

1:1 NAT maps a specific public IP address (outside FW) to a specific LAN (inside FW) IP address

1:1 NAT can translate outside IP addresses in different subnets from the WAN interface address if the ISP routes traffic for the subnet towards the VeloCloud Edge

Specific ports to be forwarded to the inside IP address can also be defined
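Inbound rules (port forwarding, "-" ranges and 1:1 NAT) are where a branch becomes reachable from the Internet, so they are worth reviewing as a list. The following is an added example, not the Orchestrator's rule format: it resolves a packet against the rules by list position and flags rules that expose every port, use a wide range, or can never match. The schema, the rule names, the server-to-port pairing and the treatment of a blank port field as "all ports" are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_PORTS = (1, 65535)

def parse_ports(spec: str) -> Tuple[int, int]:
    """Parse '80' or a '-' range such as '8000-8100'; blank means every port."""
    if not spec.strip():
        return ALL_PORTS
    low, _, high = spec.strip().partition("-")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi

@dataclass
class InboundRule:                   # hypothetical schema for this sketch
    name: str
    kind: str                        # "port_forward" or "one_to_one_nat"
    outside_ip: str                  # WAN-side address the rule answers on
    lan_ip: str
    wan_ports: str = ""              # blank = all ports (assumption)
    lan_port: Optional[int] = None   # None = keep the original port
    protocol: str = "tcp"

def translate(rules: List[InboundRule], outside_ip: str, protocol: str,
              port: int) -> Optional[Tuple[str, str, int]]:
    """Return (rule name, LAN IP, LAN port) for the first rule in list order that matches."""
    for r in rules:
        lo, hi = parse_ports(r.wan_ports)
        if (r.outside_ip, r.protocol) == (outside_ip, protocol) and lo <= port <= hi:
            return r.name, r.lan_ip, r.lan_port or port
    return None

def audit(rules: List[InboundRule], max_span: int = 16) -> List[str]:
    """Flag rules that expose more than intended or are shadowed by an earlier rule."""
    findings = []
    for i, r in enumerate(rules):
        lo, hi = parse_ports(r.wan_ports)
        if (lo, hi) == ALL_PORTS:
            findings.append(f"{r.name}: {r.kind} exposes every port of {r.lan_ip}")
        elif hi - lo + 1 > max_span:
            findings.append(f"{r.name}: range {r.wan_ports} spans {hi - lo + 1} ports")
        for earlier in rules[:i]:
            elo, ehi = parse_ports(earlier.wan_ports)
            if ((earlier.outside_ip, earlier.protocol) == (r.outside_ip, r.protocol)
                    and elo <= lo and hi <= ehi):
                findings.append(f"{r.name}: shadowed by {earlier.name}")
                break
    return findings

# Constructed rule set. LAN servers and ports follow the slides; the outside
# addresses are RFC 5737 documentation addresses used as placeholders.
RULES = [
    InboundRule("web", "port_forward", "198.51.100.1", "192.168.10.21", "80"),
    InboundRule("app", "port_forward", "198.51.100.2", "192.168.10.22", "8081"),
    InboundRule("mail", "port_forward", "198.51.100.2", "192.168.10.23", "25"),
    InboundRule("bulk", "port_forward", "198.51.100.2", "192.168.10.22", "8000-8100"),
    InboundRule("nat-srv1", "one_to_one_nat", "203.0.113.14", "192.168.1.21"),
    InboundRule("nat-smtp", "one_to_one_nat", "203.0.113.14", "192.168.1.23", "25"),
]

if __name__ == "__main__":
    print(translate(RULES, "198.51.100.2", "tcp", 8081))
    for finding in audit(RULES):
        print(finding)
```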


VeloCloud Core Features

High Availability


VELOCLOUD EDGE HA OVERVIEW

Sub-Second Stateful Failover
• Ensure continuous uptime with active/standby deployment
• Maintain all active flows during failover

Simple to Configure
• One click to enable HA
• Devices automatically discover and establish active/standby relationship

[Diagram: two Edges joined by a failover link, one labelled “I am active”, the other “I am on standby”]


EDGE CLUSTERING

• Each hub reports usage and load stats to the VeloCloud Controller (VCC) periodically. VCC maintains a list of hubs in an increasing order of their load
• Branch VCE requests VCC for hub IP address
• VCC assigns least loaded hub to the branch VCE
• There will be no state sync between the hubs in the cluster
• Branch VCE sets up tunnel to the assigned hub

Data plane session from Branch VCE to Hub cluster over MPLS/Internet

Control plane session from Branch and Hub VCEs to the Controller

[Diagram labels: Enterprise DC Hub Cluster Id 1, Tunnel setup to Hub1, L3 Switch, Branch Edge, VCC]


VeloCloud Core Features

Overlay Flow Control


OVERLAY FLOW CONTROL
Route Learning—Enterprise Architecture

• Network routes learnt via standard routing
• Visibility and Control simplified with an enterprise-wide consolidation of route information

[Diagram labels: VeloCloud Orchestrator; VeloCloud Controller; Enterprise DC-West and Enterprise DC-East, each with a VeloCloud Hub Edge (OSPF); Silver Site (Single L2/L3 Switch); Legacy Site (MPLS with VPN Backup); Bronze Site (Single/Dual Internet); VeloCloud Edge (OSPF)]


OVERLAY FLOW CONTROL
Route Distribution and Programmability

• Automatic traffic re-direction into SD-WAN via dynamic routing
• One-click route changes distributed enterprise-wide via redundant controllers

[Diagram labels: VeloCloud Orchestrator; VeloCloud Controller; VeloCloud Edge (OSPF); Silver Site (Single L2/L3 Switch); Legacy Site (MPLS with VPN Backup); Bronze Site (Single/Dual Internet); Enterprise DC-West; Enterprise DC-East]


OVERLAY FLOW CONTROL
Route Learning—Service Provider Architecture

• One E-BGP session per customer
• BGP Inbound and Outbound policy control per VRF using RFC1998 outbound and local pref inbound

Overlay Flow Control table:

Subnet           Preferred Exit   Route Type
172.30.0.0/24    VCG-WEST         E-BGP
172.30.0.0/24    VCG-EAST         E-BGP

[Diagram labels: VeloCloud Orchestrator; VeloCloud Controller; SP POP #1 and SP POP #2, each with a Partner Gateway and PE Router (BGP); MPLS Core; OSPF; Silver Site (Single L2/L3 Switch); Legacy Site (MPLS with VPN Backup); Bronze Site (Single/Dual Internet); VeloCloud Edge]


Design & Best Practices

• Branch Broadband Deployment
• VeloCloud SD-WAN Design
• High Availability
• Connecting SD-WAN with Legacy Sites


BRANCH BROADBAND DEPLOYMENT


ACHIEVING ACCEPTABLE PERFORMANCE

• Recommends at least two diverse stable Internet links - two different carriers utilizing two different last mile infrastructures

• Ideally, two wired links using Fiber, EoC, Coaxial Cable, or DSL

• Acceptable link performance defined by VeloCloud’s DMPO (Dynamic Multiple Path Optimization) as shown by QoE on Orchestrator:

• Measurements are taken between the Edge and the closest VeloCloud Gateway for broadband links

• 4G wireless connection should be used as an alternative link type


SD-WAN DESIGN & Best Practices for WAN Optimization


VELOCLOUD HYBRID WAN ARCHITECTURE

[Diagram labels: Datacenter with Hub Cluster (Edges), existing VPN hub and link to Core Switch (Campus/DC); Gold Site (Dual L3 Switches); Silver Site 1 (Single L3 Switch); Silver Site 2 (CE Elimination); Bronze Site (Single/Dual Internet); Legacy Site (MPLS with VPN Backup)]


HYBRID BRANCH INSERTION OPTIONS

VCE is in path and is default gateway for all the traffic
• Easy if branch uses DHCP so readdressing is simple
• Traffic will stop if the VCE fails
• Propose HA if availability is a concern
• Pro: Simple. Recommend & common when branch has only L2/L3 switch

VCE is off path and is default gateway for L3 switch
• L3 switch redirects traffic to SD-WAN overlay based on E-BGP or OSPF routes. IP SLA with static routes to track the availability of VCE.
• Redirection stops if VCE fails and traffic follows original path (MPLS)
• Pro: Automatic fallback to MPLS when VCE fails. HA not required for survivability

[Diagram labels: L2/L3 SW, L3 SW, E-BGP, E-BGP/OSPF]


HYBRID SITES—PE CONNECTIVITY OPTION

Options shown: VCE and PE Are Directly Connected; VCE Uses OSPF with CE, CE Uses BGP with PE; VCE Uses BGP with PE

• Simple and no CE needed
• Have PE advertise the network between the PE and the VCE
• During transition, use the hub to reach non SD-WAN sites
• Ideal for small deployment or large concentration of sites

• Advertise SD-WAN routes to/from underlay
• Typically done at hub site SD-WAN migration to advertise routes between SD-WAN and non SD-WAN sites
• Care must be taken to avoid making branch a transit

• Advertise SD-WAN routes to/from underlay
• Recommended if SD-WAN sites are to to advertise its routes directly into underlay
• ‘Uplink’ feature to make branch non-transit site

[Diagram labels: PE, CE, OSPF/BGP, BGP]


FLEXIBLE DC INSERTION OPTIONS

Options shown: Two-Arm Mode Parallel to FW; Two-Arm Mode behind FW; One-Arm Deployment Mode

• Recommended for simplicity of Hub connectivity from branches
• One overlay (WAN) link per physical interface
• Require new subnet between VCE and Firewall for routing to the DC prefixes
• Interface to the internet side to be configured in the DMZ

• One overlay (WAN) link per physical interface
• Require new VLAN between VCE and L3 switch
• Firewall point all traffic to internal subnet through VCE for congestion control

• Single physical interface, multiple overlay (WAN) links
• VCE to use different next-hop IP address or VLAN to establish separate Overlays
• Firewall should point all traffic to internal subnet through VCE for congestion control


BRANCH FIREWALL PLACEMENT WITH VCE

Options shown: VCE in Front of the Firewall; VCE Behind the Firewall (one option is marked “More Common”)

• Offload internet traffic at the VCE and send it direct. Otherwise firewall sees just VeloCloud Multi-Path tunnel traffic
• Disable NAT on VCE
• Firewall can NAT or PAT the traffic

• VCE terminates the internet connectivity, perform NAT, etc.
• Commonly used unless there is specific application that requires firewall ALG features
• Firewall has full visibility into all traffic including Internet traffic going to the VeloCloud Gateways


DESIGN OPTIONS FOR SECURING INTERNET TRAFFIC

No Split Tunnel for Untrusted Internet Traffic
• Use VCE built-in firewall
• Trusted SaaS traffic is sent through the VCG
• Backhaul internet traffic to HQ

Split Tunnel Traffic from Branch
• Use dedicated branch firewall (inbound UDP/2426 from the VCE IP must be allowed into the firewall)
• Trusted SaaS traffic is sent through the VCG
• Send the internet traffic direct

Internet Traffic Is Sent to the CWS, e.g. ZScaler
• Use VCE built-in firewall in conjunction with cloud-based Web security (CWS) such as Zscaler
• Trusted SaaS traffic is sent through VCG
• Internet traffic is chained through ZScaler via the VCG


BEST PRACTICE WITH WAN OPTIMIZATION

Need to run the Riverbed in transparent addressing mode
• Port transparency—expose original port number and not original IP
• Full transparency—expose both original port number and original IP

Application recognition may fail to recognize optimized traffic but IP/port will still work

No impact to non-optimized traffic

[Diagram labels: PE]


CONNECTING SD-WAN WITH NON SD-WAN/Legacy Sites


OPTIONS FOR CONNECTING SD-WAN WITH NON-SD-WAN SITES

Through SD-WAN Hub Site
• Traffic to/from non SD-WAN sites go through hubs to reach SD-WAN sites
• Simple to control policy. Eliminate BGP from branch.
• If non-SD-WAN sites are high BW, allow SD-WAN sites to use combined link BW
• May introduce latency due to backhauling

Directly from SD-WAN Branch Site
• Traffic to/from non SD-WAN sites go directly to MPLS
• May be preferred if there is a lot of communications between SD-WAN and non-SD-WAN sites
• Avoid primary/secondary/tertiary design

[Diagram labels: SD-WAN Overlay, MPLS, Non SD-WAN sites, SD-WAN hybrid sites]


What’s New

Release 3.0


• 3.0 Release
  1. Segmentation
  2. Virtual Edge in Public Cloud
  3. MSP Gateway Management
  4. SNMP traps for VCO Alerts
  5. Platforms Update
  6. VRRP (Rel 2.5)


USE CASE - ENTERPRISE SCENARIOS
Use Cases: Security, M&A, PCI

• Segment aware policies
• Segment aware topology insertion
• Overlapping IP in different segments

[Diagram labels: Corp, Guest, PCI]


SEGMENTATION - “MULTI-TENANT” CPE

Shared Tenant Site Use Case

• Per tenant management portal view
• Per tenant QoS and Dynamic Multi-Path Optimization
• Overlay Bandwidth Cap

[Diagram labels: Tenant A, Tenant B, Tenant C; Per Tenant QoS and DMPO]


VIRTUAL EDGE ON AWS VPC

Deploy on AWS VPC
• Available from AWS Marketplace
• BYOL
• Single Instance for <1G
• Clustering for multi-gig

[Diagram labels: Single Edge Option, Hub Clustering Option]


SNMP TRAPS

● SNMP traps can be enabled under “Alerts & Notifications”

● SNMP v2c and v3 are both supported

SNMP v2c Configuration
Required attributes:
- Hostname / IP Address
- Port
- Community (Optional)

Note: when Community Attribute is not included, ‘snmptrap’ will send the trap to the ‘public’ community by default.

SNMP v3 Configuration
Required Attributes:
- Hostname / IP Address
- Port
- Username
- Authentication (MD5/SHA)
- Privacy (DES/AES)


MSP GATEWAY MANAGEMENT

● Partner can add a new Gateway pool and clone an existing Gateway, but cannot delete a Gateway pool added by the Operator

● Partner can delete any Gateway pool added by them


MULTI-GIGABIT PERFORMANCE AND SCALE

[Figure: platform line-up by throughput. Tiers: 100 Mbps, 200 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, Multi-Gigabit. Labels in order: Edge 510, Aug 2017, Edge 520, Edge 540, Edge 840, Edge 1000, Edge 2000, Aug 2017, 5Gbps Edge, Sep 2017, Edge Cluster. Port configurations in order: 4-Port GE, 2-USB—LTE, WiFi; 10-Port GE, 2-Port SFP, 4-USB—LTE, WiFi; 10-Port GE, 2-Port SFP, 4-USB—LTE, WiFi; 6-Port GE, 2-Port SFP+; 8-Port GE, 2-Port SFP+; 6-Port GE, 2-Port SFP+. Badges: NEW, Rel 2.5, NEW]


DMPO Setup


DMPO Demo :: Before/After Demo Topology

[Diagram labels: VeloCloud Orchestrator, VCG, Video Streaming Service, Speedtest, Client 1, Client 2, VeloCloud Optimized]


THANK YOU