VELOCLOUD SD-WAN 360 - Connectra Technologies · PROFILE—BUSINESS POLICY SETTINGS Quickly modify...
VELOCLOUD SD-WAN 360
COMPONENTS, FEATURES, DESIGN & WHAT'S NEW
Rohan Naggi, [email protected], Marketing Manager
VeloCloud Networks Proprietary & Confidential | © Copyright 2017
AGENDA

Architecture Overview
• Components
• Enterprise and SP Architecture Model
• SDN Approach & Traffic Flows
• Steering Traffic through Overlay
• Components Interactions

Core Features
• Multi-Tenant Orchestrator and Gateways
• DMPO—Application Performance with Business Policies
• Cloud VPN
• Network Service Insertion—Cloud Web Security
• Branch Configuration—ZTP, Profiles, IPAM
• High Availability
• Overlay Flow Control
• Firewall and NAT

Design & Deployment
• Branch Broadband Deployment
• SD-WAN Design
• Connecting SD-WAN sites to Legacy/Non SD-WAN Sites

What's New
VELOCLOUD CLOUD-DELIVERED SD-WAN
VeloCloud's Network Service Consists of 3 Key Components
1. VeloCloud Orchestrator
2. VeloCloud Gateways (Cloud Gateway)
3. VeloCloud Edge (Branch Sites with VeloCloud Edges)
[Figure: branch sites with VeloCloud Edges use Dynamic Multi-Path Optimization over Private Network/MPLS and Public Internet to reach SaaS, an Enterprise Data Center via Cloud Gateway, and an Enterprise Data Center with an on-premise VeloCloud Edge]
ENTERPRISE/OVER THE TOP DEPLOYMENTS
"Site to site SD-WAN plus benefits of cloud gateways for SaaS"
• Hub for SD-WAN to data center including private links
• Hosted gateways for SD-WAN to SaaS/IaaS
• Hub-less design for legacy data centers
[Figure: Branch Site with VeloCloud Edge; VeloCloud Gateway with Embedded Controller on the Public Internet; Legacy Enterprise Data Center and SD-WAN Enterprise Data Center with VeloCloud Edge Cluster reached through Provider Edge routers over Private MPLS and a private circuit; Internet; SaaS; VeloCloud Orchestrator]
MANAGED SD-WAN ACCESS TO SP
• Hub-less deployment in DCs and non-SD-WAN sites
• Access to private network for mid mile
• SD-WAN for last mile/access
• Orchestrator with on-premise or in-the-cloud option
• True multi-tenant Gateways and Orchestrator
• Multi-tier, role-based management for SPs
[Figure: Branch Sites with VeloCloud Edge connect over the Public Internet to a VeloCloud Gateway with Embedded Controller and to a Provider Cloud Data Center with Provider Gateways; Provider Edge and Gateways connect to Private/MPLS, the Legacy Enterprise Data Center via private circuit, the Internet and SaaS; VeloCloud Orchestrator]
SDN APPROACH
Separated Control & Data Planes. The VeloCloud Service consists of 3 key components: Edge, Cloud Network, Orchestrator
• Can be scaled independently
• Segregated failure domains

VeloCloud Orchestrator (control plane)
• Policy management
• Visibility into network & element operation
• Source of intelligence

VeloCloud Gateway (data plane, toward Enterprise DC, SaaS, IaaS)
• Forward packets to their final destination
• Protection services through DMPO
• IPsec termination services

VeloCloud Edge (data plane, toward client hosts)
• Physically interconnects clients & ISP links
• Ultimately responsible for packet steering
VELOCLOUD ARCHITECTURE—TRAFFIC FLOWS
• udp/2426—VeloCloud Multi-Path Protocol (VCMP), the overlay tunnels between Edges and Gateways
• tcp/443—Edge to Orchestrator: the VCE polls the VCO periodically; this channel carries management and control plane information
• Only outgoing traffic from the Edge needs to be allowed on the branch firewall for either flow
TRAFFIC INSIDE OVERLAY TUNNELS (BETWEEN VCES)
• Traffic between SD-WAN sites, branch-to-branch and branch-to-hub, including Internet backhaul, travels inside the IPsec overlay

TRAFFIC INSIDE OVERLAY TUNNELS (SAAS THROUGH VCG)
• Traffic to SaaS is not encrypted end to end: the figure shows IPsec on the overlay leg to the VCG only; beyond the VCG the traffic continues to the SaaS provider as ordinary Internet traffic

TRAFFIC INSIDE OVERLAY TUNNELS (TO VPC AND NON-VC SITE)
• Traffic to IaaS (VPC) or to a non-VeloCloud site is encrypted (IPsec)

TRAFFIC OUTSIDE OVERLAY TUNNELS
• To a non-SD-WAN MPLS site
• To services reachable only through MPLS
• Internet off-load
(The figure shows these paths bypassing the IPsec overlay)
VELOCLOUD HYBRID WAN ARCHITECTURE
[Figure: Gold Site (Dual L3 Switches), Silver Site 1 (Single L3 Switch), Silver Site 2 (CE Elimination), Bronze Site (Single/Dual Internet) and Legacy Site (MPLS with VPN Backup), each with an Edge, connecting to a Datacenter with a NEW Hub Cluster alongside the existing VPN hub, up to the Core Switch (Campus/DC)]

Recap: VeloCloud Core Features
• Multi-Tenant
• DMPO
• Cloud VPN
• Network Service Insertion
• Branch Configuration—ZTP, Profiles, IPAM
• High Availability
• Overlay Flow Control
• Firewall & NAT
THREE-TIER MULTI-TENANT ORCHESTRATION PLATFORM
Tiers: Operators > Partners > Customers
• Operator: Operator (ISP) Portal, vco.velocloud.net/operator
• Partner A, Partner B, Partner C: MSP Portal, vco.velocloud.net
• Customer A, Customer B, Customer C, Customer D: Enterprise Portal, vco.velocloud.net
MULTI-TENANT & STATE-LESS GATEWAY
• Each customer goes into a dedicated VRF (VRF-A, VRF-B, VRF-C) on the VeloCloud Gateway, matched by a VRF on the PE router and exchanged over BGP
• The Gateway is reached on a public IP
VCG IS STATELESS, WHAT DOES IT MEAN AND WHY?
• Unlike a typical CE-PE configuration, there is very little configuration on the VCG (IP address, BGP peer, etc.)
• Business policy is pushed to the VCE only
• The VCE tells the VCG how to process each flow
• Need more capacity? Spin up another VCG and re-assign the VCE to the new VCG
Sequence:
1. User configures policy, e.g. RTP = Real-time high, prefer MPLS link, etc.
2. Traffic starts
3. The VCE sends a policy sync to the VCG, which now knows how to process this flow
VeloCloud Core Features
Dynamic Multi-Path Optimization
CONCEPTS REVIEW
Dynamic Multi-Path Optimization
• DAR: DPI + Prefix DB + Learning
• Live Measurements
• Steering & Remediation
APPLICATION PERFORMANCE MONITORING & SCORING
• The VeloCloud Quality Score (VQS) rates the application Quality of Experience (QoE) that the network can deliver for a given timeframe
  – Applications: Voice, Video, Transactional applications
  – QoE rating: Good, Fair, Poor
• VQS = 10 × (% of time with good application performance) + 5 × (% of time with fair application performance)
DMPO ACTION THRESHOLDS
• Assessment time: every 100 msec
• Reaction objective: sub-second
VELOCLOUD DEEP APPLICATION RECOGNITION (DAR)
• Deep Packet Inspection: application recognition & application metadata
• Learning database: cached DPI results to assist with first-packet classification
• Cloud service directory: up-to-date database of cloud service IPs
• 2500+ applications
LINK STEERING & REMEDIATION
Assured application performance over MPLS, Internet broadband and LTE circuits
Continuous Monitoring
• Automatic capacity testing
• Continuous link & path quality monitoring
Dynamic App Steering
• App-aware per-packet steering
• Virtualized: apps not tied to links
• Aggregated bandwidth for single flows
• Policies abstracted by service groups
• Backup link policy
On Demand Remediation
• Error & jitter correction
• Automatic steering for brownouts/blackouts
Case Study: Retail Hybrid WAN
• MPLS packet loss and outage
• Performance issues on cable
VeloCloud Delivers Excellent VoIP Quality
• Sub-second steering of VoIP without call drops
• On-demand mitigation of packet loss & jitter
LINK STEERING OPTIONS
• Available: prefer the application on a path but steer away if the link fails. Example: Web Browsing
• Preferred: prefer the application on a path but steer away if it cannot meet the SLA. Example: VoIP
• Mandatory: pin the application to a path even when the link fails. Example: PCI
[Figure: PCI, VoIP and Web Browsing each preferring Link A (Private Wired), with Link B as the alternate path]
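The three modes above, as an added example that is not VeloCloud code and not from the deck: a small Python model showing how Available, Preferred and Mandatory diverge when the preferred link degrades or goes down. The LinkStats and Sla types, the SLA thresholds and the app-to-mode table are constructed for illustration; the slide supplies only the mode semantics and the three example applications.

```python
# Added example: a model of the three link-steering modes on the slide
# (Available / Preferred / Mandatory). Not VeloCloud code. Link statistics,
# SLA thresholds and the app-to-mode table are constructed for illustration;
# the real DMPO measurement intervals and SLA values are not on the slide.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LinkStats:
    """Latest DMPO-style measurement for one WAN link (constructed values)."""
    name: str
    up: bool
    loss_pct: float
    jitter_ms: float
    latency_ms: float


@dataclass
class Sla:
    """Per-application SLA; a link meets it only if it is up and within every bound."""
    max_loss_pct: float
    max_jitter_ms: float
    max_latency_ms: float

    def met_by(self, link: LinkStats) -> bool:
        return (link.up
                and link.loss_pct <= self.max_loss_pct
                and link.jitter_ms <= self.max_jitter_ms
                and link.latency_ms <= self.max_latency_ms)


def _best(links) -> str:
    """Least-impaired link: lowest loss, then jitter, then latency."""
    return min(links, key=lambda l: (l.loss_pct, l.jitter_ms, l.latency_ms)).name


def steer(mode: str, preferred: str, links: Dict[str, LinkStats], sla: Sla) -> Optional[str]:
    """Pick the link for one flow.

    available : stay on the preferred link unless it is down (slide: Web Browsing)
    preferred : stay on the preferred link unless it is down or misses the SLA (slide: VoIP)
    mandatory : pinned to the preferred link even when it is down (slide: PCI);
                the pinned link is returned and the flow simply stalls while it is down
    Returns None when no usable link exists (available/preferred only).
    """
    pref = links[preferred]
    up = [l for l in links.values() if l.up]
    if mode == "mandatory":
        return preferred
    if mode == "available":
        if pref.up:
            return preferred
        return _best(up) if up else None
    if mode == "preferred":
        if sla.met_by(pref):
            return preferred
        meeting = [l for l in up if sla.met_by(l)]
        if meeting:
            return _best(meeting)
        return _best(up) if up else None   # nothing meets the SLA: least-bad link that is up
    raise ValueError(f"unknown steering mode {mode!r}")


# Constructed policy table mirroring the slide's three examples, all preferring Link A (Private Wired).
POLICY = {"Web Browsing": "available", "VoIP": "preferred", "PCI": "mandatory"}
VOICE_SLA = Sla(max_loss_pct=1.0, max_jitter_ms=30.0, max_latency_ms=150.0)  # assumed thresholds


def decide_all(links: Dict[str, LinkStats], preferred: str = "A", sla: Sla = VOICE_SLA) -> Dict[str, Optional[str]]:
    """Apply the policy table to the current link state."""
    return {app: steer(mode, preferred, links, sla) for app, mode in POLICY.items()}


if __name__ == "__main__":
    healthy = {"A": LinkStats("A", True, 0.1, 5, 40), "B": LinkStats("B", True, 0.3, 12, 60)}
    print(decide_all(healthy))
    a_lossy = {"A": LinkStats("A", True, 3.0, 45, 40), "B": LinkStats("B", True, 0.3, 12, 60)}
    print(decide_all(a_lossy))   # only VoIP moves; Web stays (link is up) and PCI is pinned
    a_down = {"A": LinkStats("A", False, 100.0, 0, 0), "B": LinkStats("B", True, 0.3, 12, 60)}
    print(decide_all(a_down))    # Web and VoIP move to B; PCI stays on A
```

The Mandatory branch is deliberately the odd one: it never returns an alternate, because the point of pinning PCI traffic is that it must not traverse the other path even at the cost of an outage.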
PROFILE—BUSINESS POLICY SETTINGS
• Quickly modify rules with a drag-and-drop enabled, in-view editor
• Traffic definition
• Rules for application priority, bandwidth allocation, service insertion, link remediation, etc.
• Add a new Business Policy
• Single-click policy updates for a group of Edges
APPLICATION AWARE OVERLAY QOS SCHEDULING
• Offers 9 traffic classes: Real-Time, Transactional and Bulk, each at High, Normal and Low priority
• Each rule in a business policy maps to a traffic class
• Enterprises or SPs can specify guaranteed and max BW for each class
• No dynamic error correction
[Figure: application categories placed on the class grid: Business Collaboration; Remote Desktop, Business App; Audio/Video; Infrastructure, Authentication, Management, Network Services, Tunneling; File Sharing; IM, Web, Proxies, Games, Media, Social; Storage/Backup, P2P. Default bandwidth shares shown for the nine classes, in percent: 35, 20, 15, 15, 7, 5, 1, 1, 1]
APPLICATION AWARE OVERLAY QOS MARKING
• Mark or re-mark the inner DSCP tag
• Copy the DSCP from the inner header to the outer (IPsec) header
• Or mark the outer so that it matches the SP CoS
[Figure: between two VeloCloud Edges. Case 1: data IP header DSCP=EF is carried as IPsec header DSCP=EF | VCMP header | data IP header DSCP=EF, i.e. inner copied to outer. Case 2: data IP header DSCP=CS3 is carried as IPsec header DSCP=CS4 | VCMP header | data IP header DSCP=CS3, i.e. outer re-marked to the SP CoS while the inner keeps CS3]
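The two marking behaviours in the figure, as an added example that is not from the deck or from VeloCloud: a raw-IPv4 model in Python of copying the inner DSCP to the outer header versus re-marking only the outer to the provider's CoS. The ESP-only encapsulation (the real tunnel also carries a VCMP header), the addresses, the CS3-to-CS4 mapping and the helper names are assumptions for illustration; the DSCP values are the standard IETF code points.

```python
# Added example: the overlay QoS marking on the slide at the byte level, modelled
# on raw IPv4 headers. Not VeloCloud code. Layout is simplified: the real tunnel
# carries ESP and VCMP headers between outer and inner IP header; here the outer
# header wraps the inner packet directly with protocol 50 (ESP).
# DSCP code points are the IETF ones (EF=46, CS3=24, CS4=32), not vendor specific.
import struct
from typing import Dict, Optional

DSCP = {"CS0": 0, "CS3": 24, "CS4": 32, "EF": 46}
ESP = 50


def _ip(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the header; yields 0 when run over a header whose checksum is correct."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, dscp: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header + payload. TOS byte = DSCP << 2 | ECN, with ECN left as 00."""
    tos = (dscp & 0x3F) << 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0x4000, 64, proto, 0, _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def dscp_of(pkt: bytes) -> int:
    return pkt[1] >> 2


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """'Mark or re-mark the inner DSCP tag': rewrite the DSCP bits, keep ECN, recompute the header checksum."""
    hdr = bytearray(pkt[:20])
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def encapsulate(inner: bytes, tun_src: str, tun_dst: str, policy: str,
                sp_cos: Optional[Dict[int, int]] = None) -> bytes:
    """Wrap `inner` in the outer tunnel header, choosing the outer DSCP by policy.

    "copy"   : outer DSCP = inner DSCP           (slide: copy from inner to outer)
    "remark" : outer DSCP = sp_cos[inner DSCP]   (slide: mark the outer so it matches SP CoS);
               the inner DSCP is left alone, so the far Edge still sees the original class
    """
    inner_dscp = dscp_of(inner)
    if policy == "copy":
        outer_dscp = inner_dscp
    elif policy == "remark":
        outer_dscp = (sp_cos or {}).get(inner_dscp, inner_dscp)
    else:
        raise ValueError(f"unknown marking policy {policy!r}")
    return build_ipv4(tun_src, tun_dst, ESP, outer_dscp, inner)


if __name__ == "__main__":
    voice = build_ipv4("10.0.0.10", "10.0.1.10", 17, DSCP["EF"], b"\x00" * 100)
    pkt = encapsulate(voice, "203.0.113.1", "203.0.113.2", "copy")
    print("case 1 outer/inner DSCP:", dscp_of(pkt), dscp_of(pkt[20:]))
    data = set_dscp(build_ipv4("10.0.0.11", "10.0.1.11", 6, 0, b"\x00" * 100), DSCP["CS3"])
    pkt2 = encapsulate(data, "203.0.113.1", "203.0.113.2", "remark", {DSCP["CS3"]: DSCP["CS4"]})
    print("case 2 outer/inner DSCP:", dscp_of(pkt2), dscp_of(pkt2[20:]))
```

Only the outer header is visible to the provider, so the re-mark policy is what lets the enterprise keep its own inner classification while still landing in the right SP CoS queue; a checksum that no longer verifies after a rewrite is the usual sign that a marking step forgot to recompute it, which is why set_dscp does so.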
VeloCloud Core Features
CLOUD VPN
ONE-CLICK VPN DEPLOYMENT
• To enterprise DC hub with dynamic branch to branch
• Eliminates N x N manual tunnels to the cloud with cloud gateway aggregation
• Interoperable IPsec for no-touch legacy DC
• End to end encryption
• Automatic VPN setup
[Figure: Branch Site connected to an Enterprise DC and to a Non-VeloCloud Enterprise DC]
DYNAMIC EDGE-TO-EDGE VPN TRAFFIC FLOWS
E2E with VCG
• Leverages distributed VCGs to facilitate E2E traffic
• VCG used for both data and control plane
• Initial traffic goes through the VCG while the dynamic E2E tunnel is built
E2E with Hub
• For security-conscious and hybrid sites
• Define a list of hubs to facilitate E2E traffic
• VCG used for control plane only
• Initial traffic hairpins to the hub while the dynamic E2E tunnel is built
[Figure: initial traffic via VCG or hub, direct Edge-to-Edge path after the dynamic E2E tunnel is up]
CLOUD VPN—EDGE-TO-EDGE VPN (HUB)
• Hubs are configured in the VCO; the VCO notifies all the VCEs about the hubs (list of hubs to connect to)
• VCEs build static multi-path tunnels to the hub
• VCEs still use the VCG to distribute routes
• E2E traffic is first sent to the hub based on the routing table. If dynamic E2E is configured, VCEs establish direct tunnels
[Figure: Subnet A and Subnet B behind two Edges, Hub 1 and Hub 2, dynamic E2E tunnel between the Edges]
VELOCLOUD HUB CONFIGURATION
1. Configure > Edges > New Edge: create the VeloCloud Hub Edge with the appropriate Model and configuration Profile
2. Configure > Profiles > Device: select the appropriate Profile and enable Cloud VPN and Edge to VeloCloud Hubs connectivity under the Device tab
3. Configure > Profiles > Device > Cloud VPN: select the VeloCloud Hub site defined in Step 1
4. Configure > Profile > Business Policy: you can now configure Business Policy for traffic to the VeloCloud Hub
NON-VELOCLOUD SITE: CONFIGURATION STEPS
Access to non-VeloCloud sites can be configured as follows:
1. Configure the non-VeloCloud site in the Orchestrator by specifying the Primary (and Secondary, if present) VPN Gateway IP address and device type
2. Specify the site subnet(s) for the non-VeloCloud site
3. Configure the non-VeloCloud site with the IPsec tunnel configuration generated by the Orchestrator
4. Enable Cloud VPN and configure the VeloCloud Edge to route to the non-VeloCloud site
5. (Optional) Enable Redundant VeloCloud Cloud VPN
6. You can now set business policies and firewall rules for traffic to the non-VeloCloud site. Use the Monitor > Network Service tab to monitor the status of the VPN tunnel to the non-VeloCloud site
[Figure: Edge Site 1 and Edge Site 2 reach the non-VeloCloud site through a Primary VCG and a Secondary VCG (available for route-based VPN); the non-VeloCloud site has a Primary VPN GW (12.12.12.21), a Secondary VPN GW (12.12.12.22) and site subnets 10.100.100.0/24; route-based or policy-based IPsec tunnels with DPD, negotiated through IKEv1]
VeloCloud Core Features
Network Service Insertion
EASE OF SERVICE INSERTION
[Figure: service insertion points at the Enterprise Data Center with on-premise VeloCloud Edge, at the VeloCloud Gateways, and in the Dynamic Multi-Path Optimization path toward Public Internet, SaaS, Enterprise Data Center via Cloud Gateway and Private/MPLS; VeloCloud Orchestrator]
BUSINESS POLICIES—SERVICE INSERTION
1. Direct: traffic can be steered by Service Group, Interface or WAN Link
2. Cloud Proxy: traffic steered via a specific Interface/WAN Link; Mandatory only
3. Internet Backhaul: traffic backhauled to either a VeloCloud site (Hub) or a non-VeloCloud site (non-VeloCloud DC), via Service Groups or via Interface/WAN Link
Notes
• Steer by Interface and WAN Link can only be enabled at the Edge level, not at the Profile level
• Figure labels distinguish direct traffic not sent via the VCG from direct traffic sent via the VCG
USE CASE—BACKHAUL BOX.COM TO DC
Use Case: backhaul traffic to box.com through a Customer Data Center to have control over this traffic prior to handing it to the Internet
[Figure: VeloCloud Edge Site, Data Center Hub (VeloCloud Edge (Hub)) to backhaul traffic, Next-Gen Firewall in the Customer Data Center, Internet, box.com]
CLOUD WEB SECURITY—ZSCALER
Use Case: forward all HTTP, port 80 traffic to Zscaler except traffic to Salesforce, which is considered secure
1. Configure > Network Services > Non-VeloCloud Sites: add a new Non-VeloCloud site of type "Zscaler"
2. Enter the Zscaler authentication details using the "Advanced" button, "Enable" the tunnel and save the site configuration
3. Configure > Profile > Device: enable Edge to non-VeloCloud site VPN for traffic to Zscaler
4. Configure > Profile > Business Policy: define business policies to send all Salesforce traffic direct to the Internet and all other port 80, HTTP traffic to the Zscaler site
5. Configure > Profile > Business Policy: make sure that the business policy rule for port 80, HTTP traffic to salesforce.com has higher precedence than the catch-all rule for all other port 80, HTTP traffic; rules are matched in list order, so a catch-all placed first would capture the Salesforce traffic too
[Figure: VCE to VCG; Salesforce traffic direct to the Internet, all other HTTP traffic to Zscaler]
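Step 5's ordering requirement, as an added example that is not from the deck and not VeloCloud code: a first-match evaluator over an ordered rule list in Python, run on the misordered list (catch-all first) and on the corrected one, plus a shadowing check that flags a rule made unreachable by a broader rule above it. Rule fields, flow records and action names are constructed; list-position precedence is the only behaviour taken from the slides, and it also governs the VCE firewall rules described later in the deck.

```python
# Added example: first-match evaluation of an ordered business-policy list, showing
# why the Salesforce rule must sit above the catch-all "port 80 to Zscaler" rule.
# Not VeloCloud code; rule fields, flow records and action names are constructed.
# The same list-position precedence applies to the VCE firewall rules later in the deck.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FIELDS = ("app", "dst_port", "proto")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # constructed actions: "direct", "zscaler", "backhaul:dc-hub"
    app: Optional[str] = None   # application name as DAR would classify it; None = any
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, flow: Dict) -> bool:
        return all(getattr(self, f) is None or getattr(self, f) == flow.get(f) for f in FIELDS)

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` matches, this rule matches as well (this rule is at least as broad)."""
        return all(getattr(self, f) is None or getattr(self, f) == getattr(other, f) for f in FIELDS)


def evaluate(rules: List[Rule], flow: Dict, default: str = "direct") -> str:
    """Rules are evaluated top-down; the first match wins, as with list-position precedence in the VCO."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(lower, upper) pairs where an earlier, broader rule makes a later rule unreachable."""
    return [(lower.name, upper.name)
            for i, upper in enumerate(rules)
            for lower in rules[i + 1:]
            if upper.covers(lower)]


# Constructed flows: DAR has classified the first as Salesforce, the second as some other web app.
SALESFORCE_HTTP = {"app": "salesforce", "dst_port": 80, "proto": "tcp"}
OTHER_HTTP = {"app": "news-site", "dst_port": 80, "proto": "tcp"}
HTTPS = {"app": "news-site", "dst_port": 443, "proto": "tcp"}

SALESFORCE_DIRECT = Rule("salesforce-direct", "direct", app="salesforce", dst_port=80, proto="tcp")
HTTP_TO_ZSCALER = Rule("http-to-zscaler", "zscaler", dst_port=80, proto="tcp")

MISORDERED = [HTTP_TO_ZSCALER, SALESFORCE_DIRECT]   # catch-all first: Salesforce never reaches its own rule
CORRECT = [SALESFORCE_DIRECT, HTTP_TO_ZSCALER]      # specific rule first, as step 5 requires


if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED, SALESFORCE_HTTP), shadowed_rules(MISORDERED))
    print("correct:   ", evaluate(CORRECT, SALESFORCE_HTTP), evaluate(CORRECT, OTHER_HTTP), evaluate(CORRECT, HTTPS))
```

Running shadowed_rules over a policy before pushing it is the cheap check for this class of mistake: a non-empty result means some rule lower in the list can never fire, which for a security exception like the Salesforce bypass means the traffic is going somewhere other than where the policy author believes.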
VeloCloud Core Features
Branch Configuration
PROVISION A NEW VELOCLOUD EDGE
1. Create Config & Send Key: the IT Admin adds a new VeloCloud Edge in the customer account, generates an activation key and emails it to the Installer.
2. Device Ships: the VeloCloud Edge is shipped to the remote site with its factory default config.
3. Install, Authenticate & Pull Config: the Office Admin powers up the device and connects it to the Internet, then connects to the Internet through the VeloCloud Edge WLAN/LAN and clicks the activation link in the email. The Edge is activated and pulls its configuration.
PROVISION A NEW VELOCLOUD EDGE (ORCHESTRATOR WORKFLOW)
1. Create the required Profile and Network configurations for the VeloCloud Edge
2. Configure > Edge > New Edge: add the new VeloCloud Edge. Specify the Site name, Edge type and Profile to use, the Customer Contact and, optionally, HA and the VCE Serial No.
3. The Edge is now provisioned with an activation key and the configuration profile
   Note: when a VCE Serial Number is specified, the activation key generated in Step 3 can only be used to activate that Edge
4. (Optional) Configure any Edge-specific parameters (if applicable), including:
   • LAN IP addressing
   • Business policy rules
   • Firewall rules
   • Static WAN IP addressing
   Note: a static WAN IP can also be assigned at the time of activation from the Edge's local UI. Any such manual changes are auto-updated in the Edge's configuration in the VCO
5. Send the Edge activation email to the customer and drop-ship the Edge hardware to the site
6. The customer connects to the Edge's Wi-Fi network and follows the instructions from Step 5 to activate the Edge
[Figure: activation link with DHCP WAN; activation link with embedded static WAN IP]
PROFILE OVERVIEW
Profiles enable a simplified workflow for centralized configuration management of a VeloCloud deployment: quickly create and modify LAN/WAN, VPN, routing, business policy, firewall rules, etc.
PROFILE: ADVANTAGES
1. Centralized policy-based configuration management by grouping the Edges logically by function, geography, etc.
2. By creating multiple profiles, a customer can:
   • Plan a phased rollout of a new configuration by assigning a subset of sites to the new profile before deploying the changes at scale
   • Switch site configuration/deployment type by the Edge
   • Quickly provision VeloCloud service at a new site by creating an Edge and assigning the appropriate profile
3. Single-click configuration updates for a group of Edges
   • Changes made at a Profile level are immediately pushed down to the Edges that are online at that time
   • If an Edge is offline, it connects to the Orchestrator and gets its configuration updates the next time it comes online; configuration updates are never missed
4. After assigning Edges belonging to the same deployment type to a common profile, individual site-specific configuration changes can be made on a per-Edge basis
5. Networks and network services can be shared across multiple profiles
IP ADDRESS MANAGEMENT (IPAM) OVERVIEW
VeloCloud zero-touch deployment provides automatic calculation and assignment of IP addressing, VLAN and DHCP configuration. VeloCloud IP Address Management (IPAM) provides two basic methods of IP address assignment:
• Overlapping: the same IP address space is deployed at every Edge site
• Non-overlapping: a unique range of IP addresses is deployed at each Edge site
IPAM: OVERLAPPING ADDRESSES (GREENFIELD INTERNET DEPLOYMENT)
• All sites on the same Profile/Network use the same address space
• Corporate LANs: 1 or more; Guest LANs: 1 or more
• DHCP can be enabled/disabled; options can be specified if needed
• The start address, subnet mask and number of wired/Wi-Fi VLANs are configurable
Example
• Edge 1 and Edge 2 (Profile 1, Network 1): Corporate VLANs: 2; Corporate1 address 10.0.2.0/21; Corporate3 address 10.1.2.0/20; Guest VLAN 192.168.2.0/22; DHCP: yes, Option 150
• Edge 3 and Edge 4 (Profile 2, Network 2): Corporate VLANs: 1; Corporate address 10.0.2.0/21; Guest VLAN 192.168.2.0/22; DH CP: yes, no options
Best Practices
• Simple, auto-generated
• Greenfield sites with no VPN
• Can be used in conjunction with pre-existing sites, or VPN sites, by using different Profile/Network templates for the pre-existing sites
IPAM: NON-OVERLAPPING ADDRESSES (GREENFIELD VPN DEPLOYMENT)
• All sites on the same Profile/Network have non-overlapping blocks of addresses from the same base address space, e.g. 11.0.0.0/16
• Applies to Corporate LANs only; Guest LANs always use overlapping addresses
• Corporate LANs: 1 or more; Guest LANs: 1 or more
• The start address, subnet mask and number of wired/Wi-Fi VLANs are configurable
• DHCP can be enabled/disabled; options can be specified if needed
Example
• Edge 1 (Profile 1, Network 1): Corporate VLANs: 2; Corporate1 10.1.0.0/26; Corporate2 10.1.0.64/26; Guest VLAN 192.168.2.0/22; DHCP: yes, Option 150
• Edge 2 (Profile 1, Network 1): Corporate VLANs: 2; Corporate1 10.129.0.0/26; Corporate2 10.129.0.64/26; Guest VLAN 192.168.2.0/22; DHCP: yes, Option 150
• Edge 3 (Profile 2, Network 2): Corporate VLANs: 1; Corporate 10.0.128.0/24; Guest VLAN 192.168.2.0/22; DHCP: yes, no options
• Edge 4 (Profile 2, Network 2): Corporate VLANs: 1; Corporate 10.0.0.0/24; Guest VLAN 192.168.2.0/22; DHCP: yes, no options
Best Practices
• Fairly simple, auto-generated
• Greenfield sites with VPN
• Cannot configure Edge 1 with an address already assigned to Edge 2
DHCP CONFIGURATION: BEST PRACTICE OVERVIEW
1. Greenfield site: VCE as DHCP server
2. Existing network with L2 switch: the existing router remains the DHCP server. The VCE can become the DHCP server, but this requires router re-configuration
3. Existing network with one or more L3 switches: the existing L3 switch remains the DHCP server
4. VCE as DHCP relay agent (per VLAN): supports a DHCP server across the WAN or on another VLAN
DHCP CONFIGURATION: NETWORK LEVEL > VLAN
When configuring VLANs at the Network Level (up to 32 VLANs), DHCP parameters can be specified: DHCP with no options, or DHCP with options
WAN DHCP CONFIGURATION
When connecting the VCE to an ISP, the WAN port may get its address via DHCP from the ISP. If not, a static public IP address or PPPoE credentials can be assigned
VeloCloud Core Features
Firewall & NAT
FIREWALL
Firewalling can be implemented at:
• Edge: integrated with the VCE at the branch; application-aware bi-directional firewall
• Pre-existing perimeter firewall at the branch
• VCG (Cloud Edge)
[Figure: VCEs with VPN tunnels over the Internet; remote login]
CONFIGURE VCE FIREWALL RULES
• VCE FW and logging enable/disable
• Outbound and Edge Access FW rules can be configured at both Profile and Edge level
• Inbound FW rules (Port Forwarding or 1:1 NAT) can only be defined at the Edge level
• Precedence (ordering) of the rules is by list position
• Rules include applications and application categories, source IP address/port, destination IP address/port, and protocol
PORT FORWARDING
Port Forwarding allows the VeloCloud Edge to forward TCP/UDP requests to specific WAN ports to specific LAN IP addresses/ports. You can also configure a range of ports for traffic forwarding using a "-".
[Figure: dual ISP (ISP1, ISP2). PC-A to IP-Address1 port 80 forwarded to Server1 192.168.10.21 port 80; PC-B to IP-Address2 port 8081 forwarded to Server2 192.168.10.22 port 8081; PC-C to IP-Address2 port 25 forwarded to Server3 192.168.10.23 port 25]
1:1 NAT
• 1:1 NAT maps a specific public IP address (outside FW) to a specific LAN (inside FW) IP address
• 1:1 NAT can translate outside IP addresses in different subnets from the WAN interface address if the ISP routes traffic for the subnet towards the VeloCloud Edge
• Specific ports to be forwarded to the inside IP address can also be defined; leaving the ports blank allows any traffic to the inside host
[Figure: the ISP routes traffic for 67.22.51.X to the VCE. PC-A 170.10.1.14 port 80 to Server1 192.168.1.21; PC-B 170.10.1.15 port 8081 to Server2 192.168.1.22; PC-C 170.10.1.16 port 25 to Server3 192.168.1.23]
VeloCloud Core Features
High Availability
VELOCLOUD EDGE HA OVERVIEW
Simple to configure, sub-second stateful failover
• Ensures continuous uptime with active/standby deployment
• Maintains all active flows during failover
• One click to enable HA
• Devices automatically discover each other and establish the active/standby relationship over the failover link ("I am active" / "I am on standby")
EDGE CLUSTERING
• Each hub reports usage and load stats to the VeloCloud Controller (VCC) periodically. The VCC maintains a list of hubs in increasing order of their load
• The branch VCE requests a hub IP address from the VCC
• The VCC assigns the least loaded hub to the branch VCE
• The branch VCE sets up a tunnel to the assigned hub
• There is no state sync between the hubs in the cluster
[Figure: Enterprise DC Hub Cluster Id 1 behind an L3 switch; control plane sessions from the Branch and Hub VCEs to the Controller; data plane session from the Branch VCE to the Hub cluster over MPLS/Internet; tunnel setup to Hub1]
VeloCloud Core Features
Overlay Flow Control
OVERLAY FLOW CONTROL: Route Learning (Enterprise Architecture)
• Network routes learnt via standard routing (OSPF)
• Visibility and control simplified with an enterprise-wide consolidation of route information
[Figure: Enterprise DC-West and DC-East with VeloCloud Hub Edges running OSPF; VeloCloud Controller and VeloCloud Orchestrator; Silver Site (Single L2/L3 Switch), Legacy Site (MPLS with VPN Backup) and Bronze Site (Single/Dual Internet) with VeloCloud Edges]
OVERLAY FLOW CONTROL: Route Distribution and Programmability
• Automatic traffic re-direction into SD-WAN via dynamic routing
• One-click route changes distributed enterprise-wide via redundant controllers
[Figure: same topology, VeloCloud Edges exchanging OSPF with the sites; VeloCloud Controller and Orchestrator; Enterprise DC-West and DC-East]
OVERLAY FLOW CONTROL: Route Learning (Service Provider Architecture)
• One E-BGP session per customer
• BGP inbound and outbound policy control per VRF, using RFC 1998 communities outbound and local preference inbound
Overlay Flow Control table
Subnet          Preferred Exit   Route Type
172.30.0.0/24   VCG-WEST         E-BGP
172.30.0.0/24   VCG-EAST         E-BGP
[Figure: SP POP #1 and SP POP #2, each with a Partner Gateway peering BGP with a PE Router into the MPLS Core; VeloCloud Controller and Orchestrator; Silver, Legacy and Bronze sites with VeloCloud Edges running OSPF]
Design & Best Practices
• Branch Broadband Deployment
• VeloCloud SD-WAN Design
• High Availability
• Connecting SD-WAN with Legacy Sites

BRANCH BROADBAND DEPLOYMENT
ACHIEVING ACCEPTABLE PERFORMANCE
• Recommends at least two diverse, stable Internet links: two different carriers utilizing two different last-mile infrastructures
• Ideally, two wired links using Fiber, EoC, Coaxial Cable, or DSL
• Acceptable link performance is defined by VeloCloud's DMPO (Dynamic Multi-Path Optimization), as shown by QoE on the Orchestrator
• Measurements are taken between the Edge and the closest VeloCloud Gateway for broadband links
• 4G wireless connection should be used as an alternative link type

SD-WAN DESIGN & Best Practices for WAN Optimization
VELOCLOUD HYBRID WAN ARCHITECTURE
[Figure, repeated from the Architecture Overview: Gold Site (Dual L3 Switches), Silver Site 1 (Single L3 Switch), Silver Site 2 (CE Elimination), Bronze Site (Single/Dual Internet) and Legacy Site (MPLS with VPN Backup), each with an Edge, connecting to a Datacenter Hub Cluster alongside the existing VPN hub, up to the Core Switch (Campus/DC)]
HYBRID BRANCH INSERTION OPTIONS
VCE is in path and is the default gateway for all the traffic (L2/L3 switch behind the VCE)
• Pro: simple. Recommended and common when the branch has only an L2/L3 switch
• Easy if the branch uses DHCP, so re-addressing is simple
• Traffic will stop if the VCE fails; propose HA if availability is a concern
VCE is off path and is the default gateway for the L3 switch (E-BGP/OSPF between VCE and L3 switch)
• Pro: automatic fallback to MPLS when the VCE fails. HA not required for survivability
• The L3 switch redirects traffic to the SD-WAN overlay based on E-BGP or OSPF routes; IP SLA with static routes tracks the availability of the VCE
• Redirection stops if the VCE fails and traffic follows the original path (MPLS)
HYBRID SITES—PE CONNECTIVITY OPTIONS
VCE and PE are directly connected
• Simple and no CE needed
• Have the PE advertise the network between the PE and the VCE
• During transition, use the hub to reach non-SD-WAN sites
• Ideal for small deployments or a large concentration of sites
VCE uses OSPF with the CE, CE uses BGP with the PE
• Advertise SD-WAN routes to/from the underlay
• Typically done at the hub site during SD-WAN migration to advertise routes between SD-WAN and non-SD-WAN sites
• Care must be taken to avoid making the branch a transit site
VCE uses BGP with the PE
• Advertise SD-WAN routes to/from the underlay
• Recommended if SD-WAN sites are to advertise their routes directly into the underlay
• 'Uplink' feature to make the branch a non-transit site
FLEXIBLE DC INSERTION OPTIONS
Two-Arm Mode Parallel to FW
• Recommended for simplicity of hub connectivity from branches
• One overlay (WAN) link per physical interface
• Requires a new subnet between the VCE and the firewall for routing to the DC prefixes
• The interface on the Internet side is to be configured in the DMZ
Two-Arm Mode behind FW
• One overlay (WAN) link per physical interface
• Requires a new VLAN between the VCE and the L3 switch
• The firewall points all traffic to the internal subnet through the VCE for congestion control
One-Arm Deployment Mode
• Single physical interface, multiple overlay (WAN) links
• The VCE uses a different next-hop IP address or VLAN to establish separate overlays
• The firewall should point all traffic to the internal subnet through the VCE for congestion control
BRANCH FIREWALL PLACEMENT WITH VCE
VCE in front of the firewall (more common)
• The VCE terminates the Internet connectivity, performs NAT, etc.
• Commonly used unless there is a specific application that requires firewall ALG features
VCE behind the firewall
• Offload Internet traffic at the VCE and send it direct; otherwise the firewall sees just VeloCloud Multi-Path tunnel traffic
• Disable NAT on the VCE; the firewall can NAT or PAT the traffic
• The firewall has full visibility into all traffic, including Internet traffic going to the VeloCloud Gateways
DESIGN OPTIONS FOR SECURING INTERNET TRAFFIC
No split tunnel for untrusted Internet traffic
• Use the VCE built-in firewall
• Trusted SaaS traffic is sent through the VCG
• Backhaul Internet traffic to HQ
Split tunnel traffic from the branch
• Use a dedicated branch firewall (inbound UDP/2426 from the VCE IP must be allowed into the firewall)
• Trusted SaaS traffic is sent through the VCG
• Send the Internet traffic direct
Internet traffic is sent to the CWS, e.g. Zscaler
• Use the VCE built-in firewall in conjunction with cloud-based web security (CWS) such as Zscaler
• Trusted SaaS traffic is sent through the VCG
• Internet traffic is chained through Zscaler via the VCG
BEST PRACTICE WITH WAN OPTIMIZATION
• Need to run the Riverbed in transparent addressing mode
  – Port transparency: expose the original port number and not the original IP
  – Full transparency: expose both the original port number and the original IP
• Application recognition may fail to recognize optimized traffic, but IP/port matching will still work
• No impact to non-optimized traffic
[Figure: PE]

CONNECTING SD-WAN WITH NON SD-WAN/LEGACY SITES
OPTIONS FOR CONNECTING SD-WAN WITH NON-SD-WAN SITES
Through the SD-WAN hub site
• Traffic to/from non-SD-WAN sites goes through hubs to reach SD-WAN sites
• Simple to control policy; eliminates BGP from the branch
• If non-SD-WAN sites have high bandwidth, allows SD-WAN sites to use the combined link bandwidth
• May introduce latency due to backhauling
Directly from the SD-WAN branch site
• Traffic to/from non-SD-WAN sites goes directly to MPLS
• May be preferred if there is a lot of communication between SD-WAN and non-SD-WAN sites
• Avoid primary/secondary/tertiary design
[Figure: SD-WAN hybrid sites connected over the SD-WAN overlay and MPLS to non-SD-WAN sites, in both variants]
What's New
Release 3.0
• Segmentation
• Virtual Edge in Public Cloud
• MSP Gateway Management
• SNMP traps for VCO Alerts
• Platforms Update
• VRRP (Rel 2.5)
USE CASE - ENTERPRISE SCENARIOS
Use Cases: Security, M&A, PCI
• Segment-aware policies
• Segment-aware topology insertion
• Overlapping IP in different segments
[Figure: Corp, Guest and PCI segments across sites]
SEGMENTATION - "MULTI-TENANT" CPE
Shared Tenant Site Use Case (Tenant A, Tenant B, Tenant C)
• Per tenant management portal view
• Per tenant QoS and Dynamic Multi-Path Optimization
• Overlay bandwidth cap
VIRTUAL EDGE ON AWS VPC
Deploy on AWS VPC
• Available from AWS Marketplace
• BYOL
• Single instance for <1G (Single Edge Option)
• Clustering for multi-gig (Hub Clustering Option)
SNMP TRAPS
● SNMP traps can be enabled under "Alerts & Notifications"
● SNMP v2c and v3 are both supported
SNMP v2c configuration, required attributes:
- Hostname / IP Address
- Port
- Community (optional)
Note: when the Community attribute is not included, 'snmptrap' sends the trap to the 'public' community by default. v2c community strings travel in clear text, so v3 with SHA authentication and AES privacy is the stronger choice where the trap receiver supports it.
SNMP v3 configuration, required attributes:
- Hostname / IP Address
- Port
- Username
- Authentication (MD5/SHA)
- Privacy (DES/AES)
MSP GATEWAY MANAGEMENT
● A Partner can add a new Gateway Pool and clone an existing Gateway, but cannot delete a Gateway pool added by the Operator
● A Partner can delete any Gateway pool added by the Partner
MULTI-GIGABIT PERFORMANCE AND SCALE
Throughput      Platform                 Interfaces
100 Mbps        Edge 510                 4-Port GE, 2 USB (LTE), WiFi
200 Mbps        Edge 520                 10-Port GE, 2-Port SFP, 4 USB (LTE), WiFi
1 Gbps          Edge 540                 10-Port GE, 2-Port SFP, 4 USB (LTE), WiFi
2 Gbps          Edge 840                 6-Port GE, 2-Port SFP+
5 Gbps          Edge 1000 (5 Gbps Edge)  8-Port GE, 2-Port SFP+
Multi-Gigabit   Edge 2000 / Edge Cluster 6-Port GE, 2-Port SFP+
Notes: Edge 510 and the 5 Gbps Edge 1000 are marked NEW (Aug 2017); Edge Cluster is dated Sep 2017; one platform is marked Rel 2.5
DMPO DEMO :: BEFORE/AFTER DEMO TOPOLOGY
[Figure: DMPO Setup with Client 1 and Client 2 on a VeloCloud Optimized path via the VCG to a Video Streaming Service and Speedtest; VeloCloud Orchestrator]

THANK YOU