Cisco SD-WAN powered by Meraki - Session Presentation

#CLUS

Jeffry Handal, Lead Consulting Systems Engineer@IPv6pilotBRKCRS-1579

Cisco SD-WAN powered by Meraki

SD-WAN Deep Dive:

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Agenda

• What is SD-WAN?

• Business Drivers for SD-WAN

• The Value of Data

• Routing Innovations

• Security

• Performance Monitoring

BRKCRS-1579 3

Questions? Use Cisco Webex Teams to chat with the speaker after the session

Find this session in the Cisco Live Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

Webex Teams will be moderated by the speaker until June 16, 2019.

1

2

3

4


Cisco Webex Teams

cs.co/ciscolivebot#

4

BRKCRS-1579


Powered By

Easiest to deploy SD-WAN available

Advanced routing and segmentation

ViptelaPowered By

A Complete Market Leading Solution

5BRKCRS-1579

Hybrid

Branch + HQ/DC

Cisco SD-WANS E C U R E


TECHNOLOGY THAT SIMPLY WORKS

Simplifying powerful technology to free passionate people to focus on their mission.

BRKCRS-1579 6


Simplifying across IT with Cloud Management

A complete cloud managed IT solution.

Wireless, switching, security, SD-WAN, intelligent network insights, endpoint management, and security cameras.

Integrated hardware, software, and cloud services.

550k+ 6M+ 30M+API requestper day

Devicesonline

Uniquecustomers

BRKCRS-1579 7


A Comprehensive Cloud Platform

POWERED BY MERAKI

INTEGRATIONS & BUSINESS SOLUTIONS

{ APIs }

OUT-OF-THE-BOXMANAGEMENT & ANALYTICS

BRKCRS-1579 8


Out of Band Cloud Management

Scalable• Unlimited throughput, no bottlenecks• Add devices or sites in minutes

Reliable• Highly available cloud with multiple datacenters• Network functions even if connection to cloud is

interrupted 99.99% uptime SLA

Secure• No user traffic passes through cloud• Create and maintain HIPAA & PCI compliant networks • 3rd party security audits, daily penetration testing• Automatic firmware and security updates (user-

scheduled)Reliability and security information at meraki.cisco.com/trust

BRKCRS-1579 9

http://meraki.cisco.com/trust


MSP Portal

Dashboard Structure

MSP Portal: aides Managed Service Providers by providing increased visibility, management, and administrative access to multiple organizations with a single set of credentials

Dashboard Account

Organization 1 Organization 2

Site A

Network

Site B

Network

Site C

Network

Site D

Network

LicensingInventory

LicensingInventory

BRKCRS-1579 10

What is SD-WAN?


Is this how your site connects to the WAN?

https://www.techrepublic.com/pictures/real-world-server-room-nightmares/ BRKCRS-1579 12

https://www.techrepublic.com/pictures/real-world-server-room-nightmares/


BGP

BRKCRS-1579 13


OSI Model

Application

Presentation

Session

Transport

Network

Data-Link

Physical

TCP/IP

Application

Transport

Internet

Network Interface

Software-defined?

BRKCRS-1579 14


What is SD-WAN? (Research Company)

“SD-WAN solutions provide a replacement for traditional WAN routers and are agnostic to WAN transport technologies. SD-WAN provides dynamic, policy-based, application path selection across

multiple WAN connections and supports service chaining for additional services such as WAN optimization and firewalls.” (Gartner

IT Glossary)

BRKCRS-1579 15


What is SD-WAN? (Media Company)

“The software-defined wide-area network is a specific application of software-defined networking (SDN) technology applied to WAN…”

BRKCRS-1579 16


What is SD-WAN? (Standards Group)

1. Auto (discovery + provisioning + asset registration)2. Common DevOps/NetOps Configuration and change

management tools3. Control Mechanism for (physical + virtual) (Switches and Routers)4. Baseline Policy – enforced by common controller environment5. State Management: (Vendor a…z (p+v) switch)6. Integrated Monitoring of Underlay and Overlay…

BRKCRS-1579 17


What is SD-WAN? (Cisco Meraki)

“Software-defined WAN (SD-WAN) is a suite of features designed to allow the network to dynamically adjust to changing WAN conditions

without the need for manual intervention by the network administrator.” – Cisco Meraki

BRKCRS-1579 18

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco SD-WAN (powered by Meraki)

2 WAN connections

Policy-based routing (PbR)

Dynamic path selection (PfR)

BRKCRS-1579 19


Why is SD-WAN Emerging now? (1)

Better, cheaper compute

Sources: Domingos, Ibid.; Mary Meeker, “Internet Trends 2014”, Kleiner Perkins Caufield Byers, 28May2014

BRKCRS-1579 20


Why is SD-WAN Emerging now? (2)

The Internet

• Uptime (99.99999%)

• Redundancy

• Protocol (e.g., VRRP, Anycast)

• Speed

• 400Gbps standard ratified

BRKCRS-1579 21

Business Drivers for SD-WAN


User Experience

BRKCRS-1579 23


Why is the home experience better?

BRKCRS-1579 24


Need for Speed

BRKCRS-1579 25


The Branch is Becoming Faster

Broadband speeds growing

In next 5 years

2x2020

2021

2019

20182017

20162015

2014

50 Mbps

25 Mbps

Cisco 12th annual Mobile VNI Forecast

BRKCRS-1579 26


Out-of-ControlCosts

BRKCRS-1579 27


High Costs

$600PE R MBPS PE R MONTH

AVERAGE COST OF MPLS

[Source: Network World, Next-Generation Enterprise WANs, 2012]

BRKCRS-1579 28


Expanded Options

RE

DU

CIN

G C

OS

T

[Source: Network World, Next-Generation Enterprise WANs, 2012]

BRKCRS-1579 29


Shifting Workloads

BRKCRS-1579 30


Business SaaS Trends

Percentage of enterprises (1,000+

employees) estimating the majority of

their apps will be SaaS by 2021

Global SaaS spending is

forecast to increase by

over 95% to $75.7B

[Source: BetterCloud 2017 State of the SaaS-Powered Workplace]

95%I N C R E A S E

S a a S S P E N D I N G F O R E C A S T , 2 0 1 6 – 2 0 2 0

[Source: BetterCloud 2017 State of the SaaS-Powered Workplace][Source: Gartner, 2017]

PERCENTAGE OF ENTERPRISES ESTIMATING WHEN 8 0% OF THEIR B USINESS APPS WILL B E S aaS

AVG. NUMBER OF S aaS APPS PER ORGANIZATION

BRKCRS-1579 31


Global SD-WAN traffic

growth outpaces site-to-

site business traffic

growth

Globally, Business IP traffic is predicted to grow 3-fold from

2016 to 2021 at a compound annual growth rate of 21%

2.5x 21% CAGR

Business TrafficGLOBAL B USINESS IP TRAFFIC

[PB per month]

[Source: Cisco VNI, 2017]

GLOBAL S ITE-TO-SITE B USINESS TRAFFIC

[Source: Cisco VNI, 2017]

BRKCRS-1579 32


Other Challenges

BRKCRS-1579 33


Conventional WAN Challenges

Single points of failure Unused bandwidth Accountability issues

https://hackernoon.com/sla-benefits-why-do-you-need-

sla-and-what-does-it-cover-c02301afc34e

BRKCRS-1579 34

https://hackernoon.com/sla-benefits-why-do-you-need-sla-and-what-does-it-cover-c02301afc34e


Configurations

• Long

• Inconsistent (L8)

• Hard-to-follow

BRKCRS-1579 35


Let’s take the business to the next level together.

BRKCRS-1579 36

The Value of Data

#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Sherlock Holmes

“It is a capital mistake to theorize before one has data.”

BRKCRS-1579 38


Big Data has Matured to Deliver Real Business Value

BRKCRS-1579 39


Data is the New Currency

Est. value: $26.2B*

2016 revenue : $960MRatio: 27 : 1

Est. value: $922B+2017 revenue: $177BRatio: 5 : 1

Est. value: $526B+2017 revenue: $40.6BRatio: 13 : 1

Est. value: $25B2017 revenue: $2.44BRatio: 10 : 1

Est. value: $59B+2017 revenue: $11.7B+Ratio: 5 : 1

[Source: 2011 Booz & Company; Statista; Aug 2017 Company Earnings Reports and market capitalization data]

Est. value: $1T+2017 revenue: $229BRatio: 4 : 1

*acquisition price

Modern cloud technologies are valued on more than revenue. They’re valued on their ability to leverage data as part of their products and services

BRKCRS-1579 40


Changing the Way Solutions Work Together

By interconnecting different systems, organizations now have an opportunity to solve problems in ways that wouldn’t previously have been possible

DATA SOURCES

Network Elements

Ticketing Systems

LoggingApplications

AnalyticsPlatforms

BRKCRS-1579 41


Creating and Finding the Data

BRKCRS-1579 42


It’s alive in the network

BRKCRS-1579 43


The Cisco Meraki Dashboard

Site-wide search

Client location

L7 application visibilityReal-time

control

Client fingerprints

Single pane of glass ITmanagement

Remote tools

BRKCRS-1579 44


Network-as-a-Sensor (Live)

Security & SD-WAN > Appliance Status > Summary

BRKCRS-1579 45


Network-as-a-Sensor (Historical)

Security & SD-WAN > Appliance Status > Uplink

BRKCRS-1579 46


Tools

Security & SD-WAN > Appliance Status > Tools

BRKCRS-1579 47


The VPN Experience (Historical)

Security & SD-WAN > VPN Status

BRKCRS-1579 48


VPN Performance Monitoring (~Real-time)

Security & SD-WAN > VPN Status> Specific peer

BRKCRS-1579 49


APIs

https://developer.cisco.com/meraki/

BRKCRS-1579 50

https://developer.cisco.com/meraki/


Automationwith AI/ML

BRKCRS-1579 51


Automation in the Network

• Anomaly detection

• Patterns

• Performance

• Root cause analysis

• Cross correlations

• Long-term trending

• Find behaviors https://www.dataversity.net/artificial-neural-networks-overview/

BRKCRS-1579 52

Save Time!

https://www.dataversity.net/artificial-neural-networks-overview/


Anomaly Detection

Organization > Summary report

BRKCRS-1579 53


Configuration Assistance - AutoVPN

Security & SD-WAN > Site-to-site VPN

BRKCRS-1579 54


Configuration Assistance - QoS

Security & SD-WAN > SD-WAN & traffic shaping

BRKCRS-1579 55


Security Updates

Security & SD-WAN > SD-WAN & traffic shaping

• Malware• IDS/IPS• Country IP Space• Content Filtering

BRKCRS-1579 56


Network Assurance

Insight > WAN Health

Game shift: reactive to proactive

BRKCRS-1579 57


Other Data Generation

• SNMP

• Netflow

• Syslog

• API

BRKCRS-1579 58


Data-Driven Decision Making & Automation - The New IT

BRKCRS-1579 59

Demo - Data Found

Routing Innovations


Hardware

BRKCRS-1579 62


SD-WAN Delivered by Powerful Hardware

Hardware highlights across all MX models

×2 WAN ports

3G / 4G / LTE USB as single-WAN or failover

Additional Ethernet ports with PoE/PoE+ options

Models with embedded LTE modem

High availability mode

MERAKI MX SD-WAN & SECURITY APPLIANCES

AUTOMATIC WAN FAILOVER

BRKCRS-1579 63


Medium Branch

Small Branch

*Available with wireless models(MX64W, MX65W, MX67W, MX68W, MX68CW)

Z3C not available in Japan

Large Branch, Campus or Concentrator Virtual

Teleworker

Z3 Z3C

~5 users802.11ac Wave 2 Wireless & PoE

FW throughput: 100 Mbps

CAT 3 LTE (Z3C)

MX64/65 MX67/68 MX67C/68CW

~50 users802.11ac Wireless* & PoE


~50 users802.11ac Wave 2* & PoE


~50 users802.11ac Wave 2* & PoE


CAT 6 LTE

MX84 MX100

~200 usersFW throughput: 500 Mbps

~500 usersFW throughput: 750 Mbps

MX250 MX450

~2,000 usersFW throughput: 4 Gbps

~10,000 usersFW throughput: 6 Gbps

vMX100 for AWS & Azure

FW throughput: 750 MbpsVPN & SD-WAN features

Security and SD-WAN Portfolio

BRKCRS-1579 64


AutoVPN

BRKCRS-1579 65


VPN RegistryHelp > Firewall info

BRKCRS-1579 66


New VPN Registry

• New default

• Does not apply to China shards

• Is backported to older orgs

209.206.48.0/20

BRKCRS-1579 67


Auto VPN Orchestration

Establishing the VPN connection:

• With unique pre-shared keys

• Try Uplink IP first (private link?)

• Try Public IP second

1New MX registers its Uplink IP, Public IP, and local subnets

2New route is propagated to all MX peers automatically

3New MX establishes site-to-site VPN connection

Subnet Uplink IP Public IP

10.0.1.0/24 10.1.1.1 184.23.135.1

10.0.2.0/24 10.1.1.2 184.23.135.2

10.0.3.0/24 10.1.1.3 184.23.135.3

VPN Registry

BRKCRS-1579 68


Topologies – Hub and Spoke

Data Center

MPLS(primary)

Internet(backup)

BRKCRS-1579 69


Topologies – Full Mesh

Internet(backup)

MPLS(primary)

Consult MX Sizing Guide

BRKCRS-1579 70


Topologies – Inline Hub and Spoke (uncommon)

Data Center

Internet(backup)

MPLS(primary)

BRKCRS-1579 71


Topologies - Advanced

• Geographical

• Hierarchical

Consult with your Cisco Meraki CSE

BRKCRS-1579 72


Tunnel Math – Full Mesh

Total Tunnel Count = ((N x (N-1)) / 2)xL

Where N is the number of MXs and L is the number of uplinks each MX has.

BRKCRS-1579 73

For Guidance Only


Tunnel Math – Hub and Spoke

Total Tunnel Count = (H x (H-1) / 2)xL1+ (S x N)xL2

Where H is the number of hubs, S is the number of spokes, N is the number of hubs each spoke has and L is the number of uplinks the MX has (L1 for the hubs, L2 for the spokes).

BRKCRS-1579 74

For Guidance Only


Routing

BRKCRS-1579 75


OSPFv2 – Concentrator Mode

Hello packets on WAN only

BRKCRS-1579 76


OSPFv2 – NAT Mode

Hello packets on LAN side

InternalNetwork

Internet

VLANs must be disabled

BRKCRS-1579 77


OSPFv2 – Cisco IOS Setup

router ospf 20router-id 172.16.20.20network 10.100.100.0 0.0.0.255 area 0network 172.16.20.20 0.0.0.0 area 0

Local VLAN

Loopback

BRKCRS-1579 78


OSPFv2 – Cisco IOS Resultsshow ip ospf ne

Neighbor ID Pri State Dead Time Address Interface

10.100.100.14 0 FULL/DROTHER 00:00:39 10.100.100.14 Vlan100

show ip ospf database

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag

192.168.250.255 10.100.100.14 41 0x80000001 0x00C365 0

192.168.254.255 10.100.100.14 41 0x80000001 0x00978D 0

show ip route

O E2 192.168.250.0/24 [110/100] via 10.100.100.14, 00:00:02, Vlan100

O E2 192.168.254.0/24 [110/100] via 10.100.100.14, 00:00:02, Vlan100

BRKCRS-1579 79


BGPv4

• Introduced firmware 13

• GA firmware 14

• Concentrator mode only

• eBGP

• iBGP (AutoVPN)

BRKCRS-1579 80


BGPv4 – Route Table

BRKCRS-1579 81


BGPv4 – Packet Capture

BRKCRS-1579 82


BGPv4 – Cisco IOS Setup

router bgp 50

bgp log-neighbor-changes

neighbor 10.200.200.14 remote-as 500

neighbor 10.200.200.14 description MERAKI

!

address-family ipv4

network 10.200.200.0 mask 255.255.255.0

network 172.16.50.50 mask 255.255.255.255

neighbor 10.200.200.14 activate

neighbor 10.200.200.14 soft-reconfiguration inbound

exit-address-family

Local VLAN

Loopback

BRKCRS-1579 83


BGPv4 – Cisco IOS Resultsshow ip bgp summary

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.200.200.14 4 500 1666 1607 15 0 0 1d00h 2

show ip bgp

Network Next Hop Metric LocPrf Weight Path

*> 10.200.200.0/24 0.0.0.0 0 32768 i

*> 172.16.50.50/32 0.0.0.0 0 32768 i

*> 192.168.250.0 10.200.200.14 0 500 i

*> 192.168.254.0 10.200.200.14 0 500 i

show ip route

B 192.168.250.0/24 [20/0] via 10.200.200.14, 1d00h

B 192.168.254.0/24 [20/0] via 10.200.200.14, 1d00h

BRKCRS-1579 84

Demo - BGP


Redundancy

BRKCRS-1579 86


Detecting Failures

http://canireachthe.net/

• Connection monitor• DNS• ARP• HTTP• PING

BRKCRS-1579 87

http://canireachthe.net/


Warm Spare

• VRRP

• VRRP hellos out each MX LAN interface/VLAN every second

• After 3 seconds, the VRRP dead timer expires triggering a failover event

• Once higher priority heartbeats are seen again by the secondary MX, it immediately relinquishes the gateway response role back to the primary.

• In NAT mode

• WAN uses connection monitor, not VRRP

BRKCRS-1579 88


Warm Spare Operational

BRKCRS-1579 89


Warm Spare Broken

BRKCRS-1579 90


Probes

BRKCRS-1579 91


Performance Probes (1)

• Each uplink send a probe across all available paths

• In this example, MX2 sends 4 probes

• The receiving MX will reply with 4 probes

• Probe: 100 byte UDP with no DSCP marking

• Default probe interval: 1 secMX #2

MX #1uplink1

uplink2

uplink1

uplink2

1 23 4

BRKCRS-1579 92


Performance Probes (2)

• Average latency, loss, and jitter is computed over the last 6 samples

• These values are computed all possible paths (max 4) per MX

10 15 20 20 15 10

Path Latency

Current average: 15 ms

Incoming latency value

5 5 0 5 5 …

Path Jitter

Current average: 2.5 ms

Calculated Jitterk = |atencyk – latencyk-1|

0 0 0 0 0 0Current average:

0%Incoming loss (1/0)

value

Packet loss

BRKCRS-1579 93


Protobuf

• Google creation (2001)

• Open-sourced (2008)

• Supports C++, Java, Python, JavaScript

More info: https://blogs.cisco.com/sp/streaming-telemetry-with-google-protocol-buffers

BRKCRS-1579 94

https://blogs.cisco.com/sp/streaming-telemetry-with-google-protocol-buffers


Interface Queuing

BRKCRS-1579 95


10 Mbps

Traffic shaping and prioritization

LAN Traffic

High

Normal

Low

5 Mbps

Classify traffic and forward based on app (L7)

Traffic Shaping and

Prioritization

L7 classifiers. The default priority is Normal

Traffic distribution is proportional to the path bandwidth ratio. In the example above, WAN1 gets 2x packets as WAN2

4x

2x

1x

4x, 2x, 1x packets are consumed respectively from each queue

WAN1

WAN2

4x

2x

1x

High

Normal

Low

Path Selection

Mux

Selection based on L3/4 classifiers. Unclassified traffic is distributed based on WAN1 / WAN2 ratio

LLQ2

1 Firmware 14+

Priority QueuesRound

Robin Scheduler WAN Uplinks

Real-time1

2 LLQ Introduced in R13-24+

BRKCRS-1579 96


Policies

BRKCRS-1579 97


Simply Express Intent

1. Define acceptable performance thresholds

2. Select from built-in Layer-7 categories and applications

BRKCRS-1579 98


Simply Express Intent (continued)

3. Choose preferred uplink and when fail over should occur

Tell the network what you want to accomplish, not what to do and how to do it

BRKCRS-1579 99

Automation!


L7 Uplink Selection

• Custom expressions for setting L3/L4 rules

• Leverage existing L7 categorization for L7-based rules

• Use both L3/L4 classifications and L7 together

BRKCRS-1579 100


Dynamic path selection (DPS)

• Based on latency, jitter and loss

• Special case for VoIP using MOS score (see later)

• Can be used for load-balancing or failover trigger criteria

BRKCRS-1579 101


DPS for VoIP

What is a MOS score?

Built-in rule (3.5 MOS)

BRKCRS-1579 102


SD-WAN Algorithm

BRKCRS-1579 103


SD-WAN “Algorithm”

BRKCRS-1579 104


SD-WAN Example Flows

BRKCRS-1579 105



BRKCRS-1579 106

Internet traffic => PbR



BRKCRS-1579 107

VPN traffic => PfR


DC MX

MPLS Internet

SPOKE MX

uplink1

uplink1 uplink2

Flow decision example – H&S

VPN tunnels

Example: One-armed VPN concentrator at the data center

BRKCRS-1579 108


DC MX

MPLS Internet

For a given flow:

1. MX DC sends first packet to SPOKE MX uplink2

• Local uplink decision: No local choice, so sending via uplink1

• Remote uplink decision: First packet, pick a tunnel (round robin)

SPOKE MX

uplink1

uplink1 uplink2


VPN tunnels


BRKCRS-1579 109


DC MX

MPLS Internet

For a given flow:




2. SPOKE MX decides to reply through uplink1

• Local uplink decision: Based on PbR / dynamic path selection

• Remote uplink decision: No remote choice, DC has one uplink only

SPOKE MX

uplink1

uplink1 uplink2


VPN tunnels


BRKCRS-1579 110


DC MX

MPLS Internet

SPOKE MX

uplink1

uplink1 uplink2


VPN tunnels


For a given flow:




2. SPOKE MX decides to reply through uplink1

• Local uplink decision: Based on PbR / dynamic path selection

• Remote uplink decision: No remote choice, DC has one uplink only

3. DC MX learns spoke preference, proceeds by sending traffic to SPOKE MX uplink1.

• Local uplink decision: No local choice

• Remote uplink decision: DC registers senders remote uplink (#1)

BRKCRS-1579 111


MX #2

MX #1uplink1 uplink2

uplink1 uplink2

Internet

Flow decision example – Dual Network

VPN tunnels

Example: Both peers are dual WAN over Broadband

BRKCRS-1579 112


MX #2


uplink1 uplink2

Internet


VPN tunnels


BRKCRS-1579 113


For a given flow:

1. MX2 send a packet up • Local uplink decision: Based on PbR / dynamic path selection• Remote uplink decision: First packet, pick a tunnel (round robin) MX #2


uplink1 uplink2

Internet


VPN tunnels


BRKCRS-1579 114


For a given flow:

1. MX2 send a packet up • Local uplink decision: Based on PbR / dynamic path selection• Remote uplink decision: First packet, pick a tunnel (round robin)

2. MX1 replies through its uplink1 to MX2 uplink1• Local uplink decision: Based on PbR / dynamic path selection• Remote uplink decision: MX1 registers that the packet came from MX2 uplink1

MX #2


uplink1 uplink2

Internet

Second p

acket


VPN tunnels


BRKCRS-1579 115


For a given flow:

1. MX2 send a packet up • Local uplink decision: Based on PbR / dynamic path selection• Remote uplink decision: First packet, pick a tunnel (round robin)



MX #2


uplink1 uplink2

Internet

Ste

ady S

tate


VPN tunnels


BRKCRS-1579 116


SD-WAN makes a dramatic difference for failover.

How Fast is Failover?

Service Failover Time Failback Time

AutoVPN Tunnels 30-40 seconds 30-40 seconds

DC-DC Failover 20-30 seconds 20-30 seconds

Dynamic path selection Up to 30 seconds Up to 30 seconds

Warm Spare 30 seconds or less 30 seconds or less

WAN connectivity 300 seconds or less 15-30 seconds

BRKCRS-1579 117


Troubleshooting

BRKCRS-1579 118


Live Tools

Security & SD-WAN -> Appliance status

BRKCRS-1579 119


Other Tools

• Packet captures

• Event log

• Alerts

• RESTful APIs

• Traditional tools: SNMP, syslog, Netflow

BRKCRS-1579 120


Flow Table

• Live tool (not sysloged yet)

• Every flow decision…explained

• Which uplink?

• Why?

• Search by uplink or flow

Security & SD-WAN -> VPN status

BRKCRS-1579 121


Performance Monitoring

• Between 2 peers

• For all possible paths

(min:1, max: 4)

• Latency, loss, jitter, and MOS

• Identify performance issues

BRKCRS-1579 122

Demo – SD-WAN Examples


Cisco Meraki WAN Emulator

124BRKCRS-1579

https://github.com/nathanwiens/merakiwanemulator

https://github.com/nathanwiens/merakiwanemulator


OTT SD-WAN

BRKCRS-1579 125


OTT SD-WAN

Over The Top

OR

Over the Internet

SD-WAN

MPLS-like SLAs for Internet destinations

BRKCRS-1579 126


Partnership

Public-cloud based WAN service

BRKCRS-1579 127


Teridion Cloud WAN Service

• TCP acceleration

• Cloud routers throughout the Internet and public cloud

• Middle-mile acceleration

• Per application routing

• Throughput, loss, and latency as routing metrics

• High throughput routes: TCP based applications

• Low loss / low latency routes: UDP applications

• Adaptive, self-optimizing network

• Cloud routers change based on performance metrics

BRKCRS-1579 128


Cisco Meraki Dashboard

• Add Non-Meraki VPN peers for the Teridion edge

• Configure HA with Tag-Based IPsec VPN Failover

Quick, Easy Setup

Teridion Portal

• Add sites via UI or in bulk with csv upload

• Easily create IPSec tunnels with a pre-configured Meraki template

BRKCRS-1579 129

Demo – Teridion Speed

Security


Complementary Crossroads

BRKCRS-1579 132


More Than Just SD-WAN

IPS Snort IDS / IPS, updated every day

Content FilteringBrightCloud - 4+ billion URLs,

updated in real-time

Geo-based

security

Block traffic sourced from selected

countries

Malware

Protection

AMP with Threat Grid

ThreatGrid based sandboxing

Automatic

Updates

Software and security updates

delivered from the cloud

PCI compliancePCI 3.2 certified cloud-based

management Industry leading security built-in with no additional hardware required.

BRKCRS-1579 133


Security Integrations/Interoperability

Meraki Interoperability

Meraki Integrations

Cisco ISE

Meraki MX

BRKCRS-1579 134


Supported by Cisco Talos Threat Intelligence

1.5 million malware samples / day

600 billion email messages / day

16 billion web requests / day

Honeypots

Open source communities

Internalvulnerability discovery

Telemetry

Internet-wide scanning

Over 250 full time

threat researchers

Millions of telemetry

agents

4 global data centers

Over 100 threat

intelligence partners

Over 1,100 threat

traps

BRKCRS-1579 135


MX Appliance Licensing

Full SD-WAN feature set and functionality

Site-to-site Auto VPN

Branch routing

Link bonding and failover

Application control

Web caching

Client VPN

Stateful firewall

All enterprise features, plus:

BrightCloud content filtering (with GoogleSafeSearch)

Cisco Advanced Malware Protection

Snort IPS / IDS

Geo-IP based firewall rules

[Note: No license required for HA MX Appliance]

EnterpriseAdvanced Security

BRKCRS-1579 136


Security Updates (Firmware 14)

• FQDN/hostname firewall rules (passthrough mode)

• Support for AMP inspection of .zip archive content

• Support for submitting .zip files for Threat Grid inspection

• Support for in-place Snort upgrades (no reboot required)

• Improved layer 7 signature matching accuracy

BRKCRS-1579 137


Security Updates (Firmware 15 - Beta)

• Support for AMP inspection of .dmg files

• Umbrella DNS Security integration

Advanced Security License Required

Security & SD-WAN > Threat protection

BRKCRS-1579 138


BRKSEC-2702

BRKCRS-1579 139

Demo – Security Center

Performance Monitoring


User Experience (Era of Cloud-Managed Apps)

142BRKCRS-1579

“The cloud is the data center”Jarrod Benson, CISO of Koch Industries

End Point WLAN LANWAN

Applications


Cisco Meraki Insight (MI)

Firmware 14+

BRKCRS-1579 143


Network Assurance

Web App Health WAN Health

BRKCRS-1579 144


MI Metrics

145BRKCRS-1579

Category Examples

Network Utilization, latency

Application HTTP requests, response time

WAN Goodput, loss, latency

LAN Goodput, loss

Clients/Servers/Domains Requests, response time


MI for Your SD-WAN Mission

BRKCRS-1579 146

End-To-End VisibilityFor SaaS Applications

Application PerformanceApp over VPN or public Internet

Accelerate ITReduce time-to-resolution


MI is Critical for Meraki SD-WAN

Web App Health

WAN Health

“WHY ARE USERS EXPERIENCING

SLOWNESS IN CRITICAL WEB TRAFFIC?”

HOW: Passive Monitoring of HTTP/S

FOR: Tier 2/3 network support

“WHY CAN’T BRANCHES CONNECT TO THE

INTERNET?”

HOW: Active Monitoring of ICMP

FOR: Tier 1 support/Helpdesk/NOCs

BRKCRS-1579 147


Faster Rime to Resolution

Diagnostics show that WAN loss (ISP) is the

culprit for application

quality

degradation

BRKCRS-1579 148


How does Meraki Insight solve customer challenges?

Who should a network admin

contact?

What evidence can pinpoint the problem source?

MI’s FIRST page tells the user which point in the network is failing

and causing a degradation

Within 2 clicks, user can drill down to generate specific evidence for the network outage

BRKCRS-1579 149


WAN Health

What is it?

● Branch ISP connectivity

(to 8.8.8.8 or custom

destination)

● Ping/ICMP (active)

For Whom?

● Distributed branch

● Multiple sites

BRKCRS-1579 150


The First Collector

Meraki MX: built-in collector for MI

Firmware 14+

BRKCRS-1579 151

Demo – Web App/WAN Health

SD-WAN for All


Algorithms

BRKCRS-1579 154


Tools

BRKCRS-1579 155


Market https://www.arpatel.com.ec/

BRKCRS-1579 156

https://www.arpatel.com.ec/


SD-WAN at a Site Near You

Operational efficiency through

AUTOMATION

Business valuethrough

INTELLIGENCE

Cost reduction through architectural

SIMPLIFICATION

BRKCRS-1579 157


SD-WAN: An Option for All

Operate at the speed of the business

Better experience

Automate

BRKCRS-1579 158

Complete your online session evaluation

• Please complete your session survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS BRKCRS-1579 159

http://ciscolive.cisco.com/us

https://ciscolive.cisco.com/


Continue your education

Related sessions

Walk-in labsDemos in the Cisco campus

Meet the engineer 1:1 meetings

BRKCRS-1579 160

Thank you

#CLUS

Cisco SD-WAN powered by Meraki - Session Presentation

Documents

Transcript of Cisco SD-WAN powered by Meraki - Session Presentation