SDWAN Vendor Series 2019 - Cisco Viptela
Updated: Jul 19, 2019
Cisco provide two SD-WAN platforms to meet the expectations of a variety of organisations. These are Cisco Meraki and Cisco Viptela. This article covers Cisco Viptela, a platform that takes advanced SD-WAN capability and layers on features and functionality from a suite of Cisco networking and security technologies. The acquisition of Viptela introduced a SD-WAN platform aimed at addressing the simplistic through to advanced networking requirements. The Viptela platform has gone through a transformation with the edge functionality ported to Cisco ISR and Cisco ASR routers but the core components of the cloud platform remain. These components are:
vManage is the dashboard to define templates, define policy, define devices, and build configuration from a centralized management platform with troubleshooting and monitoring capability. This is the network administrators single pane of glass to the SD-WAN fabric.
vSmart provides the SD-WAN fabric control plane, it implements the control plane policies, propagates routing and application routing policies between SD-WAN edge devices, in addition to distributing the data plane policies.
vBond is the first point of authentication for SD-WAN edge devices connecting to the SD-WAN fabric and is used to build the relationship between vSmart and vManage for an organisation.
All the platform components above can be hosted in the cloud by Cisco or as part of your own data centre infrastructure. The recommended approach is in the Cisco cloud where Cisco will manage all the underlying infrastructure and software maintenance.
For flexibility in edge deployment modes, the edge devices are available in physical, virtual and cloud based platforms and also expanded to the Cisco ISR, ASR and vCSR1000v.
Evaluation and Assessment
On-boarding a Cisco Edge router is zero touch provisioning when the WAN provider serves up an IP address through DHCP and a DNS to the edge router. From factory configuration, Cisco provide a URL ztp.viptela.com for vEdge devices and devicehelper.cisco.com for cEdge devices to allow the router to communicate with the ZTP/PnP server and directs the device to the corporate vBond and orchestration instance for your organisation platform. This is the point the organisational registered devices is able to begin communication with the associated controllers and vManage and pull down its configuration templates.
Cisco has a proprietary overlay management protocol (OMP) which is used to communicate with the vSmart controller for propagation of routes to other Cisco Viptela edges. Integration with the transport layer and local area network is achieved using BGP, OSPF static routes and also VRRP for local HA. Combining OMP with these protocols, Cisco provides capability to implement active/standby or active/active redundancy at a site thereby allowing access to all transports connected to 2 nodes functioning in HA.
Data plane integration is based on IPsec and is supported Viptela to Viptela, Viptela to 3rd party IPsec end points, Viptela to cloud provider IPsec end points and Cisco Viptela to virtual/cloud deployed Viptela.
Cisco has automated the process to integrate IaaS access to Azure (VNETs) and AWS (VPCs) and there are two approaches. The first is to place the SD-WAN edge virtual instance local to the compute within the VPC or VNET or the second method is to implement a gateway in a separate VPC/VNET and automatically identifying the compute VPC/VNETs and establishing connectivity to the compute VPC/VNET.
Cisco has looked to address performance at the edge with ISR and ASR router platforms powered with Viptela SD-WAN software. The Viptela architecture ensure that the largest of networks will not be limited by tunnel maintenance with Cisco supporting as many as 10000 edge devices in a single topology. Even larger topologies are possible with a regional hub toppolgy and then implementing a full mesh with the regional hubs.
FEC and packet duplication protects against circuits with a high error/loss. FEC provides a parity packet for checking at the remote end. This can be enabled dynamically so as not to use unnecessary bandwidth maintaining the parity. Packet duplication will generate duplicate packets over separate transports/SD-WAN tunnels and a packet loss on one transport can be recovered from the second transport.
Cisco route traffic over different transports on a per session basis. This, Cisco believe, avoids the reassembly required at the remote end if the approach was per packet. My preference is per packet so that a session does not need to be rebuilt during temporary performance issues and you application will continue seamlessly.
To ensure that application performance characteristics are met, Cisco measure the performance of paths to the application using bi-directional-forwarding delay to determine the latency, loss and jitter of paths to applications. In the example below, Path2 does not meet the configured application performance requirements and is not used for access to the application.
Cisco also provide techniques for optimizing communication paths such as establishing a maximum MTU for IPsec tunnels to minimizing packet fragmentation and TCP optimization for higher latency paths where a remote location which due to geographical distance introduces higher latency to a target application.
Cisco has some really good smarts for Direct Internet Access (DIA) or hybrid access to SaaS environments. They call this Cloud onRamp for SaaS where hybrid provides a path over the DIA and the private WAN such as MPLS and monitors performance over both allowing the switching between most optimal path to the SaaS environment. This is an excellent feature to address Internet performance issues and consider user experience during periods of higher latency via the Internet.
Control plane scaling is a result of vSmart performing functions similar to that of a route reflector. This means that edge devices only need to establish control plane connectivity with the vSmart controller and avoids every edge device having to establish a control place tunnel with other edge devices. This is implemented using Cisco's overlay management protocol (OMP) which is used to disseminate routing, security key, IPSEC encryption keys and control plane context with each edge device. Using OMP to disseminate the IPSEC encryption keys means that there is no requirement to maintain a IKE infrastructure and providing an efficient approach to building tunnels especially in larger networks.
Cisco has a multi-dimensional approach to securing SD-WAN. Out of the box Cisco Viptela SD-WAN provides:
IPsec for site to site connectivity for data plane
DTS/TLS for control plane
Stateful zone based firewall
Application aware firewall providing 1400+ application classified using Cisco's NBAR2
Network wide segmentation
DDos device protection
URL Filtering with 82 categories
Cisco combines the "out of the box" security features with cloud based security features. The SD-WAN has access to snort based IPS backed by TALOS threat detection signatures, DNS and Web-layer security provided as part of Umbrella and Anti Malware Protection (AMP) integrated with ThreatGrid for file analysis.
The configuration and implementation is provided by Cisco intent based security with predefined configurations using built in workflows, these include the following predefined security policies for enabling the appropriate security features.
direct cloud access
direct internet access
From vManage the administrator is able to select a workflow to define a the intended security policy for a device, segment as illustrated below.
A key fabric security feature is provided with end to end segmentation. Cisco provides a simple and intuitive approach to not only provide local separation of traffic but fabric wide separation from edge device to data centre, to cloud and other edge devices.
Each VPN created as part of segmentation can be implemented using per VPN topology and the following represents the predefined typologies that an administrator can implement.
When it comes to security, Cisco provides a full suite of options and capabilities. Not only can you implement the Cisco suite but you can also integrate 3rd party security solutions with service insertion. This allows organisation to maintain their preferred security appliances locally at a SD-WAN site or regionally at a hub site with service insertion. In addition an organisation may prefer an alternative cloud security solution than the Cisco options and 3rd part providers can be integrated with ease.
Simplicity and Visibility
vManage provides workflows, templates and policy for ease of device configuration and implementation. Cisco excel in the cloud delivery with onRamp for simplistic cloud deployments and access to cloud based host on Azure and AWS. The vManage interface is intuitive and with real time visibility of SD-WAN performance, application awareness, deep packet inspection the administrator is provided with excellent visibility of their organisations network environment. The monitoring of the Cisco Viptela SD-WAN is enhanced with troubleshooting tools allowing application and path performance assessment to be easily determined.
Cisco provide a monitor display with an at glance view of the devices and location. Zoom and drill down functionality allows the administrator to click to more detailed levels of information as required.
The Viptela platform provides good monitoring and visibility of near time network activity. Not mentioned until now but vAnalytics is the platform for longer trending visibility enabling an organization to analyze and plan more effectively with greater detail such as assessing circuit performance trends, application trends and QoS performance. vAnalytics is an optional component and probably requires an article on its own in order to do it justice.
Considering the SD-WAN solutions so far, I would say that Cisco Viptela and Versa are comparable both in capability and also have similar look and feel. Both with workflow driven, template based platforms and security at the core of their solution. The difference is Cisco approach advanced security features with cloud based solutions compared to Versa providing the features on device. Very little separate these platforms but Cisco does provide a excellent cloud based solution with onRamp for IaaS and SaaS that simplifies the integration with cloud. This is a capability that I really like. Cisco also provides an intuitive simplistic platform with good visibility tools especially with the inclusion of vAnalytics and will definitely be a major player in the SD-WAN space with security integration that is hard to beat.
References: Images and media courtesy of Cisco. Retrieved from http://cisco.com