Cisco Catalyst SD-WAN Overview

The document introduces the Cisco Catalyst SD-WAN, detailing its rebranding from Viptela and Meraki, and outlining the architecture components such as the Validator Orchestrator, Controllers, and VEdge Routers. It emphasizes the importance of the Overlay Management Protocol (OMP) for control plane operations, as well as the security features and certifications that ensure data protection. Additionally, it highlights the integration with Splunk for enhanced monitoring and visibility of security events within the network.

Good morning, good afternoon, good evening, good night or good day. I am Apii Carvey, a content BDM from the Global Black Belt Academy, and welcome to the Black Belt FY24 stage one learning map for Cisco Catalyst SD-WAN. This is the third module, Solution and Components, in the stage 1 learning series. In this module, we will explore the SD-WAN architectures related to Viptela and Meraki, the use cases, the architecture components, and the relationships.

Before we go any further, I'd want to take a minute to walk everyone through the current branding and portfolio consolidation with Cisco Catalyst, to put the entire Catalyst technology under one naming convention. Cisco has been working on rebranding a number of our EN products, with Viptela or Cisco Secure SD-WAN being renamed Catalyst SD-WAN beginning with versions 17.12 and 20.12. The same case applies to the Cisco DNA Center, which will be known as the Catalyst Center. But now to focus on the Catalyst SD-WAN rebranding, you can see the old and new names with the rebranding. When it comes to technology, Cisco SD-WAN evolves into Cisco Catalyst SD-WAN. vManage and vAnalytics have been renamed as Cisco Catalyst SD-WAN Manager and Analytics respectively. vBond is now Cisco Catalyst SD-WAN Validator, while vSmart is now Cisco Catalyst SD-WAN Controller. Cisco SD-WAN is now Cloud-delivered Cisco Catalyst SD-WAN. These new names will appear on the product screen and throughout the documentation. Please keep in mind that we preserve the old naming and branding in the API and CLI documentation due to the prohibitively high expense of replacing them.

The Cisco Catalyst SD-WAN architecture by Viptela is based on a zero trust model. The solution has four distinct planes: orchestration, management, control, and data planes.

The Cisco Validator orchestrator is a multi-tenant element of the Cisco Catalyst SD-WAN fabric. It facilitates the mutual discovery of the control and management elements of the fabric by leveraging a zero trust, certificate-based, whitelisted model. It automatically distributes the list of controllers and the manager system to the WAN edge routers during the bring-up process. For situations where the controllers, the manager system, or the WAN edge routers themselves are behind NAT, the Validator orchestrator facilitates the function of NAT traversal by allowing learning of public (post-NAT) and private (pre-NAT) IP addresses. The discovery of public and private IP addresses allows establishing connectivity across public Internet, 4G and private MPLS point-to-point WAN transports. The Validator orchestrator itself should reside in the public IP space, or reside in the private IP space with 1:1 NAT. When delivered as a cloud service, controllers are redundantly hosted in the Viptela cloud. When deployed as an on-prem solution by the customer, it is the responsibility of the customer to provide adequate infrastructure resiliency.

Cisco Controllers are the scale-out control plane functions of the Cisco Catalyst SD-WAN fabric. Controllers facilitate fabric discovery by running the Overlay Management Protocol (OMP) between themselves, and between themselves and the WAN edge routers. Together with the WAN edge routers, Controllers act as a distribution system for the pertinent information required to establish the data plane connectivity directly between the WAN edge routers. This information includes service (LAN-side) reachability, transport (WAN-side) IP addressing, IPsec encryption keys, site identifiers, and so on. Controllers also distribute data plane and application-aware routing policies to the WAN edge routers for enforcement. Control policies acting on the control plane information are locally enforced on the controllers.
These control plane policies can implement service chaining, various types of topologies, and generally influence the flow of traffic across the fabric. The use of a centralized control plane dramatically reduces the control plane load traditionally associated with building large-scale IPsec networks, solving the N² complexity problem. The controllers' deployment model does not only solve the horizontal scale issue, but also provides high availability and resiliency. Controllers are oftentimes deployed in geographically dispersed data centers to even further reduce the likelihood of control plane failure. When delivered as a cloud service, controllers are redundantly hosted in the Cisco cloud. When deployed as an on-prem solution by the customer, it is the responsibility of the customer to provide adequate infrastructure resiliency.

Cisco WAN edge routers are the data plane elements of the Cisco Catalyst SD-WAN fabric. They are in essence WAN edge routers positioned everywhere the SD-WAN fabric needs to be extended to. WAN edge routers are responsible for encrypting and decrypting application traffic between the sites. As mentioned earlier, WAN edge routers establish a control plane relationship with the controllers to exchange the pertinent information required to establish the fabric and learn centrally provisioned policies. Data plane and application-aware routing policies are implemented on the WAN edge routers. WAN edge routers export performance statistics, as well as alerts and events, to the centralized manager system for single-pane-of-glass operations. WAN edge routers leverage standards-based OSPF and BGP routing protocols for learning reachability information from service (LAN-side) interfaces and for brownfield integration with non-SD-WAN sites. WAN edge routers have very mature full-stack routing, which accommodates simple, moderate, and complex routed environments. For layer 2 redundant service (LAN-side) interfaces, WAN edge routers implement the VRRP first hop redundancy protocol, which can operate on a per-VLAN basis. WAN edge routers can be brought online in a full zero-touch deployment fashion or by requiring administrative approval. Zero-touch deployment relies on the use of signed certificates installed in the onboard tamper-proof module (TPM) to establish a unique router identity. Finally, WAN edge routers are delivered in both physical and virtual form factors. Physical form factors are deployed as appliances with either 100 MB, 1 GB or 10 GB based on the throughput needs. The virtual form factor can be deployed in public clouds such as AWS and Microsoft Azure, or as an NFV on the vCPE or uCPE platforms leveraging KVM or ESXi hypervisors.

Ultimately, Cisco Manager provides a single pane of glass for day 0, day 1 and day 2 operations.
Its multi-tenant, web-scale architecture caters to the needs of enterprises and service providers alike. Some of its key functions include centralized provisioning, centralized policies, and device configuration templates; the ability to troubleshoot and monitor the entire environment; and performing centralized software upgrades on all the fabric elements. The Manager GUI allows segregated administrative access by implementing RBAC for proper roles and responsibilities. Its programmatic interfaces enable DevOps operations. These interfaces can also be used to extract performance statistics collected from the entire fabric. Performance statistics can be exported into external systems or to the Cisco Analytics tool for further processing and deeper insight.

The Overlay Management Protocol (OMP) lies at the heart of the Cisco SD-WAN fabric. It is a TCP-based, highly extensible control plane protocol that unifies all control plane functions under a single protocol umbrella. It operates inside bidirectionally certificate-authenticated TLS or DTLS connections established between the vSmart controllers, and between the vSmart controllers and the vEdge routers. By leveraging the concepts of address families and route attributes, OMP advertises all pertinent control plane information between the vEdge routers to allow establishing direct IPsec communication between the vEdge routers without reliance on the IKE protocol. It allows exchange of full reachability without reliance on traditional routing protocols such as OSPF and BGP over the IPsec tunnels. Furthermore, OMP allows dissemination of centrally defined data and application-aware routing policies for fully distributed, scale-out enforcement on the vEdge routers. Ultimately, OMP allows a high degree of scalability by dramatically lowering control plane complexity and eliminating the N² problem associated with traditional IKE-based IPsec networks. As depicted by the diagram at the bottom of the slide, the use of OMP and vSmart controllers creates a linear-complexity control plane where vEdge routers establish control plane connectivity only to a handful of vSmart controllers and not to every other vEdge router in the topology. In contrast, in traditional IKE-based IPsec networks, each router needs to establish a control plane connection to every other router in the topology, resulting in quadratic (N²) control plane complexity that does not scale.

In SD-WAN deployments, the control components are deployed and configured first. There are multiple flexible control component deployment options available for customers. Control components can be deployed on premise, in Cisco-hosted cloud, or in managed service provider or partner-hosted cloud. On premise, in a private cloud or data center owned by an organization, control components are deployed in a data center on ESXi or KVM. The customer is typically responsible for provisioning the control components and responsible for backups and disaster recovery. Some customers, such as financial institutions or government-based entities, may choose to run on-premise deployments, mainly due to security and compliance reasons. Cisco-hosted cloud is the recommended model, and control components can be deployed in AWS or Azure. Single or multiple zones are available for the deployment. Most customers opt for Cisco cloud-hosted control components due to ease of deployment and flexibility in scaling. Cisco takes care of provisioning the control components with certificates and meeting requirements for scale and redundancy. Cisco is responsible for backups/snapshots and disaster recovery. The customer is given access to the SD-WAN Manager to create configuration templates and control and data policies for their devices. In a managed service provider (MSP) or partner-hosted cloud, this is private-cloud hosted or can be public-cloud hosted and deployed in AWS or Azure. The MSP or partner is typically responsible for provisioning the control components and responsible for backups and disaster recovery.

To fully understand the Cisco Catalyst SD-WAN solution, one must be familiar with the terms we've given here for the Catalyst SD-WAN fabric. Overlay Management Protocol: the OMP routing protocol, which has a structure similar to BGP, manages the SD-WAN overlay network. The protocol runs between SD-WAN Controllers, and between SD-WAN Controllers and WAN edge routers, where control plane information such as route prefixes, next-hop routes, crypto keys, and policy information is exchanged over a secure DTLS or TLS connection. Transport locator (TLOC): transport locators, or TLOCs, are the attachment points where a WAN edge router connects to the WAN transport network. A TLOC is uniquely identified and represented by a 3-tuple consisting of system IP address, color, and encapsulation. Color: colors are abstractions used to identify individual WAN transports that terminate on WAN edge devices. Site ID: a site ID is a unique identifier of a site in the SD-WAN overlay network, with a numeric value used in policy application. System IP: a unique per-device identifier in IPv4 notation, also used as router ID for BGP and OSPF. Organization name: the organization name is a name that is assigned to the SD-WAN overlay; it is common to all elements of the fabric. VPN: also known as VRF in IOS XE, used for device-level and network-level segmentation.

Now that we are familiar with the various Cisco Catalyst SD-WAN components and terminology, we can understand that when we discuss fabric operations, we are referring to the manner in which the control plane and data plane traffic move within the SD-WAN solution. So imagine that we have two sites which are connected to two different transports. First of all, control connections are established, and remember that they are not part of your data plane, so no user traffic comes through them. Once the DTLS connections are created, we start the OMP session. Through the OMP session, we get the information on how to get from one site to the other with the IPsec tunnels. When the blue line is established, the next thing we do is turn on BFD. BFD is important because that's the protocol we are using to measure the quality of the link: latency, loss, jitter, so we know the quality of that line. When that's been established, we start announcing the routes: whatever we learn on that site is pushed through OMP to the vSmart, so the other guys in the fabric now learn about what I announce. The same goes if I turn on another segment on the router; again, an OMP update is sent out. Finally, but not least, vSmart then pushes out the centralized policies, so how do those segments connect to each other? And then we are ready to begin moving traffic across the network.

Cisco SD-WAN supports a wide variety of security options for your network, and it's consistent across SD-WAN and SD-Routing. Starting from the classic on-prem security, embedded security, you have an app-aware, enterprise-class ZBFW. We have a robust security stack which supports all the required security such as AMP, IPS, URL filtering, and much more. All this is backed up by Cisco Talos threat intelligence. We support unified logging, where logs are collected from ZBFW and UTD to understand what traffic, threats, sites, or malware were blocked. A couple of other newer items to highlight here are Palo Alto integration and the Zero Trust offering in embedded security. Now coming to cloud security: the first layer for cloud security is DNS security, using DNS-layer security to block unwanted or malicious content, augmented by cloud-based offerings such as deep integration with Cisco Umbrella, Cisco Secure Edge, and integration with other third-party SSE vendors like CS, Netskope, or Palo Alto. These are for DIA and SIG secure traffic and support intelligent selective traffic redirection with policy-based routing. Another important area is monitoring and visibility. One thing to highlight here is the SecOps persona, providing the right role-based access and deep visibility for the SecOps persona through SecOps; it's been introduced in 20.12. Fourth is certifications. Cisco Catalyst SD-WAN now has a set of certifications that help our customers in various sectors such as retail, financial, government, and critical infrastructure. Commercial certifications include ISO 27001, 27017, 27018, 27701, C5 and SOC 2. We also have renewed our existing PCI DSS and SOC 2. In addition to these commercial certifications, FIPS 140-2 validation, as well as the FedRAMP Moderate Agency ATO letter, provide us opportunities to cater to the government and critical infrastructure sectors. Going forward, all long-lived releases will continue to acquire these certifications to serve our customers and provide peace of mind for the security of their data. FedRAMP is for the government and PCI is for retail. FIPS is a generic validation for cryptographic algorithms; FedRAMP and other government agencies are asking for it, and this is required for our FedRAMP solution to be approved. And finally, we have fabric security: trustworthy technologies such as image signing, secure boot, the Cisco Trust Anchor module (TAm), and runtime defenses help ensure that the code running on Cisco SD-WAN hardware platforms is authentic, unmodified, and operating as intended. We have got the security integrations and the consistent end-to-end policy enforcement.

Now let's not forget about security visibility. And talking about visibility, I want to introduce one important technology partnership that we have. It can be considered more than a partnership, and that is Cisco Catalyst SD-WAN's Splunk application, which has been added and supported with version 20. I mentioned that it's more than an integration because you might be aware of the acquisition of Splunk by Cisco, and the idea behind the Splunk application is that it's a built-in, ready-to-use application on top of Cisco Catalyst SD-WAN to enable an approach where we have a SOC dashboard that provides a holistic overview, with more flow analysis insights to see the traffic and the threats, with very strong threat inspection when it comes to the applications and firewall. It also has retained security events for one year with the Cisco Catalyst SD-WAN Splunk application. If you resonate with the idea behind the application, these are the three important key areas that the Splunk integration wins: the dashboard for a real-time holistic view on all the security events, with threat management from an IPS perspective and malware perspective associated with the devices and being able to click into those events further; one year data retention; and flow analysis. You might be interested to know who are the top talkers or the top applications accessed; this is the place to get all such information.

Application-aware routing. With application-aware routing, we can actually create policies to say, OK, my application has a requirement not to go above 150 milliseconds and not above a loss of 2%. So I put that into my application-aware routing policy, and if a path, in this case MPLS, goes across those thresholds, then I will move the traffic to one of the other circuits, or at least ensure that the traffic isn't put on a link that is impacting user experience. If we are in a situation where all the links are out of threshold, then we have other ways of ensuring that we're still utilizing them. Instead, we can choose to drop the traffic, because that is the best experience for the customer instead of having things waiting; it's better to say, OK, it's down. But we can also do best-of-worst: so let's imagine that all three are outside of the scope, then we will take the one that is least outside of the scope and still utilize it. We also do ranking on other parts of these metrics. When it comes to application-aware routing, SD-WAN has historically been leveraging BFD for tunnel performance, and we identified the challenge of convergence time, which is a high convergence time between 10 minutes and 60 minutes to detect an SLA breach and fail over. Now the solution, with versions 20.12 and 17.12, is enhanced application-aware routing, which provides three important capabilities. The first is improving the measurements by leveraging the IPsec sequence number in the packet and having per-queue-level accurate measurements, for faster detection, around 10 seconds to 60 seconds. With this, the ability to quickly take action to switch to a better path has been added as well. This also tries to address situations like flapping between meeting the SLA and violating the SLA: in this situation, there is a dampening mechanism in place for the tunnel so that we can avoid such situations.

So again, application experience is the key, and there are different building blocks that we can utilize inside SD-WAN. First of all, TCP optimization with the congestion algorithm and other optimization features. Then, for UDP-based traffic, there is forward error correction and packet duplication: forward error correction, where we are sending a control byte per 4 packets, so if a packet is lost in transit we can recalculate that packet on the other end; and packet duplication, where we are actually sending traffic across both links at the same time, and again, if a packet is lost, we can take it from the other link, ensuring that the video stream or voice call gets through. Then we have introduced DRE and LZ compression so we can optimize the WAN traffic across long distances. All of these features are configured from vManage as part of your device template and as part of your feature templates, so it's very easy to configure and manage. Cisco Catalyst SD-WAN provides you the option to select a preferred address family, IPv4 or IPv6, to establish control and data connections in a dual-stacked network environment. We can have an IPv6 address for a new prefix data list. One can configure centralized and localized policy to apply to the IPv6 address family.

Deploying branches and remote locations is not always one-size-fits-all, especially when it comes to the cloud. Your needs and the use case will determine what type of platform you need at your remote location; regardless of the platform you need, they all work together seamlessly and can be managed through a single user interface. The newest platform family to join Cisco's long history in the WAN space is the Catalyst 8000 series, designed for an intent-based network. The Catalyst 8000 edge platforms enable connectivity to hybrid and multi-cloud applications across your cloud, data center and edge locations, an industry-leading cloud edge solution. Catalyst 8000 edge platforms are designed for accelerated SD-WAN and routing services, multi-layered security, and edge intelligence. With the edge platforms, policies are extended end to end for an optimal user experience across multiple domains. Catalyst 8000 edge platforms provide a continually evolving solution delivered via Cisco DNA software subscription, so users get new value and keep pace with advances in intent-based networking without new hardware. These new platforms deliver a secure connected experience: industry-leading security and networking services converge on prem or in the cloud to deliver the best performance for SD-WAN services across all users to any cloud. Cloud-native agility: an open and fully programmable software architecture enables automation at cloud scale and support for a diverse set of microservices, making cloud migration simple. Business-first resiliency: the flexibility to deploy any service anywhere and the ability to view end-to-end analytics allows IT to adopt evolving technology like 5G without compromising performance or uptime. A more comprehensive and in-depth technical discussion of these and the other platforms can be found in the stage 2 learning materials.

Thank you for watching. Happy learning.
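The application-aware routing behaviour described in the module (an SLA class with a 150 ms latency and 2% loss threshold, moving traffic off a path that breaches it, the choice between dropping traffic and "best of worst" when every path is out of SLA, and dampening so a path that flaps in and out of SLA does not cause constant failover) as an added illustration in Python. This is not Cisco code and not from the module: the class names (SlaClass, TunnelStats, DampenedSelector), the transport colors, the sample BFD-style measurements, and the scoring rule used to decide which path is "least outside the scope" are all constructed for the example; it models dampening as holding the current path until a different choice has won several consecutive measurement rounds, which is a simplification of the per-tunnel dampening the module mentions.

```python
"""Toy application-aware routing path selector (added illustration, not Cisco code).

Models three behaviours described in the module: SLA thresholds per application
class, best-of-worst fallback when every transport is out of SLA, and dampening
so that a flapping path does not drag traffic back and forth.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an application class must stay within (e.g. 150 ms / 2 %). Constructed."""
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: Optional[float] = None
    preferred_colors: Sequence[str] = ()   # preference order among compliant paths


@dataclass(frozen=True)
class TunnelStats:
    """One BFD-style measurement sample for a tunnel, keyed by transport color. Constructed."""
    color: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float = 0.0


def meets_sla(t: TunnelStats, sla: SlaClass) -> bool:
    """True when every measured metric is within the class thresholds."""
    if t.latency_ms > sla.max_latency_ms or t.loss_pct > sla.max_loss_pct:
        return False
    return sla.max_jitter_ms is None or t.jitter_ms <= sla.max_jitter_ms


def violation_score(t: TunnelStats, sla: SlaClass) -> float:
    """How far outside the SLA a sample is: 0.0 when compliant, larger is worse.
    Each metric contributes its fractional excess over its threshold, so 200 ms
    against a 150 ms limit contributes 0.333. (Hypothetical scoring rule.)"""
    score = max(0.0, t.latency_ms / sla.max_latency_ms - 1.0)
    if sla.max_loss_pct > 0:
        score += max(0.0, t.loss_pct / sla.max_loss_pct - 1.0)
    if sla.max_jitter_ms:
        score += max(0.0, t.jitter_ms / sla.max_jitter_ms - 1.0)
    return score


def select_path(samples: Sequence[TunnelStats], sla: SlaClass,
                fallback: str = "best-of-worst") -> Optional[str]:
    """Pick the transport color for this SLA class from the latest samples.
    Compliant paths win, honouring preferred_colors order, then lowest latency.
    If nothing is compliant: 'best-of-worst' takes the least-violating path,
    'drop' returns None (the caller black-holes traffic instead of queueing it)."""
    compliant = [t for t in samples if meets_sla(t, sla)]
    if compliant:
        for color in sla.preferred_colors:
            if any(t.color == color for t in compliant):
                return color
        return min(compliant, key=lambda t: t.latency_ms).color
    if fallback == "drop":
        return None
    return min(samples, key=lambda t: violation_score(t, sla)).color


class DampenedSelector:
    """Keeps the current path until a different choice has won for `hold_samples`
    consecutive rounds, so one bad sample on the active path does not trigger
    failover and a flapping path does not cause repeated switches."""

    def __init__(self, sla: SlaClass, hold_samples: int = 3,
                 fallback: str = "best-of-worst") -> None:
        self.sla, self.hold, self.fallback = sla, hold_samples, fallback
        self.current: Optional[str] = None
        self._pending: Optional[str] = None
        self._streak = 0

    def update(self, samples: Sequence[TunnelStats]) -> Optional[str]:
        choice = select_path(samples, self.sla, self.fallback)
        if self.current is None:            # first round: nothing to protect yet
            self.current = choice
            return choice
        if choice == self.current:          # active path still best: clear pending switch
            self._pending, self._streak = None, 0
            return self.current
        if choice != self._pending:         # a new candidate restarts the count
            self._pending, self._streak = choice, 0
        self._streak += 1
        if self._streak >= self.hold:       # candidate has won enough rounds: fail over
            self.current, self._pending, self._streak = choice, None, 0
        return self.current


# Constructed SLA class using the thresholds quoted in the module.
VOICE = SlaClass("voice", max_latency_ms=150, max_loss_pct=2.0,
                 preferred_colors=("mpls", "biz-internet"))


def demo() -> List[Optional[str]]:
    """Feed a constructed sequence of measurement rounds through the selector:
    MPLS flaps once (round 2) and then stays out of SLA (rounds 4-6)."""
    good_mpls = [TunnelStats("mpls", 40, 0.1), TunnelStats("biz-internet", 30, 0.5),
                 TunnelStats("lte", 90, 1.0)]
    bad_mpls = [TunnelStats("mpls", 210, 0.1), TunnelStats("biz-internet", 30, 0.5),
                TunnelStats("lte", 90, 1.0)]
    sel = DampenedSelector(VOICE, hold_samples=3)
    return [sel.update(r) for r in [good_mpls, bad_mpls, good_mpls,
                                    bad_mpls, bad_mpls, bad_mpls]]


if __name__ == "__main__":
    print(demo())   # the single bad round is absorbed; failover happens only in round 6
```

The `demo()` run shows the effect of dampening: the one-off breach in round 2 does not move voice off MPLS, while three consecutive breaches do. Swapping `fallback="drop"` into `DampenedSelector` reproduces the "it's down" behaviour the module contrasts with best-of-worst: when all three transports are out of SLA, `select_path` returns `None` instead of the least-bad color.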
