Whats New in SD WAN Release 17 - 6 20 - 6 - 20211026 1500 1

What’s New

SD-WAN v20.6 / 17.6

SD-WAN Technical Marketing

August 2021
Agenda
• 17.6.1 Features
• 17.6.2 Features

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
17.6.1 Features

17.6.1 (Major) Features At-A-Glance

Infra & Services
• ThousandEyes agent hosting
• Per VPN QoS
• Route Leak Enhancements
• MT-Controller reverse proxy
• NBAR on Viptela OS

Cloud Networking
• Google Service Directory Integration
• SDCI with Azure and GCP
• Multi-cloud monitoring in vManage
• CoR over SIG tunnel

Security
• Unified Security Policy
• Geo-fencing for Edges
• Certificate enhancements
• RBAC for vManage policies

vManage & Onboarding
• Smart Licensing Phase-2
• UX 2.0
• Day-0 Quick Connect workflow
Infrastructure and Services
Cisco SD-WAN with ThousandEyes
Platforms: cEdge (not vEdge)

Problem
Customers wishing to deploy ThousandEyes agents throughout their network are forced to host the agent software on an external x86 appliance. This can be cumbersome, hard to manage and introduces additional equipment within the branch.

Solution
Cisco IOS-XE v17.6 (with vManage v20.6) now supports ThousandEyes agent hosting (as a container) within ISR4K and C8K. Using existing Software Repository workflows and Feature Templating, vManage can now deploy and provision the agent software on the router. Agents then register to the customer’s ThousandEyes portal and are available for probing.

Caveats / Prerequisites
ISR4K/C8200/C8300 support only; the agent software does not currently support all testing methods.

Diagram: ThousandEyes (TE) agents hosted in the Data Center and Branch/Campus probe a SaaS application front-end over the SD-WAN path and the application path; analytics and app telemetry are reported to ThousandEyes. Hosting options shown: Virtualized Appliance, ISR/C8K Native, ISR4K with UCSE/SSD.
NBAR on Viptela OS
Platforms: vEdge, cEdge

Use Case
From 20.6 Viptela OS, NBAR is used as the application classification engine on Viptela OS routers.

Supporting NBAR on Viptela OS helps achieve the use cases below:
• Consistency in application classification between vEdge and cEdge
• Full access to NBAR-supported applications
• NBAR supports better sub-classification for enterprise-grade application classification

Caveats / Prerequisites
Once upgraded to 20.6 Viptela OS, vManage analyses the centralized policy configuration and triggers notifications if there are any application names that need to be added to the policy configuration; vManage also notifies if there are any unsupported apps in the policy configuration which can’t be recognized with NBAR.

Diagram: a flow (S: 192.168.10.1, D: 192.168.20.2, IPv4) crossing the SD-WAN fabric is classified by NBAR, e.g. Flow1 → webex-media.
DRE Optimization Enhancements
Platforms: cEdge (not vEdge)

Problem
In 17.5/20.5, DRE (Data Redundancy Elimination) optimization support was introduced only for Catalyst 8000 platforms, with a fixed DRE container profile with specific CPU, RAM and storage requirements.

Solution
With SD-WAN 17.6/20.6, DRE container profiles (S, M, L and XL) are introduced, using which the DRE container can be run with various CPU, RAM and storage requirements based on the number of TCP connections that need DRE optimization.
In 17.6/20.6, the External Service Node Catalyst 8000v can be deployed on a UCS E-series module inserted in ISR4k or Catalyst 8300 routers, and the ISR4k/Cat8300 router can run as Service Controller or Hybrid cluster to leverage the C8kv on UCS-E for DRE optimization.

Caveats / Prerequisites
None

Diagram: Client – WAN Edge – SD-WAN Fabric (DRE-compressed TCP connection) – WAN Edge – Server; plain TCP connections on either side of the fabric.
Network Wide Path Insight (NWPI)
Platforms: vManage, cEdge (not vEdge)

Use Case
In 17.4/20.4, NWPI provides network-wide insights such as packet trace with network path info and path performance metrics, and helps to validate policy design.

Solution
NWPI phase 2 in 20.6/17.6 is further enhanced to provide details regarding various application performance issues such as flow asymmetry, bi-directional TLOC color inconsistency, QoS congestion, local or WAN interface drops, SLA violation, path change, flow reset, and DPI packet classification status (First Packet Match failure etc.).

Caveats / Prerequisites
• ICMP and multicast traffic can’t be traced.
• A maximum of 10 traces can be running simultaneously across the SD-WAN overlay.

Diagram: NWPI trace of a flow (S: 192.168.10.1, D: 192.168.20.2, IPv4) across the SD-WAN fabric; trace outputs: DNS Domain Discovery, Application Performance Visibility, Policy Design Validation, Insight readouts for Troubleshooting.
ACL on Loopback (XE)
Platforms: vEdge, cEdge

Problem
• This feature is an enhancement to ensure that the implicit ACL configured on a loopback interface takes effect.
• The implicit ACL protects against DoS attacks by allowing only limited packets to be forwarded.
• At present, the configured ACL service doesn’t work on a cEdge loopback interface.

Solution
• Starting from IOS-XE SD-WAN release 17.6 onwards, the implicit ACL is supported on the loopback interface to allow/disallow packets based on various filters, e.g. ospf, ssh, icmp etc.
• The feature is designed to handle the following cases:
  a. Loopback bound to a physical WAN interface
  b. Loopback bound to a physical interface (vpn 0, no tloc)
  c. Loopback interface in unbind mode

Caveats / Prerequisites
None

Diagram: vSmart pushes a central data policy; DC-cEdge and Branch-1-cEdge are connected over INET/MPLS via Gig1. With the loopback-bound tunnel interface below, ICMP toward the loopback is ALLOWED and SSH is DROPPED. Loopback configuration from the slide:

  sdwan
   interface Loopback100
    tunnel-interface
     bind Gig1
     encapsulation ipsec
     color mpls
     allow-service icmp
     no allow-service sshd
    exit
Per-VPN QoS
Platforms: cEdge (not vEdge)

Problem
• In the current SD-WAN solution, only limited QoS modules are supported: a 2-level QoS policy on the physical interface, and per-tunnel QoS since 17.2.
• The WAN interface is not aware of VPN traffic, which means all VPN traffic still shares the same SD-WAN resource. Additional requirements were needed to support a more flexible QoS module.

Solution
The Per-VPN QoS feature is introduced in the 17.6 IOS XE SD-WAN version. This feature differentiates QoS service per VPN. It provides the following benefits:
• Traffic throughput can be differentiated on a per-VPN basis, thus providing the capability to regulate the throughput ratio among VPNs.
• A greedy VPN is limited in how much outbound bandwidth it can use and therefore can’t hog the WAN’s resources and starve other VPNs.
• QoS policy can be applied per VPN so that various QoS services are used on one interface for different VPNs.

Caveats / Prerequisites
cEdge support only; supports the per-tenant model.

Diagram: hierarchical QoS on a 200 Mbps WAN interface (grand-parent shaper). Traffic initiated from service VPNs is scheduled under per-VPN parent shapers (VPN QoS map): VPN 101-102 with min bandwidth 10 Mbps / max 20 Mbps, VPN 201-209 with min 30 Mbps / max 50 Mbps, plus a default VPN. Each parent has its own child queueing (QoS map), e.g. Queue 1: 20% … Queue 7: 30% for VPN 101, Queue 1: 20% … Queue 7: 40% for VPN 201, Queue 1: 10% … Queue 7: 20% for VPN 209. VPN 101 and 102 traffic gets scheduled together and can also be shaped on the WAN interface; likewise VPN 201 ~ 209 traffic.
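A constructed model of the hierarchical shaper described above, added here as an example (not Cisco code): a 200 Mbps grand-parent shaper over per-VPN parent shapers with the slide's min/max figures, showing that a greedy VPN is capped while the others keep their guaranteed floor. The water-filling allocation is an assumption standing in for the real scheduler; the VPN demands and the default VPN's limits are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

INTERFACE_BW_MBPS = 200.0  # grand-parent shaper on the WAN interface (from the slide)


@dataclass
class VpnShaper:
    """One per-VPN parent shaper (VPN QoS map): guaranteed floor and ceiling."""
    name: str
    min_bw: float  # Mbps guaranteed to this VPN
    max_bw: float  # Mbps ceiling for this VPN
    demand: float  # Mbps the VPN currently offers (constructed input)


def allocate(interface_bw: float, vpns: List[VpnShaper]) -> Dict[str, float]:
    """Modelled allocation: every VPN first gets min(demand, floor), then the
    remainder is water-filled round-robin up to each VPN's ceiling.
    Assumption: this simple water-fill stands in for the real HQoS scheduler."""
    alloc = {v.name: min(v.demand, v.min_bw) for v in vpns}
    remaining = interface_bw - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of guaranteed minimums exceeds interface bandwidth")
    eps = 1e-9
    while remaining > eps:
        wanting = [v for v in vpns if alloc[v.name] + eps < min(v.demand, v.max_bw)]
        if not wanting:
            break  # every VPN is satisfied or at its ceiling; the rest stays idle
        share = remaining / len(wanting)
        for v in wanting:
            give = min(min(v.demand, v.max_bw) - alloc[v.name], share)
            alloc[v.name] += give
            remaining -= give
    return alloc


def slide_scenario() -> Dict[str, float]:
    """The slide's two VPN groups plus a greedy default VPN (demands constructed)."""
    vpns = [
        VpnShaper("VPN101-102", min_bw=10, max_bw=20, demand=15),
        VpnShaper("VPN201-209", min_bw=30, max_bw=50, demand=80),
        # default VPN limits are an assumption: no floor, may use the whole interface
        VpnShaper("default", min_bw=0, max_bw=INTERFACE_BW_MBPS, demand=500),
    ]
    return allocate(INTERFACE_BW_MBPS, vpns)


if __name__ == "__main__":
    for name, mbps in slide_scenario().items():
        print(f"{name:12s} {mbps:6.1f} Mbps")
```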
Carrier Supporting Carrier (CSC) Support
Platforms: cEdge (not vEdge)

Problem
Within the Department of Defense (DOD) and some large MSP customers, there are multiple individual sub-organizations and services (A, B, C, D) which use the services of another sub-org “Z” to fulfil their inter-connectivity requirements. “Z” mandates that A, B, C and D act as individual service providers and send labelled packets within Z’s core in order to utilize the Z network. This required DOD sub-groups migrating to SD-WAN to send labelled packets instead of using regular IP forwarding.

Solution
17.6 introduces the capability to send BGP-based labels to the CSC backbone in order to form tunnels using MPLS links provided by DOD sub-org Z. The tunnel is encapsulated into an additional labelled packet.

Caveat / Prerequisites
IPv6 on the transport side is not supported. cEdge only.

Diagram: cEdge (CSC-CE, VPN-X) – CSC-PE – Z backbone – CSC-PE – cEdge (CSC-CE, VPN-X), with eBGP send-label on the CE-PE links. Packet formats: unlabelled IP on the CE side; IP|VPN-label|Outer-IP|eBGP-label on the CE-PE links; IP|VPN-label|Outer-IP|Backbone-label inside the backbone. Traffic types shown: control traffic, BFD probe traffic, VPN data traffic.

MT-Controller Reverse Proxy Support
Platforms: vManage, vSmart

Problem
For some global enterprise and MSP customers, the security architecture mandates that critical controller infrastructure sits behind a reverse proxy, which provides another layer of security and insulation for the SD-WAN controllers. In this kind of scenario, instead of using NAT, the controller depends entirely on the reverse proxy for control communication with branches, i.e. WAN edges talk to the reverse proxy while the reverse proxy talks to the controllers in the backend over a secure channel.

Solution
In the previous release this feature was validated for single-tenant vManage and the vEdge platform only. In 17.6, this feature is validated in multitenant vManage/clustering scenarios and for both vEdge and cEdge platforms.

Caveats / Prerequisites
vManage DR and DB config restore not validated. TLS only, IPv4 only. vEdge5k not supported; limited MT support.

Diagram: vManage and vSmart inside on private IPs and ports with no Internet access; the reverse proxy outside (Internet access) holds the proxy IP/port to private IP/port mappings; WAN edges form control connections through the reverse proxy, while direct control connections go to vBond.
Route Leak Enhancements
Platforms: vManage, cEdge, vEdge

Problem
Route leak from the underlay to a service VPN and vice versa gives users flexibility of routing in order to achieve multiple customer use cases, e.g. migration support or optimal SP service access. The 20.3/17.3 release introduced route leak support for vEdge and cEdge. The cEdge route leak implementation in 17.3 was missing redistribution of leaked routes into BGP, which is considered the primary routing protocol in the underlay with service providers. Along with that there were some gaps: missing CLI and limited flexibility of configuration using the GUI.

Solution
The 20.6/17.6 release focuses on closing gaps from the previous release by providing the missing features, flexibility of configuration and the ability to handle more use cases. This release introduces:
• BGP redistribution support in both global and service VPNs, along with important route attribute propagation for better flexibility and loop prevention
• GUI support for cEdge configuration with an enhanced, easy-to-use workflow
• OMP AD change support for IPv4 and IPv6 using OMP and VPN templates
• GUI-based VRRP tracker config referencing IOS-XE based IP SLA tracker add-on CLI configs

Caveats / Prerequisites
IPv4 unicast only; no OMP leaking support.

Diagram: Colo/DC/Hub with a DC core in VPN X (BGP, OSPF, EIGRP) and VPN 0 (BGP, OSPF) toward a CE and SP services (SIP, CPE mgmt, security etc.) over Internet/MPLS (BGP, static being most used); a legacy (non-SD-WAN) site with VPN 0 (BGP, OSPF) and a branch LAN in VPN X (BGP, OSPF, EIGRP).
EtherChannel Support at Service VPN
Platforms: vManage, cEdge (not vEdge)

Problem
The existing SD-WAN deployment has no support for port-channel; the absence of this feature leads to low resiliency, and there is no way to do link aggregation in customer environments with heavy deployments of switches.

Solution
SD-WAN IOS-XE now supports port-channel configuration starting with 17.6/20.6.

Caveats / Supported platforms
CSCvw94717 - EtherChannel / LACP YANG CLIs implementation and hardening.
The configuration is only available via CLI and there is no vManage template support; this release is only for the service-side VPN and supports Layer 3 port channels.

Diagram: two cEdges connected over INET/MPLS, each with a Layer 3 Port-Channel1 on the service side (10.10.10.1/24 and 20.20.20.1/24).
cEdge MIB parity with vEdge
Platforms: vEdge, cEdge

Problem:
vEdges offer SNMP MIB support for querying operational data. This is missing in cEdges, and some customers require MIB support to work with their existing network management applications.

Solution:
The Cisco SD-WAN 20.6/17.6 release aims to close this gap by supporting the SNMP MIBs in cEdges as well.

Caveats:
Only some MIBs are supported in 20.6/17.6; more in upcoming releases (MIB support plan).

Diagram: SNMP clients querying MIB 1, MIB 2, MIB 3 … MIB N on vEdge and cEdge.
Multitenant Migration and Scale Improvement
Platforms: vManage, vBond, vSmart

Problem:
Customers on 20.3/17.3 multitenant and single-tenant deployments who want to deploy the vSmart MT feature must migrate from the 20.3/17.3 to the 20.6/17.6 release.

Solution:
Cisco’s Multi-Tenant SD-WAN migration approach is implemented using API calls and software upgrades without impacting data plane connectivity. 20.6/17.6 also allows customers to scale up to 100 tenants with 5000 devices in a 6-node vManage cluster.

Caveats:
Single-tenant migration to multitenant as a tenant should be on the same software version.
Only 20.4/20.5 multitenant migration to 20.6 MT is supported; edges also need to be upgraded to the 20.6/17.6 version during the same maintenance window, otherwise the data plane will get reset.

Diagram: API migration from ST-vSmart to MT-vSmart; scale to a 6-node (3+3) cluster; tenants scale up to 100 / 5000 devices.
Cloud Networking

Cisco-Megaport SD-WAN Cloud Interconnect
Platforms: vEdge, cEdge

Problem
SD-WAN has been a driving force behind businesses shifting their WAN towards commodity Internet for over a decade now. But this transition has brought forth its own challenges, namely the fact that the Internet (while efficient and robust) is unpredictable.

Solution
Customers seek the best of both worlds when it comes to WAN connectivity: commodity price with premium features. Cisco SD-WAN optimization, now coupled with programmatic access to Megaport colocations, allows a customer to solve this dilemma. SD-WAN will optimize traffic over commodity Internet until it arrives at the colocation, where it will ride premium, dedicated bandwidth to the destination. Version 20.6 brings Microsoft Azure and GCP virtual cross-connect support.

Caveats / Prerequisites
None

Diagram: Unify Fractured First-Mile; IaaS Delivered Network Service; Optimal Network Peering Points.
Cisco-Equinix SD-WAN Cloud Interconnect
Platforms: vManage, cEdge (not vEdge)

Problem
SD-WAN has been a driving force behind businesses shifting their WAN towards commodity Internet for over a decade now. But this transition has brought forth its own challenges, namely the fact that the Internet (while efficient and robust) is unpredictable.

Solution
Cisco customers seek the best of both worlds when it comes to WAN connectivity: commodity price with premium features. Cisco SD-WAN overlay optimization, now coupled with programmatic access to Equinix colocations, allows a customer to solve this dilemma. The SD-WAN overlay will optimize traffic over fractured first-mile commodity Internet until it arrives at the colocation, where it will ride premium, dedicated bandwidth into the destination.

Caveats / Prerequisites
AWS support initially, followed by Azure/GCP.
CSR1000v only; no Enterprise Cert support.

Diagram: Unify Fractured First-Mile; IaaS Delivered Network Service; Optimal Network Peering Points.
Cloud onRamp for Multi-cloud – GCP Service Directory
Platforms: cEdge (not vEdge)

Problem
Enterprise cloud-based applications running on GCP are not connected to SD-WAN. The network administrator must create custom applications for this use case. Cloud apps are dynamic, and every change of the application definitions requires manual intervention on the SD-WAN side.

Solution
Now cloud applications can register in the GCP Service Directory, and vManage will read app metadata like endpoint IP and port number on a regular basis. Detected cloud-discovered applications are handled like custom apps for SD-WAN policy creation.

Caveats / Prerequisites
The total number of custom and cloud-discovered apps is limited by SD-AVC, which is approx. 1,100 apps. If the total number is reached, new apps will not be added to vManage.

Diagram: (1) apps register their metadata in the Google Cloud Service Directory; (2) vManage reads the cloud-detected apps; (3) SD-WAN policy is applied across the fabric between the remote site (ISP1/ISP2) and the data center.
Multi-cloud monitoring for real-time data in vManage
Platforms: vManage, cEdge (not vEdge)

Problem
Customers are using Cloud onRamp Multi-Cloud to provision connectivity to multiple cloud service providers. They need a way to monitor the status of these integrations and normalize data from disparate providers into an easily digestible format.

Solution
The Multi-Cloud dashboard provides a graphical view of the status of Cloud Gateways (Azure, GCP, AWS) and Interconnects (Megaport). The connected sites and associated VNETs/VPCs are also shown. The dashboard provides intuitive links to drill down on individual objects and view their associated status and statistics.

Caveat
Azure, GCP, AWS, and Megaport.

Diagram: Multi-Cloud Dashboard in vManage showing account info, cloud gateway count, tag count, host VNet count, VPN connections, WAN edges, vHub ASN and throughput.
Cloud OnRamp for SaaS via SIG
Platforms: vEdge, cEdge

Problem
Currently Cloud OnRamp for SaaS doesn’t support using Secure Internet Gateway (SIG) IPsec/GRE tunnels for SaaS application traffic, and the best SIG tunnel can’t be selected for SaaS traffic when going via a SIG provider.

Solution
With SD-WAN v17.6.1/20.6, Secure Internet Gateway (SIG) IPsec/GRE tunnels can be selected for best-path selection in the Cloud OnRamp for SaaS workflow. The edge router sends HTTP probes through the SIG tunnels and measures the performance of each tunnel in a similar way to how path performance is calculated for local or gateway exits in Cloud OnRamp for SaaS.

Caveats / Prerequisites
• On cEdge, either TLOC interfaces or SIG tunnels can be selected.
• ECMP load balancing across multiple best-performing tunnels is not supported.

Diagram: a remote site with ISP1/ISP2 exits and SIG provider tunnels (Cisco Umbrella, Zscaler or others) toward the SaaS application; a regional data center gateway exit reached across the SD-WAN fabric.
Security

SD-WAN Unified Security Policy
Platforms: cEdge (not vEdge)

Problem
The on-prem security stack supported in SD-WAN offers various capabilities such as ZBFW, IPS/IDS, AMP, URL Filtering, DNS Security and SSL Proxy. All these capabilities work independently and can be applied only at a VPN level, which doesn’t provide the flexibility our customers require.

Solution
With the introduction of Unified Security Policy in 20.6/17.6, customers now have the flexibility to configure security policies in a granular fashion and apply advanced inspection profiles, making the behavior synonymous with the NGFW model that is popular in the security industry.

Caveats
• The DNS Security workflow is not part of Unified Security Policy as of 20.6/17.6; it continues to work independently.

Diagram: security zones on the edge (Outside Zone toward the public Internet, Self Zone, Employee Zone, Guest Zone / Guest VPN) with inspection signatures applied between zones.
Geo Fencing with SD-WAN Edge Devices
Platforms: cEdge (not vEdge)

Problem
Unauthorized removal, placement or movement of WAN Edge devices may allow inappropriate access to an organization’s network and resources.

Solution
• The Geo Fencing feature can be enabled on the WAN edge routers
• Utilizes location-based services (GPS) to track the assets
• Provides real-time alerts on vManage / SMS to registered mobile numbers if the device moves out of the authorized geographical boundary
• Supported actions: device invalidation, stopping the data traffic, and factory reset

Caveats / Prerequisites
• Geofencing can be enabled through CLI / add-on CLI template only
• Supported platforms: ISR1K and Catalyst 8000 series with LTE/GPS support

Diagram: WAN edge router with 4G/5G LTE and GPS; the home location is defined by GPS co-ordinates with a geo-fence radius of 100-1000 meters.

SD-WAN Certificate Enhancements
Platforms: vManage, vEdge, cEdge

Problem
Until 17.5/20.5, there is no option to re-generate the CSR for software WAN edge devices, and customers have to re-onboard the device with valid certificates once they expire. No alarm is generated for expiring/expired certificates.

Solution
As part of the 20.6/17.6 release, three new enhancements are introduced related to SD-WAN certificate management:
1. CSR re-generation and certificate renewal for software WAN edges. Supports both vManage automated and manual Enterprise CA.
2. A notification alarm is triggered when a WAN edge router has an expiring/expired certificate. If the cert is expiring in 6 months, the alarm is triggered once a month for the first 5 months, then every week in the last month, every day in the last week, and every hour on the last day.
3. Option to upload the Symantec (DigiCert) JKS file directly on vManage.

Caveats / Prerequisites
None

Diagram: software WAN edges submitting CSRs to vManage / the Enterprise CA for renewal.
SNMP Traps: Certificate Expiry Alert & Health Check
Platforms: vEdge, cEdge

Problem
Until 17.5/20.5, SNMP traps were not supported on XE SD-WAN devices, and certificate expiry / health check SNMP traps were not included in the SD-WAN solution.

Solution
From 17.6/20.6, SNMP traps can be enabled on XE SD-WAN devices, and enhancements are made on Viptela devices to support certificate expiry and health check related SNMP traps.
• Cert expiry alert on cEdge, vEdge, vSmart, vBond & vManage for all SD-WAN-related certs, including Enterprise CA certs
• Supports SNMP traps related to system health checks such as disk, memory and CPU usage on controllers, cEdge and vEdge platforms
• No new configuration change is needed for health check and certificate expiry traps on top of the SNMP trap configuration

Caveats / Prerequisites
Partial MIB support on XE SD-WAN devices.

Diagram: WAN edges sending SNMP traps (sourced from their MIBs) to an SNMP Manager / NMS.
RBAC for policy configuration and modification
Platforms: vManage

Problem:
Customer-managed requests are a big chunk of MSPs’ business revenue. MSPs are looking to differentiate their offerings from their competitors. One of the key differentiating capabilities is the co-managed policy.

Solution:
• vManage RBAC for policies allows a user/group selective R/W access to policies.
• Topologies are owned by the service provider, and the end customer should never be able to change these, for overlay security reasons.
• Typically, in the field, policy configuration and policy deployment are done by different users.

Caveats:
Centralized and localized policies only; security policies are excluded.

Diagram: RBAC applied to policies, with separate users configuring the topology policy, configuring the QoS policy, and deploying the policy.
vManage and Onboarding
Smart Licensing phase 2 (offline reporting and compliance notification)
Platforms: vManage

Problem
In the context of licensing for SD-WAN components, there are customer setups where there is no connectivity to CSSM, which would require a manual upload/download of the SA/VA and license summary file to assign licenses and track consumption on vManage.

Solution
vManage can now assign licenses to edge devices, record license usage and report it to CSSM (Cisco Smart Software Manager) for offline SD-WAN deployments. CSSM keeps track of license usage in the form of reports. You can also see compliance alerts related to reporting and the different types of license subscriptions.

Caveat / Prerequisite
a) The entitlements MUST be part of a Smart Account / Virtual Account.
b) Only the DNA stack is consumable by vManage for SD-WAN SLE.

Diagram (offline mode): licenses are added/changed/deleted/modified on CSSM after the initial order; vManage periodically requests the license summary and reports SA/VA usage; Cisco OPS performs usage reconciliation and a quantity compliance check; ordering and fulfillment covers try & buy, POC and trial, with SBP for billing.
[Day0] One touch provisioning using mobile app/SMS (Ph2)
Platforms: cEdge (not vEdge)

Problem:
To onboard a new edge device, it has to be configured with certain basic parameters like the vBond controller IP, port number etc. This is usually provided by the PnP process. There may be cases where PnP is not available and/or one/zero touch provisioning is not possible, such as when IP connectivity does not exist.

Solution:
Leverage the cellular SMS service and a mobile application to push the controller configuration to the device and onboard it. A configuration file is pushed using dynamically generated SMS encryption keys, which is more secure.

Caveats:
cEdge only; requires a cellular interface / LTE support and the ezManage service. Mobile app only on Android.

Phase 1 was delivered in the SD-WAN 20.5/17.5 release.
SD-WAN UX 2.0
Vision and Key Attributes

Simplified Experience + Differentiated Experience + Address Competitive Gaps = SD-WAN UX 2.0
UX 2.0 – Phase 1

Emphasizes the Day 0 & Day 1 experience for new customer on-boarding.

• Enhanced GUI
• Workflows Library
• Quick Connect onboarding
Enhanced GUI
Streamlined Solution
• Standardizes and improves basic user interactions
• Consistency with DNAC gives users confidence in working effectively across Cisco EN products
Workflows Library

The workflow home screen shows all available workflows for your organization.
a) In-progress workflows are at the top of the screen.
b) The library of intents organizes common tasks by desired outcomes.
c) The library can be discovered and filtered by intent.
d) Users can also search for workflows from the top of the screen.
UX 2.0 Day-0 Quick Connect Workflow
Platforms: vManage

Problem:
vManage GUI workflows are not very intuitive, which makes Day-0 SD-WAN onboarding difficult for customers. Also, the GUI is outdated.

Solution:
The UX 2.0 Day-0 Quick Connect workflow enables customers to create device templates to onboard Cisco IOS XE SD-WAN devices using ZTP/PnP, and to generate bootstrap CLI configuration.

It is a new, user-friendly UI and intuitive workflow. Onboard your devices in an easy and quick manner:
1. Import valid customer devices into vManage
2. One pre-defined profile is pushed to all devices, establishing control-plane and data-plane
3. Launch the vManage dashboard
4. Done!

Caveats:
cEdge only.
17.6.2 Features

17.6.2 (Major) Features At-A-Glance

Infra and Services
• Adaptive FEC support
• Security MIB control OIDs (for OBS)
• NTP Server using CLI Local policy

Security
• Layer7 health check for SIG auto-tunnels
• DigiCert Root CA push to Devices, Controllers, PnP/ZTP

Cloud Networking
• C8000v in Openstack Train / Queens
Layer7 Health Check: Tracking SIG Tunnel Health
Platforms: vEdge, cEdge

Problem
• As a network admin, I want to monitor IPsec tunnel health to detect brownouts and dynamically influence traffic forwarding based on high-performing tunnels.

Solution
• As of the 20.6/17.6 release, L7 health check is enabled by default for all SIG auto-tunnels provisioned using vManage Secure-Internet-Gateway templates.
• The default tracker sends an HTTP ping request to the service API, measures the RTT latency and compares it with the default threshold.
• Tunnels whose tracker status does not meet the SLA are marked down.
• Optionally, customers can create a custom tracker to override the default parameters or use any service URL of their choice.

Diagram: a branch with several IPsec tunnels to the SIG provider, each with a tracker status of Meets SLA or Below SLA; the tracker is provisioned from vManage.

Adaptive FEC
Platforms: vEdge, cEdge

Problem
When FEC is enabled, a parity packet is sent for every 4 packets, and the parity packet is used for reconstruction if one of the 4 packets is lost. Typically, FEC is enabled for critical applications, and the parity packet is generated irrespective of WAN conditions, so it causes inefficient bandwidth usage.

Solution
In 17.6.2, on XE SD-WAN routers, Adaptive FEC can be configured; with it, FEC is triggered only when the configured loss percentage threshold (1%-5%) is exceeded on the overlay tunnels.

Caveats / Prerequisites
Enabling FEC, either always or adaptive, could cause packet re-ordering.

Diagram: the sender XORs each block of 4 packets (1 2 3 4, then 5 6 7 8) into a parity packet P and sends it with the block; the receiver XORs the packets that arrived with P to rebuild the one lost packet of the block.
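The XOR parity scheme and the loss-threshold trigger described above, as an added example (not Cisco code): one parity packet per block of 4 data packets, repair of a single loss per block (two losses in a block cannot be repaired, which the code reports by returning only what arrived), and a sender that emits parity only while the observed loss rate exceeds the configured 1%-5% threshold. The 2-byte length framing, the loss-feedback window and the sample packets are constructed assumptions.

```python
import struct
from typing import Dict, List, Optional

BLOCK = 4  # data packets per parity packet, as on the slide


def _frame(pkt: bytes, n: int) -> bytes:
    """2-byte length prefix plus payload, zero-padded to n bytes (assumed framing
    so that packets of unequal length can be XORed and the length recovered)."""
    return (struct.pack(">H", len(pkt)) + pkt).ljust(n, b"\x00")


def make_parity(packets: List[bytes]) -> bytes:
    """Parity packet P = XOR of all framed packets in the block."""
    if len(packets) != BLOCK:
        raise ValueError(f"a block holds exactly {BLOCK} data packets")
    n = 2 + max(len(p) for p in packets)
    parity = bytearray(n)
    for p in packets:
        for i, b in enumerate(_frame(p, n)):
            parity[i] ^= b
    return bytes(parity)


def recover_block(received: Dict[int, bytes], parity: Optional[bytes]) -> Dict[int, bytes]:
    """Receiver side. `received` maps block index (0..3) -> packet that arrived.
    With P and exactly one packet missing, XOR of P with the survivors is the
    missing packet; otherwise the block is returned as received (unrepairable)."""
    missing = [i for i in range(BLOCK) if i not in received]
    if not missing or parity is None or len(missing) != 1:
        return dict(received)
    n = len(parity)
    buf = bytearray(parity)
    for p in received.values():
        for i, b in enumerate(_frame(p, n)):
            buf[i] ^= b
    (length,) = struct.unpack(">H", bytes(buf[:2]))
    out = dict(received)
    out[missing[0]] = bytes(buf[2:2 + length])
    return out


class AdaptiveFec:
    """Sender-side decision: add parity only while measured loss > threshold.
    Loss feedback arrives as constructed per-packet reports over a sliding window
    (assumption: the real router derives loss from its own tunnel statistics)."""

    def __init__(self, loss_threshold_pct: float, window: int = 100):
        if not 1.0 <= loss_threshold_pct <= 5.0:
            raise ValueError("configurable threshold range on the slide is 1%-5%")
        self.threshold = loss_threshold_pct
        self.window = window
        self.history: List[bool] = []  # True = packet reported lost

    def observe(self, lost: int, sent: int) -> None:
        """Record a feedback batch: `lost` of `sent` packets did not arrive."""
        self.history.extend([False] * (sent - lost) + [True] * lost)
        self.history = self.history[-self.window:]

    def loss_pct(self) -> float:
        if not self.history:
            return 0.0
        return 100.0 * sum(self.history) / len(self.history)

    def fec_active(self) -> bool:
        return self.loss_pct() > self.threshold

    def encode_block(self, packets: List[bytes]) -> List[bytes]:
        """The 4 data packets, plus P (25% overhead) only while FEC is active."""
        out = list(packets)
        if self.fec_active():
            out.append(make_parity(packets))
        return out
```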
