
© 2021, Amazon Web Services, Inc. or its affiliates. All rights reserved.


Enterprise Networking and SD-WAN with Cisco and AWS

DOP217-S, sponsored by Cisco

Speakers: Simarbir Singh and Nikolai Pitaev, Technical Marketing Engineers (Virtualization and SD-WAN; SD-WAN and Cloud), Cisco


Agenda

• Centralized firewall inspection architecture with SD-WAN
• Global WAN with Cisco SD-WAN and AWS Cloud WAN
• Creating a bridge between apps and SD-WAN via AWS Cloud Map
• Deeper connectivity into the cloud with Cisco Meraki virtual MX and AWS Transit Gateway
• Global WAN with Meraki SD-WAN and AWS Cloud WAN
• Securing the VPC with SD-WAN and SASE


What is SD-WAN now?

Yesterday:
• Separation of control and data planes
• Policy-based application path selection across multiple WAN connections
• Service chaining for additional services

Today:
• IaaS: the cloud is just another branch/PoP
• SaaS with first-packet match and cloud telemetry
• Cloud app detection and integration into SD-WAN


Which Cisco SD-WAN?

• SD-WAN powered by Meraki: simple and secure full-stack IT for SD-Branch and lean IT environments
• SD-WAN powered by Viptela: maximum versatility with advanced capabilities for sophisticated IT environments


Centralized firewall inspection and SD-WAN


Centralized firewall inspection and SD-WAN

Use case overview

[Diagram: AWS us-west Region with an SD-WAN VPC (Catalyst 8000V routers c8k-R1 in AZ1 and c8k-R2 in AZ2), a shared services VPC with a Gateway Load Balancer (GWLB) and firewalls FTDv-1 to FTDv-n across AZ1 and AZ2, and host VPC1 (App1) and host VPC2 (App2), all attached to an AWS Transit Gateway (TGW); the SD-WAN fabric connects SD-WAN branch 1 and branch 2 over the public internet.]

Requirements: east-west and north-south traffic must go through the firewall.

Benefits:
• Scalable solution
• SD-WAN and security from one hand


Host VPC connectivity options

[Same diagram as the use case overview.]

Design option 1: the host VPC route table points to the GWLB endpoint
  10.111.0.0/16   local
  0.0.0.0/0       vpce-XYZ (FW-Endpoint-Service)

Design option 2: the host VPC route table points to the AWS Transit Gateway
  10.111.0.0/16   local
  0.0.0.0/0       tgw-XYZ (AWS Transit Gateway)


Packet flow: simplified

[Same diagram as the use case overview.]

From host VPC to SD-WAN:
Host VPC ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ SD-WAN

Returning traffic:
SD-WAN ➔ AWS TGW ➔ GWLB ➔ FTDv ➔ TGW ➔ Host VPC

GENEVE protocol for load balancing between the GWLB and the FTDv firewalls.
Transit Gateway appliance mode is required for symmetric routing.


Packet flow: details for the shared services VPC

[Diagram: shared services VPC, AZ1, with a GWLB endpoint, the GWLB (cross-zone load balancing, GENEVE) and firewalls FTDv-1 and FTDv-2; steps 2 to 7 below are numbered on the diagram.]

Step 2: The TGW routes to the GWLB endpoint. Shared services route table:
  10.102.0.0/16   local
  0.0.0.0/0       vpce-XYZ (FW-Endpoint-Service-AZ1, 10.102.3.91)

Target group FW-Target-Group-Geneve with 4 firewalls (two of them shown):
  10.102.3.174    MC-FTD-IFT-1   port 6081   us-west-AZ1
  10.102.13.67    MC-FTD-IFT-2   port 6081   us-west-AZ1

Step 3: The GWLB endpoint routes traffic to the GWLB using AWS PrivateLink.
Step 4: The GWLB routes traffic to a firewall using GENEVE.
Step 5: The firewall decapsulates GENEVE, inspects the packet, re-encapsulates it and sends it back to the GWLB.
Step 6: The GWLB removes the GENEVE header and forwards the packet to the appropriate GWLB endpoint.
Step 7: The GWLB endpoint sends the packet to the TGW.
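Steps 4 to 6 hinge on the firewall handing the packet back inside the same GENEVE envelope it received. The Python block below is an added example, not Cisco's or AWS's code: it parses and rebuilds the GENEVE header (RFC 8926), walks the option TLVs, and models step 5 as a function that drops or re-encapsulates the inner packet with the option block untouched. The option class 0x0108 and the type-3 cookie option are assumptions standing in for the GWLB metadata options, and the inner packet is a constructed stub.

```python
import struct

GENEVE_PORT = 6081          # UDP port the GWLB target group uses (from the slide)
GWLB_OPT_CLASS = 0x0108     # assumption: option class used for the constructed sample option

def parse_geneve(buf):
    """Split a GENEVE packet (RFC 8926) into header fields, raw options and inner packet."""
    if len(buf) < 8:
        raise ValueError("short GENEVE header")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", buf[:8])
    ver, opt_len = b0 >> 6, (b0 & 0x3F) * 4        # option length is counted in 4-byte words
    if ver != 0:
        raise ValueError("unsupported GENEVE version %d" % ver)
    if len(buf) < 8 + opt_len:
        raise ValueError("GENEVE options truncated")
    return {"critical": bool(b1 & 0x40), "proto": proto, "vni": vni_rsvd >> 8,
            "options": buf[8:8 + opt_len], "inner": buf[8 + opt_len:]}

def build_geneve(vni, proto, options, inner, critical=False):
    """Encapsulate `inner`, carrying the option bytes through unchanged."""
    if len(options) % 4 or len(options) > 252:
        raise ValueError("options must be 4-byte aligned and at most 252 bytes")
    return struct.pack("!BBHI", len(options) // 4, 0x40 if critical else 0,
                       proto, vni << 8) + options + inner

def parse_options(opts):
    """Walk the option TLVs; returns (class, type, data) tuples."""
    out, i = [], 0
    while i + 4 <= len(opts):
        cls, typ, ln = struct.unpack("!HBB", opts[i:i + 4])
        ln = (ln & 0x1F) * 4
        out.append((cls, typ, opts[i + 4:i + 4 + ln]))
        i += 4 + ln
    return out

def firewall_return(buf, allow):
    """Step 5 as a function: decapsulate, inspect the inner packet, then either drop it
    (None) or re-encapsulate it with the identical VNI and option block, which is what
    lets the GWLB map the packet back to the right endpoint and flow in steps 6 and 7."""
    pkt = parse_geneve(buf)
    if not allow(pkt["inner"]):
        return None
    return build_geneve(pkt["vni"], pkt["proto"], pkt["options"], pkt["inner"], pkt["critical"])

def sample_packet():
    """Constructed sample: one 4-byte option (type 3, cookie style) around a stub inner packet."""
    opt = struct.pack("!HBB", GWLB_OPT_CLASS, 3, 1) + b"\xde\xad\xbe\xef"
    return build_geneve(vni=0, proto=0x0800, options=opt, inner=b"IPv4-PACKET-STUB")
```

A firewall that rewrites or strips the options breaks the mapping in step 6, so a GWLB integration test should compare the option bytes on both sides of the appliance.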


Connecting SD-WAN

[Same diagram as the use case overview.]

• VPN or Connect attachment for the SD-WAN VPC
• BGP between the AWS TGW and the SD-WAN routers
• Cisco Catalyst 8000V as SD-WAN router
• Multi-Region via AWS Cloud WAN: see the next chapter!
• Automation: GitHub repo SD-WAN CoR LabInfra


Cisco SD-WAN and AWS Cloud WAN


Cisco Multicloud Solutions for AWS

[Diagram: branches 1 to 3 connected to an AWS Transit Gateway in US-West-1, either directly or through an SD-WAN transit VPC (TVPC) in front of the host VPCs.]

• Branch Connect: direct IPsec to the AWS TGW
• Extending the SD-WAN fabric to the cloud: VPN attachment (IPsec) or Connect attachment (GRE)
• All automated in Cisco vManage! (New)


Cisco SD-WAN and AWS Cloud WAN

Use case overview

[Diagram: Los Angeles and London SD-WAN branches on the Cisco SD-WAN fabric, attached to the AWS core network, with apps in VPCs in any Region; Cisco vManage generates the YAML file that describes the core network.]

Use case:
• Site-to-Cloud
• Site-to-Site over the AWS core

Benefits:
• Easily stitch SD-WAN and cloud across many Regions
• End-to-end segmentation
• Secure, scalable and on-demand bandwidth


Architecture

[Diagram: Cisco SD-WAN fabric with branches 1 to 3 and a Cloud Gateway (CGW) in a transit VPC (TVPC); core network edges CNE-1, CNE-2 and CNE-3 in Regions 1 to 3 of the AWS core network, each fronting VPCs; Test and Prod segments; Cisco vManage drives both the SD-WAN policy and the Core Network Policy (CNP).]

Core Network Policy (CNP) defines:
• Regions
• Edges
• Segments
• Dynamic routing
• Attachments
• Sharing (route leaking)
• Service insertion (FW)


Cisco SD-WAN orchestration for Cloud WAN

Use Cisco vManage to deploy and manage AWS Cloud WAN

• Connect SD-WAN branches to AWS with private or public connections
• Deploy the SD-WAN Cloud Gateway (CGW) with edge services in as many AWS Regions as required
• The AWS core network automatically creates inter-Region core network edge (CNE) peering in the participating Regions using the AWS backbone
• Extend SD-WAN segments by discovery and tagging for end-to-end segmentation across multiple Regions
• Enable a Transit Gateway Connect attachment between the SD-WAN edge and the CNE for high-bandwidth requirements
• Enable unified end-to-end network policy control
• Insert services between segments using business-driven policy intent


Workflow: Cisco vManage

Cloud OnRamp for Multicloud

Stage 1:
1. Provide vManage access permissions to your AWS account
2. Select the configuration for the SD-WAN router acting as cloud gateway

Stage 2:
1. Discover VPCs across AWS Regions
2. Select the VPCs to connect your cloud SD-WAN network to
3. Tag the VPCs for SD-WAN management

Stage 3:
1. Launch an SD-WAN cloud gateway in your Region
2. Deploy a new AWS Transit Gateway
3. Connect the Transit Gateway to the SD-WAN VPC

Stage 4:
1. Configure segmentation
2. Select the segments to extend to VPCs
3. Stitch WAN segments to VPC segments


Mapping SD-WAN and cloud infrastructure

One click in the intent management table: mapping SD-WAN to host VPCs with 1 click!


AWS Cloud Map as a bridge between apps and the SD-WAN network


Creating a bridge between cloud apps and SD-WAN via AWS Cloud Map

Use case summary:
• The cloud-native WAN adapter / vManage detects cloud-based apps automatically
• DevOps register cloud-based apps at AWS Cloud Map (writing the metadata "traffic-profile", for example "traffic-profile=video")
• NetOps create SD-WAN policies and ensure the required app experience in the network

[Diagram: a DevOps app registered in AWS Cloud Map with "traffic-profile=video"; the SD-WAN fabric carries its traffic to the Los Angeles branch under policies set by NetOps.]

Details: developer.cisco.com/docs/cloud-native-sdwan/#!cn-wan-adaptor


Cisco Meraki and AWS


A platform approach to SD-WAN

[Diagram: the Meraki cloud platform (powered by Meraki) at the center, with digital business applications integrating via { API } and out-of-the-box management & analytics delivered via { HTTPS }.]


Create the foundation for a high-quality experience in three clicks

• Simple: the ability to configure site-to-site, Layer 3 IPsec VPN tunnels in just three clicks in the Cisco Meraki dashboard over any WAN link
• Automatic: the VPN configuration is generated and deployed automatically from the cloud; create a mesh or hub-and-spoke topology with only a few clicks
• Resilient: automatically adjusts to changes in order to maintain secure connectivity during an ISP or datacenter outage, hardware failure, or IP address update


Extend security deep into the cloud

• Virtual MX (vMX) is a virtual instance of a Meraki security & SD-WAN appliance
• vMX extends the optimized SD-WAN fabric to hybrid cloud environments
• Flexible connectivity: deep public cloud connectivity for multi-Region deployments
  • AWS Transit Gateway
  • AWS Cloud WAN


Cisco Meraki vMX and AWS Transit Gateway


Extending SD-WAN to AWS Transit Gateway

• Extend your branch SD-WAN deployments to applications hosted on AWS
• Highly available architecture for deeper connectivity to cloud resources via AWS Transit Gateway (TGW) using AWS Lambda
• Single-button automated deployment via AWS Quick Start


Cisco Meraki vMX and AWS Cloud WAN


Multi-Region deployment use case

• Customers are increasingly operating in multiple Regions within the cloud
• Manually setting up multiple peering attachments and the lack of automation can make it difficult to scale and manage

[Diagram: three Regions in the AWS Cloud, each with an SD-WAN VPC hosting a Cisco Meraki vMX, workload VPCs and a TGW; branch sites reach each Region over SD-WAN tunnels, and the Regions are joined to each other by TGW peering attachments.]


Simplified multi-Region deployment

[Diagram: the same three Regions, each with an SD-WAN VPC hosting a Cisco Meraki vMX and a workload VPC, attached to the AWS Cloud WAN core network through the Region's core network edge (E); a workload segment and an SD-WAN segment span the core network, and branch sites connect over SD-WAN tunnels.]

• Simplified multi-Region connectivity
• Managed Transit Gateway
• Segmentation and intent-based policies
• Regional hubs as VPC attachments


Cisco Meraki vMX with AWS Cloud WAN

Topology for the demo

[Diagram: a Meraki SD-WAN branch site (10.198.0.0/24) connected over SD-WAN to a Cisco Meraki vMX in an SD-WAN VPC in Region A; a workload VPC (172.32.0/24) in Region B; both VPCs joined to the AWS core network as VPC attachments through the Region's core network edge (E), with an SD-WAN segment and a workload segment defined in the Cloud WAN (CW) policy.]


Cisco SD-WAN orchestration for Cloud WAN

Use Cisco Meraki to deploy and manage AWS Cloud WAN

Phase 0: Using AWS Quick Starts
• Extend your Meraki SD-WAN fabric to AWS
• Automate the deployment of SD-WAN edges in any cloud Region using CloudFormation
• Deploy the Cloud WAN core network and connect to sites in other Regions using the AWS Cloud WAN backbone
• Set up Cloud WAN segments and policies

Phase 1: Using the Meraki Dashboard*
• Deploy Cisco Meraki vMX to AWS from the Meraki dashboard in a few clicks
• Deeper integration with the AWS network, with connectivity to AWS TGW and Cloud WAN
• Dynamically define and manage Cloud WAN policies and segments from the dashboard


Workflow: Cisco Meraki

Cloud OnRamp for Multicloud

Stage 1:
1. Launch the CloudFormation template
2. Specify the stack details and create the stack

Stage 2:
1. Launch an SD-WAN edge in your Region
2. Deploy a new AWS Transit Gateway
3. Connect the TGW to the SD-WAN VPC via a VPC attachment
4. Program the SD-WAN branch routes on AWS

Stage 3:
1. Configure your SD-WAN network from the Meraki dashboard
2. Tag the SD-WAN edges to be used as hubs

Stage 4:
1. Multi-Region deployment
2. Set up segments based on business needs
3. Configure attachment policies between segments
4. Connect branch sites to different segments
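The Core Network Policy components listed on the architecture slide (segments, attachments, sharing) and the segment steps in stage 4 above both come down to tag-driven rules. The Python block below is an added example, not Cisco's or AWS's code: it holds a constructed, simplified policy (the real Cloud WAN policy document has more keys, such as version and core-network-configuration, and the condition vocabulary here is a subset) and evaluates which segment an attachment lands in and which segments can exchange routes.

```python
# Constructed, simplified model of an AWS Cloud WAN core network policy: the segments,
# tag-based attachment policies and segment sharing (route leaking) the slides list.
POLICY = {
    "segments": ["sdwan", "prod", "test"],
    "attachment-policies": [
        {"rule-number": 100, "condition-logic": "and",
         "conditions": [{"type": "tag-value", "key": "segment", "value": "prod"},
                        {"type": "attachment-type", "value": "vpc"}],
         "action": {"segment": "prod"}},
        {"rule-number": 200, "condition-logic": "or",
         "conditions": [{"type": "tag-value", "key": "segment", "value": "test"}],
         "action": {"segment": "test"}},
        {"rule-number": 300, "condition-logic": "or",
         "conditions": [{"type": "attachment-type", "value": "connect"},
                        {"type": "attachment-type", "value": "vpn"}],
         "action": {"segment": "sdwan"}},
    ],
    # The SD-WAN segment is shared with prod only, so branches never reach test.
    "segment-actions": [{"action": "share", "segment": "sdwan", "share-with": ["prod"]}],
}

def _match(cond, att):
    if cond["type"] == "tag-value":
        return att["tags"].get(cond["key"]) == cond["value"]
    if cond["type"] == "attachment-type":
        return att["type"] == cond["value"]
    raise ValueError("unknown condition type %r" % cond["type"])

def assign_segment(policy, att):
    """Lowest rule-number that matches wins; None means the attachment stays unassociated."""
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        hits = [_match(c, att) for c in rule["conditions"]]
        if (all(hits) if rule["condition-logic"] == "and" else any(hits)):
            return rule["action"]["segment"]
    return None

def can_reach(policy, seg_a, seg_b):
    """Same segment, or a share action that leaks routes between the two segments."""
    if seg_a is None or seg_b is None:
        return False
    if seg_a == seg_b:
        return True
    for act in policy.get("segment-actions", []):
        shared = {act["segment"]} | set(act["share-with"])
        if act["action"] == "share" and act["segment"] in (seg_a, seg_b) and {seg_a, seg_b} <= shared:
            return True
    return False
```

A mistyped tag value silently drops an attachment into no segment, and a share action that lists both workload segments leaks routes between them, so both checks belong in a pre-deployment policy test.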


Securing the VPC with SASE


Securing the VPC with SASE

Use case overview

[Diagram: an AWS VPC with a workload subnet (servers), an SD-WAN subnet for branch connectivity and a SASE subnet behind an internet gateway; branch traffic to the workloads arrives over SD-WAN, while internet traffic from the workloads leaves via the SASE router to Cisco Umbrella SIG.]

• Traffic to branch sites goes via the SD-WAN router
• Internet traffic from cloud workloads egresses via the SASE router connected to Cisco Umbrella
• Policy enforcement is done via Cisco Umbrella SIG


Next steps

• Risk-free evaluation: meraki.cisco.com/eval and cs.co/CoR-Trial
• Check out our website & blog: meraki.cisco.com/blog, the YouTube SD-WAN channel and cisco.com/go/sdwan
• Check out the Cisco Meraki vMX Quick Starts: aws.amazon.com/quickstart/


Thank you!

Nikolai Pitaev
npitaev@cisco.com
linkedin.com/in/npitaev/

Simarbir Singh
simarbsi@cisco.com
linkedin.com/in/simarbir-singh-85507724/
