SD-WAN and DNA to help the admin: architecture features and practice

[Photo] A stand that you can touch in our lab, if you want.

SD-WAN and SD-Access are two different new proprietary approaches to networking. In the future they should merge into one overlay network, but so far they are only converging. The logic is this: take the network of the 1990s and roll all the necessary patches and features onto it, without waiting another 10 years for it to become a new open standard.

SD-WAN is the SDN patch for distributed corporate networks. Transport is separate, control is separate, so management is simplified.

Pluses - all communication channels are actively used, including the backup one. Traffic is routed per application: what goes through which channel and with what priority. Deploying new sites is simplified: instead of pushing a config, you only specify the address of the Cisco server on the public Internet, in the CROC data center or at the customer's site, from which the configs for your network are fetched.

SD-Access (DNA) is the automation of local network management: configuration from one point, wizards, convenient interfaces. In fact, another network with a different transport at the protocol level is built on top of yours, and compatibility with old networks is provided at the perimeter boundaries.

We will also look at this below.

Now some demonstrations on the test benches in our lab of how it looks and works.

Let's start with SD-WAN. Key features:

  • Simplified deployment of new sites (ZTP) - it is assumed that you somehow feed the site the address of the server with the settings. The site knocks on it, gets the config, applies it and joins your control panel. This is how Zero-Touch Provisioning (ZTP) works. A network engineer does not need to travel to the site to deploy an end device. The main thing is to turn the device on correctly on site and connect all the cables; then the equipment connects to the system automatically. Configs can be downloaded via DNS queries to the vendor's cloud, from a connected USB drive, or by opening a link from a laptop connected to the device via Wi-Fi or Ethernet.
  • Simplified routine network administration - configs from templates, global policies configured centrally, whether you have five branches or hundreds. Everything from a single place. To avoid a long trip, there is a very convenient option to automatically roll back to the previous config.
  • Application-level traffic management - quality assurance and constantly updated application signatures. Policies are configured and pushed centrally (no need to write and update route maps on each router, as before). You can see who sends what and where.
  • Network segmentation. Independent isolated VPNs over the entire infrastructure, each with its own routing. By default traffic between them is blocked; you can open access only for well-defined types of traffic between well-defined network nodes, for example by passing everything through a large firewall or proxy.
  • Visibility of network quality history - how applications and channels performed. Very useful for analyzing and correcting the situation even before users start complaining about unstable applications.
  • Visibility into channels - are they worth their money, do two different operators really come to your facility, or do they actually go through the same network and degrade / fail at the same time.
  • Visibility for cloud applications and steering traffic through certain channels based on it (Cloud OnRamp).
  • One box contains both a router and a firewall (more precisely, an NGFW). Fewer boxes - a cheaper new branch.

Components and Architecture of SD-WAN Solutions

End devices are WAN routers, hardware or virtual.

Orchestrators are the network management tool. They configure end-device settings, traffic routing policies and security functionality. The resulting configs are sent automatically through the control network to the nodes. At the same time the orchestrator listens to the network and monitors the availability of devices, ports and communication channels, and the load on interfaces.

Analytics tools. They make reports based on data collected from end devices: the history of the quality of channels, network applications, availability of nodes, etc.

Controllers are responsible for applying traffic routing policies to the network. Their closest analogue in traditional networks is the BGP Route Reflector. Global policies that the administrator configures in the orchestrator cause the controllers to change the contents of their routing tables and send the updated information to end devices.

What does the IT service get from SD-WAN:

  1. The backup channel is in constant use (not idle). This turns out cheaper, since two thinner channels are enough.
  2. Automatic switching of application traffic between channels.
  3. Administrator time: you can develop the network globally instead of crawling through each piece of hardware with configs.
  4. New branches come up much faster.
  5. Less downtime when replacing dead equipment.
  6. Fast network reconfiguration for new services.

What businesses get from SD-WAN:

  1. Guaranteed operation of business applications on a distributed network, including over open Internet channels. This is about business predictability.
  2. Instant support for new business applications across the entire distributed network, regardless of the number of branches. This is about business speed.
  3. Fast and secure connection of branches in any remote location using any connection technology (the Internet is everywhere, but leased lines and VPN are not). This is about business flexibility in choosing a location.
  4. It can be a project with delivery and commissioning, or it can be a service with monthly payments from an IT company, telecom operator or cloud operator - whichever is convenient.

Business benefits from SD-WAN can be completely different. For example, one customer told us that a top manager requested a direct line to all employees of a multi-thousand-person company, with the ability to deliver content.

For us it was a "military operation". At that moment we were already solving the problem of upgrading the corporate data network (KSPD). And when we understood that we basically needed to renew the equipment, and the technology stack had moved on, why renew the same technologies and services if we could take a step further?

SD-WAN is installed on site by the local "any-key" helpdesk staff. This is important for remote branches, where there may simply be no proper admin. Send it by mail and say: "Plug cable 1 into socket 1, cable 2 into socket 2, and don't mix them up! Don't mix them up, #@$@%!" And if they don't get confused, the device itself contacts the central server, picks up and applies its configs, and this office becomes part of the company's secure network. It's nice when you don't have to travel, and it's easy to justify in the budget.

And here is the layout of the stand:

[Diagram: layout of the stand]

A few setup examples:

[Screenshot] Policy - global traffic control rules. Policy editing.

[Screenshot] Activating the traffic control policy.

[Screenshot] Bulk configuration of basic device parameters (IP addresses, DHCP pools).

Application performance monitoring screenshots

[Screenshot] For cloud applications.

[Screenshot] Detailed view for Office 365.

[Screenshot] For on-prem applications. Unfortunately, we didn't manage to find applications with errors on our stand (the FEC Recovery rate is zero everywhere).

[Screenshot] Additionally - the performance of the data transmission channels.

What hardware is supported on SD-WAN

1. Hardware platforms:

  • Cisco vEdge routers (formerly Viptela vEdge) running Viptela OS.
  • 1000 and 4000 series Integrated Services Routers (ISRs) running IOS XE SD-WAN.
  • 1000 series Aggregation Services Routers (ASRs) running IOS XE SD-WAN.

2. Virtual platforms:

  • Cloud Services Router (CSR) 1000v running IOS XE SD-WAN.
  • vEdge Cloud Router running Viptela OS.

Virtual platforms can be deployed on Cisco x86 computing platforms such as the Enterprise Network Compute System (ENCS) 5000 series, Unified Computing System (UCS) and Cloud Services Platform (CSP) 5000 series. Virtual platforms can also run on any x86 device using a hypervisor such as KVM or VMware ESXi.

How a new device is rolled out

The list of licensed devices for deployment is either downloaded from a Smart Account at Cisco or uploaded as a CSV file. I'll try to get more screenshots later; right now we don't have new devices to deploy.

[Diagram] The sequence of steps a device goes through during deployment.

How a new device is rolled out / config delivery method

We register the devices in the Smart Account.

You can upload a CSV file, or add devices one at a time:

[Screenshot: adding a device to the Smart Account]

Fill in the device parameters:

[Screenshot: device parameters]

Next, in vManage, we synchronize data with the Smart Account. The device appears in the list:

[Screenshot: device list in vManage]

In the drop-down menu next to the device, click Generate Bootstrap Configuration and get the initial config:

[Screenshot: bootstrap configuration]

This config needs to be fed to the device. The easiest way is to connect a USB flash drive to the device with the file saved under the name ciscosd-wan.cfg. When booting, the device will look for this file.

[Screenshot: the device picking up the bootstrap file]

Having received the initial config, the device is able to reach the orchestrator and get a full-fledged configuration from there.
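The Smart Account to bootstrap-file steps above are shown through the vManage GUI. The article also mentions that vManage is driven via API from DNA Center, so the same workflow can be scripted. The following is an added example, not code from the article or from Cisco: a minimal Python client that logs in, lists the devices synchronized from the Smart Account, requests the bootstrap configuration for one device and writes it to a USB drive under the file name the article gives. The endpoint paths (`/j_security_check`, `/dataservice/client/token`, `/dataservice/system/device/vedges`, `/dataservice/system/device/bootstrap/device/{uuid}`) and the JSON keys are assumptions taken from public vManage API documentation and should be checked against your vManage version; the HTTP transport is injected so that `demo()` can run the whole flow offline against constructed responses.

```python
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode

# Transport signature: (method, url, headers, body) -> (HTTP status, response text).
# Injected so the workflow can be exercised against a fake without a network (see demo()).
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]

BOOTSTRAP_FILE = "ciscosd-wan.cfg"  # file name the article says the booting device looks for


class VManageBootstrap:
    """Minimal vManage client for the Smart-Account -> bootstrap-config workflow.
    Endpoint paths and JSON keys are assumptions from public vManage API docs."""

    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base = base_url.rstrip("/")
        self.http = transport
        self.headers: Dict[str, str] = {}

    def _get(self, path: str) -> str:
        status, body = self.http("GET", self.base + path, self.headers, "")
        if status != 200:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
        return body

    def login(self, user: str, password: str) -> None:
        # Assumed: form login sets a session cookie, then an XSRF token is fetched
        # and must accompany every later request.
        status, _ = self.http("POST", self.base + "/j_security_check",
                              {"Content-Type": "application/x-www-form-urlencoded"},
                              urlencode({"j_username": user, "j_password": password}))
        if status != 200:
            raise RuntimeError(f"login failed with HTTP {status}")
        token = self._get("/dataservice/client/token").strip()
        self.headers = {"X-XSRF-TOKEN": token, "Content-Type": "application/json"}

    def list_devices(self) -> List[Dict[str, str]]:
        """Devices synchronized from the Smart Account (the list shown in vManage)."""
        data = json.loads(self._get("/dataservice/system/device/vedges"))["data"]
        return [{"uuid": d["uuid"], "model": d.get("deviceModel", "?"),
                 "cert_state": d.get("vedgeCertificateState", "?")} for d in data]

    def bootstrap_config(self, uuid: str) -> str:
        """Equivalent of 'Generate Bootstrap Configuration' in the device drop-down."""
        body = self._get(f"/dataservice/system/device/bootstrap/device/{uuid}?configtype=cloudinit")
        return json.loads(body)["bootstrapConfig"]


def write_bootstrap(config: str, usb_root: Path) -> Path:
    """Save the config where the booting device expects it. The file carries the
    organization name, the orchestrator address and a one-time enrolment token,
    so treat it as a credential: restrict permissions and wipe the drive afterwards."""
    target = usb_root / BOOTSTRAP_FILE
    target.write_text(config)
    target.chmod(0o600)
    return target


def urllib_transport() -> Transport:
    """Real transport over urllib with a cookie jar (vManage uses a session cookie)."""
    import http.cookiejar
    import urllib.error
    import urllib.request

    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def send(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        req = urllib.request.Request(url, data=body.encode() or None, headers=headers, method=method)
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return send


def demo(usb_root: Path) -> Dict[str, object]:
    """Run the whole workflow against a constructed fake vManage (no network needed)."""
    canned = {  # constructed sample responses, not real vManage output
        "/j_security_check": (200, ""),
        "/dataservice/client/token": (200, "xsrf-token-demo"),
        "/dataservice/system/device/vedges": (200, json.dumps({"data": [
            {"uuid": "ISR4331-DEMO-0001", "deviceModel": "vedge-ISR-4331",
             "vedgeCertificateState": "tokengenerated"}]})),
        "/dataservice/system/device/bootstrap/device/ISR4331-DEMO-0001?configtype=cloudinit":
            (200, json.dumps({"bootstrapConfig": "#cloud-config\nvinitparam:\n - otp : demo-otp\n"})),
    }
    seen: List[Tuple[str, str]] = []  # (method, XSRF token sent) per request

    def fake(method: str, url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        seen.append((method, headers.get("X-XSRF-TOKEN", "")))
        return canned.get(url.replace("https://vmanage.example", ""), (404, ""))

    client = VManageBootstrap("https://vmanage.example", fake)
    client.login("admin", "demo-password")
    devices = client.list_devices()
    path = write_bootstrap(client.bootstrap_config(devices[0]["uuid"]), usb_root)
    return {"devices": devices, "file": path, "requests": seen}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(demo(Path(tmp)))
```

For a real run, pass `urllib_transport()` and the USB mount point instead of the fake; if your vManage presents a certificate from a private CA, add that CA to the trust store rather than turning certificate verification off, since the bootstrap file this script fetches is what lets a box enrol into your overlay.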

A look at SD-Access (DNA)

SD-Access makes it easy to set up ports and permissions for connecting users. This is done with wizards. Port parameters are set in terms of groups such as "Administrators", "Accounting" and "Printers", not in terms of VLANs and IP subnets. This minimizes human error. If, for example, a company has many branches across Russia and the central office is overloaded, SD-Access lets more problems be solved locally, for example the same troubleshooting tasks.

For information security, it is important that SD-Access implies a clear division of users and devices into groups and the definition of interaction policies between them, authorization for any client connection to the network, and enforcement of "access rights" throughout the network. If you follow this approach, administration becomes much easier.

The startup process for new offices is also simplified thanks to Plug-and-Play agents in the switches. There is no need to run around the patch panels with a console cable, or even go to the site at all.

Here are examples of the settings:

[Screenshot] General status.

[Screenshot] Incidents worth reviewing as an administrator.

[Screenshot] Automatic recommendations on what to change in the configs.

Plan for integrating SD-WAN with SD-Access

I heard that Cisco has such plans for SD-WAN and SD-Access. This should significantly reduce the pain of managing geographically distributed and local corporate networks (KSPD).

vManage (SD-WAN orchestrator) is managed via API from DNA Center (SD-Access controller).

[Diagram: DNA Center managing vManage via API]

The micro- and macro-segmentation policies are mapped as follows:

[Diagram: mapping of micro- and macro-segmentation policies]

At the packet level, it looks like this:

[Diagram: packet-level view of the integration]

Who thinks what about it

We have been working on SD-WAN since 2016 in a separate laboratory, where we test different solutions for the needs of retail, banks, transport and industry.

We communicate a lot with real customers.

I can say that retail is already confidently testing SD-WAN, some together with vendors (most often Cisco), but there are also those trying to solve the issue on their own: they write their own software that resembles SD-WAN in functionality.

One way or another, everyone wants to arrive at centralized management of the entire zoo of equipment: one point of administration for non-standard and standard installations, for different vendors and different technologies. It is important to minimize manual work, because, firstly, it reduces the risk of human error when configuring equipment, and secondly, it frees up IT service resources for other tasks. Usually the understanding of this need comes from very long renewal cycles across the country. And if, for example, a retailer sells alcohol, it needs a constant connection for sales. An update or downtime during the day directly affects revenue.

Now retail has a well-defined understanding of which IT tasks it will use SD-WAN for:

  1. Quick deployment (often needed on LTE before the cable provider arrives; it is often necessary for the new point to be brought up by a local admin in the city on a GPC basis, with the center then just checking and configuring it).
  2. Centralized management, connectivity for remote sites.
  3. Reducing telecom costs.
  4. Various additional services (DPI features make it possible to prioritize traffic from important applications such as the cash register).
  5. Working with channels automatically, not by hand.

And there is also compliance checking - everyone talks about it a lot, but no one sees it as a problem. Keeping everything working correctly also works fine in this paradigm. Many believe that the entire network technology market will move in this direction.

Banks, IMHO, are still testing SD-WAN more as a new technological feature. They are waiting for the end of support for previous generations of equipment and only then will they change. Banks generally have their own special atmosphere around communication channels, so the current state of the industry does not really bother them. Their problems lie elsewhere.

Unlike the Russian market, SD-WAN is being actively implemented in Europe. Communication channels are more expensive there, so European companies bring their stack to their Russian divisions. In Russia there is a certain stability, because the cost of channels (even when a region is 25 times more expensive than the center) looks quite normal and raises no questions. Year after year, an unconditional budget is allocated for communication channels.

Here is an example from world practice where a company saved time and money thanks to SD-WAN from Cisco.

There is a company called National Instruments. At a certain point they began to realize that the global network "inherited" from combining 88 sites around the world was inefficient. In addition, the company lacked WAN capacity and performance. There was no balance between the company's continuous growth and its limited IT budget.

SD-WAN helped reduce National Instruments' MPLS costs by 25% ($450k in savings in 2018) while increasing bandwidth by 3%.

As a result of implementing SD-WAN, the company got a smart software-defined network and centralized policy management that automatically optimizes traffic and application performance. The detailed case is here.

Here is a completely crazy case of moving S7 to another office, when at first everything started out hard but interesting - 1,500 ports had to be redone. But then something went wrong, and as a result the admins turned out to be the last ones before the deadline, onto whom all the accumulated delays were dumped.

Read more in English:

In Russian:

Source: habr.com