03-07-2021 10:57 PM - last edited on 03-10-2021 03:50 PM by Jimena Saez
All the knowledge of these four experts at your disposal!
Cisco Software-Defined Wide Area Network (SD-WAN) provides a highly scalable, resilient, and secure network infrastructure. With advanced security features built into the solution, automation, centralized management, and monitoring, Cisco SD-WAN enables you to control your network through a single dashboard, reduce operating costs, and ensure the best possible experience for your users in local applications or on the cloud.
In this event, the experts will help you understand how Cisco SD-WAN is designed and its main benefits.
They will explore everything from the basic solution design, which license to choose, or which router to select, to overall design and deployment best practices. vManage allows you to configure devices, templates, security / control policies and much more... What if, for some reason, vManage fails? We will help you master an understanding of the policy framework and common troubleshooting tools and learn from programmatic methods to create backups in the SD-WAN environment.
This event is for Cisco SD-WAN beginners and advanced professionals.
Ask questions from Monday, March 8 to Friday, March 19, 2021
03-18-2021 09:53 AM
03-18-2021 09:56 AM
Hi guys!
Is there a way to check that the guest traffic goes through GUEST VRF and that the rest of the traffic follows the global routing scheme?
Thank you.
- Sarah
03-19-2021 06:24 AM
Hello,
Thank you for your question.
Absolutely yes. Cisco SD-WAN has a troubleshooting tool called Simulate Flows that is accessible in vManage. You can use this tool to make sure traffic is going to follow the desired path.
Also, there is end-to-end segmentation built into the solution. What this means is that traffic from a VPN (VRF) is isolated not only by distinct routing tables, but it is also transported with labels.
The following text from Cisco's documentation explains the workflow:
When you configure a VRF on a router, the VRF has a label associated with it. The router sends the label, along with the VRF ID to the vSmart controller. The vSmart controller propagates this router-to-VRF ID mapping information to the other routers in the domain. The remote routers then use this label to send traffic to the appropriate VRF. The local routers, on receiving the data with the VRF ID label, use the label to demultiplex the data traffic. This is similar to how MPLS labels are used. This design is based on standard RFCs and is compliant with regulatory procedures such as PCI and HIPAA.
Hope this helps.
Best regards.
03-18-2021 11:28 AM - edited 03-18-2021 11:29 AM
Why does Cisco SD-WAN use OMP in the Control Plane and not the traditional routing protocols?
Thank you
Didier
* This is a question posted in French by Didier M. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
03-18-2021 12:21 PM
Hello Didier,
Because OMP is used to propagate not only routes but also policies and information about TLOCs. This allows for greater flexibility than what we have with traditional protocols.
Hope this helps.
Regards.
03-18-2021 01:43 PM
Hi everyone
How are alerts defined and how are REST API extensions used?
Note: This question is a translation of an original post created in the Spanish community by Fernando Mondragon. It was translated by the Cisco Community to share the query and its solution in different languages.
03-22-2021 06:17 AM
Hi Fernando,
Below is a link to the table where you can find how alarms are defined per severity (Minor, Medium, Major, Critical): https://sdwan-docs.cisco.com/Product_Documentation/vManage_Help/Release_18.4/Monitor/Alarms
About the REST API extensions, for Alarms and Monitoring my suggestion is to use the Webhooks. It is a push-model mechanism to send notifications in real-time.
An example of Webhooks utilization: https://developer.cisco.com/codeexchange/github/repo/suchandanreddy/sdwan-webhooks/
Another alternative, using the traditional REST API, is to poll vManage for data frequently.
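The receiving side of the push model described in this answer, as an added example that is not part of the original post or of the linked repository: a handler that authenticates the sender before trusting the notification, then triages it by the four severities named above. The field names `severity` and `rule_name_display`, the use of HTTP Basic credentials, and the sample payload are assumptions constructed for illustration.

```python
import base64
import hmac
import json

# Severity names as listed in the answer; ascending order is assumed.
SEVERITY_RANK = {"minor": 1, "medium": 2, "major": 3, "critical": 4}
# Constructed credentials, assumed to match the sender's webhook settings.
EXPECTED_USER = "webhook-user"
EXPECTED_PASSWORD = "constructed-example-secret"
# Constructed sample notification; both field names are assumptions.
SAMPLE_ALARM = json.dumps({"severity": "Critical", "rule_name_display": "Example_Rule"})


def basic_header(user, password):
    """Build the Authorization header a sender would present."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def basic_auth_ok(headers):
    """Validate HTTP Basic credentials with constant-time comparisons."""
    scheme, _, encoded = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return bool(sep) and user_ok and pass_ok


def handle_alarm_webhook(headers, body, min_severity="major"):
    """Return (http_status, action) for one pushed alarm notification."""
    if not basic_auth_ok(headers):
        return 401, "rejected: bad credentials"
    try:
        alarm = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return 400, "rejected: body is not JSON"
    if not isinstance(alarm, dict):
        return 400, "rejected: body is not a JSON object"
    rank = SEVERITY_RANK.get(str(alarm.get("severity", "")).lower())
    if rank is None:
        return 422, "rejected: unknown severity"
    if rank < SEVERITY_RANK[min_severity]:
        return 200, "logged"
    return 200, "paged: " + str(alarm.get("rule_name_display", "unnamed alarm"))
```

Serve the handler over HTTPS only, since Basic credentials are otherwise readable on the wire.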
03-18-2021 01:44 PM
Another question
How can I optimize SaaS connectivity with Cisco SD-WAN?
Note: This question is a translation of an original post created in the Spanish community by Fernando Mondragon. It was translated by the Cisco Community to share the query and its solution in different languages.
03-18-2021 02:11 PM
Hi Fernando
With Cloud OnRamp for SaaS, the SD-WAN fabric continuously measures the performance of a designated SaaS application through all permissible paths from a branch. For each path, the fabric computes a quality-of-experience score ranging from 0 to 10, with 10 being the best performance. This score gives network administrators visibility into application performance that has never before been available. Most importantly, the fabric automatically makes real-time decisions to choose the best-performing path between the end users at a remote branch and the cloud SaaS application. Enterprises have the flexibility to deploy this capability in multiple ways, according to their business needs and security requirements.
03-18-2021 01:45 PM
Hi experts
Can Cisco SD-WAN integrate to security cloud providers?
Note: This question is a translation of an original post created in the Spanish community by Dani Ma. It was translated by the Cisco Community to share the query and its solution in different languages.
03-18-2021 01:56 PM
Correct, Cisco SD-WAN can integrate with security cloud providers. Check the details at https://umbrella.cisco.com/solutions/sd-wan-security
03-18-2021 01:54 PM
In other topics, what are the security features included in Cisco SD-WAN?
Note: This question is a translation of an original post created in the Spanish community by Dani Ma. It was translated by the Cisco Community to share the query and its solution in different languages.
03-18-2021 02:06 PM
Cisco SD-WAN builds on the architecture called secure access service edge (SASE). WAN security and features today must be distributed, cloud-based, flexible, and agile. Cisco SD-WAN is the industry’s first fully integrated SASE offering that combines best-of-breed SD-WAN with the cloud-based Cisco Umbrella or on-premise security portfolio. Both security architectures provide full protection for enterprises connecting to cloud and internet applications. These security features are:
Enterprise firewalls: Granular policy and control of thousands of applications
Secure web gateway: Full protection against all kinds of web-based attacks, including SSL inspection
DNS layer security and URL filtering: Stops threats at the earliest point, significantly reducing incidents
IPS: A built-in intrusion prevention system within an on-premises enterprise firewall based on Snort® and powered by Talos®
Cloud Access Security Broker (CASB): Protects against account compromises, breaches, and other major risks in the cloud application ecosystem
Malware protection: An extended security feature across both on-premises and cloud security using Cisco AMP and Threat Grid to prevent and detect malicious files with sandboxing
03-19-2021 09:13 AM
Hi,
Slow to find this service. Lucky to make it in time apparently :).
If you are running sites that only have MPLS connections with Internet services via a DC and other sites that only have Internet connections is it logical to have multiple vSMARTs? A vSMART hosted on the MPLS network and another hosted in the cloud? I.e. the intelligence of the solution doesn’t suffer if there is an outage of vSMART or Internet connection at the DC?
Thanks
Mike
03-22-2021 12:59 PM
Hi Mikey, hope you are fine.
Assuming you are asking about cloud-hosted controllers, a common thing for these scenarios would be to make a breakout to the internet on MPLS, opening specific ports for specific IPs (the ones for the controllers). While you have single-link-type sites, your network uses the DC (where both types of links exist) as a pivot to interconnect the sites. As a best practice, you would reach the controllers through both of the links you have in your environment, so you have resiliency as a principle of your design.
Regards
Osvaldo