Viptela SD-WAN

rifnas.ahamed1
Level 1

A. We have 450 branch locations currently connected using MPLS links from two different SPs (SP-A & SP-B).

B. DC, DR and 13 main branches are connected through both SP-A & SP-B links (redundancy & load sharing).

C. The other 435 branches are connected through only one MPLS link, either SP-A or SP-B (BW 512 Kbps / 256 Kbps).

D. Out of the above 435 branches, 300 are very small branches that are less critical for the business, connected through 256 Kbps links. These branches access a few web-based applications hosted in the DC.

Now,

1. Considering the considerable cost of MPLS links, we are assessing the Viptela SD-WAN option to completely replace the small-branch MPLS links with low-cost ADSL/FTTH Internet links (remove the MPLS links and use only ADSL/FTTH for DC connectivity).

2. Also, for the other 135 branches, we are assessing the possibility of connecting one MPLS link (A/B) and one ADSL/FTTH link for redundancy and load sharing. This Internet link will additionally be used for DIA.

3. The other 15 branches may be connected with 02 MPLS links and one ADSL/FTTH link.

Please clarify whether this is possible and what the constraints associated with this plan are. Also, what security-related features are available in Viptela to secure branch DIA?

12 Replies

elesani
Cisco Employee

Hi,

Your overall plan looks OK. From a very high-level perspective it's absolutely possible and sits in the most common use cases already defined for SD-WAN solutions.

Please also note that Viptela never claims to be a proper security box to serve as a firewall service inside your network; it has L3 & L4 firewall capabilities.

You can apply traffic limitation & monitoring using:

  • ACL
  • DPI: Deep Packet Inspection

As a result, you can block traffic using an ACL up to L4 or using the DPI feature at the application level.

If you need more extensive security like IPS/IDS, malware detection or email protection, you might need to go down the service-chaining path.

Regards,

Ehsan

vinod.agrahari
Level 1
My understanding - you are all set to go with Cisco Viptela services.

Approach - segregate all the sites by their priorities: P1 - sites that need resiliency and load balancing; P2 - resiliency and transit; P3 - remote sites with a single WAN link.

DC - vController, vOrchestrator, vBond
P1 & P2 - two vEdges
P3 - one vEdge

There are many benefits, but there are challenges too; for example, if you are using EIGRP you can redistribute it but have to use a workaround, and this is not a security device.

Anyway, we are pushing the traffic through service VPNs, like VPN 1 to 511, so it seems to be segregated traffic and secure, even though branch to branch is connected with an IPsec tunnel. So I guess it's more secure than others.

tahiali
Cisco Employee

You can now use the Viptela Great Wall security features like a fully functional firewall, IDS/IPS, Umbrella (DNS) security and URL filtering with the new code, 18.4.0. Obviously you will need some resource planning when it comes to enabling these features on a device. Or you can go the service-chaining route by having one or two sites dedicated to firewalling / other security.

Hi tahiali,

I believe those features aren't supported on vEdge routers; it's only for XE-enabled routers, right?

A fully functional (stateful, zone-based) firewall is available on vEdge as well: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.3/07Policy_Applications/05Zone-Based_Firewalls

But all the other features mentioned earlier are only on Cisco IOS XE SD-WAN software. For these features the controllers should be from the 18.4 branch (18.4.0 currently).

For vEdge, can we use application-based firewalling?

Yes, with Viptela vEdge (100, 1000, 2000 and 5000).

You can use app FW (the DPI engine is Qosmos-based); IPS/IDS and URL filtering are not supported on it, but DNS security is.

Other Cisco platforms will support it all with some functional exceptions.

So, on vEdge routers it's using the stateful engine + Qosmos DPI engine, rather than a stateful firewall with NBAR, right?

FW integration with our NBAR application detection engine will be implemented on Cisco ISR4K, 1K, ASR, CSR and ISRv, providing Enterprise FW with application awareness. The vEdges, however, will support a stateful FW, but the application detection mechanism uses the Qosmos DPI (Deep Packet Inspection) engine.

So, with Qosmos DPI on vEdge, the user can define the application and then apply the policy by allowing or blocking?

You cannot do custom applications as of now, but there is a list of applications which NBAR2 and Qosmos mutually support; those can be detected and policies can be applied.
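As an added illustration of the two controls the thread discusses for securing branch DIA (the L3/L4 ACL and DPI options in Ehsan's reply, and the vEdge stateful zone-based firewall in the later exchange), here is a vEdge-style configuration fragment. It is not from this thread or from Cisco; it is written from memory of the Viptela 18.3 localized-policy and zone-based-firewall CLI and should be checked against the linked documentation before use. The interface name ge0/1, the LAN prefix 10.10.0.0/16, the VPN numbers, the zone and policy names and the port lists are assumed placeholders for a small branch with one ADSL/FTTH link. Lines starting with "!" followed by text are annotations only and are not part of the configuration.

```text
! VPN 0 carries the ADSL/FTTH link; "nat" on the interface and the default route in
! VPN 1 pointing at VPN 0 are what turn the link into a DIA path for the branch LAN.
vpn 0
 interface ge0/1
  ip dhcp-client
  nat
  access-list INBOUND-DIA-ACL in
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
!
vpn 1
 ip route 0.0.0.0/0 vpn 0
!
policy
 ! L3/L4 ACL (the "ACL" option): drop unsolicited management-port traffic arriving
 ! from the Internet side; everything else is accepted and handed to the firewall.
 access-list INBOUND-DIA-ACL
  sequence 10
   match
    destination-port 22
   !
   action drop
  !
  sequence 20
   match
    destination-port 23
   !
   action drop
  !
  default-action accept
 !
 ! Stateful zone-based firewall: the branch LAN (VPN 1) may open web and DNS
 ! sessions towards the Internet (VPN 0); nothing may be initiated in the reverse
 ! direction because no INTERNET -> BRANCH-LAN zone-pair exists.
 zone BRANCH-LAN
  vpn 1
 !
 zone INTERNET
  vpn 0
 !
 zone-based-policy LAN-TO-INTERNET
  sequence 10
   match
    source-ip 10.10.0.0/16
    destination-port 80
   !
   action inspect
  !
  sequence 20
   match
    source-ip 10.10.0.0/16
    destination-port 443
   !
   action inspect
  !
  sequence 30
   match
    source-ip 10.10.0.0/16
    destination-port 53
   !
   action inspect
  !
  default-action drop
 !
 zone-pair ZP-LAN-INTERNET
  source-zone BRANCH-LAN
  destination-zone INTERNET
  zone-policy LAN-TO-INTERNET
 !
!
```

The design point is the split the thread describes: the ACL is stateless and can only reason about addresses and ports, so it is used here for coarse inbound hygiene on the Internet interface, while the zone-based policy with "action inspect" keeps session state and permits return traffic only for connections the LAN opened. Application-level matching on vEdge would use the Qosmos DPI application list mentioned above rather than port numbers; that match syntax is not shown here because its exact keywords should be taken from the release documentation.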
