Cisco Viptela SDWAN Licenses and propositions

Today I am going to talk about some of the questions pre-sales engineers ask in order to understand Cisco Viptela SD-WAN capabilities and features.

Do we have a low-cost licensing model for customers who want centralized management and active-active links on the network?

This question came from an existing Cisco customer who already uses IWAN.

The answer is yes. Cisco has different licensing models for basic or full SD-WAN capabilities, depending on the customer's requirements. For a more in-depth understanding, go through the licensing models below, which define the feature set and capabilities of the product.

Fig 1.1- Cisco Viptela SDWAN License Models

The Plus license includes the following features and capabilities:
  1. Fabric: Management, Controllers, ZTP
  2. Routing: Static; Topology: Hub-and-spoke only
  3. Internet/Cloud: NAT, Split tunnel, IPSec IKEv1/v2, GRE
  4. Policy: Local ACL only, Data policy, QoS
  5. SLA: Application-aware routing (5-tuple only)
  6. Segmentation: 2 VPNs (service + transport)
  7. Visibility: DPI for visibility only; Support: 24x7x365, NBD RMA

The Professional license includes the following features and capabilities:
  1. All Plus tier features
  2. Routing: Dynamic routing (OSPF/BGP)
  3. Topology: Mesh topology, any
  4. Internet/Cloud: Cloud on-ramp for IaaS/SaaS
  5. Policy: Control policy, service insertion, extranet
  6. Segmentation: 5 VPNs (transport + 4x service)
  7. SLA: Application-aware routing (DPI), Multicast

The Enterprise license includes the following features and capabilities:
  1. All Professional tier features
  2. Segmentation: Unlimited VPNs
  3. Analytics: vAnalytics platform
  4. Optimizations: TCP Optimization

Note: Decide which features you require and select the license to order on that basis.

Can we have vManage, vBond and vSmart controllers in HA?
Most deployments use cloud-based controllers, which are virtual instances or virtual machines. So yes, they can be deployed in HA as the customer requires.

What happens if all vSmart controllers (which hold the fabric control plane) go down?
vSmart controllers exchange OMP messages among themselves and have an identical view of the SD-WAN fabric. vEdge routers connect to up to three vSmart controllers for redundancy.

Fig 1.2- Cisco Viptela SDWAN Fabric

A single vSmart controller failure has no impact as long as there is another vSmart controller with which the vEdge routers are registered. If all vSmart controllers fail or become unreachable, vEdge routers continue operating on the last known good state for a configurable amount of time (the minimum of the re-key timer and the GR timer). During that time there are:

  1. No updates to reachability
  2. No IPsec re-key
  3. No policy change propagation

For service insertion, are the services (e.g. a firewall) part of the underlay or the overlay?
Physically, services are connected to vEdge routers. They are advertised via the overlay network and become part of it.

Fig 1.3- Cisco Viptela SDWAN Single Service Insertion

  1. The vEdge router with a connected L4-L7 service advertises it using the service route OMP address family and a service VPN label
  2. The service is advertised in a specific VPN
  3. The service can be L3 routed or L2 bridged
  4. The service can be singly or dually connected (firewall trust zones) to the advertising vEdge
  5. Control or data policies insert the service node into the forwarding path of matching traffic; they match on a 6-tuple or DPI signature and are applied on the ingress/egress vEdge

Is multi-tenancy supported in Cisco Viptela SD-WAN?
Yes. Multi-tenancy was introduced in the 17.2 release. In the current Viptela-based multi-tenant solution, the following applies:
  1. vManage is multi-tenant (single VM instance or a cluster of 3 or more VM instances)
  2. Each vBond is multi-tenant, and a dedicated VM instance
  3. Each vSmart is single-tenant. Each vSmart instance can be deployed either as a dedicated VM or inside a virtual container
  4. Each vEdge is single-tenant

The vManage and vBond instances can be 're-used' across multiple tenants, as they belong to the SP overlay. The vSmart and vEdge instances also belong to the SP overlay; however, they can only belong to a single tenant/customer overlay under this SP.
If you choose not to deploy multi-tenant vManage and vBond instances, then each customer will require its own dedicated set of vManage and vBond instances, along with the vSmarts.