VeloCloud SD-WAN Orchestration & Visualization Demo

Captions
All right, so let's look a little bit and dive a little bit into a demo. So SD-WAN has been a somewhat elusive creature, so let's see what functionality is available today at this point. And the first thing I want to quickly highlight again is the three components that we have in the solution. So on the one hand side we have the edges, which are the on-prem components. We have the gateways, so those are cloud-delivered; at this point they're highly distributed, highly available as well, and we basically run this as almost the stateless virtual appliance in a variety of facilities around the world. So at this point we have a global presence that Sanjay was mentioning: we're present in Asia-Pac, we have Western Europe presence, we're pretty much covered in North America as well.

And what I'm gonna do during the demo, it's like I'm first gonna show you a good insight into the visibility, like if the network is fully established, on what you can see with the network and how it sort of like works from a high-level perspective. And now we're going to start stepping back one at a time: we're going to go into the configuration and see how did we get to this point of establishing all the policies and all the way out the tail, and we're going to actually activate a new device and bring that online in the network and do a few tests. And then as a final point Cameron is going to step in and we're going to actually run a specific application and see the dynamic multipath in action as well.

So we're looking at our Orchestrator at the moment, so this is that central controller that we're looking at. So this is the place where you do the management as well as the insight into the network, in what's going on with the network. And of course this is a multi-tenant portal. I was mentioning earlier this is fully REST-based as well, so everything that you see on here, everything that you can click on here, is backed by a REST call in the background, so you can programmatically access all of those functions as well. If there
is an existing single-pane-of-glass system that you prefer to use, then we can just tie in with a REST API call there as well.

And the first thing that you will see here is we get a quick overview of like all the branches that are spread out. And I should point out, like, we're going to look at our live office environment today, so this is our own production environment that is currently serving the off traffic. So what I can do is, if I see all of those edges online, we can immediately see what the status is of those devices, we can immediately see which links are connected to those individual sites. So if we click further into that, the first thing that's going to pop up now is that we get an inventory of the links that are present, and this is where our dynamic multipath actually will kick in. So, like, every time you plug in a link into the device, the first thing that will happen is we're going to do characterization of that link on how well it behaves in terms of quality, what kind of capacities are available, and we're also automatically figuring out which service provider that is actually on. So important to know that is this is all measured in real time, and this is sort of like the foundation where we make decisions.

And as you can see on the right-hand side, we're actually clicking live statistics. So if we click on one of those sites then we're actually going to signal this from the orchestrator that, hey, somebody's looking at you, go into an accelerated reporting interval, and you can see live statistics clicking from that perspective. So as you navigate away from this it's gonna detect that, fall back to a five-minute reporting interval later on. So if we hover over to the right-hand side you can clearly see that we cover all the latency, packet loss, jitter characteristics, they're all covered, and then we can also measure all the capacities in real time as well.

So how do you measure capacity?

Yes, it's a good point. So like when you plug in the link there is an
active measurement at first that is done, and that gives us a high ballpark number. Then we basically tag on to the traffic of the customers and we're gonna measure that traffic as well to see if there are any large variations. If there are small variations then we'll make adjustments; if they're very large variations then we're going to trigger a new active measurement. And all the latency and packet loss characteristics, they're effectively done by timestamping every single packet that goes through the system.

So you timestamp the packets as you encapsulate them, and then you look at the timestamps as they get across, right? And you get real-time measurement of actual customer traffic?

Correct, correct.

That's cool. Is that an element of IPSec? Are you doing additional encapsulation before the IPSec?

Well, it's an interesting question, because like you're on the hand-side, like if you sent traffic towards the gateway, you can sort of like be two types of traffic, right? You can have your VPN traffic, of course IPSec encrypted, all covered, but then traffic that goes to Salesforce, that's likely already SSL encrypted, it's not really a need to burn additional crypto on it. So we do have mechanisms in place to detect, like, these are applications that are going to the cloud and eventually get exposed completely, and we disable encryption on those applications as well.

But the question was, if you do timestamping, right, and there is no timestamp in IPSec?

No, no, the IPSec is actually inside a proprietary protocol that we run between.

So you're doing an additional encapsulations?

Yeah.

So are there any MTU concerns or anything like that?

No, because we do a lot of reassembly and reordering at the gateway side as well, so there's an entire engine that takes care of reconstituting the original flow.

So you can provide 1500 MTU and planned?

Yes.

Thank you for us my question there better.

That's cool. Can you do over 1500 MTU?

Not at this point, I believe, right?

No, only because the LAN side
doesn't support it at this point, but if we enable jumbo frames on LAN side we could. Our transport layer is agnostic as to how big the packets are.

All right, so another way to look at all of these characteristics is to just look at the historical view of it. And this is sort of very common, like if you find out that routes a provider that has a having an outage that you want to look at, like, did they actually violate an SLA. So we can look at just the throughput of each of the individual links, so you can select one of those links and find out how much throughput is going over the individual ones. And it's somewhat hard to see at the moment, but the traffic is actually already split out over the two legs, so they're all active-active at the moment. Another way to look at this is we can look at the jitter changing over time, so there's very little change on the jitter side, or we can actually look at the packet loss side. Yeah, go ahead.

So you can use this to Nagle the service provider when he doesn't honor the SLA?

Yes. Yeah, I didn't want to say it like that. Yes.

Okay, good. Might get a little excited about that, yeah.

And yes, so this dashboard is based on your cloud, correct, guys? This one an accessible, I didn't actually see you loaded up, I'm sorry, I was looking away. It's not using Java or Flash or like that, right? Just HTML5, your orchestrator part of this?

Now this is actually fairly lightweight, it's all HTML-based, there are no plugins or so.

Yes, to come back to the original point, so like you do get live insight into what these providers are doing. And you get to see, to come back for a second, like we basically have in our office like two DIA links, it's not what you could say that these are relatively inexpensive links, and you still see glitches on these links, right? So it's not at all uncommon.

Right, so another way to look at this is by looking at our quality of experience page. And this is something that we do, is we look at each of the individual links and we're actually gonna score these links on how they behave
for a specific traffic type. And we can look at different traffic types, we can say like how does this work for voice traffic, you-all does it or video and transactional. And what the scoring does, it will actually tell you if the link or the system in general is ready to carry voice traffic. And you see that the bare links, the AT&Ts and the Cogent things that we're using on a routine basis, there are still glitches and outages that voice will get impacted when we route the traffic directly over them. So this is where the intelligent steering comes in, where we can make either a steering decision, like in this case for example where you see one of the links is exhibiting packet loss, the other one is not, so we can simply make a steering decision to steer that voice traffic to the other link. And important to know here is that the dynamic multipath can do that on a per-packet basis, so it is not moving a session, we can move midstream, so that's very important.

Prevent that from being the case? I mean, out-of-order delivery can be a significant problem in some application.

No, not really, because we do reconstitute the original flow at the gateway side.

Okay, so you guarantee in-order delivery at the sort of the output end, that's okay. Are you doing any parity, did any parity to ensure that a error correction, media error correction?

Yeah, that's an exponent. So let's find another of these timelines. So over here we see like one link exhibiting packet loss, at the same time there is some minute packet loss on the other link. So at this point we're gonna dynamically enable forward error correction techniques, and this is done on a per-application basis, so not every application can benefit from forward error correction and you don't want to enable it all the time. So when we detect these outages and we detect them on multiple links at the same time, then we are going to enable these forward error correction techniques.

So you can actually send multiple copies of a voice packet to ensure
that at least one gets across?

That is one option, yes. So we can replicate packets, but we can also be a little bit smarter to just do parity injection into the flows as well.

So mention there, so when you reconstitute, are you adding latency? How do you avoid adding latency while you're waiting for fragments to arrive?

Sure, yes. So everything in the system happens at very fast intervals, so we probe every hundred milliseconds, packets are timestamped, our hold timers are set in the millisecond range, right? So we will only hold packets waiting for that duplicate to arrive, say packet one's lost, we're only going to give some order of, say, half a one-way time difference to allow the second one to arrive before we move on. We're very careful not to cause additional harm while doing error correction.

So the net result of this is, like, after we apply the VeloCloud service, like, you should see a clean link, right? So your application should breeze through the network even if the underlying network is actually not as great as you would hope it to be.

You support any sort of flow reporting? And I'm specifically thinking so that something that consuming those flow reports could tell which link or links were utilized in that flow.

Yes, it's a feature that we have in the pipeline. So I'll walk you through the visibility aspect a little bit more. There's a lot of information available, but we can perfectly imagine that there is more.

Yeah, historical more when I'm thinking up to get that call and you know, hey, this thing didn't work well.

Correct.

You want to see where, you know, what elements of this magic land were involved.

Okay, so moving on to the application side. So this is actually the flow information. So we do have a deep packet inspection engine that characterises about 3,000 applications at the moment. And important here is, like, if you combine that deep packet information together with like all the intelligence that we put in there to know, like, voice traffic needs to go to the lowest
latency link, if it's Salesforce traffic then spread that out over multiple links, if it's a bulk file transfer application and aggregate the capacity over all these things. So that intelligence is sitting in the background. It will also automatically plug in, like, what are the QoS settings that we need to do on this particular application, what queuing mechanism do we need there. So all of that complexity is essentially abstracted in the background.

But you can see now all the applications that are running over the network. We can click on these applications and we get a breakdown of the top devices that are sending that application and the top destinations where that is actually going towards. So we can further zoom in and take a filter over: if we want to look at now all the devices on the network that are sending Windows Live traffic, then we can get a breakdown of all these devices. We can clear that filter again and just look at all the devices that are on the network. And interesting to see here is that we can just hover over one of these devices and find out what their MAC addresses are, what their IP address is, what their host name is, what OS they're running. So a lot of good information that is very useful on a daily basis as well to quickly identify what things are.

And you're using native IPSec encapsulation, right?

Yes.

So when you're multicast?

Not at this point.

Okay, also this roadmap. And is this basically layer three only, or can you do layer 2 bridging?

So we haven't really run into use cases where L2 would be beneficial at the moment, so we haven't really focused on that.

Okay, like if you can encapsulate L2 and L3, then of course, like, but you don't do that, we would need to do that somewhere else then. You're providing L3 services, for reference.

So then the other quick thing that I want to show you: so we can look at all the destination, all the domain names that we're sending traffic to, so that you can get a quick feel of like where in the world are we moving
traffic towards.

So what I'm gonna do now is I'm gonna switch to a more controlled environment. So this was our office network that we're looking at, so I'm gonna switch to a demo environment where we can start moving around some policies and introduce a couple of new devices. So again, similar routine: you see multiple devices on that map here as well. If we scroll down you can see some of the devices are offline, so this could be just devices that are disconnected from the network or where both of the links are effectively down. And then you see on the bottom a couple of devices that we have provisioned but are not yet activated as well.

So if we go into the configuration side of the house now, and one thing I should mention here is, like, the topology that we're going to be looking at is we have on the table there an existing branch device, so we have a small edge that is sitting out there, we have an existing branch with just a Cisco router that is unprotected, and then all the way at the end of it we're gonna activate a new branch in an entire topology as well.

So the first thing that I want to quickly show you is that we do run a couple of services throughout the entire enterprise. So we can define cloud proxy services, Sanjay was mentioning this earlier, that we're just in a press release to support, to showcase that we do Zscaler and Websense integration as well. And you can tie in these non-VeloCloud sites, right? So if there's an existing data center out there where there is very expensive equipment already that is supporting IPSec, then we can just build IPSec tunnels from the closest gateway into those devices. We can do redundant tunnels to make sure that the connection is reliable. But it doesn't have to be limited to an existing data center, so this could be Amazon VPCs, there could be just large branch offices where you don't want to deploy a VeloCloud at this point.

And everything that we do is effectively centered around the use of a profile, and a profile, this
is going to define how a specific set of edges should behave on the larger enterprise network. So what's going to be added into that profile? So we have two or a couple of categories in there: we have some device settings, some business policy settings and some firewall settings. And important here is that we try to abstract again a lot of the complexity in the background, so there's a lot of items that just work with smart defaults, and we just want to make sure that you can concentrate on setting business policies rather than tuning specific flows and finding out which TCP port a specific application runs onto.

So we do address management as well. So in the profile we can say, like, what is the CIDR block that we entitled to the enterprise, and then if a new site comes online, like, well, which networks and how big should these networks be that we allocate automatically.

Can you integrate with the routing protocols that are already on the side?

Yes, so we will shortly be announcing OSPF support for integrating into LAN-side protocols as well.

So right now it's static routing, sort of?

Yes, towards the LAN side we do static routing at spot, correct, but that's soon going to change.

Another important aspect is the small service catalog that we have at the moment. So that is at this point limited to a lot of internal services, but again, as mentioned, we're going to expand it to external third-party services, Websense and Zscaler are the first ones, and down the line we're also going to include virtual services that you can immediately run on the branch device as well.

So let's switch to the device setting for a moment. And again, very simple: we have some interface settings where you can say, all the interfaces that are on there, do they need to be access ports, which VLAN, so the normal routine over there. We can also define all the wireless networking elements in here as well, so that you define the correct networking SSIDs. And on the VPN side, so this is very
straightforward, it's just an on or off button, so very little that you need to do, it's virtually no configuration from that perspective.

Question: so this wireless that you're setting up, where does that live?

It's right here, so the device actually has built-in AP, so we have a CNN Wireless.

Okay.

And we can of course work with partners as well, like if you have large building and we need to have multiple APs then we'll work with partners to do that.

Well, what about like dot1x or, you know?

Yes, so let me just switch that. So you can go to the security, you can do WPA2 Enterprise, and switching back to the network service, so we can tie into a back-end RADIUS server that sits either in the cloud or at your enterprise decedent's reach all over the video.

Okay, so on the VPN side, very straightforward, on or off. The only choices that we basically give you is, like, do you wanna allow access between the edges individually, or do we wanna tie in an existing data center site. So I've already tied in one enterprise data center here. Adding a new one is also very straightforward: we can simply say add in a new one, let's login a quick sample, you can select the equipment that is at your data center site, so if there is already a Cisco ISR IOS-style router, or plug in the public IP address for that site. What's going to happen next is that we'll just generate configurations that you can immediately plug in into the data center router, so make it very easy for you, so that within a matter of five minutes you can actually get that done. Let's college, if it's the other way around and you're looking at integrating an Amazon VPC for example, that is generating already configurations, then we actually go back, go into the advanced settings, plug in your pre-shared key as well, so that's also an option.

Yes, so I think I missed something. So when you generated the config that you would need to dump into like a nice alright this is there, do you get very grey on the code versions and everything for
the different?

I do believe we have a minimum requirement on the code, but we're effectively not doing anything special, we're doing basic VTI tunneling to the ISR and then we just do a static routing with an IP SLA on top of that.

Is the ASA one of your options?

Yes, yes. So actually the ASA one, if you look at the example ASA config, there's actually tabs for different versions because they changed the command structure in 8.3.

Correct. Nice. Just delete that again.

So the next thing is switching to the firewall at the moment. And again the firewall is very straightforward, it's an application-level firewall, and we basically ask you to just say which application gets blocked. So we're not going to work or worry any more about which individual flow you want to block. So if it's Netflix traffic that sprays across multiple destinations and CDN providers, then the DPI engine is going to aggregate all of these flows and you can set a top-level policy to block Netflix traffic. So let's maybe introduce a new rule, if we want to look at an application, and well, let's maybe do that Netflix traffic. This is the way you block that. So you can either block on an entire category of applications or you can pick an individual application.

Another important aspect is the business policy, and this is where we really have all the steering decision. So I've basically plugged in three policies. So there is one policy that says, like, all the traffic from the guest VLAN, we're gonna shape that down to about eight percent of the upstream and the downstream bandwidth, so that you can protect that bandwidth. There's another policy that says, like, all the Gmail traffic, I really want to run that through an enterprise DC where I have a DLP solution and scrub that first before it leaves the enterprise edge, so you can just backhaul that traffic into the enterprise DC. And there is one additional policy that is going to move all the port 80 traffic, so all the web traffic is just going to be
redirected to Websense in this case.

All right, any other questions so far?

Are there any logging or alerting mechanisms for policy violations?

For policy violations? So we do have alerting mechanisms in place for VPN outages, link outages, but can you give me an example of a policy?

Block, you know, site X, right, and someone keeps trying to go to it. Basically they're continuing to try to do something and you want to have visibility into that and see who it is, find some accountability, or maybe just, you know, maybe a machine gets compromised or something like that, right?

Yeah, so today your choices on the firewall are allow and deny. Deny and log, which actually has a generate events and create a log of people attempting to violate the firewall rules, is coming in the next release.

But it does currently, you said it does currently do like a logging mechanism?

Yeah, the backend support is already there, it's just exposing it to the UI.

Okay, and it's a simple syslog or? You mentioned guest VLAN and it prompted a whole different series of questions. So obviously you can assign different subnets to different VLANs on the client side. Can you treat them as totally isolated VRFs afterwards?

Yes, the guest VLAN is completely isolated from any of the production.

And I can have a PCI VLAN and video monitoring VLAN and whatever else VLAN?

Yes.

And they would be end-to-end VRF and isolated across the whole infrastructure?

Yes.

Okay, yeah, PCI is a big deal in these kind of environments.

Yes.

For monitoring purposes, are you going to have an allowing resent it as well?

So that's the first that I've heard of that request for. That's easy enough to add.

Sometimes you want to log something because you think maybe it's there, you're not sure if you should go and block it just yet or whatever, so you want to just check and just confirm, you want to see what's happening, right?

So one thing we do have is, you know, with the application visibility and all the traffic visibility in the system
you can see what's happening, what's being used, you can see what the most egregious offenders are, so it is easy to see.

I mean, I think that the use case I can think of for that was maybe tying it into an existing analytic system, right, that you already have.

Yeah, but as you can probably guess, like, so the visibility items that we exposed at the moment is based on like a whole slew of analytics that is in the background, so this is sort of like the first tip of the iceberg effect, right?

You get 70 wipe every published in your white papers to the detail kind of how you're doing some of that?

Yeah, the analytics collection, yeah, that would fall under the secret sauce category, I know, so we don't publish anything that, yes.

Okay. Is the documentation publicly available?

It's not publicly available, it's actually embedded in the UI, so there is a Help button on the top here and all the documentation is there. So we don't like to print documentation and send it out.

Just, it's more just in terms like if I'm looking at, you know, I'm not current customer but I want to go through some of the documentation, can I get access to that?

I'm sure our sales team will be able to accommodate that for you, yes.

So with the non-VeloCloud sites, right, we're setting up a VPN, right? So their VPNs terminating on a gateway that you specify by?

Yes, so there are students. So we can either let it auto-populate and like find the best gateway for that data center, and for data center cases we try to pick gateways that are as close as possible to the data centers, where as its maximal protection all the way up to the data center. But we can move them around; if there is a very specific reason then we can actually nominate a specific gateway then.

And I guess the downside of that is, once you leave your gateway and head over IPSec tunnel back to that, we've lost all the cool sauce that was happening in the cloud overlay we created, and we now just back to check it across a link and hope, as you would have done if you hadn't
had this solution, right? That is that last hop?

Yes, that is correct. But like the assumption here is that, like, once you're in the data center, that the connectivity is well established, that there is very little problems with that. If there are problems then our data center edge device can actually sit in the data center and act as a gateway there as well.

Okay, thank you.

All right, so I'm going to switch quickly and speed up a little bit on activating a new device. So I'll power on a new device for a moment, let's get that going. Again, the links that we're gonna be plugging into the background, we don't really care how you plug in these links, so as long as they're Internet ports we'll plug them in, the system is automatically gonna discover which link is plugged in.

Shipping my box yet, you know, a store where there's no technical people to be honest to achieve, as long as they can fit the cable and there's some little figure, it'll figure out what's going on a ball goes in caller Jack X?

Yes.

It figures out the provider?

It figures out the provider as well, so we do a reverse look-up on the IP address to figure out the provider. We geolocate them automatically as well, so like if we have multiple links we're going to do a geolocation between those two links as well, and we're automatically gonna place it on the map as well.

What's the process for my circuit for the initial zero configuration?

Yes, so that's a very good point. So a private lines, there is of course like some element of configuration that you need to do, but we can supply that conferee configuration part through the VCO. So as long as there is contact to the orchestrator and we can move some of the configuration in there, then if there is an additional private LAN circuit, thank you, we can move that configuration into the, let it download the configuration and then you launch your private line or whatever, use the LTE connection, pulldown you, correct, you can fix your private line in exactly.

On your provider discovery and
geolocation, have you had any issues? I'm just curious, ability issues of that, or false positive, inaccurate mapping, because, yeah, I think you're in South America and you're actually in Canada, you know, I guess I could cause some problems, right, if you try to click on cloud.

Yeah, there are cases where ISPs will have blocks of addresses and they'll spray them around, so there is a manual override if it's wrong. We see probably 1 out of 20 cases where that's wrong, just that sample collected so far. I guess the main point is, you see, like, if you dropped me on the map in Japan I can go and move it down to, yeah, it's over, right.

So you still need to do some pre-configuration if they're using things like PPPoE with authentication?

In that case, yes, in that case you would have to push that out as well. And there is a very small UI on there, so if those cases happen then we're actually during the activation gonna get prompted to enter those credentials.

Okay, we can pre-configure that before we ship it out?

Yes, so granted that there is an open link here to the Internet towards the orchestrator, we can push other configuration precut.

No, that's, so you have no technical staff where you're shipping it and they have a VDSL circuit that's using PPPoE, has authentication, and I need to put that authentication on the box before I send it.

Yeah, so that's more logistics problems, like we can perfectly like ship them to the headquarters, you could reconfigure and pre-activate them and ship. And also so that's of course, I'd like to give you a config and then you ship it and I never actually see the box.

Yes, yes. Yeah, the VCO will see the original link and as it ages out it will just disappear from the chef a. So if you staged it at a central location it will show that link and then a week later all this disappears, it, that was just a temporary.

So let's bring up a new branch on line 4 Oh moans. So I'm in the configuration dialog for a new branch, so it's very, very straightforward actually to do this along so
okay, I'm not working. So I'll give it a name, and this is where we actually select that profile, right? So there's a couple of options. The Network Field Day profile is the one that we were just looking at, and once I select that profile, then if we bring the new edge online it's going to inherit all these policies of that master profile. For the cases where IP address management kicks in, it's gonna fill those blanks in and basically make that new site come online with all the right settings.

Default profiles?

Yes, we do, we have a default profile for a sort of like an internet-only branch where you want to have like every single site cookie-cutter with the same addressing, of course no VPN in that case, and we have a more VPN enterprise-style addressing mechanism.

So I'll plug in my contacts over here, we'll hit create. So that's pretty much the extent of the involvement to create a new branch. So what's going to happen now is we're going to generate an activation key, and this activation key is actually going to bind the physical device to the policies, into the correct enterprise, in a very late fashion, and then bring out all these policies and activate them on the system. So the only thing left to do at this point, or let me just scroll down, so we're asking about geolocation, so this is where you would do the overrides. So we can send out an activation email that automatically goes out to my email address, send that activation email out.

And before I continue I want to just quickly go over the hardware specs. So oh and a couple of devices around, but we effectively have built-in Wi-Fi, as was mentioning earlier, we have four LAN ports on these devices, two WAN ports and an extra SFP port for the WAN. We have four USB ports that you can plug in LTE modems as well. So these are very solid solutions. So we see a lot of cases where people want to quickly spin up new branches, so they basically take two providers, two LTE modems, plug them in the side, put the device on-prem, spin up the Wi-Fi in business
that they very straightforward and of course this is based on an Intel platform so this is VT capable and virtualization capable there we go I put one of these things out of the branch and that branch is just something small with uh I don't know a DHCP provider like this thing calls home into into the orchestrator correct yes can I do inbound VPNs for management to this without knowing anything about that branch service VPN so we we do have you know touch up on that in a second we are able to do port forwarding rules in one-to-one NAT translation rules so if there is a VPN system behind the device and yes you could but not directly to this there's actually no direct management on the device itself because everything is run through the cloud Orchestrator so but you will get full visibility you can run Diagnostics from the orchestrator yes right so let me switch to my email at the moment so I should have received an email here with the activation code and what we're doing here is we're simply going to give you three instructions for that person that is going to install it take it out of the box plug in the power plug in the cables in any Jack that you see that is marked internet and then we're going to request you to connect to a temporary SSID that we spin up and this is the SSID that you see here so it starts via cloud and then the last three digits of the serial number of the device well connected adds so this part has to be done by somebody on site local on site correct okay and then we basically click on the activation link once we click on the activation link so what's gonna happen now is that the device is gonna reach out to the orchestrator it's going to do that late binding to the correct enterprise figure out which policy and profile is associated to pull all these policies down and activate the network now so you see it pushed down some policies it says like you have new networks are live now the Tech Field Day networks are online and these are broadcasting 
at the moment so you see that the LEDs actually turned red for a moment when we apply to us policies we're going to go into an Berlet now when we characterize the links in real time and now we turn to green where we say like system is live so that's the primary thing get straight you ship it to site you plug it in it shows up in the system you apply a profile it sends an email to somebody somebody on site then joins the temporary wireless clicks the link in the email yes how did they get the email once you're connected to that temporary wireless there is already internet access but not do the service and it could be something like this as well don't spoil my argument so yes so so if you don't have that email yet and just connecting to that if they come up on that temporary Wi-Fi they can get it they can get their mail from the internet great all right so that's that's guys that's really what I'm driving at is ya have a way to get long as I can access through email without already being on the corporate yeah around this nose how do you do that I mean is there a way around doing this part locally because I see that being a stumbling block when you're talking about a bunch of retail locations that have like zero technical it's one thing they will talk somebody on the phone through hey plug this into the blue hole right but then hey go get email click on this thing I don't know that pretty concise see that being a bit of a stumbling block yeah we can preview can reconfigure okay yeah I think that was a question asked earlier whether you can do it in the corporate office and send it down so you it's all activated and ready okay so but if you wanted to do all if you wanted to do that activation ahead of time you would need to get it shipped to you know your corporate location prep it and then all I wanna know is what serial number got shipped there and as an administrator know I wouldn't be able to say yeah that one it's on right and some other similar solution to do do 
that right it's not understanding why someone on site has to do that last there I'm missing a link is it we don't want to keep track of the serial numbers effectively so like we want to be able to ship our devices without having to know that so it also is very effective because like if for example one of the device fails you need to RMA that device it's just a matter of reactivating the new device because the configuration lives in the cloud so there's nothing really locally persistent I get that but I think I'm just thinking for my name like admin perspective I know that the replacement device has been shipped to site it gets plugged in and I won't be able to go yep activate it not hey can someone on site please go on this Wi-Fi thing and you say and that's why you have a local I'm just saying have it the other way to not be from this report we can perfectly reactivate as mentioned so that's not a problem at corporate it learns the corporate internet connections but those will disappear after it's been activated you just ship it out plug it in it figures out now what provider it's connected to sorts all that stuff out already has policy and you're done yes so if we look at this so there is a Tech Field Day wireless network now that we can jump on to so let me just see it's a five gig only is that by policy or is that just by that's my policy so you can set two point four or five gigs yes so maybe just as a reminder it's Valentine's Day so that's coming up so if we switch back to the orchestrator at the moment so like if we go back now to the monitoring site we'll click on that edge we click on that new device that we have provisioned so immediately you see like these are the providers that are plugged in it's plugging into that port these are the capacities and it's still measuring the bottom one at the moment of no it's measured bits no traffic on there so you see that both of the links are effectively ten meg links at this point so at this moment we're measuring 
packet loss latency all of that is already working VPN connectivity pushed down already at this point and quickly show your debts so we have a new branch that is activated on the table now there's another branch that is already pre-activated so if we want to ping a small device I've got a Raspberry Pi that's sitting up there that is just a dumb node if we want to ping that now it's actually flashing so you can see visually that it's working same thing we can do for the data center side so we have a quick web server that is sitting in the data center and we can access that as well not very sexy to look at but the the key thing to drive home here is that a packet flow now goes from the edge over VPN over a redundant bundle of links into the Gateway where that flow is reconstituted and handed off to a back-end IPSec channel into the data center site so all of that would sort of zero engagement on the branch site right so a couple of other items that I want to quickly touch upon so we remember we had the Z's or a Websense item in there so if we went to go to a Yahoo web site and I basically blocked all the sports categories in there for click on sports now that traffic is actually being punted to Websense and we see the blocking action from web sites kicking in them go out to web sites Websense comes back to the no in it actually so from the edge it's going to a gateway in the clouds or our gateway in the cloud will hand it off to Websense at that point and Websense pushes down to the final destination so it's service chained now another quick test that I want to show you because we're all running out of time a little bit it's a speed test we want to see the effects of aggregation right so we mentioned like we've got these two 10 Meg links ideally if we want to run a test over the network we want to take the benefit for bulk file transfer applications to capture the the capacity of both of these links so if we do a test again that traffic is going to go from the 
edge device towards the gateway and you see it's well exceeding that 10 megs that we had initially so very important aspect of the reliability as well as well so Shree am I out of time or yeah you actually do real live link aggregation that actually works that's one way to put it yes well and that's packet-based it's on a per packet basis yes and and as you can see this is very light way to install right so there's very little I did I did everything right so there is still a portion of the demo where we can go into the Diagnostics as well as the multi-tenancy of the portal but I think we're sort of like running behind on schedule so if that's still in first and come and find me later on I'll be happy to show you that great any motor or more questions one question just in in more back to the policy right and so application definition and and those types of things like what what type of granularity do you have is it just based off of ports well-known applications or are they already defined or what does that look like sure so you actually have a lot of flexibility here so if we go into the business policy for a moment or let's do maybe a firewall rule the way you define these applications could be either by source you can define VLANs IP addresses port there you can do it by destination where you get the same routine of controls that you can plug in but you can obviously also do it by application and we do support sub application in there as well so far on a block Skype traffic that is something that you can do if you want to block Skype chat traffic in there that's also something that you can do as well you crack SSL no that should be very bad thing if we could do that I mean but can you do SSL intercept we do we look at the SSL certs to classify applications yes so we were not in the SSL to get to no no we're not yeah okay we don't know something else too oh yes absolutely you step in the negotiation process you can figure out who the server actually you 
can you can service chain anyway no device that does SSL interception here that makes sense so to be clear on your speed test example your traffic the Gateway to the Internet even though these are internet circuits we think your gateway to the Internet is through a VeloCloud gateway somewhere right right so that's the reason our aggregation works because it's going up to a central point that has big fat internet exactly tivity yeah so that's in the cloud somewhere dad seen that magic Claudius so yeah absolutely I mean who's paying for that because it's a service right who's paying for that bandwidth to the Internet's so I'm paying for access to the Internet from my site but everything's getting tunneled to a gateway and then the gateway connects back to the Internet is that just part of the service that's a part of it so that's why it's capacity based because the capacity I add the more you have to provide through your gateways correct okay I'm very slow but I get there eventually well this was where I was going was you have internet links loool theory could give you direct access out but you'd lose that aggregation it's this the class it's the split VPN thing right some goes tunneled some just go straight out so in that tonight so I can create a profile that says some stuff can go straight out to the Internet yes other stuff or in this case everything gets here so I'm into the gateway into our corporate so if you look at this this policy over here let me just switch over here as you're ahead of us today I like this so if we will look at a business policy and we have this backhaul policy over here so we can actually click on that and you can see like it's either going home at eclis out or pick your specific link yes so you have that control as well but by default everything automatically connected right so your trees in that case either to push it to a gateway or yeah so one of the links or specifically if you really want yeah so for example social media it's 
not something that we want to push through the Gateway like if that glitches for a moment not really any harm so by default it's going to go out to the internet directly but of course you can change
Info
Channel: Tech Field Day
Views: 25,726
Keywords: Tech Field Day, Networking Field Day, Networking Field Day 9, NFD9, VeloCloud, software defined WAN, SD-WAN, software defined networking
Id: v4X1rmhQRA4
Length: 44min 54sec (2694 seconds)
Published: Wed Feb 11 2015