VMware SD-WAN e02: VeloCloud Core Components

Captions
Hello everyone, thank you for joining me on another lesson about VMware SD-WAN. For those of you who haven't caught up with my first episode, I described the shift in wide area networks from the traditional way of doing things, that is by using private lines and backhauling all the traffic back to your own data center and potentially breaking out to the Internet, to a brand new way of seeing things, and we discussed how traditional networks are not really optimized for cloud-based applications and also cannot cope with the increased traffic coming in from the branch. Remember, your guests want access, your employees might be using their own devices, you might be using bandwidth-hungry applications yourself, and last but not least you now have IoT coming up. So today I'm going to discuss on a high level each of the three SD-WAN components of VMware and then I'm going to follow up with more details in later sections.

So I drew up a map of a network. We have a couple of branches here on the left-hand side, we also have a data center or headquarters on the right-hand side, and we connect everything with the Internet. But again, please don't take this as the only way things work, right; as you can see we don't really have much resilience, we don't have private circuits here, it's just an easy example to show you how each component relates.

So we start with the easiest step and that is what we call the edge; you'll also see it commonly referred to as VMware SD-WAN Edge, VCE. Now the edges are the ones that connect your local area network, your trusted part, with the wide area network, whatever that is: the public Internet presented as either broadband or an LTE circuit, or private links. Again it doesn't really matter, as SD-WAN is a technology that is transport agnostic. Now the easiest way to visualize the edge is as a box itself, like at home, right: you get private addresses downstream, you might have maybe three switches, internal routers, doesn't really matter, and then all the traffic potentially gets NATed and pushed towards the Internet. Now on the data center side we also need an edge. Now I'll do this behind the firewall, because when we're deploying edges as hubs the best way of doing this is behind the main site firewall as a VPN concentrator. Again, I didn't take into consideration any resiliency that you might put here, any active-standby or clustering; we will be discussing this in further lessons.

The edge does come in a box format, from small desktop sizes all the way to one rack unit pizza boxes, but it can also come virtualized. So if you're interested in running a uCPE type of scenario, in which you use VMware SD-WAN as the way to connect the offices but then you service chain different things such as, for example, next-generation security, you can do that. So the solution has the flexibility to offer the edge in both physical hardware and just software form. I also want to note that some of the hardware edges we do have support security via NFV, so then you can service chain it with things such as Armando, Check Point or Fortinet virtual images, and this is to secure the edge, right. Think about this: back in the old days we used to take all the traffic from the branches into a private link all the way to the data center, and then we used this firewall to make sure nothing can come in and compromise our local area. Now, because we're introducing direct Internet access, we want to make sure that, you know, the Internet-bound traffic can go out as fast as you can, as optimally as you can; each of those branches becomes a security risk. So we can integrate with things such as, again, the VNFs; we can potentially push traffic to cloud firewalls such as Zscaler, and we also have native firewall capabilities built into the box. Again, more details in a next session.

So we covered the data plane aspect, right: the edges themselves will connect, we create tunnels, and then based on these tunnels we can start forwarding traffic. Now, what actually allows you to manage all these edges? Remember, back in the old days we used to manage it one by one via CLI; that was not really effective in bringing a branch up or pushing your settings. With SD-WAN we're going to a centralized way of managing things, and this is done via the VeloCloud Orchestrator. The orchestrator in itself is hosted primarily by us, so we patch it, we push the security features, there's nothing for you to worry about. Some service providers or some enterprises that are really security focused can potentially host this on-premise; again, it comes with a few disadvantages, because if you host it on-premise you have to have the skills to patch it, troubleshoot it, and so my recommendation is always, always go with the cloud option if possible. Now the orchestrator has a simple UI in which you can provision all these boxes even before you send them to site and then gather information from them. So once the edge gets activated it will then build a TLS tunnel with the orchestrator, it will authenticate itself, and then through this tunnel it will pull configuration and also it will push information and alarms. Now for those of you who want to take this information further, you can integrate this into your existing OSS/BSS systems, because the orchestrator itself does export things such as syslog, SNMP and even APIs. It's very easy to provision things from a UI; however, with the API you can actually script this and push changes even faster, really, really useful for deployments that need to be sped up, and obviously our service providers and partners should do this en masse.

So far so good: we have the edges for the data plane, we have the orchestrator for the management plane. Let's talk about the control plane, what allows these edges to exchange routes, and this is something that is unique to VeloCloud, and for me, being familiar with other ways of doing SD-WAN, it was a bit confusing at first. However, VeloCloud has this concept of gateways. Now these gateways are things that VMware hosts themselves; there are about, if not more than, a thousand of them spread around the world, in all the big points of presence, mostly hosted in AWS, and the idea of this gateway is to allow the edges to redistribute routes between them, very similar to a BGP route reflector. Now when a gateway is acting as a distributor and allows the edges to spread control information we also call it the controller, and that is that each edge will have a primary and a secondary gateway that it will always talk to. Again, more details in a further session regarding gateways.

Now this is where things become even more interesting, because the gateways themselves can also have a function in the data plane, and the idea is simple. Let's say I do not use the hub to send traffic between my branches. Now let's see, my branches might be in Latin America, my hub might be in Europe, so it's a bit bad if I have to send the traffic all the way there to come back. In this case I can actually use a gateway in region. The gateway is again set up automatically when the edge comes up, so there's no manual configuration you have to do, and the gateway itself will act as a hub for that particular traffic. Secondly, with the gateway you can then start doing the cloud on-ramp. Most SD-WAN solutions don't really have a great answer; they might track things such as latency, for example, with some sort of an IP SLA and make a routing decision based on that. This product takes a step forward: each edge will then build a secure tunnel (this is proprietary to VeloCloud, but it's secured by IPsec and kind of the latest security standards), and then we use these tunnels, because each branch may have multiple transports, thus multiple tunnels, to then take a decision: I have two tunnels coming out going to the cloud gateway, which is my next hop for Office 365 in this particular region; which of the tunnels can allow Office 365 to run as smoothly as possible? Again, if neither of the tunnels works well, we can then use techniques such as forward error correction and jitter buffer in order to help.

Just to recap: I have drawn each piece and also shown how they securely connect to one another, because again, for most of these things we are actually using the Internet as a transport, so it's really important to understand how we secure that communication, right. So yeah, we have the orchestrator as the management system; it is multi-tenant, it is hosted by VMware in secure data centers. We can have the edges at each site in a physical or virtual form, and then we have these gateways, which have the primary role of a controller for distributing routes between the edges, but then we also have a data plane role where they push traffic to things such as software as a service or to third-party IPsec VPNs with, let's call them, legacy sites. So as you can see here, the management is encrypted with TLS 1.2 over TCP 443, and the data itself uses VCMP, encrypted with IPsec over UDP 2426. Now this VCMP stands for VeloCloud MultiPath Protocol, and it's where the secret sauce lies, but I'm going to get into more details in a further session. Thank you for watching.
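As an added defender's check that is not from the video or from VMware: the two channels the recap names (management to the Orchestrator over TCP 443 with TLS, VCMP data to gateways and hub edges over UDP 2426 with IPsec) give a branch firewall team an allowlist to audit flow records against. The addresses, the peer inventory and the flow-record format below are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory for one branch (assumed addresses, not real ones).
EDGE_WAN_IP = "203.0.113.10"
ORCHESTRATOR_IPS = {"198.51.100.5"}                 # hypothetical Orchestrator address
VCMP_PEERS = {"198.51.100.20", "198.51.100.21",     # primary and secondary gateway
              "203.0.113.50"}                       # hub edge at the data center

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow: Flow) -> str:
    """Label an edge-originated flow against the two channels from the talk."""
    if flow.src != EDGE_WAN_IP:
        return "not-edge"
    if flow.proto == "tcp" and flow.dport == 443 and flow.dst in ORCHESTRATOR_IPS:
        return "management-tls"          # TLS 1.2 to the Orchestrator
    if flow.proto == "udp" and flow.dport == 2426 and flow.dst in VCMP_PEERS:
        return "vcmp-data"               # IPsec-protected VCMP to a known peer
    if flow.proto == "udp" and flow.dport == 2426:
        return "vcmp-unknown-peer"       # VCMP toward a peer not in inventory
    return "unexpected"                  # anything else leaving the edge WAN side

def audit(lines):
    """Return (flow, label) pairs for flows that are not an expected channel."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        label = classify(flow)
        if label in ("vcmp-unknown-peer", "unexpected"):
            findings.append((flow, label))
    return findings

# Constructed sample records: src dst proto dport
SAMPLE_LOG = """203.0.113.10 198.51.100.5 tcp 443
203.0.113.10 198.51.100.20 udp 2426
203.0.113.10 192.0.2.77 udp 2426
203.0.113.10 192.0.2.9 tcp 23
10.1.1.25 198.51.100.5 tcp 443""".splitlines()
```

Running audit(SAMPLE_LOG) flags the UDP 2426 flow to the unknown peer and the telnet flow leaving the edge; the Orchestrator and known-gateway flows pass, and the LAN host's flow is ignored as not edge-originated.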
Info
Channel: Dimitrie Sandu
Views: 3,258
Rating: 5 out of 5
Id: qzCwIvbeTjg
Length: 13min 49sec (829 seconds)
Published: Mon Mar 09 2020