[Figure: SD-WAN E2E security overview. Enterprise with Branch 1, Branch 2 and HQ (each with a CPE and a LAN/Campus Network) in Country X, connected over MPLS/Internet to a Cloud DC in China; the SD-WAN Controller is reached over the Internet.]
E2E VPN security
- IPSec VPN between sites: IKEv2 + AES-256 encryption
- SSH/SSL for the controller channels over the Internet
Powerful NG (Next Generation) FW on the CPE: ACL, URL filter, IPS, File filter, DDoS, Anti-Virus, ...
We can provide more security functions according to customer requirements.
[Figure: SD-WAN scenarios. (a) Operator control domain: Enterprise Y with HQ/DC and Site2 over MPLS, Cloud DC over the Internet. (b) Hub-Spoke: HQ/DC as hub for the branches. (c) Unified POP for vDC/vPC in global internet mode: branches reach a VPC through the Internet. (d) Layered HQ: hub, sub hubs and POP. (e) LAN-side CPE deployment options numbered 1-7: CPE direct to L2 LSW; CPE direct to L3 LSW; dual CPEs with VRRP; dynamic routing between CPE and LSW; static routing between CPE and LSW; vCPE in the Enterprise DC. (f) Dual uplink: MPLS and Internet through PE routers, plus LTE.]
1. CPE supports multi-type WAN interfaces
   Type A-1: FE*2 (WAN), GE*4 (LAN), LTE, WiFi
   Type A-2: GE*1 (WAN), GE*4 (LAN), LTE, WiFi
   Type B: GE*2 (WAN), GE*4 (LAN), GE*4 (LAN, option), WiFi
2. CPE supports F/W
   F/W (ACL, packet filter, ASPF), IPS, URL filter
3. CPE supports deploying NFV in the future
   CPE includes an X86 module
   3rd-party applications can be deployed
4. CPE cost is very important

1. SD-WAN solution can identify apps
2. SD-WAN solution can display traffic by tenant
   Traffic of each application
   Traffic of each link
   Traffic of each site
   Traffic proportion of applications
3. SD-WAN solution can display quality by tenant
   Latency, loss and jitter per application
   Latency, loss and jitter per link
1. SD-WAN solution can set QoS priority of apps
2. SD-WAN solution can ensure QoS of apps according to QoS priority within a link, for example:
   When the bandwidth of the guaranteed MPLS link is not enough, low-priority apps will be dropped or rate-limited
3. SD-WAN solution can control which apps access the WAN
   SD-WAN solution provides F/W functions, for example ACL and URL filter
   A branch can be blocked from YouTube and Facebook by ACL or URL filter

1. SD-WAN solution can set the path policy of apps according to QoS priority, for example:
   High-priority apps are carried on the guaranteed link
   Low-priority apps are carried on the broadband link
2. SD-WAN solution can ensure QoS of apps according to the quality of the link, or of the apps, across different links, for example:
   When the quality of the broadband link is bad, apps will be switched over to the guaranteed MPLS link according to policy
[Figure: Huawei SD-WAN solution. Branch 1 and Branch 2 CPEs, CPE hubs at HQ and DC, Enterprise 2, vCPE1 and vCPE2 on the MPLS side, Agile Controller and Log server. Highlights: easy to evolve in the future; supports SD-LAN; supports VNF.]
[Figure: management channels between the Agile Controller and the CPEs, numbered ① to ⑥.]
① SSH: transport for Netconf and CLI
② SSL (TLS): transport for Http2.0 and Syslog
③ Netconf (Yang): SD-WAN configuration and alarm information collection
④ Http2.0 (ProtoBuffer): collection of quality and traffic information of links and applications
⑤ CLI: traditional or special configuration of the CPE
⑥ Syslog: system log and operation log of the CPE
Architecture is simple
[Figure: Agile Controller with SD-WAN portal (Portal; Equipment Mgt, VPN Mgt, Monitor, Path Control, Security Policy, VNF-M) managing CPE/vCPE at Site #1, Site #2, Site #3 and HQ/DC over MPLS and Internet. Netconf + Yang model carries configuration, Http2.0 + Protobuf carries telemetry. AR1000v serves as vCPE for Internet VAS.]
Deployment is simple
- CPE ZTD
- Supports large-scale rapid deployment
Easy to evolve in the future
- Supports SD-LAN
- Supports VNF
Scenario 1: Carrier provides L2 MPLS to the enterprise. Scenario 2: Carrier provides L3 MPLS to the enterprise. Scenario 3: Only Internet.
ZTD steps:
1. CPE acquires its MPLS IP
2. CPE acquires its public Internet IP (AC information is delivered by DHCP or by email)
3. CPE registers on the AC
4. AC sends the PPPoE configuration file to the CPE
5. AC sends configurations/policies, including IPsec tunnel information, to the CPE
6. Overlay VPN is built on the MPLS/Internet links
After step 6, the internal network of the enterprise is fully connected with security.
ZTD by URL (email): Step 3: click the URL, log in to the web portal of the CPE, configure the CPE, then click Active. If DHCP is chosen, the process is the same as ZTD by DHCP; the differences are:
- The DHCP server is not pre-configured; the AC IP address is carried by the URL
- The AC is not pre-configured; the PPPoE account and password are configured in the CPE web portal
Since the URL carries the AC address that the CPE will register with, the channel that delivers it is part of the device's trust bootstrap.
[Figure: enterprise Branch1, Branch2 and Branch3 CPEs connected over MPLS/Internet and LTE, with an Overlay VPN on top.]
Highlights
- Rich routing protocols supported: static routing, RIP, OSPF, IS-IS, BGP
- Rich VPN types supported: GRE, IPSec, VxLAN, DSVPN
- Support DSVPN/IPSec
Agenda
SD-WAN/CloudVPN Overview
SD-WAN Scenarios and Requirements
Huawei SD-WAN Solution
SD-WAN Architecture
ZTD (Zero Touch Deployment)
Traffic Monitoring and Path Control
Routing in Mixed Scenarios
HA (High Availability), Security and WAN Acceleration
SD-WAN CPE Maintenance
To use SD-WAN System by Web Portal
Annex: Huawei SD-WAN Portal Introduction
AR DPI Architecture
Huawei's DPI technology is named SA (Service Awareness).
[Figure: inside the AR, IP-Forward, the SA Engine with its SDB*, and the Flow Table; App Traffic Monitor, App Path Control and App QoS consume the application ID carried by the flow. Arrows 1-5 correspond to the steps below.]
① IP-Forward receives a traffic flow and looks up the application ID in the Flow Table by 5-tuple.
   If an application ID is found, IP-Forward forwards the flow with that application ID directly (go to step ⑤).
   If no application ID is found, go to step ②.
② IP-Forward hands the flow to SA.
③ The SA Engine identifies the application or protocol according to the SDB, generates the application ID, and returns the flow to IP-Forward.
④ IP-Forward records the application ID together with the 5-tuple in the Flow Table.
⑤ IP-Forward forwards the flow with the application ID; services (monitoring, path control, QoS) are handled based on that ID.
*SDB: Signature DB. The SDB records the signatures of protocols and applications.
The Flow Table records the identified application (application ID) per 5-tuple. The aging time of the Flow Table is 60 s.
[Figure: application catalog of the SDB, 1600+ applications. Top-level groups: 1 Electronic Business, 2 Media Sharing, 3 File Sharing, 4 Network Infrastructure, 5 General. Categories include Business Systems, Enterprise Application, Finance, Utility, Cloud Service, Email, FileShare_P2P, IM_File_Transfer, Network_Storage, Game, Web_Browsing, IM, Encrypted_Tunnel, PeerCasting, Entertainment, Social Networking, VoIP, Web Video, Proxy, IP Protocol, Network Admin, General Internet, General_UDP, General_TCP, Other.]
For example, BitTorrent:
[Figure: download users Peter and Alex and a resource publisher. 1-2: control flows; 3: resource download; 4: resource exchange (data flow 2).]
① Identify the control flow by the signature-based method; get the resource publisher's IP and port and cache them.
② If a data flow's destination IP and port match the cached entry, the flow is considered BitTorrent. This is called "association identification".
[Figure: Facebook client connecting to IP 23.173.52.88. 1: L7 identification gives HTTPS. 2: L7+ identification gives Facebook.]
The CPE analyses the ClientHello or ServerHello of HTTPS/SSL; if they carry SNI (the server_name extension, which the client sends in the ClientHello), the CPE can identify the application behind the encrypted session. A session without SNI stays at the L7 result (HTTPS).
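An added example (my own Python, not Huawei code and not part of the original deck) of the SNI step above: build a constructed TLS ClientHello carrying a server_name extension and extract the host name the way a DPI engine would, returning None for anything it cannot use (a non-handshake record, a ClientHello without extensions or without SNI, or truncated input). The builder, constants and function names are assumptions of this example; the byte layout follows the TLS handshake (RFC 5246) and the server_name extension (RFC 6066).

```python
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # server_name extension type (RFC 6066)


def build_client_hello(host=None):
    """Constructed sample input: a minimal ClientHello, with an SNI extension if host is given."""
    body = (b"\x03\x03" + bytes(32)     # client_version, random (zeros, sample only)
            + b"\x00"                   # session_id length 0
            + b"\x00\x02\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00")              # one compression method (null)
    if host is not None:
        name = host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None.

    Every length field is bounds-checked by slicing; a short slice makes
    struct.unpack or indexing fail, which is reported as "no SNI" rather
    than as a crash of the inspection engine.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        if p >= len(hs):
            return None                                  # ClientHello without extensions
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                q = p + 2                                # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if q + nlen > len(hs):
                        return None                      # name runs past the record
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii")
                    q += nlen
                return None
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
```

The classifier only ever sees the first flight of the handshake, so the SNI value is unauthenticated client input: it is a hint for application naming and policy, not proof of where the session actually goes.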
[Figure: identification methods (Browse-based, Client-server, Networking, Peer-to-peer) and sample applications, 136 items shown: AppleMap, NS_Namipan_Common, eBay, AdobeFlashPlayer, Facebook, STUN, google, ICY, Google_Docs, RTMP, Sky_Now_TV, Itunes, Twitter, TaoBao, Yahoo_Common, HTTP_Proxy, Youtube, Unassigned, ...]
[Figure: AR control plane and forward plane.]
Control plane:
1. Configure the policy with the application name.
2. The policy configuration is resolved against the SDB application description: Key1 Application Catalog, Key2 Application Name, Key3 Application ID.
3. The AR creates the policy table according to the policy configuration.
Forward plane:
The policy table is keyed by Application ID (Key1) and maps to the policy. Every flow carries its application ID, so application traffic is matched to policy by ID alone.
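An added example (my own Python, not Huawei's SA implementation) that ties together the AR DPI steps above: the Flow Table lookup by 5-tuple with 60 s aging, the signature lookup in the SDB, the BitTorrent association identification, and the control-plane resolution of an application name to an ID that feeds the ID-keyed policy table of the forward plane. The SDB contents, application IDs, class and function names are constructed for this example; a real SDB holds far richer patterns than a payload prefix.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 60           # Flow Table aging time stated on the slide
UNASSIGNED = 0               # application ID used when nothing matches

# Constructed SDB: application ID -> (catalog, name, payload signature)
SDB = {
    101: ("File Sharing", "BitTorrent", b"\x13BitTorrent protocol"),
    102: ("Web_Browsing", "HTTP", b"GET "),
    103: ("Network Admin", "SSH", b"SSH-"),
}
BITTORRENT_ID = 101


def five_tuple(src_ip, dst_ip, proto, sport, dport):
    return (src_ip, dst_ip, proto, sport, dport)


@dataclass
class SAEngine:
    sdb: dict
    flow_table: dict = field(default_factory=dict)    # 5-tuple -> [app_id, last_seen]
    assoc: dict = field(default_factory=dict)         # (dst_ip, dst_port) -> app_id
    policy_table: dict = field(default_factory=dict)  # forward plane: app_id -> action

    def configure_policy(self, app_name, action):
        """Control plane: policy is written by application name, stored by application ID."""
        for app_id, (_, name, _) in self.sdb.items():
            if name == app_name:
                self.policy_table[app_id] = action
                return app_id
        raise KeyError(f"unknown application {app_name!r}")

    def _identify(self, key, payload):
        """Steps 2-3: signature match first, then association identification."""
        for app_id, (_, _, sig) in self.sdb.items():
            if payload.startswith(sig):
                if app_id == BITTORRENT_ID:
                    # control flow seen: cache the resource publisher's IP and port
                    self.assoc[(key[1], key[4])] = app_id
                return app_id
        # no signature: a data flow towards a cached peer is classified by association
        return self.assoc.get((key[1], key[4]), UNASSIGNED)

    def _age(self, now):
        expired = [k for k, (_, seen) in self.flow_table.items() if now - seen > AGING_SECONDS]
        for k in expired:
            del self.flow_table[k]

    def forward(self, key, payload, now):
        """Steps 1, 4, 5: Flow Table hit, else identify and record; return (app_id, action)."""
        self._age(now)
        entry = self.flow_table.get(key)
        if entry is None:
            entry = [self._identify(key, payload), now]
            self.flow_table[key] = entry
        entry[1] = now                                # refresh the aging timer per packet
        app_id = entry[0]
        return app_id, self.policy_table.get(app_id, "permit")
```

Two properties worth noticing: once a flow is in the table no further payload is inspected until the entry ages out, and the association cache classifies by destination alone, so a cached (IP, port) that is reused by another service will be mislabelled until the cache is refreshed.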
CPE Application Quality Monitor
- ART/IP FPM is used: latency, loss and jitter per application; quick detection (about 1 s) with accurate data; no impact on service
- Mass applications: about 1600+
- Information is reported to the Agile Controller by HTTP2.0 with Protobuffer: good performance for big networks; no SNMP
- The Agile Controller can provide integrated quality indexes: MOS of voice, VMOS of video, AQM of application, LQM of link
NQA: Network Quality Analysis. IP FPM: IP Flow Performance Measurement Framework.
[Figure: Agile Controller; NQA server on the HQ CPE; NQA clients on the Branch 1 and Branch 2 CPEs exchanging NQA packets.]
Source CPE A periodically sends an NQA packet (150 bytes) carrying timestamps (TA1/TB1) to destination CPE B.
Destination CPE B receives the NQA packet and returns it with timestamps (TA2/TB2) to source CPE A.
Source CPE A calculates:
- Latency: TA2-TA1, TB2-TB1
- Jitter: (TA2-TA1)-(TB2-TB1)
- Loss ratio
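An added worked example (my own code, not Huawei's NQA implementation) of the two-way measurement above. The slide's timestamp notation is compressed, so the reading used here is an assumption: TA1 is A's send time, TB1 B's receive time, TB2 B's send time and TA2 A's receive time, per probe. Under that reading (TA2-TA1)-(TB2-TB1) is the round trip with B's residence time removed, which needs no clock synchronisation between the two CPEs, whereas the one-way values TB1-TA1 and TA2-TB2 are only meaningful with synchronised clocks. Jitter is computed as the mean absolute change between consecutive round-trip samples, and a probe with no reply within a timeout counts as lost; both choices are mine, as is the sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    """One NQA packet exchange; A's timestamps are on A's clock, B's on B's clock."""
    seq: int
    ta1: float                   # A sends the probe
    tb1: Optional[float] = None  # B receives it
    tb2: Optional[float] = None  # B sends the reply
    ta2: Optional[float] = None  # A receives the reply (None = no reply)

    def round_trip(self):
        # B's clock offset appears in both tb1 and tb2, so it cancels out.
        return (self.ta2 - self.ta1) - (self.tb2 - self.tb1)

    def one_way(self, clocks_synced):
        """(forward, return) one-way delay; undefined unless A and B share a clock."""
        if not clocks_synced:
            return None
        return self.tb1 - self.ta1, self.ta2 - self.tb2


def make_probe(seq, ta1, fwd, residence, back, b_clock_offset):
    """Constructed sample: known path delays, B's clock running ahead of A's."""
    tb1 = ta1 + fwd + b_clock_offset
    tb2 = tb1 + residence
    ta2 = ta1 + fwd + residence + back
    return Probe(seq, ta1, tb1, tb2, ta2)


def summarize(probes, reply_timeout=2.0):
    """Loss ratio, mean round-trip latency and jitter (ms) over one measurement period."""
    answered = [p for p in probes if p.ta2 is not None and p.ta2 - p.ta1 <= reply_timeout]
    rtts = [p.round_trip() for p in answered]
    lost = len(probes) - len(answered)
    if len(rtts) > 1:
        jitter = sum(abs(b - a) for a, b in zip(rtts, rtts[1:])) / (len(rtts) - 1)
    else:
        jitter = 0.0
    return {
        "sent": len(probes),
        "lost": lost,
        "loss_ratio": lost / len(probes) if probes else 0.0,
        "latency_ms": sum(rtts) / len(rtts) * 1000 if rtts else None,
        "jitter_ms": jitter * 1000,
    }


def sample_period():
    """Constructed period: five probes one second apart, probe 3 never answered."""
    offset = 100.0   # B's clock is 100 s ahead of A's; the RTT must not see it
    return [
        make_probe(1, 1.0, 0.020, 0.001, 0.020, offset),
        make_probe(2, 2.0, 0.025, 0.001, 0.025, offset),
        Probe(3, 3.0),
        make_probe(4, 4.0, 0.020, 0.001, 0.025, offset),
        make_probe(5, 5.0, 0.030, 0.001, 0.020, offset),
    ]
```

The timestamps ride in the probe unauthenticated, so an on-path party that can rewrite TB1/TB2 can make a bad link look good to the controller; path control based on these numbers should only trust probes carried inside the IPsec tunnel.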
[Figure: Agile Controller receiving statistics over Http2.0 (ProtoBuffer) from CPE (HQ), CPE (Branch 1) and CPE (Branch 2), each running DPI + Netstream; a Facebook flow is shown as an example.]
1. Netstream supports 1:1 flow sampling.
2. Netstream is similar to Netflow, C-flow and J-flow.
- DPI can identify 1600+ applications
- 1:1 flow sampling gives complete flow information and improves traffic accuracy
- No additional hardware
[Figure: Spoke1 / Site1 192.168.1.0/24 with VoIP, Video and Email flows over an Internet link and an MPLS link, managed by the Agile Controller.]
- Internet link: packet loss >10% or latency >300 ms triggers a switchover; the application switches link within 1 s
- When the Internet link quality is restored, the application switches back to the Internet link
- When the bandwidth of MPLS is not enough, applications will be QoS controlled: CAR, shaping, scheduling
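An added example (my code, not the Agile Controller's path-control logic) of the switchover rule above, using the slide's thresholds for the Internet link. The part the slide does not address is flapping: a link hovering around 10% loss would be switched back and forth on every sample, so the example requires a run of consecutive good samples (a hold-down, my assumption) before an application returns to the Internet link. The class and function names and the sample series are constructed for this example.

```python
LOSS_MAX = 0.10          # Internet link: packet loss > 10% is bad (slide threshold)
LATENCY_MAX_MS = 300.0   # Internet link: latency > 300 ms is bad (slide threshold)


def link_is_bad(loss_ratio, latency_ms):
    """Quality test applied to each measurement sample of the Internet link."""
    return loss_ratio > LOSS_MAX or latency_ms > LATENCY_MAX_MS


class PathSelector:
    """Per-application path state: prefer the Internet link, fall back to MPLS."""

    def __init__(self, preferred="internet", fallback="mpls", hold_down_samples=3):
        self.preferred = preferred
        self.fallback = fallback
        # good samples required before switching back (assumption: avoids flapping)
        self.hold_down_samples = hold_down_samples
        self.active = preferred
        self.good_streak = 0

    def update(self, loss_ratio, latency_ms):
        """Feed one quality sample of the preferred link; return the link now in use."""
        bad = link_is_bad(loss_ratio, latency_ms)
        if self.active == self.preferred:
            if bad:                          # immediate switchover, as on the slide
                self.active = self.fallback
                self.good_streak = 0
        elif bad:
            self.good_streak = 0             # still degraded: stay on MPLS, restart the count
        else:
            self.good_streak += 1
            if self.good_streak >= self.hold_down_samples:
                self.active = self.preferred
                self.good_streak = 0
        return self.active


def run(samples, hold_down_samples=3):
    """Replay (loss_ratio, latency_ms) samples; return the link chosen after each one."""
    sel = PathSelector(hold_down_samples=hold_down_samples)
    return [sel.update(loss, lat) for loss, lat in samples]


# Constructed series: healthy, lossy, brief recovery, high latency, sustained recovery.
SAMPLES = [(0.00, 40), (0.15, 45), (0.02, 50), (0.01, 350), (0.00, 60), (0.00, 55), (0.00, 50)]
```

With the hold-down at 1 the same series switches four times; with 3 consecutive good samples it switches twice. The cost of the hold-down is a few extra seconds on the guaranteed link, which is usually the better trade for voice and video than a session that bounces between two paths with different latency.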
[Figure: Cloud DC (AWS, Microsoft Azure, Office 365, vCloud Air, White Cloud) behind an SD-WAN hub with a VRF; Internet; PE; HQ; sites 168.10.10.1, 168.10.11.1 and 168.10.12.1. Site and site are directly interconnected.]
SD-WAN and Traditional Coexist
T-CPE: Traditional CPE. S-CPE: SD-WAN CPE.
- If all CPEs run BGP with each other, the number of BGP peers will be very big.
- If underlay and overlay are not decoupled, when an S-CPE and a T-CPE interconnect, the S-CPE is used as a T-CPE; the AC cannot configure the T-CPE (underlay network) or the underlay network of the S-CPE; a change of the S-CPE or of the T-CPE affects the other.
- If underlay and overlay are decoupled, the network topology is very simple, and a change of the S-CPE or of the T-CPE does not affect the other.
[Figure: Hub or HQ 168.10.10.0/24; Branch 1 172.10.10.0/24 behind a Traditional CPE; Branch 2 168.10.11.0/24; SD-WAN CPEs each with VRF0 (default) and VRF1; Overlay VPN between the VRF0 instances; a red path and a blue path.]
① Create a VRF in each SD-WAN CPE: VRF0 (default) for the overlay network, VRF1 for the underlay network.
② Configure a static IP policy between VRF0 and VRF1 in the SD-WAN CPE. If no static IP policy is configured between VRF0 and VRF1 in the branch's SD-WAN CPE, traffic takes the red path in the figure; otherwise the blue path.
- The local LAN IP of the SD-WAN CPE is only published into VRF0.
- VRF1 receives the LAN IP of the traditional CPE (site).
- Route-policy or filter-policy is supported to filter the routes received and advertised between the underlay and overlay networks.
Transit GW
[Figure: Hub or HQ 168.10.10.0/24 with a CPE acting as transit GW; Branch 1 172.10.10.0/24 behind a Traditional CPE; Branch 2 168.10.11.0/24 behind an SD-WAN CPE.]
① Include a CPE as transit GW in the Hub or HQ.
The AC can automatically configure dynamic routing protocols between the transit GW and the SD-WAN CPE, the same as configuring the LAN scenario.
HA
[Figure: enterprise switch, MPLS (Guarantee) link, MPLS/Internet (Best Effort) link, AC clusters.]
- AC clusters: if an AC fails, the WAN network is not affected.
Security
[Figure: HQ, Branch 1 and Branch 2 CPEs with FW over the Internet.]
- FW: security domains (ACL), packet filtering firewall, application specific packet filter (ASPF)
- IPS: attack detection with 1200+ signature databases, 90%+ detection rate with low false positives; online database upgrade
- URL filter: accuracy 96%; 130+ fine-grained pre-defined categories
- VM of Eudemon1000E-V on the CPE's X86 module: router, Anti-DDoS, IPS, URL filter and IPSec VPN on a KVM hypervisor
WAN acceleration
[Figure: AR + WAN acceleration: SAE220 at Branch 1 and Branch 2, SAE550 at HQ, across the WAN.]
Upgrade & Patch
[Figure: Carrier Manager, Agile Controller, File server and CPEs over MPLS.]
1. The Carrier Manager defines the upgrade & patch policy.
2. The version or patch files are prepared on the file server.
3. The Agile Controller launches upgrade & patch instructions to the CPEs.
4. The CPE obtains the software package/patch files from the file server.
- The AC supports batch upgrade of CPEs: zero touch for upgrading and patching CPEs.
- Rebooting a CPE takes about 3 minutes; while the CPE is being auto-rebooted, service is interrupted. It is better to upgrade CPEs at midnight.
Workflow:
1. Choose the CPE or CPE group for upgrading or patching.
2. Choose the upgrade file and version, or the patch file and version.
3. Download the file and reboot the CPE.
4. On failure, remote processing according to the guide, or remote reboot of the CPE.
5. If that fails, the vendor or SIer executes ZTD service processing.
Policy Management (please see the Web Portal demo)
- Device
- Site
- Application category
- QoS Policy
- Traffic Shaping
- Bandwidth (MB)
- Security policy
Demo topology (two CPEs connected by two MPLS links, a VPN tunnel over each):

                     CPE 1            CPE 2
LAN                  192.168.1.0/24   192.168.0.0/24
LAN gateway          192.168.1.1      192.168.0.1
GE1/0/0 (MPLS(B))    10.168.1.10      10.168.1.11
VPN tunnel           172.168.1.10     172.168.1.11
GE1/0/1 (MPLS(G))    10.128.1.10      10.128.1.11
VPN tunnel           172.128.1.10     172.128.1.11