VeloCloud Feature Overview & Testing
The purpose of this lab is to understand the NSX SD-WAN by VeloCloud product feature set, using the NSX SD-WAN Orchestrator. When a user logs in to the Orchestrator, every branch where an Edge is installed is shown together with its device status. It also shows the number of links each device is connected to and the state of each link.
To get a better understanding of where all the Edges are located, click on the following:
Click on the map and zoom into the US | CA | San Jose
Let’s look at an individual location and see what detail is provided by the SD-WAN solution:
Click to select the ‘Chennai BO’ edge
You will see the following window. It shows the total number of links, which is populated automatically as soon as the Edge is activated. The Edge discovers the service provider and the bandwidth of each link, as well as the physical port on the Edge device that the link is connected to.
Here you can also see the performance of each link: its latency, jitter and packet loss behavior. Click on the Link Status detail icon to explore real-time link statistics.
This helps in understanding what the links are capable of transporting and what impact these conditions have on applications.
Another way to determine link quality is to look at the Quality of Experience (QoE) rating.
- Click on the QoE tab
The screen shows the VeloCloud Quality Score (VQS) for each of the links, rating them on a scale from 0 through 10 on how well they can carry a certain type of traffic (Voice by default).
It shows the score before SD-WAN services are applied as well as the quality observed by end users after SD-WAN services were applied.
The VeloCloud solution can enable packet duplication across all available links to mitigate the effects of packet loss. In addition, a de-jitter buffering feature normalizes the effects of jitter on VoIP calls.
The steering and mitigation techniques discussed above are enabled dynamically on a per-application basis. Flows are steered on a per-packet basis, which preserves sessions while protecting the quality of the session for end users.
Let’s select another Traffic Type and see how the quality rating changes for an application that is more sensitive to network impairments.
- Click on the Traffic Type
- Click to select Video
Let’s look at transport visibility, where administrators can better understand the utilization of the individual links.
Click on the Transport tab
An administrator can place an Edge in live mode, in which it streams real-time updates to the Orchestrator. This is a valuable tool for troubleshooting and for identifying network utilization patterns.
- Click the ‘Start Live Monitoring’ button to get real time (per second) updates on link utilization
- Click to select the ‘Show TCP/UDP Details’ to explore utilization of individual links as well as protocols
- Click on the metric drop down | ‘Average Throughput’
- Click on the ‘Stop Live Monitoring’ to suspend real time traffic updates
The Edge can also detect which applications are being used and is aware of the networking requirements of each application. The embedded Deep Application Recognition (DAR) engine can detect around 3,000 applications.
- Click on the Applications tab
- Click on the scroll bar to navigate to the bottom of the page
- Click on the down arrow to expand with 10 additional applications
- Click on the scroll bar to navigate to the top of the page again
Let’s investigate why there is a sizeable volume of YouTube traffic on the branch network eroding bandwidth.
- Click to select YouTube traffic
- The Top Applications infographics show which devices are using YouTube and to which domains the flows are being sent.
- Click ‘Close’
Here you will see that Google Videos accounts for the maximum link utilization.
Let’s see how the SD-WAN VeloCloud configuration is done.
- Click on Configure | Profiles
- The solution works with the concept of profiles, which provide a blueprint for how locations should behave in the larger enterprise network deployment.
- Click on the ‘Branch Profile’
- Profiles contain common settings for the Device, Business Policies and Firewall rules. Let’s first see what can be controlled with the Device settings.
- Click on the ‘Device’ tab
Administrators can control a variety of network settings here, including but not limited to DNS, VPN, routing and addressing. Click on ‘Configure Segments’
- Click to select the ‘Guest Segment’
- Click to select the ‘Global Segment’
The Global Segment is the default segment in which all configurations and resources are set up.
An important function of an SD-WAN solution is the ability to connect the various branch locations through the overlay VPN and provide seamless connectivity to resources in remote locations. The NSX SD-WAN solution offers three main VPN controls:
Administrators have control over how branches connect with each other. By default, NSX SD-WAN Gateways are used as the point where branches exchange traffic. Alternatively, branches can be set to build tunnels directly to each other without using the Gateways; this is the preferred option for latency-sensitive applications.
Branch-to-branch connectivity can also be facilitated through an existing branch site that is nominated as a hub site. Hub sites can both facilitate this interconnection and serve as a centralized breakout to the internet. When a site is nominated as a hub, all Edges in the profile build direct overlay tunnels to the hub site so that resources downstream of the hub site can be accessed reliably.
The Gateways also facilitate building standards-based IPsec tunnels to non-SD-WAN-enabled sites that have existing VPN routers installed. Commonly these are enterprise data centers or virtual private cloud providers such as Amazon Web Services, Azure, SoftLayer, etc.
- Click to select an NVS (Non-VeloCloud Site) | Click to create a New Non-VeloCloud Site
- Click to type in “DataCenter” as the name | Select Cisco ISR as the non-SD-WAN-enabled data center VPN router
- Click to enter the Primary IP address of the data center VPN router | IP address 184.108.40.206
- Click the ‘Next’ button to continue | Click the ‘Next’ button to complete creation of the NVS site
In this way, resources inside an existing data center can be made available to all SD-WAN-enabled branches without making infrastructure changes in the DC; only a new tunnel needs to be configured in the DC.
Enter a subnet on the data center LAN that should be reachable from the other SD-WAN branches through the NVS (Non-VeloCloud Site) tunnel.
- Click on the subnet box and type in the IP address “172.27.1.0/24”
- Click on the Description box and type in “server farm” | Click ‘View IKE/IPSec Template’
- Click ‘OK’ to show the template
- Click to scroll down in the template | Close the configuration template dialog
- Click the ‘Save Changes’ button | Click the ‘Close’ button to exit the dialog
We’ll take a brief look at the routing capabilities of the branches. The solution allows OSPF and BGP to be configured at each branch so that Edges can act as a CE router when MPLS links are connected, or can ingest routes from a downstream Layer 3 device such as an L3 switch. This allows flexible insertion of the Edge in brownfield deployments.
- Click to enable OSPF | Click to disable OSPF
- Click to enable BGP | Click to disable BGP
Another critical building block of the SD-WAN solution is the Business Policy framework, which allows administrators to intuitively define how an application should be treated on the network. Administrators do not need to know which IP addresses and ports applications are active on, nor do they need to worry about queuing mechanisms and CoS settings; all of these are set automatically by the solution.
Let’s add a low-priority Business Policy. Assume Box storage is not an application used by the enterprise and as such needs to be de-prioritized on the network.
- Click the ‘Business Policy’ tab
- Click ‘New Rule’ to add a low-priority rule | Type in box.net as the rule name
- Click the ‘Define’ Application button and search for the application
- Type in box | Click to select the application in the catalog
- Click ‘Low’ Priority to de-prioritize delivery of the application in the event of congestion
- Click ‘Direct’ Network Service to avoid using remediation and steering techniques. The application traffic will be sent out of one of the attached links, directly to the internet
- Click ‘Transport Group’ Link Steering to control which type of links are eligible for letting the traffic break out to the internet
- Click to reveal the options and ensure this traffic is only sent on “public wired” links, a classification that is assigned when a link is first connected to an Edge
- Click on “public wired” links | Click on the scroll bar | Click ‘OK’ to make the rule effective
- Click ‘Save Changes’ to enact the changes on the Edge. Edges will receive the update within the next 30 seconds.
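To make the three decisions a Business Policy rule encodes concrete (priority, network service, and the transport group that limits which link classes may carry the traffic), here is an added example in Python. It is not VeloCloud code: the rule and link structures, the "Multi-Path" name for the non-Direct network service, the link class names other than "public wired", the link names and the behaviour under congestion are all assumptions made for illustration.

```python
"""Added example (not VeloCloud code): a toy model of how a Business Policy rule
such as the box.net rule above selects a priority, a network service and an
eligible link class. Field names, link classes other than "public wired" and the
scheduling behaviour under congestion are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    link_class: str   # classification assigned when the link is first connected


@dataclass(frozen=True)
class Rule:
    name: str
    app: str                     # application as recognised by the DAR engine
    priority: str                # "High", "Normal" or "Low"
    network_service: str         # "Direct" = break out to the internet on an attached link
    transport_group: frozenset   # link classes eligible to carry this traffic


# Catch-all rule used when no explicit rule matches (assumed default values)
DEFAULT_RULE = Rule("default", "*", "Normal", "Multi-Path",
                    frozenset({"public wired", "public wireless", "private wired"}))
PRIORITY_RANK = {"High": 0, "Normal": 1, "Low": 2}


def match_rule(rules, app):
    """First rule whose application matches wins; otherwise the default applies."""
    for rule in rules:
        if rule.app == app:
            return rule
    return DEFAULT_RULE


def steer(rules, app, links):
    """Return (rule, link) for a flow of the given application.
    Only links whose class is in the rule's transport group are eligible;
    if no such link is attached, the flow cannot break out (link is None)."""
    rule = match_rule(rules, app)
    eligible = [link for link in links if link.link_class in rule.transport_group]
    return rule, (eligible[0] if eligible else None)


def schedule(rules, apps):
    """Order queued flows on a congested link: Low priority is delivered last."""
    return sorted(apps, key=lambda app: PRIORITY_RANK[match_rule(rules, app).priority])


# Constructed sample: the rule built in the lab and two attached links (names constructed)
BOX_RULE = Rule("box.net", "Box", "Low", "Direct", frozenset({"public wired"}))
RULES = [BOX_RULE]
LINKS = [Link("GE3", "public wired"), Link("LTE1", "public wireless")]

if __name__ == "__main__":
    rule, link = steer(RULES, "Box", LINKS)
    print(rule.name, rule.priority, rule.network_service, link.name if link else None)
    print(schedule(RULES, ["Box", "Salesforce"]))
```

The point the model makes is that the administrator never touches addresses or ports: the application label coming from DAR is the only match key, and the transport group is the only place where link selection is constrained. With just an LTE link attached, `steer` returns no link for Box, which is the intended outcome of restricting breakout to "public wired".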
The VeloCloud Edge has an embedded stateful, application-aware firewall, which can be disabled in favor of an existing external hardware firewall or a VNF-based firewall hosted on the Edge hardware.
- Click the ‘Firewall’ tab. Note that all rules are again in the context of a segment
- Click the ‘New Rule’ button to add a new rule. By default, all outbound traffic is allowed and all inbound traffic is blocked; outbound flows create an inbound pinhole to allow the reverse flow.
- Type in “facebook” as the rule name | Click the ‘Define’ button | Type in “facebook”
- Click to select ‘Facebook Mail’ to block a Facebook sub-application that is unsanctioned and deemed a data leak security risk. Other portions of Facebook will continue to work.
- Click the ‘Deny’ Firewall Action to block the application on the network | Click ‘OK’ to make the rule effective
- Click the ‘Save Changes’ button
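The firewall defaults described above (outbound allowed, inbound blocked, reverse flow admitted through a pinhole, and a Deny rule on one sub-application while the rest of the application keeps working) are easiest to reason about with a small state machine. The following Python is an added example, not VeloCloud's firewall code; the packet fields, the application labels and all addresses are constructed for illustration.

```python
"""Added example (not VeloCloud code): a toy stateful, application-aware firewall
modelling the defaults described above. Outbound traffic is allowed unless an
application rule denies it; an allowed outbound flow opens a pinhole for its
reverse flow; any other inbound packet is blocked. Labels and addresses are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    app: str        # application as classified by DAR, e.g. "Facebook Mail"
    direction: str  # "out" (LAN to WAN) or "in" (WAN to LAN)


class StatefulFirewall:
    def __init__(self, deny_apps=()):
        self.deny_apps = set(deny_apps)   # Deny rules, e.g. the 'facebook' rule above
        self.pinholes = set()             # reverse 5-tuples permitted inbound

    def evaluate(self, p):
        """Return "allow" or "deny"; an allowed outbound flow records its pinhole."""
        if p.direction == "out":
            if p.app in self.deny_apps:
                return "deny"
            # the reverse flow of this connection may now come back in
            self.pinholes.add((p.dst, p.dport, p.src, p.sport, p.proto))
            return "allow"
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        return "allow" if key in self.pinholes else "deny"


def run_sample():
    """Constructed packets: a sanctioned Facebook session and its reply, an
    unsolicited inbound connection, and a Facebook Mail session with its reply."""
    fw = StatefulFirewall(deny_apps={"Facebook Mail"})
    lan, fb = "10.10.1.25", "203.0.113.10"
    return [
        fw.evaluate(Packet(lan, 40001, fb, 443, "tcp", "Facebook", "out")),
        fw.evaluate(Packet(fb, 443, lan, 40001, "tcp", "Facebook", "in")),
        fw.evaluate(Packet("198.51.100.7", 51515, lan, 22, "tcp", "SSH", "in")),
        fw.evaluate(Packet(lan, 40002, fb, 443, "tcp", "Facebook Mail", "out")),
        fw.evaluate(Packet(fb, 443, lan, 40002, "tcp", "Facebook Mail", "in")),
    ]


if __name__ == "__main__":
    print(run_sample())  # ['allow', 'allow', 'deny', 'deny', 'deny']
```

Two details worth noticing: the denied Facebook Mail flow never opens a pinhole, so its reply is dropped as well, and the pinhole is keyed on the exact reverse 5-tuple, so an unrelated inbound connection to the same LAN host (the SSH attempt) is still blocked.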
Overlay Flow Control (OFC) is a centralized routing table that provides enterprise-wide insight into which subnets (per segment) are attached to which Edge locations. It also provides insight into how routes are learned by the SD-WAN solution, which is valuable both from a planning perspective and from an audit angle.
Click on Configure | Overlay Flow Control | Click on the scroll bar to browse through the routing table
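The two questions OFC answers (which Edge attaches a subnet in a given segment, and how each route was learned) map onto a per-segment routing table with a source label on every entry. The following Python is an added example in that spirit, not the Orchestrator's OFC implementation; the route entries are constructed for this lab (reusing the 172.27.1.0/24 server farm, the Chennai BO and San Jose sites, and the Global and Guest segments from the walkthrough), and the learning-method labels are assumptions.

```python
"""Added example (not VeloCloud code): a toy per-segment overlay routing table
in the spirit of Overlay Flow Control. It records which Edge attaches each subnet
and how the route was learned, answers longest-prefix lookups per segment and
summarises routes by source for audit. Entries below are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    segment: str
    prefix: str
    edge: str         # Edge or site advertising the subnet
    learned_via: str  # e.g. "Connected", "OSPF", "BGP", "Static" (labels assumed)


class OverlayRouteTable:
    def __init__(self):
        self._by_segment = defaultdict(list)

    def add(self, route):
        ipaddress.ip_network(route.prefix)  # reject malformed prefixes early
        self._by_segment[route.segment].append(route)

    def lookup(self, segment, ip):
        """Longest-prefix match within one segment; None if no route covers ip."""
        addr = ipaddress.ip_address(ip)
        best, best_len = None, -1
        for r in self._by_segment.get(segment, []):
            net = ipaddress.ip_network(r.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def subnets_by_edge(self, segment):
        """Planning view: which subnets sit behind which Edge in a segment."""
        out = defaultdict(list)
        for r in self._by_segment.get(segment, []):
            out[r.edge].append(r.prefix)
        return dict(out)

    def by_source(self):
        """Audit view: number of routes per learning method across all segments."""
        counts = defaultdict(int)
        for routes in self._by_segment.values():
            for r in routes:
                counts[r.learned_via] += 1
        return dict(counts)


def build_sample_table():
    """Constructed entries: the NVS server farm, a branch LAN, a subnet the
    branch learned from a downstream L3 switch, and an overlapping Guest range."""
    t = OverlayRouteTable()
    t.add(Route("Global", "172.27.1.0/24", "DataCenter (NVS)", "Static"))
    t.add(Route("Global", "10.10.0.0/16", "Chennai BO", "Connected"))
    t.add(Route("Global", "10.10.5.0/24", "Chennai BO", "OSPF"))
    t.add(Route("Guest", "10.10.0.0/16", "San Jose", "Connected"))
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print(table.lookup("Global", "10.10.5.9"))
    print(table.subnets_by_edge("Global"))
    print(table.by_source())
```

Because the table is keyed by segment first, the same 10.10.0.0/16 range can legitimately belong to Chennai BO in Global and to San Jose in Guest without conflict, which is exactly why OFC shows subnets per segment rather than as one flat list.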