
Control Plane traffic security in Cisco Viptela SDWAN

There are a lot of questions about the security parameters that people generally ask, and I understand the concern. As most of you already know, control plane traffic is not user traffic; it is the traffic by which forwarding decisions are made.

Along with control plane traffic there is also management traffic. If you look at the overall architecture of the Cisco Viptela SD-WAN solution, vEdges are informed and managed by vSmart/vBond.

Once a vEdge knows its peers, it sets up an IPsec tunnel directly with the other vEdge, and the traffic carried over that tunnel is data plane traffic.

Fig 1.1- Secure Control Plane Traffic in Cisco SDWAN

Security parameters between vEdges and vSmart/vBond:

  1. Certificates are exchanged and mutual authentication takes place between vBond and vEdge over an encrypted tunnel.
  2. vBond validates the vEdge router serial number and chassis ID against the authorized vEdge whitelist.
  3. The vEdge router validates the vBond certificate's organization name against the locally configured one.
  4. vBond returns to the vEdge a list of vSmart controllers and vManage.
  5. vBond notifies vSmart and vManage of the vEdge router's public IP address.
  6. The provisional DTLS tunnel between vBond and vEdge is terminated.


Fig 1.2- UDP Protocol 


Note:
  1. vBond orchestrators do not support multiple cores. vBond orchestrators always use DTLS tunnels to establish control connections with other Viptela devices, so they always use UDP.
  2. The UDP port is 12346.
  3. vBond IPs are not elastic; it is recommended to permit UDP/12346 to/from any from the vEdge.
  4. vEdges can port hop to establish a connection; it is recommended to permit all five UDP ports inbound to all vEdges.
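As an added example (not code from the original article), here is a small Python audit that checks a first-match firewall policy for the permits these notes call for: outbound UDP/12346 from the vEdge to any vBond, and inbound UDP on the port-hop ports. The rule format and the sample policy are constructed, and the port-hop port set (base port 12346 plus steps of 20, five ports in total) is an assumption taken from Cisco documentation rather than something this page states.

```python
"""Audit a first-match firewall rule list for the UDP permits a Viptela
vEdge needs for its control plane. Added example; rule format and
port-hop offsets are assumptions, not content from the article."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

VBOND_PORT = 12346
# Ports a vEdge may hop to (assumption from Cisco docs: base + steps of 20).
VEDGE_HOP_PORTS = [VBOND_PORT + 20 * i for i in range(5)]
ANY = "0.0.0.0/0"

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None = any destination port

def decision(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; implicit deny at the end (assumed ACL semantics).
    A rule only matches if it fully covers the flow being checked."""
    s, d = ip_network(src), ip_network(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not (s.subnet_of(ip_network(r.src)) and d.subnet_of(ip_network(r.dst))):
            continue
        if r.dport not in (None, dport):
            continue
        return r.action
    return "deny"

def audit_control_plane(rules: List[Rule], vedge_ip: str) -> List[str]:
    """Return the permits still missing for one vEdge's control connections."""
    vedge = f"{vedge_ip}/32"
    missing = []
    if decision(rules, "udp", vedge, ANY, VBOND_PORT) != "permit":
        missing.append(f"outbound udp {vedge_ip} -> any:{VBOND_PORT} (vBond)")
    for port in VEDGE_HOP_PORTS:
        if decision(rules, "udp", ANY, vedge, port) != "permit":
            missing.append(f"inbound udp any -> {vedge_ip}:{port} (port hop)")
    return missing

# Constructed sample policy: outbound to vBond is fine, but only the base
# port is opened inbound, so a port-hopped control connection would fail.
SAMPLE_RULES = [
    Rule("permit", "udp", "10.1.1.0/24", ANY, VBOND_PORT),
    Rule("permit", "udp", ANY, "10.1.1.0/24", VBOND_PORT),
    Rule("deny", "any", ANY, ANY, None),
]

if __name__ == "__main__":
    for finding in audit_control_plane(SAMPLE_RULES, "10.1.1.5"):
        print("MISSING:", finding)
```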