Cisco Viptela SD-WAN : vSmart as a Control Plane

The control plane in Cisco SD-WAN is known as vSmart. vSmart is the brain of the SD-WAN overlay. All control plane policies, centralized data policies, and VPN topology policies are configured on vSmart by vManage. In addition to control plane functions, vSmart also handles the security and encryption functions by providing the key-management process.

It is key to note that architecture matters a lot in SD-WAN. Cisco SD-WAN follows a distributed architecture in which the control plane is separated from the data plane (the router). Separating the control plane from the data plane adds scalability to the network in many ways.

For example, traditional link-state routing protocols (OSPF, IS-IS) are configured on each router. Each router maintains the complete network state and link information to calculate the best path to every destination, which is a CPU-intensive task.

Distance vector routing protocols, on the other hand, do not have the complete picture of the network. Traffic is forwarded to the next hop blindly, without complete path-performance information.

In Cisco SD-WAN, vSmart receives the subnet information from each edge router and performs the path calculations on the received information. It works like a BGP route reflector because it shares the received routing information with the other routers.

So now the routers do not need to compute the best route to every destination; they only need to forward the traffic. The memory and CPU cycles freed up can be used for other functions such as security (application-aware firewall, IPS/IDS, URL filtering, AMP, etc.), app hosting, and edge computing.

One more advantage of separating the control and data planes is simplicity. Routers do not need to form adjacencies with other routers to receive routing updates.

Each edge router forms a routing neighborship with the vSmart controller only. Routing adjacencies are greatly reduced and simplified, and network route updates from the vSmarts are easy to troubleshoot and predict.
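The route-reflector behaviour described above, as an added example that is not Cisco code or part of the original article: every edge advertises its prefixes to a vSmart object only, vSmart does the single best-path calculation and reflects the result, and the edges keep nothing but a forwarding table. The class names, the three-site topology, the TLOC strings and the "higher preference wins" tie-breaker are constructed assumptions for this model.

```python
"""Constructed model of vSmart acting as a route reflector for OMP routes."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OmpRoute:
    """One route advertised by an edge: a prefix reachable over a TLOC."""
    prefix: str
    origin_edge: str      # system-IP of the advertising edge (constructed)
    tloc: str             # transport locator the prefix is reachable over
    preference: int       # assumed tie-breaker: higher wins


class VSmart:
    """Controller: collects every edge's routes, picks the best per prefix,
    and reflects the result. Edges never exchange routes with each other."""

    def __init__(self) -> None:
        self.rib: Dict[str, List[OmpRoute]] = {}

    def receive(self, route: OmpRoute) -> None:
        self.rib.setdefault(route.prefix, []).append(route)

    def best_paths(self) -> Dict[str, OmpRoute]:
        # One best-path calculation, done once, on the controller.
        return {p: max(rs, key=lambda r: r.preference) for p, rs in self.rib.items()}

    def reflect(self, to_edge: str) -> Dict[str, str]:
        # Like a BGP route reflector: hand each edge the best routes, but not
        # its own advertisement back.
        return {p: r.tloc for p, r in self.best_paths().items() if r.origin_edge != to_edge}


class Edge:
    """Data plane: installs what vSmart sends and only forwards."""

    def __init__(self, system_ip: str) -> None:
        self.system_ip = system_ip
        self.fib: Dict[str, str] = {}

    def install(self, routes: Dict[str, str]) -> None:
        self.fib = dict(routes)

    def next_hop(self, prefix: str) -> Optional[str]:
        # Plain lookup: no SPF and no distance-vector computation on the edge.
        return self.fib.get(prefix)


def build_overlay() -> Tuple[VSmart, Dict[str, Edge]]:
    """Constructed three-site overlay with two candidate paths to 10.2.0.0/16."""
    vsmart = VSmart()
    edges = {ip: Edge(ip) for ip in ("1.1.1.1", "2.2.2.2", "3.3.3.3")}
    advertisements = [
        OmpRoute("10.1.0.0/16", "1.1.1.1", "1.1.1.1:mpls", 100),
        OmpRoute("10.2.0.0/16", "2.2.2.2", "2.2.2.2:biz-internet", 100),
        OmpRoute("10.2.0.0/16", "3.3.3.3", "3.3.3.3:mpls", 50),   # backup path
        OmpRoute("10.3.0.0/16", "3.3.3.3", "3.3.3.3:mpls", 100),
    ]
    for adv in advertisements:
        vsmart.receive(adv)            # each edge peers with vSmart only
    for ip, edge in edges.items():
        edge.install(vsmart.reflect(ip))
    return vsmart, edges


if __name__ == "__main__":
    _, built = build_overlay()
    for ip, edge in built.items():
        print(ip, edge.fib)
```

Note how edge 3.3.3.3 never sees its own lower-preference path to 10.2.0.0/16: the controller already chose 2.2.2.2's path for it, so the only thing left on the edge is a lookup.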

OMP - Overlay Management Protocol
The Overlay Management Protocol in Cisco SD-WAN is used by vSmart to perform the routing functions. It would be an understatement to say that OMP is just a routing protocol; in fact, it handles more than routing. Centralized control plane policies configured through vManage are distributed to vSmart using NETCONF, and from vSmart these policies are distributed to the vEdges using OMP updates.

OMP also plays a vital role in securing the user traffic between locations. By default, every edge router forms a secure DTLS/TLS tunnel to vSmart, so the traditional IKE Phase 1 is not required in Cisco SD-WAN for securing the IPsec SAs.

Each edge router generates its security keys per link and distributes them to vSmart. vSmart then redistributes them to each edge router, depending on the policies. vSmart is also responsible for re-keying the IPsec Security Associations when they expire.

Moving all of this processing to the centralized controller adds scalability to the solution, because the routers no longer need to exchange, negotiate and distribute key associations among themselves.
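The controller-mediated key distribution and re-keying described in the last three paragraphs, as an added example that is not Cisco code or part of the original article. It assumes that each edge generates one random key per transport link, that the already-authenticated DTLS/TLS control session is modelled as a direct method call, that vSmart hands an edge only the keys of the peers a policy allows it to build SAs with, and that a key lifetime is a plain integer of seconds; the hub-and-spoke policy, the edge names and the lifetime are constructed values.

```python
"""Constructed model of vSmart-mediated IPsec key distribution and re-keying."""
import secrets
from typing import Dict, Set, Tuple

Policy = Dict[str, Set[str]]   # edge -> set of peers it may build SAs to


class Edge:
    def __init__(self, system_ip: str, tlocs: Tuple[str, ...]) -> None:
        self.system_ip = system_ip
        self.tlocs = tlocs
        self.local_keys: Dict[str, bytes] = {}                 # tloc -> inbound key
        self.peer_keys: Dict[Tuple[str, str], bytes] = {}      # (peer, tloc) -> key

    def generate_keys(self) -> Dict[str, bytes]:
        # One fresh inbound key per link; there is no IKE exchange with peers.
        self.local_keys = {t: secrets.token_bytes(32) for t in self.tlocs}
        return dict(self.local_keys)


class VSmart:
    def __init__(self, policy: Policy, lifetime: int) -> None:
        self.policy = policy
        self.lifetime = lifetime
        # (owner edge, tloc) -> (key, expiry time)
        self.keys: Dict[Tuple[str, str], Tuple[bytes, int]] = {}

    def receive_keys(self, edge: Edge, now: int) -> None:
        # The edge pushes its per-link keys over its control session.
        for tloc, key in edge.generate_keys().items():
            self.keys[(edge.system_ip, tloc)] = (key, now + self.lifetime)

    def distribute(self, edge: Edge) -> None:
        # Redistribute according to policy: an edge only receives the keys of
        # peers it is allowed to talk to, so the policy also limits SA reach.
        allowed = self.policy.get(edge.system_ip, set())
        edge.peer_keys = {
            (owner, tloc): key
            for (owner, tloc), (key, _) in self.keys.items()
            if owner in allowed
        }

    def rekey_expired(self, edges: Dict[str, Edge], now: int) -> Set[str]:
        # Controller-driven re-key: every edge holding an expired link key
        # regenerates, then all edges get a fresh distribution.
        expired = {owner for (owner, _), (_, exp) in self.keys.items() if exp <= now}
        for ip in expired:
            self.receive_keys(edges[ip], now)
        for e in edges.values():
            self.distribute(e)
        return expired


def build_hub_and_spoke(now: int = 0, lifetime: int = 3600) -> Tuple[VSmart, Dict[str, Edge]]:
    """Constructed hub-and-spoke overlay: spokes may only build SAs to the hub."""
    edges = {
        "hub": Edge("hub", ("mpls", "biz-internet")),
        "spoke-a": Edge("spoke-a", ("biz-internet",)),
        "spoke-b": Edge("spoke-b", ("biz-internet",)),
    }
    policy: Policy = {"hub": {"spoke-a", "spoke-b"}, "spoke-a": {"hub"}, "spoke-b": {"hub"}}
    vsmart = VSmart(policy, lifetime)
    for e in edges.values():
        vsmart.receive_keys(e, now)
    for e in edges.values():
        vsmart.distribute(e)
    return vsmart, edges


if __name__ == "__main__":
    ctrl, fabric = build_hub_and_spoke()
    for ip, e in fabric.items():
        print(ip, sorted(e.peer_keys))
    print("rekeyed:", ctrl.rekey_expired(fabric, now=3600))
```

The point to take from the model is that the pairwise negotiation disappears: n edges push n key sets to the controller instead of running n*(n-1)/2 negotiations, and the same policy that shapes the topology also decides which keys an edge ever holds.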

Fig 1.1- SD-WAN control & Data Plane

High Availability
Multiple active/active vSmart instances can exist in the network to meet high-availability and scalability requirements. Once a router has received the policies and routing information from vSmart, data-plane forwarding (traffic between sites) is not impacted if vSmart later becomes unavailable due to an outage.

The router keeps using that learned state for the duration of the graceful restart timer, which is 12 hours by default. During a vSmart outage, new centralized policies cannot be configured and enforced on the routers. Therefore, it is recommended to have at least two vSmart instances in the network, at different geographic locations.

These vSmart instances form an OMP session with each other and keep the network state information consistent. Both can run in active/active mode to meet the scalability requirement.

Fig 1.2- OMP Sessions Establishment

OMP sessions are established between vSmarts, and between vSmart and the edge routers. There is NO OMP session between edge routers.
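The High Availability section and the session rule just stated, as one added example that is not Cisco code or part of the original article. It does two things: validates a list of OMP sessions against the rule (vSmart-to-vSmart and vSmart-to-edge only, never edge-to-edge), and walks an edge through losing one and then both of its vSmart peers, showing that forwarding survives for the 12-hour graceful restart timer from the text while a new policy push is refused once no vSmart is reachable. Node roles, session lists, the route, the policy name and the integer timestamps are constructed; the timer value is the one the article gives.

```python
"""Constructed model of OMP session placement and vSmart outage handling."""
from typing import Dict, List, Optional, Set, Tuple

GRACEFUL_RESTART_SECS = 12 * 3600   # default stated in the article

Session = Tuple[str, str]


def allowed_sessions(roles: Dict[str, str]) -> Set[Session]:
    """Every vSmart peers with every other vSmart and with every edge;
    edges never peer with each other. Pairs are returned sorted."""
    vsmarts = sorted(n for n, r in roles.items() if r == "vsmart")
    edges = sorted(n for n, r in roles.items() if r == "edge")
    pairs = {(a, b) for i, a in enumerate(vsmarts) for b in vsmarts[i + 1:]}
    pairs |= {(v, e) for v in vsmarts for e in edges}
    return {tuple(sorted(p)) for p in pairs}


def validate_sessions(roles: Dict[str, str], sessions: List[Session]) -> List[str]:
    """Return problems found: edge-to-edge sessions and missing sessions."""
    observed = {tuple(sorted(s)) for s in sessions}
    expected = allowed_sessions(roles)
    problems = []
    for a, b in sorted(observed):
        if roles.get(a) == "edge" and roles.get(b) == "edge":
            problems.append(f"edge-to-edge OMP session {a}<->{b} is never valid")
    for a, b in sorted(expected - observed):
        problems.append(f"missing OMP session {a}<->{b}")
    return problems


class EdgeOmpState:
    """What an edge keeps from its vSmart peers, and how it behaves without them."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: Dict[str, str] = {}
        self.peers_up: Set[str] = set()
        self.lost_all_at: Optional[int] = None

    def learn(self, routes: Dict[str, str]) -> None:
        self.routes = dict(routes)

    def peer_up(self, vsmart: str) -> None:
        self.peers_up.add(vsmart)
        self.lost_all_at = None            # any live vSmart cancels the timer

    def peer_down(self, vsmart: str, now: int) -> None:
        self.peers_up.discard(vsmart)
        if not self.peers_up and self.lost_all_at is None:
            self.lost_all_at = now         # start the graceful restart timer

    def forwarding_table(self, now: int) -> Dict[str, str]:
        # Learned routes survive a full controller outage until the timer expires.
        if self.lost_all_at is not None and now - self.lost_all_at >= GRACEFUL_RESTART_SECS:
            return {}
        return self.routes

    def accept_policy(self, policy_name: str) -> bool:
        # A new centralized policy can only be enforced while a vSmart is reachable.
        return bool(self.peers_up)


def outage_scenario() -> Dict[str, object]:
    """Two vSmarts, two edges; edge-1 loses one controller, then both."""
    roles = {"vsmart-1": "vsmart", "vsmart-2": "vsmart", "edge-1": "edge", "edge-2": "edge"}
    sessions = [("vsmart-1", "vsmart-2"),
                ("vsmart-1", "edge-1"), ("vsmart-2", "edge-1"),
                ("vsmart-1", "edge-2"), ("vsmart-2", "edge-2")]
    edge = EdgeOmpState("edge-1")
    edge.learn({"10.2.0.0/16": "2.2.2.2:mpls"})   # constructed route from vSmart
    edge.peer_up("vsmart-1")
    edge.peer_up("vsmart-2")
    edge.peer_down("vsmart-1", now=100)           # one controller lost
    policy_one_down = edge.accept_policy("new-qos-policy")
    edge.peer_down("vsmart-2", now=200)           # both controllers lost
    return {
        "topology_problems": validate_sessions(roles, sessions),
        "policy_with_one_vsmart": policy_one_down,
        "policy_with_no_vsmart": edge.accept_policy("new-qos-policy"),
        "routes_1h_into_outage": edge.forwarding_table(200 + 3600),
        "routes_after_timer": edge.forwarding_table(200 + GRACEFUL_RESTART_SECS),
    }


if __name__ == "__main__":
    for key, value in outage_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows why the article asks for two geographically separate vSmarts: with one controller down, policy changes still go through; with both down, the sites keep talking for up to 12 hours on stale state, but the network is frozen until a controller returns.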

Author : Pankaj Verma