Cisco Viptela SDWAN: vBond as Orchestration Plane

One of the essential components in the Cisco SD-WAN architecture is vBond. vBond binds the other components of the solution together. More than one vBond can be deployed in the network to achieve high availability.

When multiple vBonds are deployed, it is recommended to configure a DNS entry that points to them: a single DNS name whose "A" records cover all the vBonds.

As part of the basic configuration, vBond is the only component a router knows about before joining the SD-WAN fabric. The vBond DNS name or IP address is part of the system configuration. A router can learn the vBond address in several ways:

  • Plug and Play / Zero Touch provisioning 
  • Manual configuration on the router
  • Bootstrap configuration generated from vManage 

Once the router is plugged into the network, it tries to establish a temporary connection to vBond. vBond verifies, authorizes and authenticates the edge router. Once the router is authenticated, vBond shares the vSmart and vManage information with it.

Once the edge router can reach vManage, it receives its full configuration and advertises its subnet information to vSmart. The vBond connection is torn down once the vEdge is authenticated and able to communicate with vSmart and vManage.

NAT Traversal 
NAT traversal is another function of vBond. vBond acts as a STUN server and the edge router as a STUN client. When vBond receives a DTLS connection request from the client, it can detect whether the router is behind a NAT device.

When the edge router sends a DTLS connection request to vBond, it writes its interface IP address both into the outer header and into the payload of the message. A NAT device on the path, if present, rewrites only the outer IP address of the packet.

vBond then compares the outer and payload IP addresses. If they differ, a NAT device is clearly in the path. vBond shares the outer (post-NAT) IP details with the edge router, which passes this information on to the other components of the solution so they can talk to it.

Fig 1.1- STUN NAT Functionality by vBond
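The outer-versus-payload comparison described above, modelled as an added Python example; this is not code from the original article or from Cisco. The `Endpoint`, `DtlsHello`, `nat_rewrite` and `vbond_detect_nat` names are mine, the addresses are constructed, and the model also tracks the UDP port next to the IP address, which goes beyond the article (a STUN-style reflexive address carries both) and lets it distinguish 1:1 static NAT from PAT.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the STUN-style check vBond performs (example only).


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class DtlsHello:
    """A DTLS connection request as seen by vBond.

    outer:   source address in the IP/UDP header, as received on the wire
    payload: the address the edge router wrote into the message body
    """
    outer: Endpoint
    payload: Endpoint


@dataclass(frozen=True)
class NatResult:
    behind_nat: bool
    public_address: Endpoint  # reflexive address vBond hands back to the edge


def edge_send(private_ip: str, private_port: int) -> DtlsHello:
    """The edge router writes its own interface address in both places."""
    local = Endpoint(private_ip, private_port)
    return DtlsHello(outer=local, payload=local)


def nat_rewrite(pkt: DtlsHello, public_ip: str,
                public_port: Optional[int] = None) -> DtlsHello:
    """Simulate a NAT device on the path: only the outer header is rewritten.

    The payload is opaque to the NAT (and protected by DTLS), so it is untouched.
    public_port=None models 1:1 static NAT (port preserved); a value models PAT.
    """
    port = pkt.outer.port if public_port is None else public_port
    return DtlsHello(outer=Endpoint(public_ip, port), payload=pkt.payload)


def vbond_detect_nat(pkt: DtlsHello) -> NatResult:
    """Compare the outer-header address with the address carried in the payload.

    A mismatch means a NAT rewrote the packet; the outer address is the one
    other components must use to reach this edge, so that is what is returned.
    """
    behind = pkt.outer != pkt.payload
    return NatResult(behind_nat=behind, public_address=pkt.outer)


if __name__ == "__main__":
    hello = edge_send("10.1.1.2", 12346)          # constructed private address
    print(vbond_detect_nat(hello))                                   # no NAT
    print(vbond_detect_nat(nat_rewrite(hello, "203.0.113.10")))      # 1:1 NAT
    print(vbond_detect_nat(nat_rewrite(hello, "203.0.113.10", 40001)))  # PAT
```

Running the block shows the three cases: no NAT (addresses match), 1:1 static NAT (IP changes, port preserved) and PAT (both change). In all cases the reflexive address returned is the outer one, which is exactly the detail vBond shares back with the edge router.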

vBond Deployment
When deploying vBond, special consideration must be given to IP connectivity. vBond must be publicly addressable if a commodity Internet link is used to reach the controller. This can be achieved with 1:1 static NAT.

Note: vBond is the only component that requires 1:1 NAT. vManage and vSmart can be deployed behind PAT, provided they have reachability to vBond.

Author : Pankaj Verma
