👉 👉 ⭐ For Sponsored/Guest Articles, please email us on 📧 ⭐

Part 1: Cisco SD-WAN Implementation Exam Prep Series (ENSDWI) 300 - 415

SD-WAN Architecture 
Cisco SD-WAN has 3 controller components that are known as vManage (NMS), vSmart (Control Plane) and vBond (Orchestrator). These components are flexible in deployment and can be deployed in AWS, Azure public clouds. 

These components also support on-prem deployment for agencies where cloud access is not available as per the security guidelines. Supported format for controller software are .ova and .qcow2 that can be instantiated. 

Fig 1.1- Cisco Viptela SDWAN

vManage is the NMS for Cisco SD-WAN controller. Also considered to be the single window to perform the monitoring and configuration tasks. All the device configuration is controlled through templates and these are defined in vManage. 

Not only device templates, centralized, local polices are also defined on vManage and sent to vSmart (centralized polices) and to edge routers (local polices). vManage can be deployed in HA mode across geographically separate locations. 

As the solution is horizontal scalable the capacity to handle large number of devices can be achieved through clustering of multiple instances of vManage. Minimum 3 instances can be deployed in a cluster. 

vSmart implements the control plane of the Cisco SD-WAN overlay solution. It maintains the connections that forms the secure overlay network. Also known as the brain of the solution. Edge router forms the secure DTLS/TLS tunnel to vSmart – OMP (routing adjacencies) are formed inside the secure tunnel. vSmart forms the OMP adjacencies with other vSmart and Edge routers to send the routing and policy updates. 

It is responsible to share the crypto key information to edge routers for encryption and decryption purpose. vSmart receives the lan subnet information (vRoutes/OMP routes) from edge router along with the TLOC (uniquely identifies each link in fabric – combination of System IP + Color + Encapsulation). It enforce the control polices on edge router.

vBond implements the orchestration plane of the Cisco SD-WAN solution. This component binds all other components together. vBond plays a critical role while on-boarding the device as it is the first point on contact. 

vBond is the only component known to a new router once authenticated and authorized, vBond orchestrate the connection between the router and vManage & vSmart. vBond forms the temporary DTLS secure tunnels to vBond – which is terminated once router get connected to vManage and vSmart.   

Edge Router (cEdge/vEdge)
Edge router provides the secure data plane communication between the locations. Cisco manufactured SD-WAN devices are known as cEdge and Viptela manufactured devices were known as vEdge. 

cEdge meet wide variety of the use-cases in customer environment such as – small site will LTE connectivity can have ISR 1000 series devices, site that need on-board security devices routers with more memory (min. 8GB) can be deployed, voice support can be activated with ISR 4000 and Catalyst 8000 series routers. 

These routers in SD-WAN implement that Data plane component that support both hardware (ISR 1000, ISR 4000, ASR 1000) and virtual form factors (CSR 1000v, vEdge Cloud, ISRv routers – supported on VMWare ESXi, KVM, AWS - Amazon Machine Image, Azure – Hyper V). Not all the Cisco devices support SD-WAN. 

For more details on the supported hardware, refer the latest release-note.  Cisco SD-WAN solution support HA for edge router where both routers are active towards the WAN. LAN site HA implemented through VRRP. 

Edge router forms different secure tunnels to ensure the control traffic security. DTLS tunnel is form between the Edge router and vBond. A DTLS/TLS tunnel is formed for vSmart (TLS in case behind the firewall). DTLS tunnel to vManage. A Secure IPsec Tunnel is formed between the routers installed at remote locations. 

Author: Pankaj Verma 

No comments