Start with Cisco SDWAN

With new trends like Cloud services (SaaS and IaaS), SDN solutions, and leveraging the Internet as a connecting medium across several sites that belong to the same company, WAN requirements today are changing quickly.

Your company has numerous sites that use MPLS, with the Internet as a backup WAN connection. Each MPLS site has one or more CE [customer edge] routers, and one of those sites serves as your data center.

Other sites use the Internet, and you might use DMVPN with a hub-and-spoke design. All of your sites use Microsoft SaaS such as Office 365, and your DR site is hosted in the AWS cloud as IaaS.

What a complicated topology! The solution is a single WAN network that represents all of my sites and provides smart services. For example, if I measure bandwidth and traffic performance for my Office 365 traffic, I might change the path used to reach it. I might also want my DMVPN site to communicate with my MPLS site.

Fig 1.1 - SD-WAN control & data plane

An SD-WAN solution will provide:

  • Centralized management and policy management, with the option to continue using my MPLS, Internet, or even 4G/5G WAN links in an active/active mode.
  • Extension of the WAN network to Cloud services such as IaaS and SaaS, with complete performance visibility and management via rich analytics.
  • Complete security, including end-to-end network segmentation and strong data encryption.
  • A multi-tenant, cloud-based, highly automated, secure, scalable, and application-aware design.
  • Cisco SD-WAN technology addresses the issues and difficulties associated with traditional WAN installations.

Common SD-WAN use cases

  • Hybrid WAN (MPLS, Internet, 4G/5G) for bandwidth augmentation
  • Application Aware Routing and SLA protection
  • Direct Cloud Access (IaaS and SaaS)
  • Cloud provisioning and management

Cisco SD-WAN solutions

  • iWAN (with the help of APIC-EM; iWAN is legacy, meaning it is no longer used)
  • Meraki SD-WAN (UTM with SD-WAN for small business)
  • Cisco SD-WAN (using Viptela software, for enterprises and even SPs)

Cisco SDWAN Planes

  • The Orchestration Plane automatically onboards the Cisco SD-WAN routers into the SD-WAN overlay.
  • The Management Plane is responsible for central configuration and monitoring.
  • The Control Plane creates and maintains the network topology and decides how traffic should be routed.
  • The Data Plane is responsible for forwarding packets based on decisions from the control plane.

Components of Cisco SD-WAN

  • vManage Network Management System, NMS (Management Plane)
  • vSmart Controller (Control Plane)
  • vBond Orchestrator (Orchestration Plane)
  • vEdge/cEdge Router (Data Plane)

Facts about components

  • Viptela devices create our SD-WAN overlay network.
  • The default username and password on vManage, vSmart, vBond and vEdge is admin/admin.
  • All four Viptela devices are available as software installed as VMs on ESXi or Hyper-V hypervisors.
  • vEdge can come as a physical appliance or a VM, and can also be installed on an IOS XE physical router.

Control Plane Session Types

  • vEdge --- DTLS/TLS --- vSmart
  • vEdge --- DTLS/TLS --- vBond
  • vEdge --- DTLS/TLS --- vManage
  • vSmart --- DTLS/TLS --- vSmart
  • vSmart --- DTLS/TLS --- vBond
  • vSmart --- DTLS/TLS --- vManage
  • vBond --- DTLS/TLS --- vManage

DTLS is the default and uses UDP port 12346; the port number can be incremented by 20 up to four times (port hopping), but vBond always uses 12346.
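The port rule above is easy to get wrong in a firewall allow-list or a flow-monitoring rule (vBond is stricter than vSmart/vManage). The following added example, which is not code from the original page or from Cisco, encodes that rule and classifies a handful of constructed flow records against a constructed controller inventory; only the DTLS/UDP ports described here are modelled, so TLS (TCP) control sessions are out of scope and the addresses and port set are assumptions for the demo.

```python
"""Control-plane port allow-list check for Cisco SD-WAN DTLS sessions.

Added example (not from the original page). Encodes the rule stated above:
DTLS uses UDP port 12346 as the base, the port can be incremented by 20 up
to four times (port hopping), and vBond uses 12346 only. Flow records and
controller addresses below are constructed sample data.
"""
from dataclasses import dataclass

BASE_PORT = 12346
PORT_STEP = 20
MAX_HOPS = 4


def dtls_ports(base=BASE_PORT, step=PORT_STEP, hops=MAX_HOPS):
    """Return the set of UDP ports a vSmart/vManage DTLS session may use."""
    return {base + step * k for k in range(hops + 1)}


# Constructed controller inventory: address -> role (assumption for the demo).
CONTROLLERS = {
    "192.0.2.10": "vBond",
    "192.0.2.20": "vSmart",
    "192.0.2.30": "vManage",
}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def expected_ports(role):
    """vBond only ever listens on the base port; the others may hop."""
    if role == "vBond":
        return {BASE_PORT}
    return dtls_ports()


def classify(flow):
    """Return 'control-plane', 'not-controller', or 'unexpected'."""
    role = CONTROLLERS.get(flow.dst)
    if role is None:
        return "not-controller"
    if flow.proto == "UDP" and flow.dport in expected_ports(role):
        return "control-plane"
    return "unexpected"  # wrong port, or not a DTLS (UDP) session at all


def parse_flow(line):
    """Parse a constructed 'src dst proto dport' record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.upper(), int(dport))


SAMPLE_FLOWS = [  # constructed sample records
    "198.51.100.5 192.0.2.20 udp 12366",   # vEdge -> vSmart on a hopped port: fine
    "198.51.100.5 192.0.2.10 udp 12366",   # vEdge -> vBond on a hopped port: vBond uses 12346 only
    "198.51.100.5 192.0.2.30 udp 12446",   # one hop beyond the four allowed
    "198.51.100.5 192.0.2.20 tcp 22",      # SSH to a controller: not a DTLS session
    "198.51.100.5 203.0.113.9 udp 12346",  # right port, but not a controller
]


def audit(lines):
    """Classify every record; returns (line, verdict) pairs for review."""
    return [(line, classify(parse_flow(line))) for line in lines]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:14} {line}")
```

Feeding the same classifier your real flow export (NetFlow/IPFIX decoded to src/dst/proto/port) gives a quick list of controller-bound traffic that does not fit the documented DTLS port pattern.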

Security in DTLS/TLS tunnels

  • The AES-256 encryption algorithm provides encryption.
  • Digital certificates are used for authentication.
  • SHA-1 or SHA-2 is responsible for ensuring integrity.

Data Plane Traffic

  • vEdge --- IPsec with active BFD --- vEdge

A BFD session is mandatory for a successful IPsec session.

System IP

  • An IPv4-format address that uniquely identifies an SD-WAN component.
  • It functions similarly to a router ID, so the underlay does not need to be aware of it or advertise it.
  • To make it simpler to correlate network events with vManage data, it is recommended to advertise this system IP address in the service VPN and use it as the source IP address for SNMP and logging.
  • Logically a VPN 0 loopback interface, referred to as "system".
  • The system interface is the termination point for OMP.
  • For a vEdge router to be authorized by the controllers and added to the overlay network, a system IP address must be specified.

Organization Name

  • The SD-WAN overlay identifier; it must match on all SD-WAN components.
  • The name is case-sensitive and must be surrounded with " ".
  • You must configure the name of your organization before you can generate a CSR.
  • The organization name is included in the CSR [Certificate Signing Request].
  • It must be the same on every device in your overlay network and must match the name in the certificates of all Cisco SD-WAN network devices.
  • A CSR is a message that an applicant for a digital identity certificate sends to a certificate authority. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name), and integrity protection (e.g., a digital signature).

Site ID

  • Determines a node's logical location and is configured on every WAN edge and controller.
  • Range: 1 through 4294967295. Devices that share a site ID are assumed to be at the same location.
  • This ID must be the same for all of the vEdge devices that reside at the same site.
  • A site could be a data center, a branch office, a campus, or something similar.
  • A site ID must be configured in order for a vEdge router to be authenticated by the controllers and brought into the overlay network.
  • By default, IPsec tunnels are not formed between vEdge routers within the same site.

Domain ID

  • Configures the identifier for the vEdge device overlay network domain.
  • A numeric identifier for the vEdge device overlay network domain.
  • The domain identifier must be the same for all vEdge devices that reside in the same domain.
  • Currently, the vEdge software supports only a single domain.
  • Range: 1 through 4294967295 (a 32-bit integer).
  • Default: 1 (the value configured when the vSmart controller or vEdge router is first booted).
  • Every SD-WAN site has a site ID.
  • Every vEdge has a system IP (which can be mapped to a loopback).
  • The routing information shared by each set of vSmarts and vEdges belongs to the same Domain ID.
  • There is only one Domain ID per overlay.
  • All of these are present in the same "Organization".
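Because a mismatched organization name or a duplicated system IP shows up only as a device that silently fails to join the overlay, it is worth linting these four identifiers before onboarding. The following added example (not code from the original page or from Cisco) checks a constructed device inventory against the rules stated in the System IP, Organization Name, Site ID and Domain ID sections; the `Device` record, hostnames and addresses are assumptions for the demo.

```python
"""Consistency checks for SD-WAN identity parameters.

Added example (not from the original page). It checks a constructed device
inventory against the rules stated above: a unique IPv4 system IP, a
case-sensitive organization name identical on every device, site and domain
IDs within 1..4294967295, and only one domain ID per overlay. The Device
record and every value in INVENTORY are constructed for the demo.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ID_MIN, ID_MAX = 1, 4294967295  # 32-bit range given for site ID and domain ID


@dataclass
class Device:
    hostname: str
    role: str          # vManage, vSmart, vBond or vEdge
    system_ip: str
    org_name: str
    site_id: int
    domain_id: int = 1  # default domain ID on first boot


def _in_range(value):
    return isinstance(value, int) and ID_MIN <= value <= ID_MAX


def validate_overlay(devices):
    """Return a list of human-readable violations (empty list = consistent)."""
    problems = []

    # System IP: must be a valid IPv4 address and unique across the overlay.
    ip_count = Counter(d.system_ip for d in devices)
    for d in devices:
        try:
            ipaddress.IPv4Address(d.system_ip)
        except ipaddress.AddressValueError:
            problems.append(f"{d.hostname}: system IP {d.system_ip!r} is not IPv4")
        if ip_count[d.system_ip] > 1:
            problems.append(f"{d.hostname}: system IP {d.system_ip} is not unique")

    # Organization name: case-sensitive, identical on every component.
    names = {d.org_name for d in devices}
    if len(names) > 1:
        problems.append(f"organization name differs across devices: {sorted(names)}")

    # Site ID and Domain ID: 32-bit range; only one domain per overlay.
    for d in devices:
        if not _in_range(d.site_id):
            problems.append(f"{d.hostname}: site ID {d.site_id} outside {ID_MIN}..{ID_MAX}")
        if not _in_range(d.domain_id):
            problems.append(f"{d.hostname}: domain ID {d.domain_id} outside {ID_MIN}..{ID_MAX}")
    domains = {d.domain_id for d in devices}
    if len(domains) > 1:
        problems.append(f"more than one domain ID in the overlay: {sorted(domains)}")
    return problems


# Constructed inventory with deliberate mistakes for the demo.
INVENTORY = [
    Device("vmanage-1", "vManage", "10.255.0.1", "ExampleOrg", 100),
    Device("vsmart-1", "vSmart", "10.255.0.2", "ExampleOrg", 100),
    Device("vbond-1", "vBond", "10.255.0.3", "ExampleOrg", 100),
    Device("branch-a", "vEdge", "10.255.1.1", "ExampleOrg", 10),
    Device("branch-b", "vEdge", "10.255.1.1", "exampleorg", 20),      # duplicate IP, wrong case
    Device("branch-c", "vEdge", "10.255.1.300", "ExampleOrg", 0, 2),  # bad IP, site 0, second domain
]

if __name__ == "__main__":
    for p in validate_overlay(INVENTORY):
        print("VIOLATION:", p)
```

The first four records (the three controllers plus branch-a) pass cleanly; the last two trigger every rule the text lists, including the case-sensitivity of the organization name.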

SDWAN Transport Concept

To bring up the hardware and software components of a Cisco SD-WAN overlay network, a transport network (also known as a transport cloud or underlay network) connecting all of the Cisco vEdge devices and other network hardware elements must be present.

These components are often found in data centers and branch offices.

The transport network's sole function is to link all of the network components in the domain.

Any type of transport network, including the Internet, MPLS, Layer 2 switching, Layer 3 routing, LTE, or any combination of transports, may be used with the Cisco SD-WAN system.

Packets are carried through the transport network from one transport router to another. The transport network only needs to know the routes to the next-hop or destination transport router; it does not need to know the prefixes of the non-transport routers (the routers that sit behind the transport routers in their local service networks).

By separating the network transport from the service side of the network, network administrators can influence router-to-router communication independently of user-to-user or host-to-host communication.

SDWAN Color Concept

The color attribute on vEdge routers helps identify a specific WAN transport tunnel.

  • The same color cannot be used twice on one vEdge router.
  • The color is one of the TLOC attributes associated with the tunnel.
  • Colors have meaning on their own: a color is either private or public.
  • Private colors use private addresses to connect to the remote-side vEdge router in a private network.
  • As no NAT is expected between two endpoints of the same private color, private colors are meant to be used on private networks or in environments without NAT translation of the transport IP endpoints.
  • A vEdge router that uses a private color will attempt to connect to other vEdge routers through IPsec tunnels using the native, private, underlay IP.
  • The public colors are 3g, business, internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, public-internet, red, and silver.
  • With public colors, vEdge routers will attempt to create tunnels to the post-NAT IP address (if NAT is involved).
  • If you are using a private color and need to cross NAT to reach another private color, the carrier parameter in the configuration determines whether the private or the public IP address is used.
  • This option allows two private colors to form a connection when one or both sides are behind NAT.
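The private/public/carrier rules above decide which address a vEdge will try to reach for each TLOC pair, which is exactly what an operator needs to predict when debugging a tunnel that never comes up across a NAT. The following added example (not code from the original page or from Cisco) models those rules over constructed TLOCs. Two things in it are assumptions rather than statements from the text: the set of private color names (`mpls`, `metro-ethernet`, `private1`..`private6`, taken from Viptela's color names) and the precise carrier rule used when two private colors meet across NAT (matching carrier values keep the private address, differing values fall back to the public address).

```python
"""Tunnel endpoint selection between two TLOCs by color.

Added example (not from the original page). Encodes the color rules stated
above: a color may not be reused on one vEdge, public colors build tunnels
to the post-NAT address, private colors use the native underlay address,
and when two private colors must cross NAT the carrier parameter decides.
ASSUMPTIONS for the demo: the private color names below, the exact carrier
rule (equal carrier -> private address, else public address), and all
TLOC values in the sample data.
"""
from dataclasses import dataclass

# Assumed private color names (Viptela convention); everything else is public.
PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}


@dataclass(frozen=True)
class Tloc:
    device: str
    color: str
    carrier: str
    private_ip: str   # native underlay address on the interface
    public_ip: str    # post-NAT address as seen from outside

    @property
    def is_private(self):
        return self.color in PRIVATE_COLORS

    @property
    def behind_nat(self):
        # NAT is in the path when the outside view differs from the native address
        return self.private_ip != self.public_ip


def check_unique_colors(tlocs):
    """Return the set of devices that reuse a color (not allowed per the text)."""
    seen, reused = set(), set()
    for t in tlocs:
        key = (t.device, t.color)
        if key in seen:
            reused.add(t.device)
        seen.add(key)
    return reused


def tunnel_endpoint(local, remote):
    """Address `local` will use to build its IPsec tunnel to `remote`,
    or None when no tunnel is attempted (same device)."""
    if local.device == remote.device:
        return None
    if not (local.is_private and remote.is_private):
        # A public color on either side: go via the post-NAT address.
        return remote.public_ip
    if not (local.behind_nat or remote.behind_nat):
        # Both private and no NAT anywhere: native underlay address.
        return remote.private_ip
    # Private-to-private across NAT: the carrier parameter decides (assumed rule).
    return remote.private_ip if local.carrier == remote.carrier else remote.public_ip


# Constructed TLOCs for the demo.
HQ_MPLS = Tloc("hq", "mpls", "carrier1", "10.1.0.1", "10.1.0.1")
HQ_INET = Tloc("hq", "public-internet", "default", "192.168.1.1", "203.0.113.1")
BR_MPLS = Tloc("branch", "mpls", "carrier1", "10.2.0.1", "10.2.0.1")
BR_INET = Tloc("branch", "public-internet", "default", "192.168.2.1", "203.0.113.2")
BR2_MPLS_NAT = Tloc("branch2", "mpls", "carrier2", "10.3.0.1", "198.51.100.7")
BR3_MPLS_NAT = Tloc("branch3", "mpls", "carrier1", "10.4.0.1", "198.51.100.8")

if __name__ == "__main__":
    for remote in (BR_MPLS, BR2_MPLS_NAT, BR3_MPLS_NAT):
        print(f"hq/mpls -> {remote.device}/{remote.color}: {tunnel_endpoint(HQ_MPLS, remote)}")
    print(f"hq/public-internet -> branch: {tunnel_endpoint(HQ_INET, BR_INET)}")
    print("color reuse:", check_unique_colors([HQ_MPLS, HQ_INET, BR_MPLS, BR_INET]))
```

Run against your own TLOC table, the `behind_nat` property is where to plug in what the vEdge actually learned about its public address from vBond, and the result tells you which address the far side must be able to reach.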