Cisco Catalyst SDWAN: Underlay & VFR Fragmentation

Cisco Catalyst SDWAN: Underlay & VFR Fragmentation

Cisco Catalyst SD-WAN so called Software Defined WAN solution, where control plane or management plane is separated from the physical devices, while in the Viptela solution we have following architecture, where we have data-plane on the physical devices (obviously), Control Plane by VSmart or VBond Management tool, Management Plane via VManage and Orchestration.

Make sure you also aware, Cisco rebranded the name of the components of Cisco Catalyst SDWAN solution as below

  • Cisco vManage ----> Cisco Catalyst SD-WAN Manager
  • Cisco vBond ---> Cisco Catalyst SD-WAN Validator
  • Cisco vSmart ----> Cisco Catalyst SD-WAN Controller

Cisco Catalyst SDWAN
Fig 1.1- Cisco Catalyst SDWAN 

In this specific article, we are going to talk about the Underlay & VFR Fragmentation in Cisco Catalyst SDWAN solution. Underlay and VFR (Virtual Fragmentation and Reassembly) are important concepts in Cisco SD-WAN (Software-Defined Wide Area Networking) that help optimize and manage network traffic in a Cisco SD-WAN deployment.
Let's explore these concepts in more detail:

When a packet is approaching the size of the maximum transmission unit (MTU) of the encrypting switch's physical egress port and is encased with IPsec headers, it will most likely surpass the MTU of the egress port. 

This situation fragments the packet after encryption (post-fragmentation), requiring the IPsec peer to undertake reassembly before decryption, decreasing its performance. To reduce post-fragmentation, configure the MTU in the upstream data route so that the majority of fragmentation happens before encryption (pre-fragmentation). 

By transferring the reassembly job from the receiving IPsec peer to the receiving end hosts, pre-fragmentation for IPsec VPNs minimizes performance deterioration.

MTU (Maximum Transmission Unit) and fragmentation are critical elements to learn in Cisco SD-WAN. The maximum size of a packet that may be sent over a network without being fragmented is referred to as MTU. When a packet is too big to fit inside the MTU of a network link, it is fragmented and sent in smaller chunks. At the receiving end, these fragments are rejoined.

Data packets in the Cisco Catalyst SD-WAN network can be reassembly in one of two ways: the default mode or the reassembly mode.

Packets are essentially reconstructed by default in the default mode. Each network feature receives the whole payload of the virtually reassembled packet after receiving the first fragment. The remaining characteristics reconstruct the packet after the last fragment is received. 

The original packet is split apart, and the internal information structure of each fragment is exchanged. Based on the fragment-offset sequence, the fragments are then put in a queue for re-fragmentation. Using data from the fragment headers, including fragment identifiers, sequence numbers, and offsets, the VFR method reconstructs the packets.

On the other side, fragment header information is not stored while using the reassembly mode, which physically reassembles the packets. The internal fragment information structure is released when the last fragment is received and the fragments are reassembled.

Underlay Fragmentation

Large data packets that exceed the MTU (Maximum Transmission Unit) size supported by the Cisco Catalyst SD-WAN network architecture are processed via underlay fragmentation. Each data packet has a maximum size that it can transmit without being fragmented over the network. The MTU specifies this maximum size. 

Underlay fragmentation is the process of breaking down a big data packet into smaller fragments at the network layer. Underlay fragmentation allows for the transmission of packets that exceed MTU limits by breaking them down into smaller fragments and assuring their effective delivery.

Virtual Fragmentation Reassembly (VFR)

The VFR (Virtual Fragmentation Reassembly) actively fragments and reassembles packets in Cisco Catalyst SD-WAN networks. While travelling via a VFR-enabled Cisco IOS XE Catalyst SD-WAN device, the packets are fragmented to increase transit efficiency. The broken packets are reassembled by the VFR to match the original incoming packet. The reassembled packet comprises important Layer 4 or Layer 7 information required by the target device for proper reception.

The practice of breaking down a big data packet into smaller fragments at the network layer is referred to as underlay fragmentation. Underlay fragmentation ensures the reliable delivery of packets that exceed the MTU limits by breaking them down into manageable parts.

You may configure interfaces on Cisco Catalyst SD-WAN Validator, Cisco SD-WAN Manager, and Cisco Catalyst SD-WAN Controller devices to utilize ICMP for path MTU (PMTU) discovery. When PMTU discovery is enabled, the device automatically negotiates the maximum MTU size supported by the interface in an attempt to reduce or eliminate packet fragmentation.

The Cisco Catalyst SD-WAN BFD software on the Cisco IOS XE Catalyst SD-WAN device automatically executes PMTU discovery on each transport connection (that is, for each TLOC, or colour). BFD PMTU discovery is enabled by default, and it is strongly advised that you do not disable it. Use the bfd colour pmtu-discovery configuration command to explicitly tell BFD to conduct PMTU discovery.

Why VFR and Underlay Fragmentation?

  • VFR allows the Cisco IOS XE Firewall to generate dynamic access control lists (ACLs) to defend the network from fragmentation attacks.
  • VFR is in charge of identifying and preventing different fragment assaults.
  • If a fragment overlap is found, VFR drops all fragments within a fragment chain.
We will talk about the boost mode and the configuration related to VFR and Underlay Fragmentation in Cisco Catalyst SDWAN in our next article.