Next Generation Routing-II Cisco SDWAN

Let’s start the SDWAN journey with the Cisco SDWAN solution. Cisco acquired Viptela in August 2017 with the intent of offering an SDWAN solution to enterprises.

SDWAN certainly reduces network complexity, which is a road-blocker to meeting the requirements of the evolving enterprise landscape. Organizations going through digital transformation see more mobile and IoT traffic, more SaaS applications and growing cloud adoption. The traditional way of networking is complicated and does not scale.

Cisco SDWAN is an enterprise-grade solution aligned with the evolving landscape. It fully integrates routing, security, centralized policy and orchestration for large networks. It is highly scalable, secure, cloud-delivered and application-aware, with rich analytics capabilities. It provides the following benefits:
  • Centralized management and policy management, reducing the cost and time needed to implement changes and deployments
  • Bandwidth optimization and cost reduction: customers can mix transport media such as MPLS and low-cost broadband or 3G/LTE connections in an active/active fashion
  • A transport-independent network that provides connectivity to the data center or cloud environment
  • Deployment flexibility: because the control and data planes are separated, the solution can be deployed through the Cisco cloud or on-premises, and WAN edge routers can be physical or virtual, supporting private data centers, remote sites or cloud environments
  • Robust and comprehensive security: strong data-plane encryption, end-to-end segmentation, certificate-based two-factor authentication, control-traffic protection, application firewalling, and integration with cloud-delivered security (Cisco Umbrella) and other security functions
  • Application visibility and application-aware policy deployment to ensure SLA enforcement for an enhanced end-user application experience

Fig 1.1- Cisco SDWAN Architecture and Components

The Cisco SDWAN solution has separate Orchestration, Management, Control and Data Planes. The solution components include:

  • Management Plane: responsible for managing and monitoring the network
  • Control Plane: responsible for building the network overlay topology and controlling traffic flow
  • Data Plane: responsible for forwarding packets
  • Orchestration Plane: responsible for onboarding the SD-WAN routers

The primary components of the solution are vBond (Orchestration Plane), vManage (Management Plane), vSmart (Control Plane) and vEdge (Data Plane).
  • vBond: a software component that performs the authentication and verification of vEdge devices. It orchestrates vSmart and vManage connectivity.
  • vManage: a software component that is the network management solution. It provisions network devices and monitors the network. Its simplified GUI is the strength of the solution, taking care of configuring routing and security functions centrally.
  • vSmart: a software component that is the brain of the solution. It establishes secure connections to the vEdges and learns network information to build the network topology. Policies configured through vManage are pushed to vSmart and finally executed on vSmart or vEdge.

The topology above covers various aspects of the Cisco SDWAN solution. There are two sites and two Internet links. All software controller components (vBond, vManage and vSmart) are hosted in the Cisco cloud. Each site has vEdge routers that connect to the WAN links.

The vEdge router connects to the WAN links (also known as transports), and every link is assigned a color. The color is used to identify carriers on the router. In the topology above, “biz-internet” and “public-internet” identify each Internet link uniquely.

vEdge routers form a secure connection to the vSmart controller using a DTLS/TLS tunnel. This tunnel secures the control communication between vEdge and vSmart. vEdge routers connect to other vEdges through IPsec tunnels over each transport.

Once the IPsec tunnel is formed, Bidirectional Forwarding Detection (BFD) runs inside this tunnel to measure the performance of each transport. It measures metrics such as delay, loss and jitter, and detects path failure.

The color attribute identifies each transport link and therefore must be unique on a router. Color has significant meaning based on its type: public or private. When a vEdge uses a private color, it attempts to build the IPsec tunnel using the private underlay IP address. When it uses a public color, it tries to construct the IPsec tunnel using the post-NAT IP address (the Internet-routable IP address).

Overlay Management Protocol
OMP is the routing protocol that builds and manages the overlay network. OMP is configured by default on vEdge routers and runs between the vEdge router and vSmart. This protocol carries route prefixes, security keys and policy configuration over the DTLS or TLS connection between them. By default, vSmart controls the overlay without any defined policies.

In simple terms, vSmart works as a route reflector. It receives prefix information from a vEdge and distributes it to the other vEdges. With this default configuration, a full-mesh topology is implemented, where each vEdge builds tunnels with all other reachable vEdges. OMP uses the following update types:
  • OMP routes: prefixes learned by the vEdge from LAN-side interfaces (service-side interfaces).
  • TLOC routes: tunnel endpoints. A TLOC route is uniquely identified by system IP address, link color and encapsulation (GRE/IPsec).
  • Service routes: represent services such as firewalls and WAN optimization. They are used to implement service chaining, which ensures that traffic traverses those services.

The topology below explains the concepts of color, DTLS, OMP and TLOC in detail. A DTLS tunnel is established between each vEdge and the vSmart, and OMP runs over this DTLS tunnel. Each transport link is identified by a colored circle (T1 – T3). An IPsec tunnel is built between each pair of TLOCs over each WAN link. Once the IPsec tunnel is established, BFD is enabled automatically over the tunnel to monitor the liveness of the link and other performance parameters.

Fig 1.2-Color and TLOCs

Virtual Private Network (VPN)
VPNs are used to provide segmentation in general, and in SD-WAN they are used to achieve end-to-end segmentation. Each VPN is isolated from the others and has its own routing table. Interfaces are mapped to these VPNs and therefore cannot be part of more than one VPN. Two VPNs (VPN 0 and VPN 512) are implicitly configured. VPN 0 is the transport VPN; all the WAN links fall under VPN 0. VPN 512 is the management VPN, used for out-of-band management traffic.

Other VPNs are known as service-side VPNs and map to LAN-side VLANs (if segmentation is required). The VPN ID is a 4-byte number and can be in the range 1 – 655530. A service-side VPN consists of one or more LAN-side VLANs. These VPNs can run services such as dynamic routing protocols (OSPF, BGP), a first-hop redundancy protocol (VRRP) and QoS traffic policing. Service-side traffic is forwarded into the IPsec tunnel, and therefore service-side prefixes must be redistributed into OMP to advertise the service-side VPN subnets.

Static routes and connected interface routes are redistributed into OMP automatically. OSPF and BGP routes must be redistributed into OMP manually, to avoid loops. The diagram below shows the different VPNs on a vEdge router.

Fig 1.3-SDWAN router VPNs
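To tie together the color rule, the TLOC identity, OMP route reflection and per-VPN segmentation described above, here is an added toy model in Python; it is not Cisco code and not from the original article, and the color-to-type grouping, IP addresses and prefixes are constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass

# Assumed grouping for this model: these colors are private, every other color is public.
PRIVATE_COLORS = {"mpls", "metro-ethernet", "private1"}
SYSTEM_VPNS = {0, 512}  # transport VPN and management VPN are never advertised into OMP

@dataclass(frozen=True)
class Tloc:
    system_ip: str
    color: str
    encap: str        # "ipsec" or "gre"
    private_ip: str   # underlay (pre-NAT) address
    public_ip: str    # post-NAT, Internet-routable address

    def endpoint(self) -> str:
        # Private colors build the IPsec tunnel to the underlay address, public colors to the post-NAT one
        return self.private_ip if self.color in PRIVATE_COLORS else self.public_ip

OmpRoute = namedtuple("OmpRoute", "vpn prefix tloc")

class VEdge:
    def __init__(self, system_ip: str):
        self.system_ip = system_ip
        self.tlocs = []

    def add_transport(self, color: str, encap: str, private_ip: str, public_ip: str) -> None:
        if any(t.color == color for t in self.tlocs):
            raise ValueError(f"color {color} must be unique on router {self.system_ip}")
        self.tlocs.append(Tloc(self.system_ip, color, encap, private_ip, public_ip))

    def advertise(self, vpn: int, prefix: str) -> list:
        """Advertise a service-side prefix once per TLOC so peers learn every path to it."""
        if vpn in SYSTEM_VPNS:
            raise ValueError(f"VPN {vpn} is not a service-side VPN")
        return [OmpRoute(vpn, prefix, t) for t in self.tlocs]

class VSmart:
    """Route reflector: one table per VPN, reflected to every other vEdge."""
    def __init__(self):
        self.rib = {}  # (vpn, prefix) -> set of TLOCs

    def receive(self, routes) -> None:
        for r in routes:
            self.rib.setdefault((r.vpn, r.prefix), set()).add(r.tloc)

    def reflect(self, to_system_ip: str, vpn: int) -> dict:
        """Prefixes in `vpn` with (color, tunnel endpoint) for every TLOC not owned by the receiver."""
        return {p: sorted((t.color, t.endpoint()) for t in tlocs if t.system_ip != to_system_ip)
                for (v, p), tlocs in self.rib.items() if v == vpn}
```

A site with a public color sees the other site's MPLS TLOC at its underlay address but its Internet TLOC at its post-NAT address, and routes in a VPN it does not participate in are never reflected to it.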

I will stop here and hope you found this informative and that it explained the various components of the solution. The next article will cover “how to bring up devices in an SD-WAN network”.