Get CISSP Study Material for 100% Free!

Maximizing Your Network Connectivity with SDWAN Architecture

SDWAN Architecture

Introduction

In today’s digital age, enterprises constantly seek ways to optimize their networks for better performance, security, and scalability. Cisco SDWAN (Software-Defined Wide Area Networking) has emerged as a powerful solution that enables organizations to build and manage their networks with unprecedented flexibility. This article aims to provide a comprehensive overview of the components and architecture of Cisco SD-WAN, shedding light on the functions and benefits each member brings to the table.

Overview of Cisco SD-WAN

Cisco SD-WAN is a software-based approach to networking that separates the control plane from the data plane, abstracting network functionality into a centralized controller. By leveraging software-defined networking principles, Cisco SDWAN Architecture allows organizations to easily deploy and manage wide area networks, offering improved performance, reduced costs, and enhanced security.
Cisco has two solutions on SDWAN Solutions.

1. Meraki is for small and mid-sized companies that want simplicity and ease of use above everything else. Deploying the Meraki SD-WAN solution is easier than Viptela, and it would be the right choice if the organization has no specific niche requirements.

Meraki


2. Viptela has more advanced features and requires a sophisticated network design and architecture. The product is for large-scale enterprise-level networks and has a high degree of customization.

We in this article will focus on the Viptela solution as it is more used in enterprise networking. Let’s dive into the key components and their functions within the Cisco SD-WAN architecture.

 SDWAN Components

Cisco Viptela SD-WAN solution comprises four segregated planes: Orchestration plane, Management Plane, Control Plane, and Data Plane. Each plane has its functions and responsibilities and is abstract from the other aircraft.

1. vBond Orchestrator (Orchestration Plane)
2. vSmart Controllers (Control Plane)
3. vManage (Management Plane)
4. vEdge or cEdge (Data Plane)

SDWAN Overview
Cisco SDWAN Architecture Overview
The first three components (controllers) can be cloud-based or premises on the customer or provider side. EMS (Element Management System) and NMS (Network Management System) are three components. The EMS components are VMs hosted on servers, for example, an ESXi server.
  1. vBond Orchestrator:

    The vBond Orchestrator serves as the initial point of authentication for all other SDWAN components. It authenticates both the EMS components and the vEdges, ensuring secure access to the fabric. Once established, the vBond Orchestrator provides the vEdges with the public IPs and ports of the EMS components, enabling them to authenticate and join the material. Redundancy is allowing for multiple vBond Orchestrators.

  2. vSmart Controller:

    The vSmart Controllers are responsible for the control plane of the SD-WAN fabric. They handle routing updates, route filters, and security policies. Communication between vSmart Controllers and vEdges occurs through the Overlay Management Protocol (OMP), facilitating control plane configuration and updates. Redundancy and vEdges can connect to multiple vSmart Controllers for increased resilience.

  3. vManage controller:

    The vManage Controller is the central management and monitoring platform for Cisco SD-WAN. It provides a user-friendly GUI for configuration and monitoring tasks. Administrators define configuration policies on the vManage GUI, which are then transformed into the appropriate format for the vSmart Controllers to push to the vEdges through OMP. vManage also facilitates IOS upgrades and basic troubleshooting. Redundancy can be achieved by deploying multiple vManage Controllers in a cluster.

  4. WAN Edges(vEdges and cEdges):

    WAN Edges, including vEdges and cEdges, are crucial in Cisco SD-WAN deployments. They establish secure data plane connections with remote WAN Edge routers and ensure secure control plane communication with vSmart Controllers. Each site typically has one or more WAN Edges, acting as the gateway for the LAN at each location and facilitating connectivity between legacy routing and new SD-WAN OMP routing protocols.

Of these four components, the edge router can be a Cisco SDWAN hardware device or software that runs as a virtual machine, and the remaining three are software-only components. The Cloud router, Cisco vManage, and Cisco vSmart Controller software run on servers and the Cisco vBond Orchestrator software
runs as a process (daemon) on an edge router.

Control connections.

Control connections are vital in Cisco SDWAN by facilitating communication between network infrastructure components. Each controller plays a different role in the solution and interacts with the Edge routers through various protocols. For example, vSmart uses the Cisco Overlay Management Protocol (OMP) to communicate routing, TLOC, and service information among vEdges. vManage uses NETCONF to push configurations to devices, SNMP to collect data, and ICMP echo/reply to detect liveliness. Any communication between EMS controllers and WAN edge routers is through the control connections.

Control connections
Control connections

How do we make sure that each protocol is secured?

Every WAN edge router establishes one or more secured control tunnels for each SDWAN controller. The tunnels use a standard transport security protocol (DTLS or TLS).  (DTLS or TLS) protocols are very similar, and from a high level, they both serve the same goal – to provide end-to-end transport security between a router and an SD-WAN controller. The main difference is that DTLS uses UDP, and TLS runs over TCP. By default Edge router use DTLS with all EMS controllers, but it can be configured to use TLS except for connection with vBond; it has to be DTLS.

protocol

Control connections with vBond

Once we power on a vEdge router for the first time and configure it with the initial configuration, it tries to find the IP address of vBond. The vBond orchestrator is the controller that glues everything together – that’s why it is called the “orchestrator.” vBond validates the identity of vEdges, tells them whether they sit behind NAT in the underlay, how many vSmart controllers oversee the domain, and most importantly – what are the IP addresses of vManage and vSmart. The Edge router tries to establish a DTLS control tunnel to the vBond IP address over each available transport interface (TLOC). Once authenticated from vBond, vBond will send back a list with the IP addresses and ports of all other SDWAN controllers (vSmart and vManage). All DTLS control connections are for because the vEdge router does not need to keep permanent control connections to vBond once it receives all necessary information.

vBond

Control connections with vManage

Once a vEdge router receives the list with the IP addresses of all SDWAN controllers from vBond, it initiates a single, persistent DTLS control connection to vManage over only one transport.

 Control connections with vSmart

Following the successful DTLS tunnel to vManage, the vEdge router initiates a persistent control connection to the vSmart controller over each transport interface.

vSmart

Here is a show of control connections from vEdge.
To summarize the control connections:

1. One transient DTLS control connection to the vBond orchestrator over each connected WAN transports only during onboarding.
2. One persistent DTLS control connection to vManage over a single WAN transport.
3. One persistent DTLS/TLS control connection to vSmart over each connected WAN.

persistent
persistent

Data Plan connections

By default, once the control connections are up with sdwan controllers. vSmarts advertise routes and encryption keys to WAN Edges in OMP updates. WAN Edge router will try to use that info to establish a tunnel with the other edge routers. Depending on the configuration, the encapsulation for this tunnel will be IPSEC or GRE.

Data Plan connections
Data Plan connections

BFD stands for Bidirectional Forwarding Detection. It is a network protocol used in various networking technologies, including SDWAN, to detect and monitor the availability and quality of paths between network devices. BFD operates at the network layer and provides fast and efficient detection of link failures.

In the context of SD-WAN, BFD is commonly used in conjunction with IPsec tunnels. BFD neighborships are after the IPsec tunnels are established between SD-WAN devices. The purpose of these BFD neighborships is as follows:

Keepalives:

BFD sessions act as keepalives between the SD-WAN devices. They exchange periodic control packets to verify the connectivity and availability of the IPsec tunnels and the underlying network paths. Suppose a BFD session detects a link failure or a tunnel disruption. In that case, it can quickly notify the SDWAN controller, which can then initiate the necessary actions to reroute traffic and restore connectivity.

BFD also provides measurements of link quality parameters such as packet loss, delay, and jitter. By monitoring these metrics, the SD-WAN controller can assess the network paths’ performance and make intelligent traffic routing decisions. For example, suppose a BFD session detects excessive packet loss or high latency on a specific tunnel. In that case, the controller can choose an alternate path with better performance for the corresponding application traffic.

Link Quality Measurements

Furthermore, BFD can be used for Path MTU Detection (PMTUD). Path MTU refers to the maximum size of an IP packet that can be transmitted without fragmentation over a particular path. BFD can assist in determining the appropriate path MTU by exchanging control packets with the IPsec tunnels. This helps ensure the IP packets are appropriately sized for transmission, avoiding fragmentation and potential performance issues.

SDWAN Segmentation

Virtual private networks (VPNs) provide segmentation. Each VPN is equivalent to a VRF, isolating one another and having forwarding tables.

 There are two unmodifiable VPN numbers: VPN 0, transport VPN used for the underlay traffic, and VPN 512, used for the Out Of Band (OOB) management.

SDWAN Segmentation
SDWAN Segmentation

Transport VPN 0: or the underlay VPN, is to establish the tunnels between the vEdges and each other and between the vEdges and the EMS. Accordingly, VPN 0 can carry the control protocols (OMP and BFD) and tunnel negotiations of the fabric.
Service VPNs: Carry the data traffic, which will be encapsulated inside the IPSEC tunnel built over VPN 0. The service VPN number will be inside the fabric.

The default setting isolates and separates each service VPN number from every other service VPN number. This default behaviour can change by configuring a route leaking policy to leak routes from one VPN to another. Interfaces of the WAN Edge router are for the VPN number. If traffic goes between two interfaces that are members of the same service VPN, they can reach normally, but if they are in different VPNs, they cannot contact each other.

SDWAN General Concepts

Separating transport from the service side of the network

Separating the vehicle from the service side of the network abstracts the wide-area network (WAN) away from the applications running on top. This approach has many benefits, such as:
1. Network admins can influence the routing decisions into the WAN independently of the communication between users or applications.
2. The solution can insert labels into packets and assign attributes to WAN circuits for optimal policy-based routing, load balancing, and network segmentation/slicing. 3. Security can apply to the transport side independently of the users’ traffic.
4. Any mix of public and private WAN transports can use in an active-active ECMP fashion.

Separating control, data, and management planes: This allows centralized control of the whole fabric using centralized policies and Monitoring systems.
Secure the Data Plane Automatically: WAN Edges build IPSEC tunnels to secure customer traffic.
Managing the material through centralized policies: Having a separate control plane allows us to manage the solution centrally via Policies and Templates.
Secure zero-touch provisioning and onboarding of new devices: Cisco SDWAN offers a fully automated process for onboarding new WAN edge devices. It allows network administrators to provision new sites with minimal effort and involvement. A new unconfigured vEdge automatically discovers the network using either one of the following processes – Zero Touch Provisioning (ZTP) if the device runs Viptela OS or Cisco Plug and Play (PNP) if the device runs IOS-XE.

Conclusion

Cisco SDWAN revolutionizes the way enterprises build and manage their wide area networks. Leveraging software-defined principles offers organizations enhanced network performance, increased security, and simplified management. Understanding the components and architecture of Cisco SDWAN is crucial for deploying and optimizing this powerful networking solution. With its versatile features like vBond Orchestrator, vSmart Controllers, vManage Controller, and WAN Edges, Cisco SDWAN provides a comprehensive solution for modernizing enterprise networks. Embracing SD-WAN technology empowers organizations to meet the evolving demands of their digital landscape and stay ahead in today’s competitive business environment.

Related Posts

Related Posts

Get CISSP
Study material for 100% Free!

Your Gateway to Cybersecurity Excellence - No Cost Attached!