EMAIL SUPPORT
dclessons@dclessons.comLOCATION
USViptela Security Components
In order to see the Security in SD-WAN, first we should sow what are the issue with traditional method of securing networks.
- Very little security options on authenticating of devices who are involved in communication
- Manual intervention for generating keys and passwords for securing link between devices
- Less Securely scalable and high available solutions
Viptela Security Components
There are following three Viptela security components used to secure Viptela overlay network infrastructure.
- Authentication: It allow only authentic devices to send traffic to each other.
- Encryption: All communication between devices are encrypted, secure.
- Integrity: No group keys and key servers are involved in providing security including infrastructure
In Viptela network, the connection between devices like vBond, vSmart, vEdge in control plane and data plane are provided by Secure DTLS or TLS and IPsec method.
Security Provided by NAT Devices
In order to enhance security at branch side, a branch vEdge router can also be installed behind any NAT device. Now in this case, vEdge router can interact with NAT devices configured with method like Session Traversal Utilities for NAT (STUN) given below:
Full-Cone-NAT or One to One NAT: In this internal IP address and port is mapped to external IP address and Port.
Address-Restricted cone NAT or restricted-cone-NAT: In this internal IP address and port is mapped to external IP address and Port, but external host can send packets to the internal device only if external address has received a packet from internal address and port.
Port-restricted cone NAT: This method is highly restricted than the above NAT method, in which external host can send packet to internal address and port only if external address and port pair has received a packet from that internal address and port. In this external device must send packet from specific port to internal specific port.
Symmetric NAT:
In this each single request from same internal IP and Port to external IP and port is mapped to a unique external source IP address and port uniquely. Now when external host that receive packets from internal host can send a packet back.
In Cisco Viptela network, only one end of the NAT devices at either side of tunnel can use symmetric NAT. VEdge router behind Symmetric NAT cannot establish BFD tunnel with remote vEdge router that is behind Symmetric NAT, Port-restricted cone NAT, Address-Restricted cone NAT.
Security for Connections to External Devices
Viptela vEdge router uses Internet Key Exchange (IKE) when IPSEC tunnel between a devices with in overlay network and a device which is external to overlay network. Viptela Device uses IKEv2 to provide CIA feature that is Confidentially , data Integrity , and Authentication .
Comment
TABLE OF CONTENTS
- Onboarding & Provisioning Configuring Templates
- Authentication between vSmart & vBond
- Authentication between vSmart Controller
- Authentication between vBond & vEdge Router
- Authentication between vEdge Router & vManage NMS
- Authentication between vSmart Controller & vEdge Router
- Viptela Specific Port Terminology
- Deploy & Configure vManage & Generate Certificate
- Deploy & Configure vBond & Generate Certificate
- Deploy & Configure vSmart & Generate Certificate
- Configure vEdge & Generate Certificate
- SDWAN & NAT
- Secure DataPlane Bringup
- Enterprise CA for SDWAN Instances
- ZTP Process & PnP Overview
- Control Plane & Data Plane Operation - Unicast Routing Overview
- Configuring OMP & Its attributes
- Configure Unicast Overlay Routing
- Routing Configuration Example
- Segmentation Overview
- Configuring Segmentation
- Segmentation Configuration Example
- Data Traffic across Private WANs
- NAT in SDWAN & Data Encryption
- SD-WAN Viptela Policy Overview
- SD-WAN Centralized & Localized Control Policy Overview
- SD-WAN Centralized & Localized Data Policy
- Service Chaining
- Traffic Flow Monitoring
- vEdge Router as NAT Device
- Zone Based Firewalls
- Configure Centralized Control Policy
- Configuring Centralized Data Policy
- Configuring Cflowd Traffic Monitoring
- Configuring Zone based Firewall
- Service Chaining Configuration Example
- Configuring Service Side NAT
- Configuring Transport side NAT
- Control Policy Example 1: Hierarchical Topology
- Multi-Region Fabric
- Control Policy Example 2: Implementing Traffic Engineering
- Control Policy Example 2: Dynamic On-Demand Tunnels
RECENT POSTS
- Understanding the ENSDWI Course: Advanced Cisco SD-WAN (Viptela) Concepts
- A Complete Guide to the DCACI-A Course: Mastering Advanced Cisco ACI Concepts
- How Our Online Python Certification Will Prepare You for a Career in Network Automation
- What You'll Learn in Juniper Mist Labs: A Deep Dive into AI-Driven Wireless Networking
- 10 Benefits of Studying Cisco ISE for Network and Security Folks
- Which AWS Advanced Networking Labs Course Includes # Real World Traffic Flows and Examines Objectives?
- How Do You Practice Cisco Nexus Configuration with Online Labs, No Physical Equipment?
- Why Cisco SD-WAN Viptela Training is Necessary in the Current Cloud-First Networking Age
- 5 Best Reasons to Learn Cisco SD-Access: From Networking Issues to Automation Solutions
- What is Cisco SD-LAN? A Beginner’s Guide to Software-Defined Access
LEAVE A COMMENT
Please login here to comment.