SD-WAN Solution Overview & Components

SD-WAN Solution Overview

With Cisco SD-WAN Solution, it provide separation in each level like

• Separation in Orchestration
• Separation in Management Plane
• Separation in Control Plane
• Separation in Data Plane

Cisco Viptela Architecture is defined in different layer. With each layer it has specific functions like described below:

• The Orchestration layer or plane provides automatic onboarding of SD-WAN routers in SD-WAN enabled Overlay
• The Management plane helps in central configuration and monitoring of SD-WAN components and Overlay
• The Control Plane is helpful in building and maintaining network topology and based on control plane takes decision for all traffic flows
• The Data plane is responsible for forwarding data traffic based on decision taken from control plane

Below is the Overview diagram for Cisco Viptela Architecture solution plane:

Now let’s go in deep dive for each SD-WAN plane and its mapping components:

SD-WAN Components:

In Cisco Viptela Architecture solution, the following are the components used:

vBond (Orchestration plane )

• It is the Orchestrates control and management plane that is vSmart and vEdge
• vBond is software based components provides first point  or initial authentication (white-list model) to all vEdge devices
• vBond distributes list of vSmarts/ vManage to all vEdge routers
• vBond Facilitates NAT traversal also requires public IP Address [could sit behind 1:1 NAT]
• Highly resilient in nature

vBond is used to provide initial authentication to participates into fabric and bring all components together. In a SDWAN fabric, we can deploy multiple vBond Servers for high availability. When We have Multiple vBond Servers, WAN Edge uses DNS and have a single A record to pint to all vBond IPs. When WAN Edges, tries to resolve the DNS record for vBond, it will receive each IP address and will try to connect each one sequentially until a successful control connection is done.

When a WAN Edge, first joins to overlay, it only knows about vBond. It receives this information by below four methods.

• Plug and play
• Zero touch Provisioning
• Bootstrap Configuration
• Manual Configuration

Initially WAN Edge will try to connect to vBond and goes through an authentication process. Both Wan Edge and vBond, authenticates each other and once this authentication is successful, DTLS ( Datagram Transport layer Security ) tunnel is established. vBond then distributes the connectivity information for vSmart and vManage. Once the control Plane connectivity is up between vSmart and vManage, the Connection to vBond is torn down.

vManage ( Management Plane )

• Single pane of glass for Day0, Day1 and Day2 operations
• Multitenant with web scale
• Centralized provisioning to configure all Cisco SD-WAN Devices via Policies and Templates
• Troubleshooting and Monitoring all Cisco SD-WAN devices
• It helps in Software upgrades
• GUI with RBAC
• Programmatic interfaces (REST, NETCONF)
• Highly resilient

vManage is highly Scalable, we can also provide redundancy while having vManage Cluster. These vManage Multiple Clusters can be deployed regionally or globally. By default, vManage is deployed in single Tenant Mode.

A Single vManage cluster has three or more vManage NMS but one should always have odd number of vManage in Clusters to avoid Split Brain Scenarios. A vManage Cluster can manage up to 6000 WAN Edges, with each vManage Node handles 2000 WAN Edges.

vManage Authentication can be done via Multiple Sources like RADIUS, TACACS, and SAML 2.0 for user having External Network Connectivity.  

With the help of vManage, we can configure and control, Network topology, Routing, QOS, Security. Device Configuration are done in vManage via feature or CLI template. vManage is also used for Troubleshooting and Monitoring.

Each WAN Edge device forms a single management plane connection with vManage. If the Edge device has different Transport Connectivity, only one transport Link will be used to form management Session with vManage. If We have vManage Clusters in our network, in that case Control Connection will be load balanced across cluster nodes. If the transport Link, which has form management Session with vManage, goes down or experiences any outage, in that case WAN Ede will lose connectivity to vManage and if any changes are done in that particular period, changes will get pushed when WAN Edge device gets reconnect with vManage.

vManage is also used to perform vAnalytics. It helps in performing trending, capacity planning of circuit, review of Application Performance. If we want to have vAnalytics, we require additional license.

vSmart ( Control Plane )

• Facilitates fabric discovery and establish secure connection to each vEdge routers
• Dissimilates control plane information between vEdges via OMP
• Distributes data plane and app-aware routing policies to the vEdge routers
• Implements control plane policies, such as service chaining, multi-topology and multi-hop
• Dramatically reduces control plane complexity
• Highly resilient

vSmart is used to form control plane of SD-WAN Network. vSmart is highly scalable and can manage up to 5400 connections per vSmart Server and up to 20 vSmart Servers in a single Production network.

With the vSmart, we can implement Control plane policies, centralized Data plane Policies, Service Chaining, VPN topologies along with Security and Encryption of fabric by providing key management. vSmart learns all routing information and then calculates routing tables and then finally distributes it to WAN Edges.

Any Wan Edge can connect up to three vSmart at a time but only needs connectivity to One vSmart to get policy information.

OMP Protocol is used by vSmart to communicate all policy Information, Routing table. OMP is used to manage, and control overlay along with Routing, key management, Configuration updates etc. OMP runs between vSmart and WAN Edge inside of secured tunnel. When any policy is built on vManage, With the Help of management Plane, this Policy are distributed to vSmart via NETCONF and then vSmart distributes this policy to WAN Edges via OMP.

WAN Edges, shares the routing information to vSmart, and vSmart than apply policies before advertising this information to rest of other WAN Edges.

vSmart is used to distribute Key (Key management), Each WAN Edge will compare its own keys per transport and distribute it to vSmart. vSmart in return, distribute this key to each WAN Edges depending upon defined policy. vSmart is also used to rekeying of IPSEC Security Association when they expire.

Once Control Connectivity has been established, but after some time, due to outage, it got broken, in that case data plane connectivity will continue to flow. In absence of Control Plane Connectivity, by default WAN Edges will continue to forward data using data plane for next 12 hrs., by utilizing last known routing table information. Once Control Plane Connectivity got re-established, WAN Edges will be updated with any policy change that were made during outages. When Control Plane Connectivity gets restored, Old Routing Information is flushed, and newly routing table is installed.

vSmart maintains a full mesh of OMP session among themselves and exchange control and routing information, through each vSmart operates autonomously. If there are two vSmart  in the network , Control connection from WAN Edges will be load balanced , and if a vSmart goes down , these control connection will get rebalanced across remaining vSmart.

vEdge ( data Plane )

• WAN edge router ( Cisco vEdge or Cisco XE SD-WAN Routers)
• Provides secure data plane with remote vEdge routers
• Establishes secure control plane with vSmart controllers (OMP)
• Implements data plane policies like application aware routing , QOS etc.
• Exports performance statistics
• Leverages traditional routing protocols like OSPF, BGP and VRRP
• Support Zero Touch Deployment
• Physical or Virtual form factor (100Mb, 1Gb, 10Gb)

The following diagram provides some brief overview of Cisco Viptela Design Solution

In above SD-WAN topology, it has two sites connected via two independent WAN circuit, It has two SD-WAN vSmart controllers, vBond orchestrator and one vManage that resides on internet.

At each site, we have vEdge routers on which the WAN circuits are directly connected, and these WAN circuits or transport are assigned different color such as MPLS, private1, biz-internet, metro-Ethernet.

Here in this topology, biz-internet color is assigned for one of the internet transport and color public internet is used for other internet transport.  

The vEdge routers form DTLS (Datagram transport layer security) or TLS (Transport Layer Security) control connection to vSmart controller over each transport. These vEdge routers connects to each other with IPSEC tunnel over each transport. Now by using RFC 4023, we can implements segmentation across SD-WAN overlay , which builds separate instance of Data plane depending upon Business requirements and regulations. 

These VPN segments are completely isolated to each other and can only communicates with each other unless policy allow it. These VPNs are carried in single IPsec tunnel.