Control Plane & Data Plane Operation - Unicast Routing Overview
Control Plane Operation
In Cisco Viptela, the Overlay Management Protocol (OMP) is used for control plane operation. OMP allows a secure and scalable fabric to be built across different transport types, such as MPLS, Layer 2 VPN, point-to-point circuits, the Internet and LTE.
vSmart is the SD-WAN component responsible for control plane operation. vSmart receives routing information from all of its clients (the WAN Edge routers), calculates the best paths according to the configured policy, and advertises the result to all WAN Edges.
For control plane operation, control plane tunnels are created; these are encrypted and authenticated with Datagram Transport Layer Security (DTLS) or Transport Layer Security (TLS).
The figure below shows how OMP is carried inside DTLS or TLS.
DTLS or TLS connections are maintained between all personas in the SD-WAN overlay (vBond, vSmart, WAN Edge and vManage). These tunnels are negotiated with X.509 certificates: each component authenticates the other end (the authentication is mutual) before the tunnel is established. During this negotiation each device validates that the certificate it receives is signed by a trusted root CA, that the certificate's serial number is on the authorized list, and that the organization name matches the one it expects.
The figure below shows the DTLS tunnel authentication process.
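The three certificate checks just described can be written down in a few lines. The following Go program is an added example written for this page, not code from the original article or from Cisco. It builds a throwaway root CA and device certificates in memory (the organization name example-org, the authorized serial number 1001, the CA names and the device common name are assumptions), then runs each certificate through the same three checks: signed by a trusted root, serial number on the authorized list, organization name matches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PeerPolicy is the local trust policy for the remote end of a control
// connection: trusted root CA(s), the authorized certificate serial
// numbers and the expected organization name.
type PeerPolicy struct {
	Roots          *x509.CertPool
	AllowedSerials map[string]bool // decimal serial number -> authorized
	OrgName        string
}

// AuthenticatePeer applies the three checks to the DER certificate the
// remote end presented; any failure rejects the peer.
func AuthenticatePeer(p PeerPolicy, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	// 1. Signature chain, validity period and CA constraints up to a trusted root.
	opts := x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate chain: %w", err)
	}
	// 2. Serial number must be on the authorized list.
	if !p.AllowedSerials[leaf.SerialNumber.String()] {
		return errors.New("certificate serial number is not authorized")
	}
	// 3. Organization name must match exactly.
	if len(leaf.Subject.Organization) != 1 || leaf.Subject.Organization[0] != p.OrgName {
		return errors.New("organization name mismatch")
	}
	return nil
}

// must is used only by the fixture code below, which builds throwaway
// certificates in memory; setup failures are not part of the demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func validity() (time.Time, time.Time) {
	return time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)
}

// newCA returns a self-signed root CA certificate and its key (constructed fixture).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	tmpl.NotBefore, tmpl.NotAfter = validity()
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueLeaf signs a device certificate with the given serial number and
// organization name under ca (constructed fixture).
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, org string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "vedge-1", Organization: []string{org}},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	tmpl.NotBefore, tmpl.NotAfter = validity()
	return must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// scenarios issues device certificates against a trusted root and a rogue
// root and reports which of them AuthenticatePeer accepts.
func scenarios() map[string]bool {
	trusted, trustedKey := newCA("sdwan-root")
	rogue, rogueKey := newCA("rogue-root")
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	policy := PeerPolicy{Roots: pool, AllowedSerials: map[string]bool{"1001": true}, OrgName: "example-org"}
	return map[string]bool{
		"valid":           AuthenticatePeer(policy, issueLeaf(trusted, trustedKey, 1001, "example-org")) == nil,
		"untrusted-ca":    AuthenticatePeer(policy, issueLeaf(rogue, rogueKey, 1001, "example-org")) == nil,
		"unlisted-serial": AuthenticatePeer(policy, issueLeaf(trusted, trustedKey, 2002, "example-org")) == nil,
		"wrong-org":       AuthenticatePeer(policy, issueLeaf(trusted, trustedKey, 1001, "other-org")) == nil,
	}
}

func main() {
	res := scenarios()
	for _, name := range []string{"valid", "untrusted-ca", "unlisted-serial", "wrong-org"} {
		fmt.Printf("%-16s accepted=%v\n", name, res[name])
	}
}
```

Only the first certificate is accepted. The other three each pass two of the three checks, which is why all three are kept: a valid signature from the right CA alone does not prove that this particular device was authorized for this overlay, and the right serial number alone does not prove the certificate came from the trusted CA.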
By default, DTLS is used, over UDP port 12346. TLS, which runs over TCP, is also supported if there is a specific requirement for it. vSmart and vManage are deployed as virtual machines that support multiple cores (up to eight), and each core has a base port associated with it. Inbound DTLS/TLS connections initially target port 12346, but they can be moved to one of the other base ports; this is how vManage and vSmart distribute control-connection load across CPU cores. The table below shows the core-to-port mapping.
Once the control plane connections are up, other protocols can also use these sessions for other purposes, for example SNMP and NETCONF.
Unicast Routing Overview
In the Cisco Viptela solution, the overlay network is managed and controlled by the Overlay Management Protocol (OMP). OMP establishes and maintains the Viptela control plane and provides the following services:
- Orchestration of:
  - Routing and secure connectivity between sites
  - Service chaining
  - VPN topologies (segmentation)
- Distribution of routes
- Distribution of data plane security parameters
- Central control and distribution of routing policies
OMP is the control plane protocol that exchanges routing, policy and management information between the vSmart controllers and the vEdge routers. OMP is enabled by default; when a device comes up it initiates OMP peering with the vSmart controllers inside the DTLS control connection (AES-256 encrypted), and OMP peers are identified by their system IP addresses. Once the routing, policy and security information has been propagated to a vEdge, the vEdge uses it for data plane connectivity and transport.
OMP interacts with the legacy routing protocols, including static routing, OSPF, BGP and EIGRP. OMP does not peer with every member of the routing domain; peering occurs only between WAN Edges and the vSmart controllers.
OMP also supports graceful restart, which lets WAN Edges keep their cached forwarding information if connectivity to the vSmart controllers becomes unavailable; in that case the WAN Edge continues to use the routing information it last received. The feature is enabled by default on vSmart controllers and WAN Edge routers with a default timer of 12 hours; the timer can be set to any value between 1 second and 7 days.
OMP Route Advertisements
As soon as a vEdge learns routes and services from its local site, it advertises all of this information to the vSmart controller together with its transport location mapping, the TLOC. These advertisements are called OMP routes, or simply routes.
It is through OMP routes that vSmart learns the topology of the overlay network and the services available in it. Every vEdge advertises its routes to the vSmart controller, and the controller, based on policy decisions, distributes the routing information to the other edge devices. Edge devices never advertise routing information directly to another vEdge.
OMP Route Types
There are three types of routes:
- OMP routes (vRoutes)
  - Prefixes learned from the site-local (service) side
  - Analogous to BGP prefixes
- Transport locators (TLOCs)
  - Tie an OMP route to a physical location (i.e. a vEdge)
  - Analogous to the BGP next hop
- Service routes (service chaining)
  - Tie an OMP route to an advertised network service
OMP routes (vRoutes)
OMP routes are the routes, or prefixes, that establish reachability between endpoints. An OMP route may represent a service in a data center, a service in a branch office, or a collection of hosts anywhere in the overlay network.
At each site, the vEdge router advertises OMP routes to the vSmart controller; these routes carry the routing information the vEdge has learned from its local site.
The OMP routes a vEdge advertises from its local site are:
- Connected (direct)
- Static
- OSPF
- BGP
OMP routes advertises the following attributes:
- TLOC—Transport location identifier of the next hop for the route. It is similar to the BGP NEXT_HOP attribute. A TLOC consists of three components:
- System IP address of the OMP speaker that originates the OMP route
- Color to identify the link type
- Encapsulation type on the transport tunnel
- Origin—Source of the route, such as BGP, OSPF, connected, and static, and the metric associated with the original route.
- Originator—OMP identifier of the originator of the route, which is the IP address from which the route was learned.
- Preference—Degree of preference for an OMP route. A higher preference value is more preferred.
- Service—Network service associated with the OMP route.
- Site ID—Identifier of a site within the Viptela overlay network domain to which the OMP route belongs.
- Tag—Optional, transitive path attribute that an OMP speaker can use to control the routing information it accepts, prefers, or redistributes.
- VPN—VPN or network segment to which the OMP route belongs.
The OMP routes can be displayed with the following command:
TLOC routes identify transport locations. A TLOC identifies the point at which a physical WAN transport connects to a WAN interface on a vEdge router. A TLOC is identified by a 3-tuple:
- System IP address
- Color
- Encapsulation
TLOC routes carry the following attributes:
- TLOC private address—Private IP address of the interface associated with the TLOC.
- TLOC public address—NAT-translated address of the TLOC.
- Carrier—An identifier of the carrier type, which is generally used to indicate whether the transport is public or private.
- Color—identifies the link type.
- Encapsulation type—Tunnel encapsulation type.
- Preference—Degree of preference, used to differentiate between TLOCs that advertise the same OMP route.
- Site ID—Identifier of a site within the Viptela overlay network domain to which the TLOC belongs.
- Tag—Optional, transitive path attribute that an OMP speaker can use to control the flow of routing information toward a TLOC. When an OMP route is advertised along with its TLOC, either or both can carry a community tag, which is then used to decide how to send traffic to, or receive traffic from, a group of TLOCs.
- Weight—Value that is used to discriminate among multiple entry points if an OMP route is reachable through two or more TLOCs.
The IP address used in a TLOC is the fixed system IP address of the vEdge router. The figure below illustrates this.
The encapsulation is the one used on the tunnel interface; it can be either IPsec or GRE. The vEdge router in the figure has two WAN connections and therefore two TLOCs. Its system IP address is 126.96.36.199, and because a TLOC always carries the router's system IP, that same address appears in both TLOCs. The TLOC on the left is uniquely identified by the system IP address 126.96.36.199, the color metro-ethernet and the encapsulation IPsec, and it maps to the physical WAN interface address 184.108.40.206. The TLOC on the right is identified by the system IP address 126.96.36.199, the color biz-internet and the encapsulation IPsec, and it maps to the WAN interface address 18.104.22.168.
Service routes represent the network services connected to local sites, i.e. they are routes for network services attached to a vEdge.
A service route advertises a specific service to the SD-WAN overlay network. This advertisement is also used by service chaining policies. Service chaining allows data traffic to be routed to a remote site through one or more services, such as firewalls, IPS/IDS or load balancers. These services are used on a per-VPN basis.
To enable service chaining, the following workflow is used:
- The network administrator defines the service in a feature template.
- The WAN Edge router advertises the available service to the vSmart controller along with its OMP routes and TLOC routes.
- The network administrator applies a policy that defines which traffic must flow through the advertised service. That traffic is always processed by the service before being forwarded to its final destination.
The following example shows how service chaining works:
Here the client network has a central hub and two remote sites. The business requires that all traffic from the remote sites be inspected by the firewall at the central hub. To achieve this, the network administrator defines a service chaining policy that enforces this traffic flow.
The site offering the service (the hub) advertises a service route using a dedicated Subsequent Address Family Identifier (SAFI) in the OMP network layer reachability information (NLRI). The advertisement goes to the vSmart controller, which then propagates it to the WAN Edges.
Attributes of service routes:
- VPN ID
- Service type: FW, IDS, IDP, VPN or a generic net-svc
The figure below shows all of the route types in one diagram.
OMP Routes: Route Distribution
When OMP is enabled, it automatically redistributes the following routes, whether learned locally or from its routing peers:
- Connected
- Static
- OSPF intra-area routes
- OSPF inter-area routes
To avoid routing loops and suboptimal routing, the following route types require explicit configuration before they are redistributed:
- OSPF external routes
- BGP
- EIGRP
To avoid propagating a very large amount of routing information from an edge into the overlay network, routes that a vEdge learns via OMP are not automatically redistributed into the other routing protocols on that router. If such redistribution is desired, it must be enabled locally on each vEdge router.
To indicate the route origin, OMP sets the origin and sub-origin type in its advertisements, and vEdge and vSmart take the origin and sub-origin types into account when selecting routes.
OMP also carries the metric of the original route; a metric of 0 indicates a directly connected route.
The commands for manual redistribution are:
OMP also carries the metric from the redistributed protocol. The table below lists the default administrative distances on a WAN Edge.
A network with multiple exit points to the WAN is susceptible to routing loops. This commonly occurs when two or more routers perform manual (mutual) redistribution between the WAN routing protocol and the LAN routing protocol.
The figure below shows two WAN Edges performing manual redistribution between OMP and OSPF.
OMP has built-in loop prevention when interfacing with EIGRP, OSPF and BGP. The steps below show how the OSPF down bit (DN bit) is used to prevent a routing loop.
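As an added illustration of the general DN-bit mechanism (written for this page; it is not the Cisco-specific step list the text refers to, and not Cisco code), the following Go program models two WAN Edges on a shared LAN that both redistribute between OMP and OSPF. The first edge learns a prefix over the overlay and redistributes it into OSPF; the second edge sees that LSA, decides what to install, and decides whether to redistribute it back into OMP. The administrative distances (OSPF 110, OMP 250) and the prefix are assumptions made for the example.

```go
package main

import "fmt"

// Illustrative administrative distances (assumptions, not a vendor table):
// a route learned from the LAN IGP beats one learned over the overlay.
const (
	adOSPF = 110
	adOMP  = 250
)

// OSPFLSA is an external LSA as seen by a WAN Edge on the shared LAN. DN is
// the "down" bit in the LSA options, set by a router that originated the
// LSA from routes it learned over the WAN (OMP here).
type OSPFLSA struct {
	Prefix string
	DN     bool
}

// Candidate is a route competing for installation in an edge's table.
type Candidate struct {
	Prefix string
	Source string // "omp" or "ospf"
	AD     int
}

// OMPToOSPF is the redistribution step on the first edge: it originates an
// external LSA for the OMP-learned prefix, setting the DN bit when loop
// prevention is enabled.
func OMPToOSPF(prefix string, loopPrevention bool) OSPFLSA {
	return OSPFLSA{Prefix: prefix, DN: loopPrevention}
}

// Install is the second edge's route selection: an LSA carrying the DN bit
// is ignored, so the edge keeps its own OMP route; otherwise the lowest
// administrative distance wins and the OSPF copy displaces the OMP route.
func Install(lsa OSPFLSA, omp Candidate) Candidate {
	if lsa.DN {
		return omp
	}
	ospf := Candidate{Prefix: lsa.Prefix, Source: "ospf", AD: adOSPF}
	if ospf.AD < omp.AD {
		return ospf
	}
	return omp
}

// OSPFToOMP is the second edge's redistribution back into the overlay:
// only a route actually installed from OSPF is a candidate, so a DN-marked
// LSA never re-enters OMP.
func OSPFToOMP(installed Candidate) (readvertised bool) {
	return installed.Source == "ospf"
}

// Simulate runs the two-edge scenario end to end and reports what the
// second edge installs and whether it re-injects the prefix into the
// overlay, which is the loop the text warns about.
func Simulate(loopPrevention bool) (installedSource string, loops bool) {
	const prefix = "10.99.0.0/16" // originated at a remote overlay site (constructed)
	lsa := OMPToOSPF(prefix, loopPrevention)
	ownOMP := Candidate{Prefix: prefix, Source: "omp", AD: adOMP} // edge2 also learns it from vSmart
	installed := Install(lsa, ownOMP)
	return installed.Source, OSPFToOMP(installed)
}

func main() {
	for _, dn := range []bool{false, true} {
		src, loops := Simulate(dn)
		fmt.Printf("DN bit %-5v edge2 installs %-4s re-injects into OMP: %v\n", dn, src, loops)
	}
}
```

Without the DN bit the second edge prefers the OSPF copy of the prefix (AD 110 beats AD 250), installs it, and redistributes it back into OMP with itself as the origin; the overlay now has a second, bogus path to a prefix that actually lives at a remote site. With the DN bit the LSA is ignored for installation, the edge keeps its overlay route, and nothing is re-injected.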