Topology
General Idea about SDWAN
vedge Router -- viptela Router
cedge -- Cisco Router
Types of VPN
Service VPN -- for data
VPN other than 0 & 512
Management VPN -- VPN512
It carries out of band network management traffic among sdwan devices in the network.
Transport VPN -- VPN0
It carries control traffic between vSmart & VEdge. Also, between vSmart & vBond orchestrator.
show ip route vpn0
Between vsmart & vedge -- OMP protocol
vedge to controllers (vbond/vsmart/vmanage) -- DTLS
vedge to vedge -- IPsec
Data traffic will be sent through ipsec tunnel only
If internal routers need to know about the network learned from peer through OMP protocol then it has to be distributed in IGP.
BFD --> Hello sent inside IPsec tunnel
Supported devices for SDWAN
vManage can maintain up to 2000 edges. A cluster of 3 is suggested if more devices are in the network.
Moreover, the group can be created for vManage and we can define on vedge which vManage to connect.
vEdge will maintain only one DTLS tunnel to vManage & change vMange only when it goes down.
If the tunnel between VManage & vEdge is down then the configuration cannot be pushed to it even if the tunnel between vEdge & vSmart is up.
IPsec tunnels don't get affected if the DTLS tunnel is down unless IPsec keying timer gets expired.
In case of OMP disconnection data plane traffic will be sent up to 12 hours by default which could be fine tune from 1 sec to 7 days.
When the user did change through vManage then communication is transferred from vManage to vSmart through a protocol called "netconf" & further vSmart sends that to vEDGE through an OMP update.
vEdge can be configured either in Vmanage mode or cli. In CLI mode config changes can be done through CLI.
Orchestration Plane (vBond): Smart account at software.cisco.com to create an organization profile
CSV file has the following info
Org Name
Place
vBond ip
vedge s/n, h/w
Each Wan-facing interface has to be associated with a "tag" called color.
Each transport (MPLS, Internet, etc) will try to establish a DTLS tunnel to vSmart but there cannot be multiple DTLS tunnels between transport and vSmart.
OMP
Let's consider the following diagram.
1) OMP Routes: Routes in the routing table (except VPN 0 & VPN 512)
It consists of the following parameters
Public IP (Underlay): 3.3.3.3
Color: Public-INT
Encapsulation: IPsec
Site-ID: 9.9.9.9
System-ID: 1.1.1.1
All vE1 will try to establish a tunnel to other vE2 with all available transports.
vE1
3.3.3.3 --> 6.6.6.6 (Success)
3.3.3.3 --> 192.168.1.2 (fail)
192.168.1.1 --> 6.6.6.6 (fail)
192.168.1.1 --> 192.168.1.2 (Success)
vE2
6.6.6.6 --> 3.3.3.3 (Success)
6.6.6.6 --> 192.168.1.1 (fail)
192.168.1.2 --> 3.3.3.3 (fail)
192.168.1.2 --> 192.168.1.1 (Success)
2) TLOCs: Transport Location (Overlay) or simply next hop.
It consists of following parameters:
a) System IP
b) Encapsulation
c) Color
Here in vE1 there are two TLOCs for OMP VPN1 route 10.0.0.0/24
1.1.1.1/IPsec/Public --> First
1.1.1.1/IPsec/MPLS --> Second
Hence, VSmart will share TLOCs to vE2 for VPN1 route 10.0.0.0/24 as follows:
OMP/VPN1/10.0.0.0/24 --> 1.1.1.1/IPsec/Public
OMP/VPN1/10.0.0.0/24 --> 1.1.1.1/IPsec/MPLS
3) Service Route: It is basically a device configured in a particular VPN say VPN9 as a service. Let's say there is HUB & SPOKE network and all traffic from Site1 to Site2 & vice-versa has to be transferred from HUB(HO) then Fw or IPS device can be configured to service.
Orchestration Plane (vBond)
The Cisco vBond is the initial control connection between Cisco vSmart Controllers and vEdge routers. It ensures SD-WAN fabric onboarding.
It creates DTLS tunnels to the Cisco vSmart Controllers and vEdge routers to authenticate each node that is requesting control plane connectivity.
Management Plane (vManage)
Cisco vManage is a centralized network management system. It allows you to configure and manage Cisco edge network devices.
Cisco vManage software runs on a server in the network. It isn’t physical hardware.
Control Plane (vSmart)
A vSmart Controller is a virtual appliance that exists either cloud or On-Premises. It isn’t physical hardware and runs as a VM on ESXi or a hypervisor on a server.
The Cisco vSmart Controller oversees the control plane of the Cisco SD-WAN overlay network, establishing, adjusting, and maintaining the SD-WAN fabric.
It controls the flow of data through the overlay network. vSmart controller works with the vBond orchestrator to authenticate the vEdge routers as they join the network.
OMP (Overlay Management Protocol): The OMP protocol is a routing protocol similar to BGP that manages the Cisco SD-WAN overlay network.
Data Plane (vEdge/cEdge)
Cisco SD-WAN vEdge routers are delivered as hardware, software, cloud, or virtualized components that sit at the perimeter of a site, such as a remote office, branch office, campus, or data center.
vEdge routers are placed at the customer sites or at the data center sites at the edge of the network. They can either be hardware devices placed on the premises or software vEdges also called a vEdge cloud.
vEdge router receives complete control and data policies from vSmart, it is able to run routing protocol like OSPF, and BGP to create connectivity on the LAN side but also with the MPLS provider if necessary. It establishes secure IPSec tunnels with other vEdges.
Cisco Viptela SD-WAN Fabric Setup Steps
Step 1
Spin up the vManage VM on a server with System IP, vBond IP, and Organization name.
Spin up the vSmart VM on a server System IP, vBond IP, Organization name, etc.
Spin up the vBond VM on a server System IP, vBond local command, Organization name, etc.
Step 2
Once all the devices authenticate and validate each other with the help of the certificate exchange and form the permanent secure DTLS connection in between them (vBond to vSmart, vSmart to vMange, vBond to vManage).
Step 3
Once authenticated the vManage NMS sends the configuration to vSmart and vBond devices.
Step 4
vEdge router has the vBond IP address as part of the initial base configuration and hence connects to the vBond and authenticates themselves with vBond over DTLS connection.
Once authenticated the vBond shares the IP address & serial number of the vSmarts to vEdge and also the IP address of vManage.
vEdge then authenticates itself with the vManage and receives its full configuration from the vManage through a permanent DTLS connection formed between them.
vEdge also authenticates with the vSmart controllers in the network over a secure DTLS connection.
Once authentication is successful a permanent DTLS connection is formed between them and OMP peering is established between both the devices.
Over this OMP peering session vEdge router relays the control plane information to the vSmart so that vSmart can learn the network topology.
Control plane information includes the LAN side prefixes learned on the vEdge via static or dynamic routing. These are advertised to the vSmart and also TLOC (transport location) is advertised which is the address of the interface that connects to the WAN transport network.
vSmart controllers install the OMP updates in the routing database and advertise these to other vEdge routers in the overlay network.
Comments