Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

You Are Here

Networking

Cisco Viptela SD-WAN Explained

no Comments

With the wide adoption of SD-WAN, lots of vendors have come up with their proprietary SD-WAN solutions as there is no regulatory authority for. There are, however, forums like MEF, that are trying to standardize the Services like SD-WAN. Cisco acquired Viptela to offer SD-WAN service to its customers.

SD-WAN offers many benefits such as ease of deployment (Zero Touch Provisioning), Network automation and control (centralized Control), Traffic segmentation, security, policy based application priority, real time analytics and reporting etc.

Cisco Viptela SD-WAN architecture is comprised of the following (3 Controller components vManage (NMS), vSmart (Control Plane) and vBond (Orchestrator). These components are flexible in deployment and can be deployed either in AWS, Azure public clouds or on-prem.

Viptela Solution Components and Features

  • vManage
    • Centralized Management
    • REST-API Gateway
    • Centralized Configuration Management
    • Monitoring
    • Capable of Operating in Clustered Mode
    • Provided as a virtual machine image that can run on ESXi/KVM/Cloud Hypervisors
    • all device configuration templates and policies are defined in vManage then sent to vSmart
  • vBond Orchestrator
    • Helps to make a bond between the Viptela devices
    • Secure Bring Up of devices
    • No separate image for vEdge itself
    • Agent Process Local to vEdge
    • Provided as a virtual machine that can run on ESXi/KVM/Cloud Hypervisors
    • Requires Internet reachable IP address
    • Can have multiple vBond controllers for HA/Scale
  • vSmart Controller
    • Routing Information
    • Central VPN Policy Management
    • Traffic Engineering
    • Encryption Key Propagation
    • Service Chaining
    • Provided as a virtual machine that can run on ESXi/KVM/Cloud Hypervisors
    • Can have multiple controllers for HA/Scale
  • vEdge
    • Various vEdge routers ( hardware and Virtualized supporting 100Mb to 10Gb)
  • Viptela Secure Extensible Network
    • Secure Control Plane (DTLS/TLS)
  • Secure Data Plane (IPSec/BFD)
    • Zero Trust Model
    • Strong Certificate Authentication
    • White List based ACL’s
  • Smart Policies
  • Network Segmentation
  • Feature Templates
  • vAnalytics
  • Cloud Express
  • Viptela System bring up
  • Overlay Management Protocol (OMP)
    • the distribution of routing information across all sites within a VPN is enabled by Overlay routing
    • OMP plays a key role in routing, secure connectivity between sites, service Chaining and VPN topologies

Configuration methodology

  • Configure IP Address in all controllers
  • Check Reachability of all controllers
  • Add vBond and vSmart devices in vManage
  • Configure Org name, generate and install certificates (Symantec) in each controller using vManage
  • Configure vBond address in vSmart and vManage

Creating Control Connections

  1. Certificates are exchanged for mutual authentication
  2. vBond validates vSmart against whitelist
  3. vSmart and vManage validates Certificate Org
  4. Establishes DTLS/TLS Control Connections

Some key points to remember:

  • Certificates and Org name are used for mutual Authentication
  • Before bringing up the devices, basic configuration templates can be defined in vManage
  • Configuration templates are pushed when the devices are authenticated and added into the network

Bring Up Sequence of Events for Controllers

  • The vManage NMS software starts on a server in the data center
  • The vBond orchestrator is launched on a server in the DMZ
  • The vSmart controller is launched on a server in the data center
  • The authentication between vManage NMS <–> vBond orchestrator and vManage NMS <–> vSmart controller happens
  • The vSmart controller and the vBond orchestrator authenticate each other
  • The vManage NMS sends configurations for the vSmart and vBond devices.

Bring Up Sequence of Events for vEdges

  • The vEdge routers start in the network
  • The vEdge routers authenticate themselves with the vBond orchestrator
  • The vEdge routers authenticate themselves with the vManage NMS
  • The vManage NMS sends configurations to the vEdge routers
  • The vEdge routers authenticate themselves with the vSmart controller

vBond is the Glue

  • vBond is always in the DMZ zone
  • vBond acts as a middle-man to enable both vSmart and vEdge to find each other and authenticate
  • Creates a provisional tunnel between vEdge and vBond
  • Provides information about vSmart and vManage
  • If Configured as ZTP (Zero Touch Provisioning) Server also provides the necessary certificates for vEdges to authenticate between vSmart and vEdge

Design

Strengths

■ Decoupled data and management planes. vSmart provides centralized component that controls the routing. Scalable architecture.

■ Strong SaaS integration and leverages. Cisco Umbrella integration, Supported on ISR, multiple security controls, including a unified threat management functionality.

■ Runs on compatible existing ISR hardware, Viptela vEdge hardware, and has multiple virtual appliance form factors deployed on Cisco ENCS (initially encountered lots of issues) , including Cisco Cloud Services Router 1000V (CSR 1000V), vEdge Cloud and ISRv.

Weaknesses

■ Overlapping solutions for some use cases. Many types of virtual appliances, lack of feature similarity between the vEdge and ISR offerings, including advanced Umbrella integration and Zscaler integration.

■ IOS XE and Viptela integration issues.

■ Late in the market, for features like WAN path conditioning, packet duplication, forward error correction (FEC) and TCP optimization, available only since April 2019.

References

https://en.wikipedia.org/wiki/SD-WAN

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/SD-WAN-End-to-End-Deployment-Guide.pdf