Ivy Consultants Inc.

Consulting Services for Security, Networking, Wi-Fi and Windows Server

vBond provides the orchestration service for the Cisco Viptela SD-WAN solution and connects all the other solution components together. It tells the vEdges how and where to connect to the vManage and vSmart controllers. vBond requires a dedicated public IP address, and redundant vBonds can be deployed in the network for high availability (HA).

vBond is the first component a vEdge router contacts before it joins the SD-WAN fabric; this is made possible by configuring the vBond DNS name or IP address on the vEdge. A vEdge can learn the vBond address in one of the following three ways:

  1. Zero Touch Provisioning 
  2. Manual IP address configuration on the vEdge
  3. Bootstrap configuration generated from vManage 

As soon as the vEdge router is connected to the network, it starts to discover and establish a connection to the vBond orchestrator. The vBond orchestrator authorizes and authenticates the vEdge router. After successful authentication, vBond tells the vEdge how to connect to the vSmart and vManage controllers. Once the vEdge router can reach vManage, it downloads its full configuration and shares the information with vSmart. The connection between the vEdge and vBond is torn down once the vEdge is able to communicate with vSmart and vManage.

NAT Detection 
vBond also informs the vEdges whether they are behind a NAT device and enables IPsec NAT traversal by applying Authentication Header (AH) security to the data plane tunnels. vBond functions as a STUN server, and all SD-WAN devices act as STUN clients. vBond can detect whether a vEdge router is behind a NAT device upon receiving its DTLS connection request: when the vEdge sends the request, it places its interface IP address both in the outer IP header and within the payload of the message. If a NAT device sits in between, it rewrites the outer IP address of the packet, but not the copy carried inside the DTLS-protected payload.

On reception, vBond compares the outer IP address with the IP address carried in the payload. If they do not match, it concludes that there is a NAT device in the middle. vBond then shares the NAT (public) IP address with the vEdge router, and from there it is learnt by all the other components of the solution.
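As an added illustration (not part of the original article, and not the Viptela wire format), the following Python models the exchange just described: the vEdge embeds its interface address in the DTLS-protected payload, a simulated NAT rewrites only the outer header, and vBond compares the two to detect the NAT and report the mapped address back. The message layout, the function names and the inclusion of the UDP port alongside the IP address are assumptions made for the example.

```python
# Simulated vBond NAT detection. The 6-byte payload layout (IPv4 + port) and all
# names here are assumptions for illustration, not the Viptela protocol.
import ipaddress
import struct
from typing import NamedTuple


class Packet(NamedTuple):
    outer_src_ip: str     # IP header source: visible to, and rewritable by, a NAT
    outer_src_port: int   # UDP source port: also rewritten by a NAT/PAT device
    payload: bytes        # DTLS-protected body: a NAT cannot alter it


def build_request(iface_ip: str, port: int) -> Packet:
    """vEdge side: copy its own interface address/port into the protected payload."""
    body = ipaddress.IPv4Address(iface_ip).packed + struct.pack("!H", port)
    return Packet(iface_ip, port, body)


def apply_nat(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    """Simulated NAT device: rewrites only the outer header, leaves the payload intact."""
    return pkt._replace(outer_src_ip=public_ip, outer_src_port=public_port)


def vbond_detect_nat(pkt: Packet) -> dict:
    """vBond side: compare the outer header with the address the vEdge wrote in the payload."""
    if len(pkt.payload) != 6:
        raise ValueError("malformed connection request payload")
    inner_ip = str(ipaddress.IPv4Address(pkt.payload[:4]))
    inner_port = struct.unpack("!H", pkt.payload[4:6])[0]
    behind_nat = (inner_ip, inner_port) != (pkt.outer_src_ip, pkt.outer_src_port)
    return {
        "behind_nat": behind_nat,
        "private": (inner_ip, inner_port),
        # The mapped address vBond reports to the vEdge and shares with other components.
        "public": (pkt.outer_src_ip, pkt.outer_src_port),
    }


if __name__ == "__main__":
    # Constructed sample: vEdge on a private address behind a NAT.
    req = apply_nat(build_request("10.1.1.5", 12346), "198.51.100.7", 40001)
    print(vbond_detect_nat(req))
    # Constructed sample: vEdge with a directly reachable address, no NAT.
    print(vbond_detect_nat(build_request("203.0.113.10", 12346)))
```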

One thing to keep in mind is that vBond must have a public IP address if the controllers are reached over Internet connectivity. A 1:1 static NAT is preferable; vBond is the only component that requires 1:1 NAT. Both vManage and vSmart can be set up behind PAT as long as they have reachability to vBond.