
SD-WAN

Traditional WAN challenges: - The goal of a WAN is to connect remote locations such as branches, the DC and HQ together. WAN technologies can be Internet, MPLS, Metro-Ethernet, Frame Relay, CPN, fiber etc., resulting in high complexity in maintaining QoS, routing and adjacencies. MPLS is expensive but provides high reliability, whereas the Internet is cost-effective but its reliability is very low.

Software-Defined Networking splits the network into an underlay (physical network) and an overlay (logical network). The underlay topology is the physical topology we have, while the overlay is the topology we want. This is accomplished using tunnels.

Cisco SD-WAN is based on Viptela and is the preferred solution for organizations that require improved security, advanced routing and complex topologies along with cloud instances.

Meraki SD-WAN is the recommended solution for organizations that require a unified threat management solution, which is an all-in-one package of security solutions.

Benefits of SD-WAN: - SD-WAN gives us the ability to build tunnels between the edges using VXLAN / IPsec. In SDN we have a controller that allows us to configure policy and push it to all the edge devices. These policies can be defined per application. SD-WAN also lets us forward traffic over multiple WAN interfaces based on the type of application.

Cisco SD-WAN Solution:- It has four main components.

1. vMANAGE (Management Plane):- the controller used for all configuration via an HTTPS GUI; it pushes the policies to vSMART using NETCONF.

2. vSMART (Control Plane, the brain of the solution):- It has preinstalled credentials to authenticate SD-WAN routers and is responsible for the control plane: it collects the policies from vMANAGE and pushes them to the EDGEs over DTLS tunnels using the Overlay Management Protocol (OMP). OMP can advertise routes, next hops, keys and policy information. It also finds the best route to a destination network and advertises it in the SD-WAN fabric.

3. Cisco SD-WAN routers, vEDGE and cEDGE (Data Plane):- the end devices, such as routers, that receive all configuration policies from vSMART. Overlay tunnels are established between the vEDGEs using IPsec. cEDGE is similar to vEDGE but runs on CSR, ASR, ISR and ENCS platforms and supports features such as HSRP, voice and serial interfaces that vEdges do not support. cEDGE also supports AMP, URL filtering, IPS and the Cisco Trust Anchor module, which are not present in vEdge. They are available as hardware, software or virtualized appliances, for remote offices, campuses and the DC.

4. vBOND acts as the orchestration plane. It authenticates and provides connectivity between vManage, vSmart and the SD-WAN routers. The major functions of vBOND are control-plane connection and authentication, NAT traversal and load balancing.

SD-WAN gives us the ability to configure a template that defines all the policies and push those policies down to all the vEdge routers, providing simple management.

With basic licensing, SD-WAN only supports the hub-and-spoke topology; if we need a full or partial mesh or a point-to-point topology we need an SD-WAN license.

Load balancing in SD-WAN with multiple connections is done using one of the following mechanisms. We can choose different methods for different applications; for example, we can use Application-Aware SLA for voice and Active-Active for normal HTTP and FTP traffic.

a. Active-Active is a simple load-balancing mechanism.
b. Weighted Active-Active is used if one of the links is higher speed. It sends traffic in a proportional fashion.
c. Active-Standby pinning per application forwards traffic based on the type of application and traffic, such as sending voice over the more reliable path while sending data over the higher-bandwidth link.
d. Application-Aware SLA forwards traffic based on the jitter and delay on the link. These metrics are tracked and forwarding decisions are made based on them. It allows us to use two Internet links as WAN connectivity.

Application traffic is identified using one of two different methods:

1. Deep packet inspection: a Cisco product that requires licensing and is more powerful. It identifies the type of traffic and forwards the information to vManage for data analysis.
2. 6-tuple lookup: it checks the source and destination IP, source and destination port, DSCP value and IP protocol number.
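The path-selection methods b, c and d above and the 6-tuple lookup, worked through as an added example (not code from the original notes or from Cisco): a flow is classified by its 6-tuple, the application is mapped to an SLA class with a preferred-tunnel order (active/standby pinning), and the first preferred tunnel whose BFD-measured loss, latency and jitter are within the SLA is chosen; traffic without an SLA, or with every preferred tunnel out of SLA, is spread by weighted active-active. The application names, thresholds and tunnel statistics are constructed for illustration.

```python
# Added example, not from the original notes: classify a flow by its 6-tuple,
# map the application to an SLA class, pick a tunnel whose BFD-measured loss,
# latency and jitter meet that class, else fall back to weighted active-active.
# Applications, thresholds and tunnel statistics are constructed for illustration.
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str          # transport the tunnel rides on, e.g. "mpls" or "inet"
    loss_pct: float    # loss, latency and jitter as measured by BFD on the tunnel
    latency_ms: float
    jitter_ms: float
    weight: int        # bandwidth-proportional share for weighted active-active

# 6-tuple rules: (src_net, dst_net, sport, dport, dscp, proto) -> application;
# None is a wildcard for that field. First match wins, default is "data".
RULES = [
    (("10.0.0.0/8", None, None, None, 46, 17), "voice"),  # EF-marked UDP (RTP)
    ((None, None, None, 443, None, 6), "web"),
    ((None, None, None, 21, None, 6), "ftp"),
]
# SLA class per application: thresholds plus preferred tunnels in order
# (active/standby pinning). Applications without an SLA are load-balanced.
SLA = {"voice": {"loss_pct": 1.0, "latency_ms": 150, "jitter_ms": 30,
                 "prefer": ["mpls", "inet"]}}

def classify(src, dst, sport, dport, dscp, proto):
    for (s_net, d_net, sp, dp, mark, pr), app in RULES:
        if all([s_net is None or ipaddress.ip_address(src) in ipaddress.ip_network(s_net),
                d_net is None or ipaddress.ip_address(dst) in ipaddress.ip_network(d_net),
                sp is None or sp == sport, dp is None or dp == dport,
                mark is None or mark == dscp, pr is None or pr == proto]):
            return app
    return "data"

def meets_sla(t, cls):
    return (t.loss_pct <= cls["loss_pct"] and t.latency_ms <= cls["latency_ms"]
            and t.jitter_ms <= cls["jitter_ms"])

def choose_tunnel(app, tunnels, flow_hash):
    cls = SLA.get(app)
    if cls:
        by_name = {t.name: t for t in tunnels}
        for name in cls["prefer"]:  # first preferred tunnel still within SLA
            if name in by_name and meets_sla(by_name[name], cls):
                return name
    # No SLA, or all preferred tunnels out of SLA: weighted active-active slots
    slots = [t.name for t in tunnels for _ in range(t.weight)]
    return slots[flow_hash % len(slots)]
```

With an MPLS tunnel of weight 1 and an Internet tunnel of weight 4, voice stays pinned to MPLS until its loss crosses 1%, at which point it moves to the Internet tunnel, while web flows are hashed across the two links in a 1:4 ratio.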

CISCO SD-WAN programmability:-

1. NETCONF uses XML inside SSH. An SSH connection is established to send XML commands. It is a human-readable language.
2. RESTCONF is used to configure DNA-C. Configurations are tested and pushed to the client via Postman.
3. REST APIs (Representational State Transfer) use an HTTP / HTTPS connection to send the configuration to the device. They use two markup languages, XML and JSON.
- vManage is configured using the GUI over HTTPS or via REST APIs through the Postman application. These configuration policies are pushed to vSmart using NETCONF. vSmart uses the Overlay Management Protocol (OMP) to send these policies to the vEdges. OMP provides the edge devices with information about the control plane, policies and best routes.

SD-WAN Components:-
- vEdge:- It is responsible for the data plane. vEdges are the routers that go to the remote locations. VXLAN/IPsec tunnels are used to establish tunnels with the other vEdges in the SD-WAN based on our overlay network needs. For redundancy on vEdges, VRRP is used. vEdges do not support Cisco proprietary protocols because they are Viptela based. Cisco later came up with cEdge to support all those features, such as HSRP, EIGRP, IPS, AMP and so on.
- cEdge:- similar to vEdge but supports all the Cisco features. The models supported for cEdge are ASR 1000, ISR 1000, ISR 4000 and ENCS. To support SD-WAN capability, the Cisco IOS version must be at least 18.3.0. vEdge and cEdge should not run in the same location due to incompatibility of QoS, DHCP, NAT etc. on the same site. vEdge and cEdge can be deployed physically or virtually.
- vSmart:- vSmart controllers are virtual only. They can be deployed in a public or private cloud or in an on-prem DC. vSmart provides the vEdges with information such as security, QoS and the location of other vEdges, which allows the vEdges to establish VXLAN tunnels between them. It sends the policies to the vEdges using the Overlay Management Protocol, which runs over the TCP-based Datagram Transport Layer Security (DTLS) protocol.
- vBond:- responsible for the orchestration plane. It is deployed virtually or physically and requires a public IP; if NAT is used it must have a one-to-one mapping. vBond receives the registration request from the edges, which contains both the private and public IP. vBond authenticates and forwards the request to vManage, which approves / authorizes the vEdge based on the predefined white-list. After authorization completes, as defined by the white-list the administrator configured, vSmart pushes policies to the vEdge. vBond also helps establish VXLAN tunnels between the vEdges if they are behind NAT (NAT traversal). The VXLAN tunnels are established by opening the ports on both edges.
- vManage:- responsible for the management and control of the SD-WAN from a single point. The REST API is used to configure Cisco vManage; Postman allows REST API calls directly to vManage. Most of the configuration is done through the GUI, but we still require the CLI for troubleshooting and the initial skinny configuration.
- vAnalytics is an optional analytics and assurance tool and requires additional licensing. It provides visibility into applications, forecasting and recommendations.

Controller Deployment:-

Public model:- The controllers are deployed in a public cloud, which can be accessed from the DC through the Internet. In public models such as AWS we have redundant controllers. vBond and vSmart act in Active-Active mode, while vManage operates in Active-Standby mode as it is an out-of-band management device. Inside AWS these appliances have a private IP, which is NATed to a public IP for access from remote locations. Cisco manages all these devices from the appliance perspective.

Hybrid model with public IP:- gives us the ability to deploy the controllers inside the DC, at a managed service provider or in the cloud, but we have to manage all these appliances ourselves.

Hybrid model with private IP:- It is used if the WAN provider does not allow us to inject public IPs inside the WAN infrastructure.

Cisco SD-WAN products:

Zero Touch Provisioning:- In a traditional network, if we want to add a new remote site we need to send a tech on site to install the device or add the basic configuration, as there was no shortcut. ZTP gives us the ability to simply connect the device; it will discover the SD-WAN and connect to the fabric.

- The admin's role is to configure a template that contains all the configuration policies and a white-list containing the list of authorized vEdges.
- All configuration in SD-WAN is done using templates.
- The installer only needs to connect the device to the network and power it on. The vEdge connects to the ZTP cloud server (Cisco) to get information about vBond. vBond connects the vEdge to vManage and vSmart and, based on the white-list information, vManage sends the policies to the vEdge.
- Security is provided by the pre-installed certificate ID that comes with the vEdges; vSmart and vManage use it to verify that the vEdge is connecting to a valid controller and vice versa. The vEdge also has DDoS protection, with DHCP, DNS and ICMP enabled on it. vEdges come with two certificates: one for proving who the vEdge is and another for identifying vSmart and vManage.
- ZTP is efficient, convenient and secure.
- Every device has two different certificates, the root certificate and the ID-cert. The root certificate is for the CA server and the ID-cert is for the individual device.
- ZTP is only supported on physical devices as it requires the serial number, chassis number and a Cisco or Symantec CA server.

Application Awareness and DPI:- It gives us the ability to forward packets over different WAN links based on the application. In SD-WAN we can define security, path selection, analytics, QoS and priority for the applications and the way they need to be forwarded. Traffic is forwarded based on the latency, jitter and delay, which are tracked using Bidirectional Forwarding Detection (BFD).

Traffic is identified based on two different methods:

a. 6-tuple
b. Deep Packet Inspection

Note: The maximum number of WAN connections that can be established on Cisco SD-WAN edges is seven.

VPN:- Also called VRF in Cisco terminology. It is used by service providers to segregate customer routes from each other. Just as VRF is used in MPLS-VPN, in SD-WAN this is achieved using the VXLAN tunnels. VPN 0 is used to define the infrastructure of the underlay network and mostly connects to transports like the Internet and MPLS. VPN 512 is reserved for out-of-band management; vManage uses VPN 512 to send the configuration information to the vEdges. We can use 65,530 VPNs, excluding 0 and 512.

Cloud OnRamp for IaaS:- It gives us the ability to extend the SD-WAN feature set into the public cloud. We can deploy a virtual vEdge in the public cloud to connect VMs; this is only supported on AWS and Azure. The vEdge inside the cloud lets us connect the VMs to the SD-WAN fabric. vManage can be used to configure the virtual vEdge inside the cloud.

Cloud OnRamp for SaaS:- When using services in a SaaS cloud, we need to select the best path to reach the SaaS cloud. This is done using HTTP probes that are sent to the SaaS cloud over the dual direct Internet access (DIA) links at the remote site; based on these metrics it picks the best route or ISP to forward the traffic. The metrics (jitter, delay and loss) are shared between the vEdges via OMP. The path is selected based on the Viptela Quality of Experience score (0 is worst, 10 is best), which can be observed in vManage. If there is only one DIA at the remote site, it monitors the metrics of the local DIA and of the path over the fabric, where another remote site acts as a regional hub and sends its metrics to vSmart, which forwards this metric information to the other vEdges in OMP. Based on the local DIA and the metrics received from the regional hub (including loss and latency over the fabric) it selects the best path.

vAnalytics module:- It requires additional licenses and can be activated inside vManage. It uses DPI to find utilization, capacity, application-based vQoE, bandwidth usability, reliability and so on.
