
Cisco Software Defined WAN

Designing, Deploying, and Securing


Your Next Generation WAN with Cisco SD-WAN

Presenter: Kerillous Samir


Prepared by : Kerillous Samir
Version 1.0 (Jan-24)
Course Content
 Introduction to Cisco SDWAN
 Cisco SDWAN component
 Control plane and data plane operation
 On boarding and provisioning
 Introduction to Cisco SDWAN policies
 Centralized data policies
 Application-Aware routing policies
 Localized policies
 Cisco SDWAN Security
 Cisco SDWAN cloud onramp
 Cisco SDWAN design and migration
 Provisioning Cisco SDWAN controllers in private cloud
Chapter 2. Cisco SD-WAN Components
 Data Plane
 Management Plane
 Control Plane
 Orchestration Plane
 Multi-Tenancy Options
 Deployment Option
SDN Concept
Data Plane
• The data plane device is the WAN Edge (vEdge).
• At each site you can have a single WAN Edge or multiple WAN Edges, depending on redundancy requirements.
• Both IPv4 and IPv6 are supported for transport within the data plane.
• Data policies (such as QoS, Application-Aware Routing, and so on) are enforced within the data plane.
• Each router will form data plane connections (IPsec) to other routers within the SD-WAN overlay for the purposes of transporting user traffic.
• Each of these VPN segments is completely isolated from communicating with each other unless policy allows it.
• The data plane supports OSPF, EIGRP, and BGP as routing protocols.
• In the Cisco SD-WAN solution, Virtual Private Network (VPN) is synonymous with Virtual Routing and Forwarding (VRF) instances from a generic routing perspective. VRFs and VPNs provide a method to separate the control and data plane into different logical parts. Segmentation in the data plane is accomplished by building multiple, isolated routing table instances and binding specific interfaces to those instances.
• WAN Edges have built-in security to prevent unauthorized access from the network. The WAN-facing interfaces only allow connections from authenticated sources, such as control plane and management plane elements.
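The segmentation and WAN-facing hardening described above, as an added example that is not part of the course material: a constructed vEdge (Viptela OS) configuration fragment in which each service VPN is its own routing table with its own interface, and the transport interface in VPN 0 exposes only the services it needs. Interface names, VPN numbers and addresses are assumed values.

```text
! Constructed vEdge configuration fragment (added example, not from the course).
! Interface names, VPN numbers and addresses are assumed values.
vpn 0
 ! Transport VPN: the WAN-facing interface. Only the tunnel-interface accepts
 ! inbound sessions, and only the services listed below are reachable on it;
 ! control and management plane sessions arrive over DTLS and are authenticated.
 interface ge0/0
  ip address 192.0.2.10/30
  tunnel-interface
   encapsulation ipsec
   color mpls
   ! deny every service that is not explicitly allowed
   no allow-service all
   allow-service dhcp
   allow-service dns
   allow-service icmp
   ! no SSH or NETCONF from the WAN side (vManage reaches the device via DTLS)
   no allow-service sshd
   no allow-service netconf
  !
  no shutdown
 !
 ip route 0.0.0.0/0 192.0.2.9
!
vpn 10
 ! Service VPN "corporate": its own routing table; ge0/1 is bound to it.
 interface ge0/1
  ip address 10.10.1.1/24
  no shutdown
 !
!
vpn 20
 ! Service VPN "guest": isolated from VPN 10 unless a policy explicitly leaks routes.
 interface ge0/2
  ip address 10.20.1.1/24
  no shutdown
 !
!
vpn 512
 ! Management VPN: out-of-band only, never carried in the overlay.
 interface eth0
  ip dhcp-client
  no shutdown
 !
!
```

Hosts in VPN 10 and VPN 20 cannot reach each other through the edge because their prefixes live in separate routing tables; only a centralized policy on vSmart can change that.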
• Bidirectional Forwarding Detection (BFD) is used inside IPsec tunnels between all WAN Edges.
• BFD cannot be turned off, but timers can be tuned in the SD-WAN fabric to identify and elicit a response to potential issues more quickly.
Data plane platforms

Cisco XE SD-WAN Platforms
• Cisco ISR1000 Series
• Cisco ISR4000 Series
• Cisco ASR1000 Series
• Cisco ENCS
• Cisco CSP

Cisco vEdge Platforms
• Viptela 100 Series
• Viptela 1000 Series
• Viptela 2000 Series
• Viptela 5000 Series

Virtual Platforms
• Cisco CSR1000v
• Viptela vEdge Cloud
• Cisco ISRv
• Moving security to the branch facilitates the capability to leverage existing Internet transports at the branch. This is referred to as Direct Internet Access (DIA), or sometimes as Local Internet Access (see Chapter 10).
Benefits from DIA:
• Reduced bandwidth requirements and latency on costly WAN circuits
• Guest access
• Improved user experience for cloud SaaS and IaaS applications
• Traditionally, security requirements dictated that all Internet access be backhauled to a data center, colocation, or regional site. The reason was that it was more cost-effective to implement security at a central site, given the cost of implementing and managing disparate security components at all sites.

Security OPEX + Security CAPEX > Infra OPEX

• When a WAN Edge attempts to join the fabric, it attempts to build control connections across each transport deployed at that site.
• A control connection cannot come up on a transport that has no path to the controllers. This is very common with cloud deployments where the controllers are in a public or private cloud and your MPLS transport has no connectivity to the Internet.

Trick
One option is to disable control connections on that transport via the max-control-connections command.
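The trick above, as an added example that is not part of the course material: a constructed vEdge (Viptela OS) VPN 0 fragment with two transports. The Internet transport keeps its default control-connection behaviour, while the MPLS transport, which cannot reach the cloud-hosted controllers, has control connections disabled so the edge stops retrying on that color but still forms data plane IPsec tunnels over it. Interface names, colors and addresses are assumed values.

```text
! Constructed vEdge configuration fragment (added example, not from the course).
! Interface names, colors and addresses are assumed values.
vpn 0
 ! Internet transport: the controllers are reachable here, so control
 ! connections (DTLS to vBond, vSmart and vManage) are built over it.
 ! Nothing to tune: the default is to attempt control connections.
 interface ge0/0
  ip address 203.0.113.10/30
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ! MPLS transport: no Internet path, so the controllers are unreachable.
 ! Without max-control-connections 0 the edge would keep retrying the
 ! control connection on this color. With it, no control connection is
 ! attempted here, while data plane tunnels on color mpls are still built.
 ! "restrict" keeps this color from trying to form tunnels to other colors.
 interface ge0/1
  ip address 10.255.0.2/30
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   max-control-connections 0
  !
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.9
 ip route 0.0.0.0/0 10.255.0.1
!
```

After this change the single management plane connection to vManage and the vSmart control connections are carried only over biz-internet, so an outage of that transport briefly disconnects the edge from the controllers even though MPLS data plane tunnels stay up.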
Management Plane
• The responsible appliance is vManage.
• vManage is highly scalable, depending on the needs of the environment.
• It runs as a cluster or as a single node.
• When vManage is clustered, redundancy can be provided.
• A single cluster is made up of three or more vManage NMSs but must always be an odd number to avoid a split-brain scenario.
• A vManage cluster can manage up to 6,000 WAN Edges, with each cluster node handling 2,000 WAN Edges.
• All configuration for the SD-WAN fabric should be performed within vManage.
• Device configurations are built in vManage via feature or CLI templates.
• Each WAN Edge will form a single management plane connection to vManage. If the device has multiple transports available, only one will be used for management plane connectivity to vManage.
• If a transport hosting the management plane connection experiences an outage, then the WAN Edge will briefly lose connectivity to vManage, and any changes made will get pushed when the device reconnects.
• vAnalytics gives the network administrator predictive analytics to provide actionable insight into the WAN.
• vAnalytics requires additional licensing and isn't on by default.
• Note that vManage should be used for a real-time, raw data view of the network, while vAnalytics should be used as a tool to review the historical performance of the network, which provides forward-looking insight into network adjustments.
Control Plane
• The responsible appliance is vSmart.
• vSmart is the brain of the SD-WAN fabric.
• vSmart is highly scalable and can handle up to 5,400 connections per vSmart server, with up to 20 vSmarts in a single production deployment.
• vSmart is responsible for the implementation of control plane policies, centralized data policies, service chaining, and VPN topologies.
• vSmart also handles the security and encryption of the fabric by providing key management.
• With the Cisco SD-WAN solution, all routing information is learned by all vSmarts.
• vSmarts then calculate the routing table and distribute it to the WAN Edges.
• A WAN Edge can connect to up to three vSmarts at a time but only needs connectivity to one to get policy information.
• Each vEdge establishes a control connection to each vSmart through each color.
• A single control connection to the controller is sufficient for a vEdge to receive control plane information.
• vEdges keep one permanent DTLS tunnel per transport interface for control-plane resiliency.
• The protocol the vSmart uses to communicate all this information is called Overlay Management Protocol (OMP).
• OMP runs between vSmart and the WAN Edges inside of a secured tunnel. When a policy is built via the management plane, this policy is distributed to vSmart via NETCONF, and the vSmart will distribute this policy via an OMP update to the WAN Edges.
• vSmart operates similarly to a BGP route reflector in iBGP.
• The vSmart receives routing information from each WAN Edge and can apply policies before advertising this information back out to other WAN Edges.
• The control plane is also responsible for encryption of the fabric. Key exchange and distribution have been moved to the vSmart.
• Each WAN Edge will compute its own keys per transport and distribute these to the vSmart. The vSmart will then distribute them to each WAN Edge, depending on defined policy.
• For redundancy, deploy at least two vSmarts, geographically dispersed.
• vSmarts will maintain a full mesh of OMP sessions among themselves and exchange control and routing information.
• If there are more than two vSmarts in the network, control connections from the WAN Edges will be load balanced. If a vSmart goes down, these control connections will get rebalanced across the remaining vSmarts.
• If control connectivity was established but, due to an outage, has been lost, then data plane connectivity will continue to flow. By default, WAN Edges will continue forwarding data plane traffic in the absence of control plane connectivity for 12 hours, utilizing the last-known state of the routing table. When the control connection is restored, WAN Edges will be updated with any policy changes that were made during the outage: the route table is flushed and the newly received route table is installed. This will cause a brief outage to the data plane when it occurs.
Orchestration Plane
• The orchestration component in the Cisco SD-WAN solution is the vBond.
• This component is so important because it provides initial authentication for participation on the fabric.
• Multiple vBond servers can be deployed to achieve high availability.
• A WAN Edge can point to only a single vBond, so a DNS name is used to reach multiple vBond servers.
• A vEdge receives its vBond information via one of four methods:
• Plug and Play
• Zero Touch Provisioning
• Bootstrap configuration
• Manual configuration
• The WAN Edge will attempt to build a temporary connection to the vBond over each transport. Once the control plane connectivity is up to vSmart and vManage, the connection to the vBond will be torn down.
• vBond is responsible for:
• authentication of vEdges and controllers
• distributing the connectivity information for the vSmart and vManage to the WAN Edge

In case of a vBond outage the SD-WAN fabric is not impacted, but new devices cannot join the fabric.
Multi-Tenancy Options

Deployment Options
Summary of the four planes

Data plane
• Appliance: vEdge
• Clustering: N/A
• Connections: IPsec to all vEdges; a single DTLS connection to vManage; a DTLS connection to each vSmart via each transport
• Failure scenario: site down if there is no redundancy
• Deployment options: physical; onsite virtually

Management plane
• Appliance: vManage
• Clustering: odd number of nodes, 3 or more
• Connections: a single control connection to each vEdge
• Failure scenario: vEdges run with cached config and resync when they reconnect
• Deployment options: Cisco-hosted cloud; public cloud; on-prem

Control plane
• Appliance: vSmart
• Clustering: at least 2, up to 20
• Connections: to each vEdge via each transport
• Failure scenario: vEdges keep forwarding using the current RIB; the RIB is flushed once they reconnect
• Deployment options: Cisco-hosted cloud; public cloud; on-prem

Orchestration plane
• Appliance: vBond
• Clustering: any number, but a vEdge joins through one
• Connections: temporary connection to each vEdge, torn down once the control and management connections come up
• Failure scenario: no impact for current vEdges, but no new vEdges can join
• Deployment options: Cisco-hosted cloud; public cloud; on-prem