Confidential

A Wide Area Network connects branch networks, campus networks, the data center, the Internet and cloud services.
[Diagram: Branch 1, Branch 2 and Data Center, each connected to the Internet and cloud over MPLS, Internet and 4G/LTE links]
Why SD-WAN: cost, policy control, provisioning, cloud access and integrated security.
The heart of SD-WAN is the controller, or control element. The control element controls routing, policy, security and performance, and gives greater visibility.
Let's take a simple example to understand how everything works.
[Diagram: vSmart, vEdge1, vEdge2 and a Cisco ISR with System IPs 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4, connected over MPLS, Internet and 4G transports]
Tunnel endpoint = TLOC = Transport Location = System IP + Color + Encapsulation.
[Diagram: the same topology, with the tunnel endpoints on each device's MPLS, Internet and 4G transports marked as TLOCs]
TLOCs identify the tunnel endpoint. For example, if vEdge1 has to reach vEdge2 it can use MPLS or Internet.
First, vEdge1 identifies which device it has to reach. The device is identified by its System IP. The System IP has to be unique in the entire routing domain (like an OSPF router-id).
Next it has to identify which circuit (MPLS, Internet or 4G) to use. That is the function of the color.
Next it has to identify which encapsulation to use (IPsec or GRE). Usually this is IPsec. You will understand the significance of the encapsulation later.
Very important point: a vEdge CANNOT pass its TLOC information to another vEdge directly. It can pass it to vSmart only.
So how will a vEdge get information about the TLOCs on other vEdges? There is a protocol that does this job: OMP (Overlay Management Protocol). OMP runs between vEdge and vSmart.
So vEdge1 passes information about its TLOCs to vSmart over its DTLS connection, and vSmart distributes it to the other vEdge devices over their DTLS connections.
[Diagram: the same topology, with vEdge1's TLOCs called out: TLOC 1 = 1.1.1.1 + MPLS + IPSEC, TLOC 2 = 1.1.1.1 + Green + IPSEC]
Now all the edge devices have the TLOCs of the other edges. Next, each vEdge establishes an IPsec connection with the TLOCs of the other vEdges. This means that if vEdge1 wants to communicate with a TLOC of vEdge2, it establishes an IPsec connection to it. However, all the IPsec connections are pre-established, and OMP manages all the key exchanges.
Each edge device can be connected to many networks. We can have many VRFs (Virtual Routing and Forwarding instances) on each vEdge router. In the Cisco SD-WAN world these VRFs are called VPNs. Each VPN or VRF is given a number; all of them except 0 and 512 are called service VPNs. VPN 0 is the transport VPN. VPN 512 is the out-of-band management VPN.
All the service VPNs on each edge device are advertised by OMP to the other vEdges. Traffic from one VPN/VRF cannot reach other VPNs/VRFs, so traffic from VPN 1 cannot contact a device in VPN 2.
Say a device in VPN 1 on vEdge1 with IP address 12.12.12.1 wants to communicate with 13.13.13.1 on vEdge2 in VPN 1. vEdge1 has the following information. In order to reach 13.13.13.1 it has to decide which TLOC to use. Say it uses MPLS + IPsec encapsulation. Remember that the IPsec tunnels are prebuilt between the vEdge devices. So vEdge1 tags the traffic from 12.12.12.1 to 13.13.13.1 with the VPN 1 tag and sends it to vEdge2 over that TLOC. vEdge2 receives it and, because of the VPN 1 tag, knows that the traffic belongs to VPN 1. It removes the tag and sends the traffic to 13.13.13.1 by consulting the VPN 1 routing table.
[Diagram: vEdge1 and vEdge2 joined by an MPLS + IPSEC tunnel, both running OMP in DTLS to vSmart; OMP manages the IPsec key exchange; VPN 1 12.12.12.1/24 behind vEdge1, VPN 1 13.13.13.1/24 behind vEdge2. vEdge1: "To reach 13.13.13.1 I have to choose the TLOC MPLS+IPSEC advertised by OMP."]
[Diagram: the same topology. vEdge2: "So the traffic is for VPN 1. I will consult the VPN 1 routing table and pass the traffic to the concerned device."]
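As an added example that is not part of the original slides, the following Python model puts the last few slides together: each vEdge advertises its TLOCs and service-VPN routes to vSmart only, vSmart redistributes them (the OMP role), the sending vEdge picks a TLOC by System IP, color and encapsulation and tags the packet with its VPN, and the receiving vEdge consults only that VPN's table, so a lookup in VPN 2 for a VPN 1 prefix fails. All class names, system IPs, colors and prefixes are constructed for the example.

```python
# Added example, not from the original slides: a toy model of TLOC learning via vSmart (OMP)
# and VPN-tagged forwarding. System IPs, colors and prefixes are constructed to match the figures.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Tloc:
    system_ip: str        # which device: unique in the overlay, like an OSPF router-id
    color: str            # which circuit: "mpls", "green" (Internet), "lte" ...
    encap: str = "ipsec"  # which encapsulation: usually IPsec

class VSmart:  # control element: the only OMP peer of a vEdge (reached over DTLS)
    def __init__(self):
        self.tlocs = {}   # system_ip -> set of Tloc advertised by that vEdge
        self.routes = {}  # (service vpn, prefix) -> system_ip that advertised it
    def omp_advertise(self, system_ip, tlocs, prefixes):
        self.tlocs[system_ip] = set(tlocs)
        for key in prefixes:                 # key = (vpn, prefix)
            self.routes[key] = system_ip
    def omp_update(self, requester):
        """Redistribute every other vEdge's TLOCs and service-VPN routes to the requester."""
        return ({ip: t for ip, t in self.tlocs.items() if ip != requester},
                {k: ip for k, ip in self.routes.items() if ip != requester})

class VEdge:
    def __init__(self, system_ip, colors, local_routes):
        self.system_ip = system_ip
        self.tlocs = {Tloc(system_ip, c) for c in colors}
        self.local = local_routes            # (vpn, prefix) -> service-side next hop
        self.remote_tlocs, self.remote_routes = {}, {}
    def omp_join(self, vsmart):              # send own TLOCs and VPN routes to vSmart only
        vsmart.omp_advertise(self.system_ip, self.tlocs, self.local)
    def omp_learn(self, vsmart):             # receive what vSmart redistributes
        self.remote_tlocs, self.remote_routes = vsmart.omp_update(self.system_ip)
    def forward(self, vpn, dst, prefer="mpls"):
        """Pick the remote TLOC for dst, looking only in this VPN; None if unreachable."""
        addr = ipaddress.ip_address(dst)
        for (v, prefix), remote in self.remote_routes.items():
            if v == vpn and addr in ipaddress.ip_network(prefix):
                cands = self.remote_tlocs[remote]
                tloc = next((t for t in cands if t.color == prefer), sorted(cands, key=str)[0])
                return tloc, vpn             # tunnel to use, plus the VPN tag on the packet
        return None                          # no route in this VPN: segmentation holds
    def receive(self, vpn_tag, dst):
        """Strip the VPN tag and consult only that VPN's local routing table."""
        addr = ipaddress.ip_address(dst)
        for (v, prefix), next_hop in self.local.items():
            if v == vpn_tag and addr in ipaddress.ip_network(prefix):
                return next_hop
        return None
```

Note that a vEdge never reads another vEdge's tables: everything in `remote_tlocs` and `remote_routes` arrives through `VSmart.omp_update`, mirroring the rule that TLOCs are passed to vSmart only.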
There are two more controllers. The first one is vManage. vManage is used to manage all the devices and provides the GUI for the solution. Using vManage we can send configs to devices, create policies on vSmart and do many other things. All devices (vSmart and the edge devices) maintain a DTLS connection with vManage.
The next question is: how will the vEdge devices know how to contact vSmart and vManage? That is the function of vBond. vBond is also called the orchestrator.
Topics for the next sessions: SD-WAN use cases, Cloud onramp, SD-WAN security, and how to bring up the controllers and edge devices. Let us know in the feedback whether you want these topics.