CCIE EP.16 def SD-WAN (self, efficiency, Experience, Sec):

CC1E 0x108D4
Apr 1, 2022

‘Sup yo! Rafael on this side. Today we are talking about Software Defined Networking (aka SDN), particularly in the Wide Area Network context: SD-WAN. For the CCIE EI Lab exam, the required flavor of SD-WAN is SD-WAN Viptela. Cisco also owns the Meraki solution.

The intent of this and the other articles in my profile is not to be formal. Instead, they are meant to be one more resource for whoever wants to learn about networking topics and the CCIE Enterprise Infrastructure lab blueprint.

I strongly recommend visiting and reading the formal documentation about SD-WAN Viptela available in the Cisco Validated Design (CVD) guides.

Why SD-WAN

SD-WAN Solution

SD-WAN is simply software defined networking applied to the WAN. The simplest description of SDN is the concept of breaking the device up into a distributed architecture. What does that mean? Wait a minute, we’ll see that in the single device vs. distributed architecture section.

Keep in mind that SD-WAN is an overlay solution which provides a transport-independent fabric built to deliver secure segmentation, routing, Quality of Service, service insertion, application policies together with SLAs, traffic engineering, flexible topologies, and digital and cloud transformation.

Single device vs. distributed architecture

Cisco’s Modular router

When we are dealing with a legacy or traditional architecture, each device has its own control plane that handles network protocols such as OSPF, BGP, LLDP, CDP, Spanning Tree, IS-IS and others; a data plane that uses the FIB to forward user data across the network; and a switch fabric that connects the physical and internal components.

SD-WAN Viptela components

In contrast, an SDN architecture splits these roles across different locations in the network. Control planes are centralized in controllers; the switch fabric role goes to the transports (MPLS, Internet, 4G/LTE and so on); the data plane remains on edge devices like access points, routers and switches. Got it?

Cisco Viptela deployment Options

  • Cisco Cloud Delivered
  • Customer On-Premise
  • Partner Delivered

Viptela Components

As mentioned above, SD-WAN Viptela uses a distributed architecture spread over several components:

vBond
Authenticates edge routers, vSmart and vManage in the overlay network.

  • Orchestration plane; its main goal is the automatic onboarding of SD-WAN routers into the overlay network;
  • Acts as a STUN server and must have a public IP address;
  • Keyword: Authentication of overlay network components.

vManage Controller
Provides a GUI based interface to monitor, configure and maintain Viptela devices.

  • Single pane of glass for Day 0, Day 1 and Day N operations.
  • Management plane, the central point for configuration and monitoring;
  • Keyword: Single pane of glass / Dashboard.

vSmart Controller
Runs the network protocol that controls the overlay network.

  • Control plane; builds and maintains the network topology that the data plane uses to make forwarding decisions.
  • Acts like a BGP route reflector. Uses the Overlay Management Protocol (OMP) to reflect routes, next hops, crypto key information and policy information.
  • Keyword: OMP and Management.

WAN Edge router — vEdge/cEdge
Virtual or physical device that forwards end-user traffic.

  • Data plane, where packets are forwarded across the entire network.
  • Devices located in the data center, branch, remote site, private and public cloud and colocation.
  • vEdge: Dedicated Viptela SD-WAN router.
  • cEdge: IOS XE SD-WAN router.
  • Keyword: Routers, Data plane.

SD-WAN TERMINOLOGY

SD-WAN Terminology

SITE ID
A plain number (from 1 through 4294967295) that uniquely identifies a site in the SD-WAN overlay. Each site must have its own. By default, IPsec tunnels are not formed between WAN Edges within the same site (same site-id). Extremely useful for applying policy.

SYSTEM IP
Local router identifier. It uses IPv4 format and looks much like the router ID of a routing protocol. It does not need to be reachable through the underlay network, but you can assign this value to a loopback interface and advertise it in any service VPN, which is useful for syslog and SNMP.

ORGANIZATION NAME
For a device to be part of the overlay network, it must have the correct organization name, because this field is matched against the OU (Organization Unit) of the certificate during authentication when the SD-WAN device is brought into the overlay network.

TLOC
The transport location identifies each WAN transport connection. A TLOC is composed of the system IP address, link color and encapsulation (GRE or IPsec).

In other words, a TLOC corresponds to an interface connected to the WAN.

[image: show omp tlocs received]

Deeper information about TLOC

COLOR
Colors are a kind of tag. There are two types of colors: private and public. You cannot use the same color twice on the same vEdge or cEdge. Look once more at the figure “SD-WAN Terminology”: there is a private color using the MPLS transport and a public color using the Internet transport (biz-internet).

Colors are pre-defined keywords: metro-ethernet, mpls, private1, private2, private3, private4, private5 and private6 are private colors; public colors (where NAT may be present) are 3g, biz-internet, blue, bronze, custom1, custom2, custom3, default, gold, green, lte, public-internet, red and silver.
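To make the site-id, TLOC and color rules above concrete, here is a small model that validates an Edge the way a config review would and works out which TLOC pairs form tunnels by default. This is an added example, not code from the article or from Cisco; the color lists are the ones listed above, the Edge/TLOC data is constructed, and the public-to-any-public / private-to-same-private pairing rule is Cisco’s default behaviour, which goes slightly beyond what the text states.

```python
from collections import namedtuple
from itertools import combinations

# Color keywords as listed in the article: private vs. public (NAT-capable) transports.
PRIVATE_COLORS = {"metro-ethernet", "mpls", "private1", "private2", "private3", "private4",
                  "private5", "private6"}
PUBLIC_COLORS = {"3g", "biz-internet", "blue", "bronze", "custom1", "custom2", "custom3",
                 "default", "gold", "green", "lte", "public-internet", "red", "silver"}
MAX_SITE_ID = 4294967295

Tloc = namedtuple("Tloc", "system_ip color encap")   # transport location: system-ip + color + encap
Edge = namedtuple("Edge", "hostname site_id tlocs")  # one WAN Edge with its TLOCs

def validate_edge(edge):
    """Site-id in range, known color keywords, and no color used twice on one device."""
    problems, seen = [], set()
    if not 1 <= edge.site_id <= MAX_SITE_ID:
        problems.append(f"{edge.hostname}: site-id {edge.site_id} out of range")
    for t in edge.tlocs:
        if t.color not in PRIVATE_COLORS | PUBLIC_COLORS:
            problems.append(f"{edge.hostname}: unknown color {t.color}")
        if t.color in seen:
            problems.append(f"{edge.hostname}: color {t.color} used twice")
        seen.add(t.color)
    return problems

def default_tunnels(edges):
    """TLOC pairs that form IPsec tunnels by default: never inside one site-id (article);
    private colors only to the same private color, public colors to any public color
    (Cisco default behaviour, stated here beyond the article)."""
    pairs = set()
    for a, b in combinations(edges, 2):
        if a.site_id == b.site_id:
            continue
        for ta in a.tlocs:
            for tb in b.tlocs:
                if (ta.color in PUBLIC_COLORS and tb.color in PUBLIC_COLORS) or \
                        (ta.color == tb.color and ta.color in PRIVATE_COLORS):
                    pairs.add((ta, tb))
    return pairs

# Constructed sample: two DC vEdges sharing site-id 2 and one branch vEdge at site-id 4.
SAMPLE_EDGES = (Edge("vedge21", 2, (Tloc("1.1.2.1", "mpls", "ipsec"), Tloc("1.1.2.1", "biz-internet", "ipsec"))),
                Edge("vedge22", 2, (Tloc("1.1.2.2", "mpls", "ipsec"), Tloc("1.1.2.2", "biz-internet", "ipsec"))),
                Edge("vedge41", 4, (Tloc("1.1.4.1", "biz-internet", "ipsec"),)))
```

With the sample, the two DC vEdges never pair with each other (same site-id) and the branch only reaches them over biz-internet, since it has no mpls TLOC.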

OVERLAY MANAGEMENT PROTOCOL (OMP)
Protocol that works much like BGP and manages the SD-WAN overlay network. The protocol runs between vSmarts and between vSmart and the WAN Edge routers. OMP information is exchanged over DTLS/TLS connections.

Route types supported (LAN side):

  • Connected (Direct)
  • Static
  • BGP
  • OSPF

Attributes:

  • TLOC — System IP + color + encapsulation
  • VPN ID
  • Site ID
  • Tag (optional)
  • Preference
  • Originator ID — Originator of route
  • Origin — Protocol + metric

VIRTUAL PRIVATE NETWORK
Translated to a traditional network, it is the same as a VRF: it splits network segments and creates different routing tables on the routers. VPN IDs can use values from 0 to 65535, but some of these are reserved:

Transport VPN

  • VPN 0 is the transport VPN. Interfaces that belong to this VPN connect to the WAN transports. This VPN makes the secure DTLS/TLS connections to the controllers. Similar in concept to the Front Door VRF (FVRF) covered in CCIE Ep. 13 CrYpt0*DMVPN.sha.
  • VPN 512 is the management VPN. It carries the out-of-band management traffic. This VPN is ignored by OMP.

Services VPN
One or more service VPNs need to be created to contain the local-site interfaces (LAN segments). A good practice is to start with the range 1 to 511 and use higher values only if necessary. This type of VPN carries user and service traffic and supports features like OSPF, BGP, VRRP, QoS, traffic shaping and policy.

Check the router diagram taken from the Cisco CVD:

VPNs on a WAN Edge router

Control Plane

Persistent connections between controllers are formed using DTLS. The DTLS connection between an Edge and vBond is ephemeral: after authentication the connection is dropped.

  • DTLS: secure connections using DTLS are UDP based.
  • TLS: secure connections using TLS are TCP based.

It is important to say that an Edge maintains one secure DTLS connection per transport with vSmart, but just one connection with vManage. Another aspect: vSmart and vManage also maintain one control connection between them, but the number of DTLS connections between vSmart/vManage and vBond is equal to the number of cores (vCPUs). Suppose there are 8 vCPUs available for vSmart; as a result, eight DTLS connections will be up.

Show control connections from vEdge view

Orchestration Plane

Bringing a WAN Edge into the overlay, from the Cisco CVD docs

Before an SD-WAN Edge is able to come up in the overlay network, it must make a secure connection with vBond. After the connection is made and authenticated by vBond, it receives the vSmart and vManage IP addresses from vBond. This discovery process can be done manually (including setting up vManage as the root CA, signing and installing certificates, and entering the commands manually on the edge console CLI) or using automated provisioning with the ZTP or PnP process.

  • Zero Touch Provisioning for vEdge devices (server name ztp.viptela.com);
  • Plug-and-Play for IOS XE SD-WAN devices (server name devicehelper.cisco.com).

For more detail about Cisco SD-WAN Edge onboarding, see:

Cisco SD-WAN: WAN Edge Onboarding

Data Plane

Session Traversal Utilities for NAT (STUN)

Any controller or SD-WAN Edge may sometimes be behind a NAT. As you may know, knowing which IP address/port to connect to from outside the network is crucial for establishing the control and data planes in the SD-WAN network. Because of that, vBond uses the TLOC fields to map the private IP/port to the public IP/port.

Data Plane Privacy and Encryption

Traffic flowing between Edges uses IPsec tunnels for data encryption and decryption (BFD sessions too). In a traditional IPsec implementation, IKE is exchanged between peers.

In SD-WAN, instead, each Edge creates its keys every 12 hours with a lifetime of 24 hours and sends those keys to vSmart, which distributes/reflects them to the other Edges using OMP over the DTLS/TLS connection.

Graceful restart

Graceful restart is a feature that benefits from the split of control and data planes in the distributed architecture. I mean that even if the control connection between the Edge and vSmart is lost, the data plane still holds the information the Edge needs to keep forwarding end-user traffic.

Take a look at Cisco’s notes:

If an OMP peer becomes unavailable, OMP graceful restart allows other OMP peers to continue operating temporarily. When a WAN Edge router loses connection to the vSmart controllers, the router can continue forwarding traffic using last known good routing information. The default OMP graceful restart value is 12 hours and can be set to a maximum of 604,800 seconds, which is equivalent to 7 days. The IPsec rekey timer is set to 24 hours by default, and although both timers are configurable, the IPsec rekey timer must be at least two times the value of the OMP graceful restart timer. This is because the vSmart controllers distribute the IPsec keys to the WAN Edge routers, and if connections to the vSmart controllers are lost, any IPsec rekeying that occurs within the graceful restart time would cause traffic loss.
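The relationship in that note is easy to get wrong when tuning timers, so here is a small audit check for it. This is an added example, not Cisco code or part of the article; the defaults (12 h graceful restart, 24 h IPsec rekey), the 7-day cap and the 2x rule are taken from the quoted text.

```python
# Defaults and the rule from the Cisco note above (added example, not Cisco code).
OMP_GR_DEFAULT_S = 12 * 3600        # graceful restart default: 12 hours
OMP_GR_MAX_S = 604_800              # graceful restart maximum: 7 days
IPSEC_REKEY_DEFAULT_S = 24 * 3600   # IPsec rekey default: 24 hours

def check_omp_ipsec_timers(gr_s=OMP_GR_DEFAULT_S, rekey_s=IPSEC_REKEY_DEFAULT_S):
    """Return findings (empty when safe). vSmart distributes the IPsec keys, so a
    rekey that falls inside the graceful restart window during a vSmart outage
    cannot be distributed and traffic is lost: rekey must be >= 2x graceful restart."""
    findings = []
    if gr_s <= 0 or rekey_s <= 0:
        return ["timers must be positive numbers of seconds"]
    if gr_s > OMP_GR_MAX_S:
        findings.append(f"graceful restart {gr_s}s exceeds the maximum {OMP_GR_MAX_S}s (7 days)")
    if rekey_s < 2 * gr_s:
        findings.append(f"IPsec rekey {rekey_s}s is below 2x graceful restart ({2 * gr_s}s)")
    return findings

def max_graceful_restart_for(rekey_s):
    """Largest graceful restart value allowed by both the 7-day cap and the 2x rule."""
    return min(OMP_GR_MAX_S, rekey_s // 2)

def min_rekey_for(gr_s):
    """Smallest IPsec rekey timer that satisfies the 2x rule for a given graceful restart."""
    return 2 * gr_s
```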

Policies

In the SD-WAN Viptela context, policies can use many attributes and be applied as centralized or localized policies.

A great article about this topic can be found in Tomy Tim’s article, Las centralized Polices y Localized Polices.

Hands On

Disclaimer

This lab was based on the CCIE EI Lab Practice available from Cisco, where you and I can rent a rack (remote lab) and practice the SDN exam topics. Because of copyright, when I reproduced the lab on my own, some information in the topology was changed.

Read more about

TOPOLOGY REFERENCE

TOPOLOGY #1 — Overview

Topology #1 Overview

TOPOLOGY #2 — SD-WAN VPN to SD-ACCESS VNI


Objectives:

  • Create and map SD-WAN service VPNs to SD-Access VNIs;
  • Use VPNv4 to learn prefixes from SD-Access;
  • Allow network traffic between service VPNs that have the same ID across all sites;
  • Isolate the Guest service VPN; only allow it to use the Internet located in the DC;
  • Leak routes from the legacy network to SD-WAN and vice versa (except the Guest VPN).

If you have never seen the Viptela dashboard, here we go. It looks something like this when working in version 20.3.2:

Viptela Dashboard version 20.3.2

To map service VPNs to VNIs, I used some templates: a VPN template, VPN interface templates, a BGP template and an OSPF template, together with a device template.

Feature templates


Device template
Feature templates associated with device templates based on the site configuration

Device templates

Centralized Policies
It was used for route leaking between VPNs/VNIs/VRFs over OMP. SD-WAN service VPNs were leaked (with tags) to the legacy network and the legacy network was leaked to SD-WAN.

Topology attribute
Topology attribute settings
Centralized Policy

Localized Policy
Localized policy was used to prevent routing loops.

Localized policy
Prefix list

ROUTE LEAK TO ALLOW VPN GUEST ACCESS INTERNET

Here VRF-lite is used between the DC router and the vEdges, in this case the vEdges at the data center.

Edge config

vEdge data center

vedge21# show run vpn 199
vpn 199
 router
  bgp 65002
   address-family ipv4-unicast
    redistribute omp
   !
   neighbor 10.2.123.1
    no shutdown
    remote-as 65002
   !
  !
 !
 interface ge0/2
  ip address 10.2.123.2/24
  no shutdown
 !
!
vedge21# show ip routes vpn 199
Codes Proto-sub-type:
  IA -> ospf-intra-area, IE -> ospf-inter-area,
  E1 -> ospf-external1, E2 -> ospf-external2,
  N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
  e -> bgp-external, i -> bgp-internal
Codes Status flags:
  F -> fib, S -> selected, I -> inactive,
  B -> blackhole, R -> recursive

                                 PROTOCOL  NEXTHOP  NEXTHOP     NEXTHOP
VPN  PREFIX           PROTOCOL   SUB TYPE  IF NAME  ADDR        VPN      TLOC IP  COLOR         ENCAP  STATUS
------------------------------------------------------------------------------------------------------------
199  0.0.0.0/0        bgp        i         ge0/2    10.2.123.1  -        -        -             -      F,S
199  10.2.123.0/24    connected  -         ge0/2    -           -        -        -             -      F,S
199  10.2.255.211/32  bgp        i         ge0/2    10.2.123.1  -        -        -             -      F,S
199  10.4.199.0/24    omp        -         -        -           -        1.1.4.1  biz-internet  ipsec  F,S
199  10.5.199.0/24    omp        -         -        -           -        1.1.6.1  biz-internet  ipsec  F,S
199  10.5.199.0/24    omp        -         -        -           -        1.1.6.2  biz-internet  ipsec  F,S
199  10.51.199.0/30   omp        -         -        -           -        1.1.6.1  biz-internet  ipsec  F,S
199  10.52.199.0/30   omp        -         -        -           -        1.1.6.2  biz-internet  ipsec  F,S
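The route table above is the place to verify the Guest objectives (Internet only through the DC, no corporate prefixes in Guest), so here is a parser for that output plus the check a verification step would run. This is an added example, not code from the article; the rows are copied from the output above, while the expected guest ranges and the DC peer address are a constructed policy for this lab.

```python
import ipaddress

# "show ip routes vpn 199" rows from the vEdge output above (copied from the article).
SHOW_IP_ROUTES = """\
199 0.0.0.0/0 bgp i ge0/2 10.2.123.1 - - - - F,S
199 10.2.123.0/24 connected - ge0/2 - - - - - F,S
199 10.2.255.211/32 bgp i ge0/2 10.2.123.1 - - - - F,S
199 10.4.199.0/24 omp - - - - 1.1.4.1 biz-internet ipsec F,S
199 10.5.199.0/24 omp - - - - 1.1.6.1 biz-internet ipsec F,S
199 10.5.199.0/24 omp - - - - 1.1.6.2 biz-internet ipsec F,S
199 10.51.199.0/30 omp - - - - 1.1.6.1 biz-internet ipsec F,S
199 10.52.199.0/30 omp - - - - 1.1.6.2 biz-internet ipsec F,S
"""
FIELDS = ("vpn", "prefix", "protocol", "sub_type", "nh_if", "nh_addr",
          "nh_vpn", "tloc_ip", "color", "encap", "status")
# Constructed policy: the guest LAN ranges the operator expects to see in VPN 199.
GUEST_PREFIXES = ("10.4.199.0/24", "10.5.199.0/24", "10.51.199.0/30", "10.52.199.0/30")
DC_PEER = "10.2.123.1"  # DC router iBGP neighbor that hands Guest its default route

def parse_routes(text):
    """Turn route-table rows into dicts; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[0].isdigit():
            routes.append(dict(zip(FIELDS, parts)))
    return routes

def check_guest_isolation(routes, guest_prefixes=GUEST_PREFIXES, dc_peer=DC_PEER):
    """Findings for the Guest VPN objectives: the default route must be learned via
    BGP from the DC peer (Internet only through the DC), and every OMP route must
    fall inside a guest range (no corporate prefix leaked into Guest)."""
    allowed = [ipaddress.ip_network(p) for p in guest_prefixes]
    findings = []
    if not any(r["prefix"] == "0.0.0.0/0" and r["protocol"] == "bgp"
               and r["nh_addr"] == dc_peer for r in routes):
        findings.append(f"no default route learned via BGP from {dc_peer}")
    for r in routes:
        if r["protocol"] == "omp":
            net = ipaddress.ip_network(r["prefix"])
            if not any(net.subnet_of(a) for a in allowed):
                findings.append(f"OMP route {r['prefix']} via TLOC {r['tloc_ip']} is outside the guest ranges")
    return findings
```

Running the check against the output above returns no findings; a corporate prefix appearing in VPN 199 via OMP, or a missing default route, would each produce one.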
ROUTER DATACENTER
! iBGP between the DC router and the vEdge
router bgp 65002
 bgp log-neighbor-changes
 neighbor 200.99.23.1 remote-as 19999
 !
 address-family ipv4 vrf Guest
  network 0.0.0.0
  network 10.2.255.211 mask 255.255.255.255
  neighbor 10.2.123.2 remote-as 65002
  neighbor 10.2.123.2 activate
 exit-address-family
!
! WAN interface in the legacy network (global routing table)
interface Ethernet0/0
 ip address 200.99.23.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 no mop enabled
 no mop sysid
!
! LAN interface in VRF Guest
interface Ethernet0/3
 vrf forwarding Guest
 ip address 10.2.123.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
!
! Route leak with PAT and a static default route pointing into the global table;
! only the default is leaked, so Guest never learns corporate prefixes
ip nat inside source list NAT interface Ethernet0/0 vrf Guest overload
ip route vrf Guest 0.0.0.0 0.0.0.0 200.99.23.1 global
!
ip access-list standard NAT
 permit 10.0.0.0 0.255.255.255

Verification

Data plane flow

OMP routes validated from the vEdge at Branch #2

Guest VPN without corporate networks, but with a default route

VRF Guest routes

VPN 200 with corporate networks and default routes

VRF 200 routes

Communication between the legacy network and the service VPNs across branches, except the isolated Guest network.

Test ICMP

Internet traffic flow for a user in the Guest VPN

Internet traffic flow for a user in VPN 200

More Resources
