This article is the first part in the series about SD-WAN technology where we learn step by step what exactly Software Defined WAN (SD-WAN) is, how to build and use it, how and why using this concept could be beneficial for enterprises or even service providers and how to transform the current enterprise WAN to a SD-WAN solution. We are going to start with looking closely at Cisco Viptela product, however later on, we will describe other SD-WAN platforms in a similar manner.
Scope: Following article focuses on Cisco Viptela SD-WAN functional components and basic connectivity concepts.
So what is so special about the new Software Defined WAN concept besides the many marketing slogans like “Redefining Networks for Cloud era” or “Transport independent secure fabric” or where the “66% cost reduction” comes from? First of all when we talk about SDWAN we can think of it as the practical enforcement of Software Defined Network (SDN) concept. The main point in SDN approach is network data plane and control plane disaggregation and flavour of API-based open networking for better interoperability between the systems and processes automation. Executing the SDN concept, in SD-WAN everything related to control plane logic is transferred to central brain which is called the controller. There is also management plane and API-enabled body for management purposes and CPE instances (physical or virtual routers) that execute the data plane part (also known as forwarding plane). Looking at the history of WANs we have been configuring (even still today we do) hop by hop, device by device, QOS classes, policy maps, routing, security features with great attention, but still doing some mistakes, having large administration overhead and need for network engineers expertise. With SD-WAN we can avoid significant part of above having at the same time nice bunch of additional features.
In Cisco Viptela solution the role of network controller is played by vSmart controller (located in the cloud). We see vEdges that are CPEs and every vEdge has to be connected with vBond and vSmart to kick off full operability. vEdge can be physical or virtual and they are typically located at customer premises but can also be installed on private and public clouds. The vManage is the tool or simply kind of a dashboard that helps administrators to clearly define WAN communication rules and manage policies from a graphical interface. Using vManage, administrators are allowed to construct different topologies depending on their needs, such as branches with single or dual MPLS/Internet lines, hub and spoke topologies or spoke to spoke connectivity. Below picture shows how the functional modules are connected to each other.
The whole concept consists of four elements:
Every piece of above list plays a separate significant role in the whole puzzle, however to configure and operate the network typically we have to spent most of the time on vManage.
Let’s firstly look on a vEdge device, what parameter we should predefine to be able to use zero touch provisioning functionality. The requirements are vBond IP address to which we have to build the secure control connectivity, organization name and basic external interface WAN configuration. It can be set statically or allocated dynamically. We should do it inside VPN service which is designed to serve as a transport purpose. We have also special VPN 512 only for management purpose and others 1-511 for common use cases. Additional parameters we will apply with template directly from the vManage portal. To successfully connect vEdge device to the cloud based piece of infrastructure they are staged with pre-generated private and public keys together with certificate signed by Avnet. The certificate is loaded into TPM chip and has a root CA trust chain for Symantec Root CA.
vEdge base configuration:
System
organization-name „NAME”
vbond b.b.b.b
!
vpn 0
interface eth0
ip address 1.2.3.4/xx or ip dhcp-client
!
no shutdown
!
ip route 0.0.0.0/0 x.x.x.x
In few words, vEdge exchanges certificate with vBond which also validates vEdge serial number and chassis identifier. Once this part is completed vBond informs vSmart and vManage of newly attached device IP address. Finally it shares to vEdge a complete list of vSmart and vManage instances. Then the just provisioned DTLS tunnel between vBond and vEdge is terminated.
Picture 1 – vManage status before vEdge attachment
vedge# show control connections
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE UPTIME ID
--------------------------------------------------------------------
vbond dtls - 0 0 198.18.1.11 12346 198.18.1.11 12346 biz-internet connect 0
Above control connection is created between vEdge and vBond during the initialization process, at the beginning device has only single tunnel with vBond, though when the process completes the device will pick up full control connectivity with vSmarts and vManages over every possible means of transport.
vedge# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE UPTIME ID
--------------------------------------------------------------------
vsmart dtls 12.12.12.12 10 1 198.18.1.12 12346 198.18.1.12 12346 biz-internet up 0:00:00:32 0
vsmart dtls 12.12.12.12 10 1 198.18.1.12 12346 198.18.1.12 12346 mpls up 0:00:00:18 0
vmanage dtls 10.10.10.10 10 0 198.18.1.10 12346 198.18.1.10 12346 biz-internet up 0:00:00:32 0
Later we should define a template for rest important part of configuration like users VPNs or management protocols. Then we could attached it to device as per below picture.
Picture 2 – Template attachment process
Picture 3 – Template fulfilment process
During this process we could assign and modify dynamic variables which could vary based on location.
Picture 4- Template attached
Finally everything was fine and device receive complete configuration according to pushed template.
Picture 5 – vManage status after vEdge attachment
When we have parts of SDWAN connected, we can go forward with the planning and configuration tasks.
In next article we are going to focus on Cisco Viptela policy architecture and configuration.
Hi Jacek, nice article.
I try to build my own Viptela Lab. When I want to add VBond or vSmart to vManage
I can not see hostname, system IP or Site ID of vBond or vSmart.
Can you pls. what I am missing?
maybe because of the tunnel interface , you have to build the network then turn on the tunnel interface in each device
Hi Jacek Ozga,
May i know if i can run only two vManage controllers in same fabric. As per viptela docs, for cluster it should have at least 3 vManage to form Cluster. If its possible, will two vmanage will be running as Active/Standby ? and how they communicate (using same message bus)?
Looking forward to your reply.
Thx.
Nasir
Hey Jacek – great article(s). Would you be willing to share where you got the visio icons from?
Thanks
J
Hi,
What happens if vSmart goes down for any reason ? vEdge will stop sending traffic ?
What is configuration needed to work sdwan simulator on personel laptop.
maybe because of the tunnel interface , you have to build the network then turn on the tunnel interface in each device
Great Article !
Kind Regards,
Rashid G.
2x CCIE #33275
Hi, I want some information and some advise, could you please give your e-mail?
Please send your request to info@grandmetric.com