Menu

Poland

GRANDMETRIC Sp. z o.o.
ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43
info@grandmetric.com

Sweden

Drottninggatan 86
111 36 Stockholm
+46 762 041 514
info@grandmetric.com

UK

Grandmetric LTD
Office 584b
182-184 High Street North
London
E6 2JA
+44 20 3321 5276
info@grandmetric.com

US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10
info@grandmetric.com

  • en
  • pl
  • se
  • Cisco Viptela SD-WAN components and connectivity (Part-1)

    Cisco Viptela SD-WAN components and connectivity (Part-1)

    Date: 19.02.2018

    Author:


    This article is the first part in the series about SD-WAN technology where we learn step by step what exactly Software Defined WAN (SD-WAN) is, how to build and use it, how and why using this concept could be beneficial for enterprises or even service providers and how to transform the current enterprise WAN to a SD-WAN solution. We are going to start with looking closely at Cisco Viptela product, however later on, we will describe other SD-WAN platforms in a similar manner.

     

    Scope: Following article focuses on Cisco Viptela SD-WAN functional components and basic connectivity concepts.

     

    Software Defined WAN. Besides the slogans.

    So what is so special about the new Software Defined WAN concept besides the many marketing slogans like “Redefining Networks for Cloud era” or “Transport independent secure fabric” or where the “66% cost reduction” comes from? First of all when we talk about SDWAN we can think of it as the practical enforcement of Software Defined Network (SDN) concept. The main point in SDN approach is network data plane and control plane disaggregation and flavour of API-based open networking for better interoperability between the systems and processes automation. Executing the SDN concept, in SD-WAN everything related to control plane logic is transferred to central brain which is called the controller. There is also management plane and API-enabled body for management purposes and CPE instances (physical or virtual routers) that execute the data plane part (also known as forwarding plane). Looking at the history of WANs we have been configuring (even still today we do) hop by hop, device by device, QOS classes, policy maps, routing, security features with great attention, but still doing some mistakes, having large administration overhead and need for network engineers expertise. With SD-WAN we can avoid significant part of above having at the same time nice bunch of additional features.

     

    Cisco Viptela SD-WAN components.

    In Cisco Viptela solution the role of network controller is played by vSmart controller (located in the cloud). We see vEdges that are CPEs and every vEdge has to be connected with vBond and vSmart to kick off full operability.  vEdge can be physical or virtual and they are typically located at customer premises but can also be installed on private and public clouds. The vManage is the tool or simply kind of a dashboard that helps administrators to clearly define WAN communication rules and manage policies from a graphical interface. Using vManage, administrators are allowed to construct different topologies depending on their needs, such as branches with single or dual MPLS/Internet lines, hub and spoke topologies or spoke to spoke connectivity. Below picture shows how the functional modules are connected to each other.

    Cisco Viptela architecture

     

    The whole concept consists of four elements:

    • vBond – initiates the bring up process of every vEdge device, at the first step it creates secure tunnel with vEdge and informs vSmart and vManage about its parameters like for instance ip address. It has to be fully connected with every device.
    • vSmart – this is a controller for your network, it is responsible for managing all control and data policies by using special Overlay Management Protocol (OMP).
    • vEdge – router which receive complete control and data policies from the vSmart, it is able to run routing protocol like OSPF, BGP to create connectivity on LAN side but also with MPLS provider if necessary. It establishes secure IPSec tunnels with others vEdges depending on selected topology.
    • vManage – fully manageable centralized portal to run and operate software defined network (SD-WAN).

     

    Every piece of above list plays a separate significant role in the whole puzzle, however to configure and operate the network typically we have to spent most of the time on vManage.

     

    Looking closely at each component.

    Let’s firstly look on a vEdge device, what parameter we should predefine to be able to use zero touch provisioning functionality. The requirements are vBond IP address to which we have to build the secure control connectivity, organization name and basic external interface WAN configuration. It can be set statically or allocated dynamically. We should do it inside VPN service which is designed to serve as a transport purpose. We have also special VPN 512  only for management purpose and others 1-511 for common use cases. Additional parameters we will apply with template directly from the vManage portal. To successfully connect vEdge device to the cloud based piece of infrastructure they are staged with pre-generated private and public keys together with certificate signed by Avnet. The certificate is loaded into TPM chip and has a root CA trust chain for Symantec Root CA.

     

    Connecting vEdge to vBond

    vEdge base configuration:

    System
     organization-name „NAME”
     vbond b.b.b.b
    !
    vpn 0
     interface eth0
      ip address 1.2.3.4/xx or ip dhcp-client
      !
      no shutdown
     !
     ip route 0.0.0.0/0 x.x.x.x

     

    In few words, vEdge exchanges certificate with vBond which also validates vEdge serial number and chassis identifier. Once this part is completed vBond informs vSmart and vManage of newly attached device IP address. Finally it shares to vEdge a complete list of vSmart and vManage instances. Then the just provisioned DTLS tunnel between vBond and vEdge is terminated.

    vManage Cisco Viptela

    Picture 1 – vManage status before vEdge attachment

     

    vedge# show control connections
    PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                               GROUP
    TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  LOCAL COLOR     STATE           UPTIME      ID
    --------------------------------------------------------------------
    vbond   dtls -               0          0      198.18.1.11                             12346 198.18.1.11                             12346 biz-internet    connect                     0

    Above control connection is created between vEdge and vBond during the initialization process, at the beginning device has only single tunnel with vBond, though when the process completes the device will pick up full control connectivity with vSmarts and vManages over every possible means of transport.

    vEdge control connections to vSmart and vManage

    vedge# show control connections
                                 PEER                                          PEER                                              CONTROLLER
    PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                               GROUP
    TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  LOCAL COLOR     STATE           UPTIME      ID
    --------------------------------------------------------------------
    vsmart  dtls 12.12.12.12     10         1      198.18.1.12                             12346 198.18.1.12                             12346 biz-internet    up              0:00:00:32  0
    vsmart  dtls 12.12.12.12     10         1      198.18.1.12                             12346 198.18.1.12                             12346 mpls            up              0:00:00:18  0
    vmanage dtls 10.10.10.10     10         0      198.18.1.10                             12346 198.18.1.10                             12346 biz-internet    up              0:00:00:32  0

    Configuration templates

    Later we should define a template for rest important part of configuration like users VPNs or management protocols. Then we could attached it to device as per below picture.

    vManage 2 Cisco Viptela

    Picture 2 – Template attachment process

     

     

    vManage template fullfilment Cisco Viptela

    Picture 3 – Template fulfilment process

     

    During this process we could assign and modify dynamic variables which could vary based on location.

    template attached vManage Cisco Viptela

    Picture 4- Template attached

     

    Finally everything was fine and device receive complete configuration according to pushed template.

    Cisco Viptela vEdge attachment vManage

    Picture 5 – vManage status after  vEdge attachment

     

    When we have parts of SDWAN connected, we can go forward with the planning and configuration tasks.

    In next article we are going to focus on Cisco Viptela policy architecture and configuration.

    Author

    Jacek Ozga

    12 Comments
    Rashid Ghazanfar
    27 February 2018 at 15:33

    Great Article !

    Kind Regards,
    Rashid G.
    2x CCIE #33275

     
    Ahmad
    3 December 2019 at 07:48

    Hi, I want some information and some advise, could you please give your e-mail?

     
    Marcin Dryjanski, Ph.D.
    3 January 2020 at 09:33

    Please send your request to info@grandmetric.com

     
    Silvester
    30 June 2018 at 10:20

    Hi Jacek, nice article.
    I try to build my own Viptela Lab. When I want to add VBond or vSmart to vManage
    I can not see hostname, system IP or Site ID of vBond or vSmart.
    Can you pls. what I am missing?

     
    mariam
    22 December 2021 at 18:18

    maybe because of the tunnel interface , you have to build the network then turn on the tunnel interface in each device

     
    Nasir
    31 July 2018 at 07:08

    Hi Jacek Ozga,
    May i know if i can run only two vManage controllers in same fabric. As per viptela docs, for cluster it should have at least 3 vManage to form Cluster. If its possible, will two vmanage will be running as Active/Standby ? and how they communicate (using same message bus)?

    Looking forward to your reply.

    Thx.
    Nasir

     
    Joel
    4 February 2019 at 19:32

    Hey Jacek – great article(s). Would you be willing to share where you got the visio icons from?

    Thanks

    J

     
    David
    29 April 2020 at 09:12

    Hi,

    What happens if vSmart goes down for any reason ? vEdge will stop sending traffic ?

     
    Raju
    2 December 2021 at 17:03

    What is configuration needed to work sdwan simulator on personel laptop.

     
    mariam
    22 December 2021 at 18:19

    maybe because of the tunnel interface , you have to build the network then turn on the tunnel interface in each device

     

    Leave a Reply

    Your email address will not be published. Required fields are marked *


    Grandmetric