Use Cases #
Some use cases for SD-WAN are:
- Bandwidth augmentation; use every WAN link at once, e.g. keep one application on the internet links while another uses MPLS.
- Application SLA; picks the path for critical applications based on an SLA. BFD probes on each tunnel measure latency, loss and jitter per link.
- Secure segmentation; the link can be chosen based on the sensitivity of the traffic.
- Direct internet access and direct cloud access; internet-bound traffic exits locally at the branch instead of being backhauled to the central site.
- Multi-cloud connections; connectivity to providers such as AWS, Microsoft and Google from the DC or from remote sites.
- Cloud on-ramp interconnect; uses a single interconnect provider, such as Megaport or Equinix, for connectivity into the cloud providers.
- Regional secure perimeter; forces traffic, either all of it or selected applications, to traverse a firewall.
SD-WAN Basics #
- Management plane; vManage. Holds all the policies and templates, provides monitoring and troubleshooting, and is the operator's interface to the solution.
- Orchestration plane; vBond.
- Endpoints first connect to vBond, which points them at the vManage and vSmart controllers to orchestrate connectivity.
- vBond also performs NAT detection, so an endpoint behind a firewall or NAT learns the public IP and port the controllers see it on.
- Control plane; vSmart. A centralized repository that holds the DTLS/TLS session state, routes, security policies, forwarding policies and more.
- vSmart handles the overlay routing (OMP), distributes the data-plane encryption keys between the cEdges and vEdges, and pushes the policies that control traffic.
- Data plane; the WAN edge router. Encrypts and decrypts traffic between endpoints and implements the data-plane side of the policies.
Hosting Options #
The controllers can be hosted in two ways, either in a Cisco-hosted DC, which offers easier support and maintenance, or on-prem. In either case the customer is responsible for the configuration templates and for upgrading the edge devices.
Terminology #
- VPNs; a container of LAN-side networks. Used to provide segmentation between networks.
- Within SD-WAN, VPN numbering starts at VPN 0, which is system defined. It carries the control-plane traffic, the WAN transports are tied to VPN 0, and the IPsec tunnels terminate on its interfaces.
- VPN 512 is used for out-of-band management.
- VPN 1-511 are used for data traffic as defined by the administrator.
- Colors; act as a label tied to an interface to identify its transport. They can be public or private (lte, mpls, etc.).
- System-IP; like a router ID in a routing protocol. Has the format x.x.x.x.
- TLOCs; identify the encapsulating interface of a remote router. A TLOC is the tuple of system-IP, color and encapsulation (IPsec or GRE). This matters when a router has both an MPLS and an internet connection and runs VPNs over both; an example would be MPLS tagged with the color red and internet with silver, giving two TLOCs on the same system-IP.
- The TLOC acts as the next hop of an overlay route.
Overlay Management Protocol #
OMP is the protocol that advertises networks between the vSmart controllers and the edge devices. It runs inside the DTLS (UDP) or TLS (TCP) control connections in VPN 0; the edges do not peer with each other directly.
- TLOC routes; advertise the transport locations, i.e. tie a site to the physical transports it is reachable over. Some attributes advertised in a TLOC route are:
- Site-ID
- Encap-SPI
- Encap-Authentication
- Encap-Encryption
- Public IP
- Public Port
- Private IP
- Private Port
- BFD-Status
- and more
- OMP routes; the LAN-side prefixes that an edge advertises to vSmart, which reflects them to the other edges. Attributes carried include:
- TLOC (the next hop)
- Site-ID
- Label
- VPN-ID
- Tag
- Originator System-IP
- Origin Protocol
- Origin Metric
- Data-plane privacy; the encryption keys are generated by each edge and advertised in its TLOC route via OMP to vSmart, which reflects them to the other edges so they can build direct tunnels without negotiating keys pairwise with IKE. The keys are per transport (per TLOC) and unidirectional: a peer encrypts traffic towards an edge with the key that edge advertised, so a tunnel between two edges uses one key per direction.
Data Tunnels #
Direct data tunnels may fail to form when the edges sit behind certain NAT types, e.g. symmetric NAT on one side with port- or address-restricted NAT on the other, or symmetric NAT on both sides. It comes down to which side is able to initiate a connection that the other side's NAT will accept.
NAT Types #
- Static NAT (full cone); addresses are a 1:1 mapping, the internal port can map to a different public port, and traffic can be initiated from either the public or the private side.
- Address-restricted; like static NAT but with filtering, an external host can reach the internal host only if the internal host has already sent traffic to that external address.
- Port-restricted; the same filtering but on external address and port, so the external host must also source from the port the internal host already sent to.
- Symmetric (dynamic PAT); a new mapping is created per destination when a private host connects out, so external hosts cannot connect inbound and the public port one peer learned is not valid for another peer.
Path Selection #
Load sharing is done per session (flow), either equal-cost or weighted across the available tunnels. Application pinning ties an application to a specific transport, in strict or loose mode: strict drops the traffic if the pinned interface goes offline, loose falls back to the remaining transports. The last option is application-aware routing with an SLA class, which chooses a link based on measured attributes such as latency, loss and jitter reported by the BFD probes.
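The three options above as working selection logic, added here as an illustration (not Cisco's implementation): `select_paths` applies the SLA class and the pinning policy with strict or loose fallback, and `pick_for_flow` does the per-session load sharing by hashing the flow's 5-tuple. The colors, BFD statistics and SLA thresholds are constructed sample data.

```python
"""Path selection modelled on the options above: per-session load sharing,
application pinning (strict/loose) and SLA-based app-aware routing.
Added illustration only, not Cisco's implementation; tunnel statistics,
SLA thresholds and colors below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Tunnel:
    color: str          # transport color of the local TLOC (mpls, biz-internet, lte, ...)
    latency_ms: float   # as measured by the BFD probes on this tunnel
    loss_pct: float
    jitter_ms: float
    up: bool = True     # BFD session state


@dataclass(frozen=True)
class SlaClass:
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


def meets_sla(t: Tunnel, sla: SlaClass) -> bool:
    """A tunnel qualifies only if every measured attribute is within the SLA."""
    return (t.latency_ms <= sla.max_latency_ms
            and t.loss_pct <= sla.max_loss_pct
            and t.jitter_ms <= sla.max_jitter_ms)


def select_paths(tunnels, sla: Optional[SlaClass] = None,
                 pin_colors=(), strict: bool = False) -> Optional[list]:
    """Return the tunnels an application may use, or None if it must be dropped.

    sla        -> app-aware routing: only tunnels meeting the SLA qualify
    pin_colors -> application pinning: only these transports qualify
    strict     -> drop rather than fall back when nothing qualifies;
                  loose (default) falls back to best effort over what is up
    """
    up = [t for t in tunnels if t.up]                 # BFD down = unusable
    ok = [t for t in up if sla is None or meets_sla(t, sla)]
    if pin_colors:
        pinned = [t for t in ok if t.color in pin_colors]
        if pinned:
            return pinned
    elif ok:
        return ok
    if strict:
        return None                                   # policy cannot be met: drop
    return ok or up or None                           # loose: best effort


def pick_for_flow(paths, flow: tuple, weights: Optional[dict] = None) -> Tunnel:
    """Per-session load sharing: hash the 5-tuple so every packet of a flow
    takes the same tunnel, weighted by an optional per-color weight."""
    if not paths:
        raise ValueError("no usable path; caller should have dropped the flow")
    weights = weights or {}
    digest = hashlib.sha256(repr(flow).encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % sum(weights.get(p.color, 1) for p in paths)
    for p in paths:
        slot -= weights.get(p.color, 1)
        if slot < 0:
            return p
    raise AssertionError("unreachable")


# Constructed sample data for a branch with three transports.
VOICE = SlaClass("voice", max_latency_ms=100, max_loss_pct=1, max_jitter_ms=30)
SAMPLE = [
    Tunnel("mpls", latency_ms=40, loss_pct=0.0, jitter_ms=5),
    Tunnel("biz-internet", latency_ms=120, loss_pct=2.0, jitter_ms=20),
    Tunnel("lte", latency_ms=60, loss_pct=0.0, jitter_ms=10, up=False),
]

if __name__ == "__main__":
    voice_paths = select_paths(SAMPLE, VOICE, strict=True)
    print("voice ->", [t.color for t in voice_paths] if voice_paths else "DROP")
    best_effort = select_paths(SAMPLE)
    flow = ("10.1.1.10", "10.2.2.20", 50000, 443, "tcp")
    print("flow pinned to", pick_for_flow(best_effort, flow, {"mpls": 3, "biz-internet": 1}).color)
```

With the sample data, voice lands on mpls only; if mpls degrades past the SLA, strict mode drops voice while loose mode lets it ride whatever is up. Note that `ok or up` preserves the ordering of the input list, so list the preferred transport first.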
Segmentation #
VPNs are containers that group LAN networks and are implemented as VRFs with separate routing tables. Segmentation can be applied at the interface or sub-interface level. Multiple VPNs can be carried within a single IPsec tunnel, with the VPN label keeping them apart. The tunnels themselves can be built in a number of topologies:
- Full mesh
- Hub and spoke
- Partial mesh
- Point-to-point
Data and Control Plane Connectivity #
Control connections use DTLS over UDP. The listening ports are a base port of 12346 stepped by 100 (the hundreds digit), giving eight control ports; the port scheme exists to help work around NAT limitations.
- 12346, 12446, 12546, 12646, 12746, 12846, 12946, 13046. The port actually used for a connection is the base port combined with the device's port offset.
Note on the impact if connectivity to a controller is lost:
- Loss of vBond; established connections stay up, but a router that reloads cannot re-authenticate and rejoin the fabric.
- Loss of vManage; logging and telemetry are lost, but the network keeps running.
- Loss of vSmart; the edges keep forwarding on the cached OMP routes and the existing data-plane keys for the graceful-restart period, but if the outage lasts long enough the keys expire and the tunnels go down.
The edge devices (VPN 0) need reachability to all three controllers, either over the internet or a private link. Data tunnels use a similar port series, but stepped by 20 (the tens digit) for port hopping:
- 12346, 12366, 12386, 12406, 12426. The port used for a connection is again the base port combined with the port offset.
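The port schema above, turned into something a firewall or SOC engineer can check against. This is an added illustration, not Cisco tooling: the base port 12346, the step of 100 for control ports and the step of 20 for data-plane port hopping come from the lists above, while the port-offset range of 0-19 (used when several edges share one NAT address) and the IOS-style `permit udp ... range` output format are assumptions of this example. `classify` maps an observed UDP port back to the scheme it belongs to, and `firewall_ranges` derives the minimal set of UDP ranges an upstream firewall must permit towards VPN 0.

```python
"""VPN 0 UDP port schema for the DTLS control connections and the IPsec
data tunnels, with a firewall allow-list derived from it. Added illustration,
not Cisco tooling; the port-offset range 0..19 is an assumption."""
BASE_PORT = 12346
CONTROL_STEP, CONTROL_SLOTS = 100, 8     # 12346, 12446, ..., 13046
HOP_STEP, HOP_SLOTS = 20, 5              # 12346, 12366, ..., 12426
MAX_OFFSET = 19                          # assumed port-offset range 0..19


def _check(index: int, slots: int, offset: int) -> None:
    if not 0 <= index < slots or not 0 <= offset <= MAX_OFFSET:
        raise ValueError(f"index {index} or offset {offset} out of range")


def control_port(slot: int, offset: int = 0) -> int:
    """Listening port for control connection `slot` with a given port offset."""
    _check(slot, CONTROL_SLOTS, offset)
    return BASE_PORT + CONTROL_STEP * slot + offset


def data_port(hop: int, offset: int = 0) -> int:
    """Data-plane port after `hop` port-hops with a given port offset."""
    _check(hop, HOP_SLOTS, offset)
    return BASE_PORT + HOP_STEP * hop + offset


def classify(port: int) -> list:
    """Map an observed UDP port back to (kind, index, offset). A port can fit
    both schemes: 12346 is control slot 0 and data hop 0 with offset 0."""
    matches = []
    delta = port - BASE_PORT
    if delta >= 0:
        for kind, step, slots in (("control", CONTROL_STEP, CONTROL_SLOTS),
                                  ("data", HOP_STEP, HOP_SLOTS)):
            index, offset = divmod(delta, step)
            if index < slots and offset <= MAX_OFFSET:
                matches.append((kind, index, offset))
    return matches


def firewall_ranges() -> list:
    """Merged (low, high) UDP port ranges an upstream firewall must permit to
    VPN 0 for control and data planes. Adjacent ranges are coalesced so the
    rule set stays minimal rather than opening 12346-13065 wholesale."""
    ranges = [(control_port(s), control_port(s, MAX_OFFSET)) for s in range(CONTROL_SLOTS)]
    ranges += [(data_port(h), data_port(h, MAX_OFFSET)) for h in range(HOP_SLOTS)]
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


if __name__ == "__main__":
    for lo, hi in firewall_ranges():
        print(f"permit udp any any range {lo} {hi}")   # assumed IOS-style ACL line
    print(classify(12400))                              # data hop 2, offset 14
```

Because the data-plane hops (12346-12445) run straight into the second control slot (12446-12465), the first merged range covers 12346-12465 and the remaining six control slots each add a 20-port range, seven rules in total. A port such as 12466 classifies as nothing, which is the kind of stray UDP traffic a VPN 0 ACL should not be allowing.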
Edge Design #
WAN edge design has a few things to keep in mind.
- Organization-Name is unique to the whole fabric and must match on every edge and controller
- System-IP is the device identifier
- Site-ID is the site identifier
- VPN 0 is considered the untrusted zone while the service-side VPNs are trusted
- Within VPN 0 each WAN interface has its own TLOC, so the solution can identify which transport (MPLS or internet) each interface sits on
- The WAN VPN/VRF (VPN 0) is the global routing table and integrates with the underlay
- Static routing is the most common option in VPN 0; BGP and OSPF are also supported
- VPN 512 is a separate routing domain and does not use the overlay
- LAN VPNs are routed using OMP and can redistribute connected, static, BGP, OSPF and EIGRP routes
Connection note: the edge devices connect to vBond first, and vBond orchestrates the connections to vManage and vSmart.