Cisco SD-WAN :: The Blackbelt Notes Part 1

As I dive into the world of SD-WAN via Cisco’s Blackbelt Academy, a lot of details become clear. How is it set up? Is it really DMVPN based, like many others say, and not so new at all? Or is it just old tech with a fancy and expensive wrapper around it?

Let’s break up the basics!

Cisco’s deployment (acquired through Viptela) is defined in terms of 4 abstracted planes (actually 5, but we’re not going to cover vAnalytics here):

  • Orchestration Plane
  • Management Plane
  • Control Plane
  • Data Plane

The Orchestration plane is set up via Cisco vBond. vBond needs to be installed with a public IP address or behind a 1:1 NAT in order to be reachable by all other components. vBond orchestrates both the Control and the Management plane. It always acts as the server component towards other SD-WAN components, whereas those components act as clients to the vBond. vBond is used as a sort of witness to facilitate secure channel establishment from the vEdges to the vSmarts. vBond has a persistent DTLS channel with the vSmart controllers.

The Management plane is set up via Cisco vManage. It’s basically the management controller for day 0, day 1 and day 2 operations. It provides traffic visibility, troubleshooting and monitoring capabilities. It’s also the place from which changes are made, deployments are done and upgrades are performed. vManage can be installed in an Active/Cold Standby setup.

The Control plane is the centralized brain of the whole SD-WAN solution. It is set up via Cisco vSmart. vSmart peers with the other vSmart controllers and with all vEdge devices. Multiple vSmart controllers can be used to scale out the solution and run in an Active/Active setup.

The Data plane is the plane where user data flows. It consists of vEdge devices, which act as edge routers. vEdges establish a secure connection with all vSmart controllers. vEdges come as either physical or virtual devices. The vEdge encrypts and decrypts the user traffic that is pushed over the SD-WAN fabric.

How does this all interact?

OMP! The Overlay Management Protocol is the protocol that creates the whole SD-WAN fabric. It sits on top of the TCP stack. It creates secure tunnels based on TLS/DTLS encryption for vEdge-to-vSmart communication, but also as a full mesh between the vEdges. Via these tunnels, policies can be deployed and information can be gathered.

Screenshot taken from Cisco SD-WAN Validated Design Guide

SD-WAN can be deployed in Public, Private and Hybrid cloud solutions. It can even connect to colocation facilities for connectivity to AWS, Azure or Google Cloud. Cisco provides a flexible enterprise solution (Viptela and Cisco based) and a simpler SD-WAN deployment (Meraki based) for less demanding customers.

Any Questions? The answer is 42!