Slide 1

Understanding SD-WAN (Software Defined – Wide Area Network)
11-12-2019
Ananth Rao

Slide 2

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

- What is WAN?
- What are the problems with WAN?
- What is SD-WAN?
- Understanding components of SD-WAN
- Demo on dCloud

Slide 3

A Wide Area Network connects branch networks, campus networks, the data center, the Internet and cloud services.

[Diagram: Branch 1, Branch 2 and the Data Center connected to the cloud/Internet over MPLS, Internet and 4G/LTE links]

Slide 4

Cost, policy control, provisioning, cloud access and integrated security.

[Diagram: Branch 1, Branch 2 and the Data Center connected to the cloud/Internet over MPLS, Internet and 4G/LTE links]

Slide 5

The heart of SD-WAN is the controller, or control element. The control element controls the routing, policy, security and performance, and gives greater visibility.

Slide 6

Data plane devices = vEdge, Cisco ASR/ISR routers
Controller = vSmart

Let's bring in the other components later. First, let's understand how vSmart and vEdge interact.

Slide 7

Let's take a simple example to understand how everything works.

[Diagram: vSmart, vEdge1, vEdge2 and a Cisco ISR with System IPs 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4, each attached to MPLS, Internet and/or 4G transports]

Slide 8

A DTLS/TLS connection is formed between each WAN Edge device and vSmart.

[Diagram: vEdge1, Cisco ISR and vEdge2 each with a DTLS connection to vSmart]

Slide 9

Tunnel endpoint = TLOC = Transport Location = System IP + Color + Encapsulation

[Diagram: vSmart, vEdge1, vEdge2 and a Cisco ISR with System IPs 1.1.1.1 to 1.1.1.4 attached to MPLS, Internet and 4G transports; each transport attachment is a tunnel endpoint]

Slide 10

TLOCs identify the tunnel endpoint. For example, if vEdge1 has to reach vEdge2, it can use MPLS or Internet.

So first vEdge1 identifies which device it has to reach. That device is identified by its System IP. The System IP has to be unique in the entire routing domain (like an OSPF router-id).

Next it has to identify which circuit (MPLS, Internet or 4G) to use. That is the function of the color.

Next it has to identify which encapsulation to use (IPSEC or GRE). Usually IPSEC. You will understand the significance of the encapsulation later.

Slide 11

Very important point: a vEdge CANNOT pass TLOC information to other vEdges directly. It can pass it to vSmart only.

So how will a vEdge get information about the TLOCs on other vEdges? There is a protocol which does this job. It is called OMP (Overlay Management Protocol). OMP runs between vEdge and vSmart.

So vEdge1 will pass information about its TLOCs to vSmart over the DTLS connection, and vSmart will distribute it to the other vEdge devices over their DTLS connections.

Slide 12

OMP runs between vSmart and vEdge.

[Diagram: vEdge1, Cisco ISR and vEdge2 each running OMP to vSmart]

Slide 13

[Diagram: vSmart, vEdge1, vEdge2 and a Cisco ISR with System IPs 1.1.1.1 to 1.1.1.4 attached to MPLS and Internet transports]

TLOC 1 = 1.1.1.1 + MPLS + IPSEC
TLOC 2 = 1.1.1.1 + Green + IPSEC

Slide 14

Now all the edge devices have the TLOCs of the other edges. Next, each vEdge will establish an IPSEC connection with the TLOCs of the other vEdges. That means if vEdge1 wants to communicate with a TLOC of vEdge2, it will establish an IPSEC connection to it. However, all the IPSEC connections are pre-established. OMP manages all the key exchanges.

Slide 15

[Diagram: IPSEC tunnels between vEdge1, Cisco ISR and vEdge2; each edge runs OMP in DTLS to vSmart]

OMP manages the IPSEC key exchange.

Slide 16

Each edge device can be connected to many networks. We can have many VRFs (Virtual Routing and Forwarding instances) on each vEdge router. In the Cisco SD-WAN world these VRFs are called VPNs. Each VPN or VRF is given a number (except for 0 and 512); these are called service VPNs. VPN 0 is the transport VPN. VPN 512 is the out-of-band management VPN.

Slide 17

[Diagram: vEdge1, Cisco ISR and vEdge2 each with VPN0, plus service VPNs labelled Sales and Admin: VPN 1 (12.12.12.0/24 on vEdge1, 13.13.13.0/24 on vEdge2) and VPN 2]

Slide 18

All the service VPNs on each edge device are advertised by OMP to the other vEdges. Traffic from one VPN/VRF cannot reach other VPNs/VRFs, so traffic from VPN 1 cannot contact a device in VPN 2.

Slide 19

[Diagram: vEdge1, Cisco ISR and vEdge2 each with VPN0, plus service VPNs labelled Sales and Admin: VPN 1 (12.12.12.0/24 on vEdge1, 13.13.13.0/24 on vEdge2) and VPN 2]

Slide 20

Say a device in VPN 1 on vEdge1 with IP address 12.12.12.1 wants to communicate with 13.13.13.1 on vEdge2 in VPN 1. vEdge1 has the following information: in order to reach 13.13.13.1 it has to decide which TLOC to use. Say it uses MPLS + IPSEC encapsulation. Remember the IPSEC tunnels are prebuilt between the vEdge devices.

So vEdge1 will tag the traffic from 12.12.12.1 to 13.13.13.1 with the VPN 1 tag and send it to vEdge2 over that TLOC. vEdge2 will receive it and, because of the VPN 1 tag, it knows that the traffic belongs to VPN 1. It removes the tag and sends the traffic to 13.13.13.1 by consulting the VPN 1 routing table.
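To make the TLOC, OMP and VPN-tag walkthrough of slides 10, 11, 16, 18 and 20 concrete, here is an added Python model that is not part of the deck: vSmart collects each edge's TLOCs and service-VPN prefixes (the OMP exchange) and reflects them back, the sending edge looks up the destination only inside the tagged VPN and picks a TLOC by color, and the receiving edge consults only the routing table the tag names. The system IPs 1.1.1.1 and 1.1.1.3 for vEdge1 and vEdge2 and the VPN 2 prefixes are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class TLOC:                  # tunnel endpoint = System IP + Color + Encapsulation
    system_ip: str           # unique per device in the domain, like an OSPF router-id
    color: str               # which circuit to use: mpls, internet, 4g ...
    encap: str = "ipsec"     # ipsec (the usual choice) or gre

@dataclass
class VEdge:
    system_ip: str
    tlocs: list
    service_vpns: dict                              # vpn number -> locally attached prefixes
    omp_routes: dict = field(default_factory=dict)  # learned from vSmart: (vpn, prefix) -> TLOCs

class VSmart:                # edges send TLOCs and VPN routes here only, never to each other
    def __init__(self):
        self.tloc_table, self.vpn_routes = {}, {}   # system_ip -> TLOCs; (vpn, prefix) -> origin
    def sync(self, *edges):  # OMP over DTLS: each edge announces, then vSmart reflects to the rest
        for e in edges:
            if e.service_vpns.keys() & {0, 512}:    # VPN 0 = transport, 512 = management
                raise ValueError("VPN 0 and 512 are not service VPNs")
            self.tloc_table[e.system_ip] = e.tlocs
            for vpn, prefixes in e.service_vpns.items():
                for prefix in prefixes:
                    self.vpn_routes[(vpn, prefix)] = e.system_ip
        for e in edges:      # an edge receives every route except its own
            e.omp_routes = {k: self.tloc_table[o] for k, o in self.vpn_routes.items()
                            if o != e.system_ip}

def forward(src, vpn, dst_ip, prefer_color="mpls"):
    # Sending edge: match dst against this VPN's OMP routes, pick a TLOC, tag with the VPN.
    for (route_vpn, prefix), tlocs in src.omp_routes.items():
        if route_vpn == vpn and ip_address(dst_ip) in ip_network(prefix):
            tloc = next((t for t in tlocs if t.color == prefer_color), tlocs[0])
            return {"vpn": vpn, "dst": dst_ip, "tloc": tloc}   # rides the prebuilt IPSEC tunnel
    return None   # no route inside this VPN: nothing crosses into another VPN

def receive(dst, packet):    # receiving edge: the VPN tag selects the routing table, then deliver
    for prefix in dst.service_vpns.get(packet["vpn"], []):
        if ip_address(packet["dst"]) in ip_network(prefix):
            return packet["vpn"], prefix
    return None

# Constructed topology: system IPs for vEdge1/vEdge2 and the VPN 2 prefixes are assumed.
VEDGE1 = VEdge("1.1.1.1", [TLOC("1.1.1.1", "mpls"), TLOC("1.1.1.1", "internet")],
               {1: ["12.12.12.0/24"], 2: ["22.22.22.0/24"]})
VEDGE2 = VEdge("1.1.1.3", [TLOC("1.1.1.3", "mpls"), TLOC("1.1.1.3", "internet")],
               {1: ["13.13.13.0/24"], 2: ["23.23.23.0/24"]})
VSmart().sync(VEDGE1, VEDGE2)
```

`forward(VEDGE1, 2, "13.13.13.1")` returns `None` even though the address is reachable in VPN 1, which is the isolation slide 18 describes.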

Slide 21

[Diagram: vEdge1 (VPN 1, 12.12.12.1/24) and vEdge2 (VPN 1, 13.13.13.1/24) joined by an IPSEC tunnel; both run OMP in DTLS to vSmart, and OMP manages the IPSEC key exchange]

Slide 22

[Diagram: vEdge1 (VPN 1, 12.12.12.1/24) and vEdge2 (VPN 1, 13.13.13.1/24) joined by an MPLS + IPSEC tunnel; both run OMP in DTLS to vSmart, and OMP manages the IPSEC key exchange]

vEdge1: "To reach 13.13.13.1 I have to choose the TLOC MPLS + IPSEC advertised by OMP."

Slide 23

[Diagram: vEdge1 (VPN 1, 12.12.12.1/24) sends a packet for 13.13.13.1 tagged with VPN 1 over IPSEC to vEdge2 (VPN 1, 13.13.13.1/24); both run OMP in DTLS to vSmart, and OMP manages the IPSEC key exchange]

Slide 24

[Diagram: vEdge1 (VPN 1, 12.12.12.1/24) and vEdge2 (VPN 1, 13.13.13.1/24) joined by an IPSEC tunnel; both run OMP in DTLS to vSmart, and OMP manages the IPSEC key exchange]

vEdge2: "So the traffic is for VPN 1. I will consult the VPN 1 routing table and pass the traffic to the concerned device."

Slide 25

There are two more controllers.

The first one is vManage. vManage is used to manage all the devices and provides the GUI for the solution. Using vManage we can push configs to devices, create policies on vSmart and do many other things. All devices (vSmart and the edge devices) maintain a DTLS connection with vManage.

Slide 26

[Diagram: vEdge1, Cisco ISR and vEdge2 each with a DTLS connection to vSmart, and vSmart and the edge devices each with a DTLS connection to vManage]

Slide 27

The next question is: how will the vEdge devices know how to contact vSmart and vManage? That is the function of vBond. vBond is also called the orchestrator.

Slide 28

[Diagram: vEdge1, vEdge2, vSmart and vManage each with a DTLS connection to vBond, in addition to the DTLS connections to vSmart and vManage]

Slide 29


Slide 30

Possible follow-up topics:
- SD-WAN use cases
- Cloud OnRamp
- SD-WAN security
- How to bring up the controllers and edge devices

Let us know whether you want these topics in the feedback.

Slide 31

Thank you.