Traditional WAN was designed to route traffic from remote sites to the company's data centers using private MPLS circuits. However, business trends have moved applications out of the data center and into public clouds such as Microsoft Azure and Amazon Web Services (AWS). Nowadays, hauling users' traffic from branches to the enterprise DC, then out to the cloud or the Internet and back, is inefficient, expensive, and not scalable. Also, the rapid digital transformation of enterprises creates new requirements for security, cloud and Internet connectivity, WAN management, and application performance.
Cisco SD-WAN is a Wide Area Network (WAN) overlay architecture that applies the principles of Software-Defined Networking (SDN) into the traditional WAN. It is designed to meet the needs of modern enterprise applications and the rapidly growing security requirements.
The Cisco Viptela SD-WAN solution provides the following improvements over the traditional WAN design:
- Connecting any location in a fast, secure, and highly available manner using Zero-Touch Provisioning (ZTP).
- Establishing a transport-independent WAN using any type of underlying transport.
- Abstracting the underlying WAN infrastructure away from the services and applications that run over the network such as WAN Routing, Segmentations, Analytics, IaaS, and Multitenancy.
- Providing end-to-end security from remote sites to the Internet, Cloud, and SaaS applications.
- Providing a single pane of glass (SPOG) for management, analytics, and configuration policy across the enterprise WAN.
- Providing southbound REST APIs that enable enterprises to create their own unique services and meet any niche requirements.
Figure 1 summarizes the key architectural improvements over the Traditional WAN design. Let's now look at the components of the Cisco SD-WAN solution.
The Cisco Viptela SD-WAN solution is made up of four segregated planes - the Orchestration Plane, Management Plane, Control Plane, and Data Plane. Each plane has its own functions and responsibilities and is abstracted away from the other planes. For example, if you replace a device in the data plane, that does not affect the control, management, or orchestration plane. The same applies if you replace a controller in the Control Plane or the Management Plane.
Compare this to the traditional WAN design, where each device participates in the data plane (forwarding actual packets), in the control plane (for example, running OSPF, BGP, or PIM and taking part in topology formation), and in the management plane (being actively managed via the CLI).
Cisco vManage is the Management Plane of the SD-WAN system. It runs the user interface of the system and is the dashboard network administrators interact with daily. It is responsible for collecting network telemetry data, running analytics, and alerting on events in the SD-WAN fabric. It is also the tool that admins use to create device templates, push configurations, and perform overlay traffic engineering.
Cisco vManage can be deployed on-prem, in the public cloud, or in the Cisco cloud-hosted environment. It is significantly resource-intensive and most customers go with the cloud options.
Cisco vBond is the Orchestration Plane of the SD-WAN system. Its job is to orchestrate the process of onboarding new unconfigured devices to the SD-WAN fabric. It is responsible for the authentication and whitelisting of vEdge routers and control/management information distribution.
Cisco vSmart is the Control Plane of the SD-WAN system. vSmart controllers are the brain of the overlay fabric. They advertise routing, policies, and security. They are positioned as hub routers in the control plane topology, and all vEdge routers peer with all vSmart controllers. For experienced network engineers, vSmart controllers are like BGP route reflectors or DMVPN NHRP routers. However, it is important to understand that these appliances are not part of the Data Plane and do not participate in packet forwarding.
Cisco vEdge devices represent the Data Plane of the SD-WAN system. They sit at the WAN edge, establish the network fabric, and join the SD-WAN overlay. If you look at the architecture shown in figure 1, everything southbound of the vEdge routers is typically traditional networking - offices, data centers, and branches. Everything northbound of the vEdge routers is the SD-WAN system itself. vEdge routers exchange routing information with the vSmart controllers over the Overlay Management Protocol (OMP). For example, suppose we have a campus network running OSPF. At the vEdge devices, the OSPF routes are redistributed into the SD-WAN fabric and sent to the vSmart controllers via OMP; the vSmart controllers then distribute this routing information to the other vEdge devices where the WAN topology requires it.
The WAN Edge routers could be Viptela platforms or Cisco IOS-XE devices. They can be virtual or physical appliances. vEdges are auto-configured by the system. Back in the Viptela days, this process was called Zero-Touch Provisioning (ZTP) and nowadays with the Cisco devices, it is called Cisco Plug-and-Play (PnP). Both terms actually mean the same and are interchangeable.
Overlay Management Protocol (OMP)
The Cisco vSmart controllers use the Overlay Management Protocol (OMP) to manage the overlay network fabric. Upon joining the SD-WAN fabric, each vEdge router establishes one permanent secure connection to the vSmart controller via each available transport as shown in figure 4. These connections, usually DTLS, are then used by the vEdges to exchange control plane information to the controller such as prefixes, crypto keys, and policy information.
It is important to note that OMP peering is never made between the vEdge routers onsite. This is due to the separation of control and data plane in the SD-WAN architecture.
Three types of routes are advertised with OMP:
- OMP routes (vRouter) are prefixes at the local site that are redistributed into OMP and advertised towards the controllers. These might be OSPF or BGP routes, or any other routing information present on the site.
- TLOC routes (Transport Locations) are the tunnel endpoints on the WAN Edge routers that connect to the transport networks. These routes are represented by three components: the system IP address, link color, and encapsulation type.
- Service routes are used to exchange services such as firewall, IPS, application-specific optimizations, and load-balancers.
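To make the control/data plane separation and the OMP route exchange concrete, here is an added example in Python that is not part of the original lesson and not Cisco code. It models the campus-OSPF redistribution scenario above and the OMP route types just listed: each vEdge keeps one control connection per transport to vSmart, redistributes its site prefixes into OMP once per TLOC (system IP, color, encapsulation), and vSmart reflects those routes to the other vEdges without ever forwarding user traffic. Device names, system IPs, colors, and prefixes are constructed sample values; the class and method names are this example's own, not Cisco APIs.

```python
"""Toy model of the Cisco SD-WAN control plane described in this lesson.
Added example, not Cisco code; all names, IPs, colors and prefixes are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Tloc:
    """Transport location: the three components the lesson lists."""
    system_ip: str
    color: str   # transport label, e.g. mpls or biz-internet
    encap: str   # tunnel encapsulation, e.g. ipsec or gre

@dataclass(frozen=True)
class OmpRoute:
    """A site prefix redistributed into OMP, tagged with the TLOC it sits behind."""
    vpn: int
    prefix: str
    origin: str  # protocol the prefix came from on site: ospf, bgp, connected
    tloc: Tloc

class VEdge:
    """Data-plane device; it peers with controllers only, never with another vEdge."""
    def __init__(self, name: str, system_ip: str, transports: Dict[str, str]):
        self.name = name
        self.system_ip = system_ip
        self.tlocs = [Tloc(system_ip, c, e) for c, e in transports.items()]  # one per transport
        self.controllers: List["VSmart"] = []
        self.omp_table: Dict[Tuple[int, str], List[OmpRoute]] = {}

    def connect(self, ctrl: "VSmart") -> None:
        """Bring up one permanent control connection per transport."""
        for tloc in self.tlocs:
            ctrl.accept_connection(self, tloc.color)
        self.controllers.append(ctrl)

    def redistribute(self, vpn: int, prefix: str, origin: str) -> List[OmpRoute]:
        """Push a local route into OMP, once per TLOC, towards every controller."""
        routes = [OmpRoute(vpn, prefix, origin, t) for t in self.tlocs]
        for ctrl in self.controllers:
            for route in routes:
                ctrl.receive(self, route)
        return routes

    def install(self, route: OmpRoute) -> None:
        # called by vSmart when it reflects a route to us
        bucket = self.omp_table.setdefault((route.vpn, route.prefix), [])
        if route not in bucket:
            bucket.append(route)

    def next_hops(self, vpn: int, prefix: str) -> List[Tuple[str, str]]:
        """Remote TLOCs (system IP, color) this vEdge could tunnel to for a prefix."""
        return sorted({(r.tloc.system_ip, r.tloc.color) for r in self.omp_table.get((vpn, prefix), [])})

class VSmart:
    """Control-plane hub: holds OMP state and reflects it, carries no user traffic."""
    def __init__(self, name: str):
        self.name = name
        self.connections: Dict[Tuple[str, str], VEdge] = {}  # keyed by (system_ip, color)
        self.rib: Set[OmpRoute] = set()

    def peers(self) -> Dict[str, VEdge]:
        return {e.system_ip: e for e in self.connections.values()}

    def accept_connection(self, edge: VEdge, color: str) -> None:
        """Register a control connection; a brand-new peer gets the current table."""
        new_peer = edge.system_ip not in self.peers()
        self.connections[(edge.system_ip, color)] = edge
        if new_peer:
            for route in self.rib:
                if route.tloc.system_ip != edge.system_ip:
                    edge.install(route)

    def receive(self, sender: VEdge, route: OmpRoute) -> None:
        """Reflect a new OMP route to every peer except the one that sent it."""
        if route in self.rib:
            return
        self.rib.add(route)
        for system_ip, edge in self.peers().items():
            if system_ip != sender.system_ip:
                edge.install(route)

def build_fabric() -> Dict[str, object]:
    """Constructed sample fabric: HQ with two transports, branches with one each."""
    vsmart = VSmart("vsmart-1")
    hq = VEdge("hq-vedge", "10.1.1.1", {"mpls": "ipsec", "biz-internet": "ipsec"})
    br1 = VEdge("branch1-vedge", "10.1.1.2", {"biz-internet": "ipsec"})
    hq.connect(vsmart)
    br1.connect(vsmart)
    hq.redistribute(1, "192.168.10.0/24", "ospf")        # campus OSPF route at HQ
    br1.redistribute(1, "192.168.20.0/24", "connected")  # branch LAN
    # a branch that joins after the routes were advertised still learns them from vSmart
    br2 = VEdge("branch2-vedge", "10.1.1.3", {"mpls": "ipsec"})
    br2.connect(vsmart)
    return {"vsmart": vsmart, "hq": hq, "br1": br1, "br2": br2}
```

Calling `build_fabric()` and then `fabric["br2"].next_hops(1, "192.168.10.0/24")` returns the HQ prefix behind both of HQ's TLOCs, `[("10.1.1.1", "biz-internet"), ("10.1.1.1", "mpls")]`, even though branch 2 joined after HQ advertised it, while HQ's own OMP table never contains its own prefix. Note that `VEdge` has no method to peer with another `VEdge`; the only path for routing information is through `VSmart`, which is the point the lesson makes about OMP peering.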
Let's leave the things here and continue with our exploration of the Cisco SD-WAN architecture in the next lesson.
Let me try to summarize into a short table what the Software-Defined WAN brings compared to the Traditional WAN design.
| | Traditional WAN | Software-Defined WAN |
|---|---|---|
| Integration | Hardware Centric | Software Centric |
| Extension | Closed | Programmable via REST APIs |
| Drivers | Network Intent | Business Intent |