In this lesson, we will explore the main principles that the Cisco Software-defined Wide-area Network (SD-WAN) architecture has adopted to solve the inefficiencies of the traditional WAN. The solution utilizes some well-known and time-tested network technologies in combination with some new innovative ideas. It transforms the complex legacy WAN infrastructure into a secure and scalable overlay fabric. Cisco SD-WAN achieves this by using the following techniques:

  • Separating transport from the service side of the network
  • Separating control, data, and management planes
  • Secure the Data-Plane Automatically
  • Managing the fabric through centralized policies
  • Secure zero-touch provisioning and onboarding of new devices

Separating transport from the service side of the network

The first fundamental technique that Cisco SD-WAN utilizes is the separation of the service and transport sides of the network.

When an organization with a traditional WAN architecture grows, the wide-area network becomes increasingly expensive and complex to manage. One of the main reasons is that there is no clear separation between the service side of the network (users, applications, switches, and routers) and the transport side (the WAN links and the service providers' devices). Consequently, the transport routers need to know the non-transport prefixes, which makes it hard to influence WAN routing decisions without affecting the services running on top. Figure 1 illustrates a traditional WAN with no clear separation between the service and transport sides and highlights the main inefficiencies.

Figure 1. Legacy WAN

Cisco SD-WAN uses the time-tested concept implemented in service providers' MPLS networks, where the MPLS cloud is just a transport that does not need to know any customer prefixes. The function of the MPLS network is only to transport packets from an entry point to an exit point of the transport cloud. Similarly, Cisco SD-WAN places the transport side of the network in a dedicated transport segment, VPN 0. The only job of the transport side is to route packets from one WAN edge router to another: a router on the transport side needs to know only how to reach the destination router on the other side of the transport cloud, not any service-side prefixes.

Figure 2. Separating transport from the service side of the network

Separating the transport from the service side of the network abstracts the wide-area network (WAN) away from the applications running on top. This approach has many benefits such as:

  • Network admins can influence the routing decisions into the WAN independently of the communication between users or applications.
  • The solution can insert labels into packets and assign attributes to WAN circuits for optimal policy-based routing, load balancing, and network segmentation/slicing.
  • Security can be applied to the transport side independently of the users' traffic.
  • Any mix of public and private WAN transports can be used in an active-active, ECMP fashion.

Separating control, data, and management planes

The second fundamental technique that Cisco SD-WAN utilizes is the separation of control, data, and management planes.

The decoupling of control and data planes is a well-accepted concept within software-defined networking. The “control plane” is the set of protocol messages used to control the network infrastructure. It is typically represented by the in-band exchange of topology and link-state information between network devices in the form of OSPF/BGP or any other routing protocol updates. Traditionally each network device runs its own instance of the control plane in firmware, makes independent routing calculations, and determines its own Routing Information Base (RIB). Topology changes require routing updates to be propagated box-by-box across the entire network. This process quickly becomes very complex and inefficient in large environments with many routers.

That is why, to scale, most traditional routing protocols include techniques for breaking a large topology into smaller routing domains, such as OSPF areas, BGP confederations, and IS-IS levels. Additionally, techniques such as route aggregation and redistribution are often used to help the topology scale further. Most network engineers are painfully familiar with the scaling inefficiencies of traditional routing protocols.

Figure 3. Secure the Data-Plane Automatically

Cisco SD-WAN has taken the more modern SDN approach to the network architecture. The solution decouples the control plane from the data plane of all WAN edge routers and implements all control functions in a centralized software controller called vSmart. It also decouples all management functions and implements them in a separate centralized controller called vManage. Additionally, the solution introduces another network "plane" that runs vertically alongside the other two: a centralized orchestration plane implemented in a dedicated controller called vBond. vBond ensures that every device allowed to join the overlay fabric is authenticated and on the allow list, so the infrastructure can be trusted and is protected against rogue devices.

The centralized approach allows the network to be controlled and operated as a system, which is much more efficient than the traditional distributed method:

  • Management Plane - The centralized management plane (vManage) has a complete view of the network and pushes templates and policies across the entire environment. This standardizes configuration network-wide, which significantly decreases the chance of misconfigurations and human error. In large-scale environments with 1000+ nodes, it is much more efficient to edit a configuration template once on vManage and push it down to all devices than to configure 1000+ devices manually, box by box. vManage is also responsible for software updates across the entire SD-WAN fabric and for integrations with other cloud services. This controller is the single pane of glass for managing, operating, and troubleshooting the entire SD-WAN fabric.
  • Control Plane - The centralized control plane (vSmart) knows about all nodes and available paths in the environment. Upon a state change in the network, the controller recalculates the centralized routing table once and distributes it to all nodes as a single routing update. Individual network devices do not need to perform routing calculations or exchange control plane information with each other. This centralized approach is much more efficient than traditional routing, where every device recalculates each time a state change occurs in the network.
  • Data Plane - Because network devices no longer need to run complex routing calculations, more hardware resources are available for packet forwarding. The edge devices download all necessary control and management information from the controllers and send telemetry about their status back to them.

Beyond this efficiency, implementing the control and management planes in centralized controllers has additional advantages over the traditional decentralized architecture:

  • The centralized controllers do not need to lie in the data path and can be anywhere on the transport side - on-prem, in a private cloud provider, or consumed as a SaaS from an MSP.
  • The centralized controllers can be virtual appliances (VMs) or software containers that use off-the-shelf compute and storage hardware. 
  • Scale challenges associated with distributed routing protocols such as OSPF, IS-IS, and full-mesh BGP on the transport side of the network are eliminated. WAN edge routers can still run these protocols toward non-SD-WAN devices where necessary.
  • The network can achieve segmentation without running MPLS or MP-BGP between the WAN edges: each segment (VPN) is identified by a label carried inside the overlay encapsulation, so VRF-style isolation comes with the fabric instead of requiring a separate signaling protocol.

Secure the Data-Plane Automatically

Another essential technique that Cisco SD-WAN utilizes is the automatic establishment of IPsec tunnels over every WAN transport. Once a WAN edge (vEdge) router joins the Cisco SD-WAN control plane, it automatically tries to form an IPsec tunnel to every other WAN edge transport interface that it learns about. By default, this results in a full mesh of IPsec tunnels between all transport links of all WAN edges that are not at the same location (that is, do not share a site-id). The tunnels use symmetric keys rather than an IKE negotiation, which keeps tunnel setup cheap: each edge generates its own keys, advertises them to the vSmart controller over its established DTLS control connection, and vSmart distributes them to the other edges over the same secure channel. The keys are rotated regularly in the same way. Exchanging the data-plane keys through the controller, rather than negotiating them pairwise, is a considerable improvement compared to the traditional WAN.

Figure 4. Secure the Data-Plane Automatically

In traditional IPsec environments, routers handle the key exchange themselves using the Internet Key Exchange (IKE) protocol. We won't get into details about how IKE works, but the point is that every router negotiates a separate key with every other router. In a fully meshed network of n routers, each router therefore performs (n-1) key exchanges and maintains (n-1) keys, and the network as a whole performs n(n-1)/2 exchanges, which grows roughly as n². For example, with 1000 routers each router negotiates and maintains 999 keys, and the network performs 499,500 key exchanges, all of which must be repeated at every rekey. Cisco SD-WAN does not use IKE for the overlay tunnels between WAN edges; instead, each edge advertises its keys through the centralized control plane and receives its peers' keys from it.
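To make the two models concrete, here is an added Python example (written for this lesson, not Cisco's code) that models the controller-based key distribution described in the IPsec paragraph above and compares its cost with an IKE full mesh. It assumes one symmetric key per transport interface (a TLOC, modelled as system IP plus site-id plus color), one controller that only reflects advertisements, and a site-id rule that suppresses tunnels between edges of the same site; HMAC-SHA256 stands in for the AES-GCM integrity tag because the standard library has no AES. The four-edge fabric, its addresses and the 1000-router figure are constructed for the example.

```python
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass


def ike_full_mesh_cost(n: int) -> tuple[int, int]:
    """IKE full mesh: (exchanges per router, exchanges network-wide)."""
    return n - 1, n * (n - 1) // 2


@dataclass(frozen=True)
class Tloc:
    """Transport locator: which router, which site, which transport (assumed shape)."""
    system_ip: str
    site_id: int
    color: str


@dataclass
class KeyAdvert:
    tloc: Tloc
    key: bytes
    generation: int   # increments on every rekey


class Controller:
    """Reflects key advertisements to every edge; generates no keys itself."""
    def __init__(self) -> None:
        self.edges: list[Edge] = []
        self.control_messages = 0

    def reflect(self, advert: KeyAdvert) -> None:
        self.control_messages += 1
        for edge in self.edges:
            edge.learn(advert)


class Edge:
    def __init__(self, system_ip: str, site_id: int, colors: list[str], ctrl: Controller) -> None:
        self.site_id = site_id
        self.ctrl = ctrl
        self.generation = 0
        self.tlocs = [Tloc(system_ip, site_id, c) for c in colors]
        self.my_keys: dict[Tloc, bytes] = {}        # keys this edge generated
        self.peer_keys: dict[Tloc, KeyAdvert] = {}  # keys learned via the controller
        ctrl.edges.append(self)

    def advertise_keys(self) -> None:
        """Generate (or rotate) a fresh 256-bit key per local TLOC and send it
        up the single control connection; no IKE with any peer."""
        self.generation += 1
        for tloc in self.tlocs:
            key = os.urandom(32)
            self.my_keys[tloc] = key
            self.ctrl.reflect(KeyAdvert(tloc, key, self.generation))

    def learn(self, advert: KeyAdvert) -> None:
        if advert.tloc.site_id != self.site_id:   # site-id rule: no same-site tunnels
            self.peer_keys[advert.tloc] = advert

    def tunnels(self) -> int:
        return len(self.tlocs) * len(self.peer_keys)

    def protect(self, dst: Tloc, payload: bytes) -> tuple[bytes, bytes, int]:
        """Sender tags traffic with the key the *receiver* advertised for dst."""
        adv = self.peer_keys[dst]
        tag = hmac.new(adv.key, payload, hashlib.sha256).digest()
        return payload, tag, adv.generation

    def verify(self, dst: Tloc, payload: bytes, tag: bytes) -> bool:
        """Receiver checks with its own current key for that TLOC."""
        expected = hmac.new(self.my_keys[dst], payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def build_fabric() -> tuple[Controller, dict[str, Edge]]:
    """Constructed fabric: two routers at site 1, one each at sites 2 and 3."""
    ctrl = Controller()
    edges = {
        "hq1": Edge("10.0.0.1", 1, ["mpls", "biz-internet"], ctrl),
        "hq2": Edge("10.0.0.2", 1, ["mpls", "biz-internet"], ctrl),
        "br2": Edge("10.0.0.3", 2, ["biz-internet"], ctrl),
        "br3": Edge("10.0.0.4", 3, ["mpls", "biz-internet"], ctrl),
    }
    for edge in edges.values():
        edge.advertise_keys()
    return ctrl, edges


if __name__ == "__main__":
    print("IKE, 1000 routers (per router, network-wide):", ike_full_mesh_cost(1000))
    ctrl, edges = build_fabric()
    print("control messages needed to distribute every key:", ctrl.control_messages)
    for name, edge in edges.items():
        print(name, "tunnels:", edge.tunnels())
```

Note which key each side uses: the sender protects traffic with the key the receiver advertised, so once the receiver rotates and re-advertises, anything protected under the old key fails verification. That is what makes periodic rekeying through the controller effective, and it costs each edge one advertisement per transport rather than a fresh IKE negotiation with every peer.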

The automatically established full-mesh of IPsec tunnels is referred to as the Cisco SD-WAN overlay fabric. It ensures that the data traffic going between all locations is secured. 

This approach has many benefits:

  • The overlay fabric of IPsec tunnels protects traffic from eavesdropping and tampering by anyone on the transport side; an attacker on the ISP network sees only encrypted, encapsulated packets.
  • The fabric ensures that user and application flows traverse the ISP networks encapsulated with new headers and encrypted, and it provides integrity protection for the transmitted data.
  • The centralized orchestration plane (vBond) ensures that all devices allowed to join the overlay fabric are authenticated and white-listed. The centralized orchestrator makes sure that the infrastructure is trusted and secured against rogue devices.
  • The overlay can be established over any physical transport the devices get connected to. These transports are known as an underlay network.

Managing the fabric through centralized policies

Having a separate control plane allows the solution to be managed centrally via policies and templates. A centralized policy configured on vSmart controls how routing information is advertised among the WAN edge routers, which lets network administrators apply network-wide routing changes without configuring each device manually.

Figure 5. Managing the fabric through centralized policies

This approach has many benefits:

  • The centralized controller has a complete view of the environment and can make routing decisions based on auxiliary information such as SLA policies, application types, segment types, etc.
  • Network administrators can implement business logic from a single-pane-of-glass, achieving efficiency at scale and minimizing the number of touchpoints for provisioning.
  • The WAN network can scale horizontally - adding more WAN edge routers and remote sites does not affect the rest of the network devices because the centralized controllers handle all control plane calculations.
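The following is an added Python example (not the page's or Cisco's code) of the idea in this section: edges hand their routes to one controller, and a policy evaluated on the controller decides what each site gets back, per segment. The site numbers, prefixes, the hub-and-spoke rule for VPN 1 and the allow list of site-ids are assumptions for illustration; the controller also drops routes from any site-id that is not on its allow list, modelling the whitelisting done at onboarding.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class OmpRoute:
    """A service-side prefix advertised to the controller (assumed fields)."""
    vpn: int        # segment the prefix belongs to
    prefix: str
    site_id: int    # site that originated it
    color: str      # transport the originating TLOC sits on


class ControlPolicy:
    """Assumed policy: some VPNs are hub-and-spoke, the rest stay full mesh."""
    def __init__(self, hub_sites: set[int], hub_spoke_vpns: set[int]) -> None:
        self.hub_sites = hub_sites
        self.hub_spoke_vpns = hub_spoke_vpns

    def accept(self, route: OmpRoute, receiver_site: int) -> bool:
        if route.site_id == receiver_site:
            return False   # a site never needs its own routes reflected back
        if route.vpn in self.hub_spoke_vpns:
            # hubs learn every site; spokes learn only hub sites
            return receiver_site in self.hub_sites or route.site_id in self.hub_sites
        return True


class VSmart:
    """Controller model: one RIB, per-site answers computed from policy."""
    def __init__(self, policy: ControlPolicy, authorized_sites: set[int]) -> None:
        self.policy = policy
        self.authorized_sites = authorized_sites
        self.rib: set[OmpRoute] = set()
        self.dropped: list[OmpRoute] = []

    def receive(self, routes: list[OmpRoute]) -> None:
        for r in routes:
            if r.site_id in self.authorized_sites:
                self.rib.add(r)
            else:
                self.dropped.append(r)   # unknown site: never enters the fabric

    def routes_for(self, site_id: int) -> dict[int, set[str]]:
        """Per-VPN prefix table pushed to one site; VPNs never mix."""
        table: dict[int, set[str]] = {}
        for r in self.rib:
            if self.policy.accept(r, site_id):
                table.setdefault(r.vpn, set()).add(r.prefix)
        return table


def build_controller() -> VSmart:
    """Constructed fabric: site 1 is the hub, sites 2 and 3 are spokes."""
    ctrl = VSmart(ControlPolicy(hub_sites={1}, hub_spoke_vpns={1}),
                  authorized_sites={1, 2, 3})
    ctrl.receive([
        OmpRoute(1, "10.1.0.0/16", 1, "mpls"),
        OmpRoute(1, "10.2.0.0/24", 2, "biz-internet"),
        OmpRoute(1, "10.3.0.0/24", 3, "biz-internet"),
        OmpRoute(2, "172.16.2.0/24", 2, "biz-internet"),
        OmpRoute(2, "172.16.3.0/24", 3, "biz-internet"),
        OmpRoute(1, "10.9.0.0/24", 9, "biz-internet"),   # site 9 is not allow-listed
    ])
    return ctrl


if __name__ == "__main__":
    ctrl = build_controller()
    for site in (1, 2, 3):
        print("site", site, ctrl.routes_for(site))
    # one policy change on the controller changes every site's table at once
    ctrl.policy = ControlPolicy(hub_sites={1}, hub_spoke_vpns=set())
    print("site 2 after policy change", ctrl.routes_for(2))
```

The edges never talk to each other and never see the policy; swapping the policy object on the controller is the single touchpoint, and the per-VPN tables it produces are what keeps segment 1 and segment 2 prefixes from ever appearing in the same table.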

Secure zero-touch provisioning and onboarding of new devices

Cisco SD-WAN offers a fully automated process for onboarding new WAN edge devices, which lets network administrators provision new sites with minimal effort and involvement. A new, unconfigured WAN edge device discovers the controllers through one of two processes: Zero Touch Provisioning (ZTP) if it runs Viptela OS (vEdge), or Cisco Plug and Play (PnP) if it runs IOS-XE. Figure 6 illustrates a high-level overview of the onboarding process.
