Introduction to Cisco SD WAN
The Cisco SD WAN solution is a distributed architecture in which Cisco has separated the data plane from the control plane and the management plane. This differs from traditional networking in that it allows you to support large-scale networks while reducing operational and computational overhead. Because the control plane knows about all routes and nodes on the network, the routing table can be calculated once and distributed to all the necessary nodes as a single routing update, rather than having every router send routing updates to the others, with each one determining its own Routing Information Base (RIB).
This greatly reduces the overhead on the network and reduces the resources required on the routers, so that additional features and capabilities can be brought to your edge devices. Because you have a complete view of the network, you can create a common network policy across the entire SD WAN fabric, with the management plane needing to program it only once. As new devices are added to the network, they receive the same policy, ensuring the network operates as expected.
Cisco SD WAN Components:
The vBond orchestrator is essential because it provides initial authentication for participation in the fabric and acts as the glue that discovers and brings all other components together. Multiple vBond servers can be deployed for high availability. Though a WAN Edge can point to only a single vBond, it is recommended to have the WAN Edge use DNS, with a single A record resolving to all vBond IPs.
When the WAN Edge resolves the DNS record for the vBond, it receives every IP address and tries to connect to each one sequentially until a control connection succeeds. When a WAN Edge first joins the overlay, the only thing it knows about is the vBond. It receives this information via one of four methods:
- Plug and Play
- Zero Touch Provisioning
- Bootstrap configuration
- Manual configuration
The WAN Edge attempts to build a temporary connection to the vBond over each transport. Once control plane connectivity to vSmart and vManage is up, the connection to the vBond is torn down. When the WAN Edge connects to the vBond, it goes through an authentication process.
The components mutually authenticate and, if this succeeds, a Datagram Transport Layer Security (DTLS) tunnel is established. The vBond then distributes the connectivity information for the vSmart and vManage to the WAN Edge. This is why the vBond is commonly referred to as the glue of the network: it tells all the components about each other.
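The onboarding sequence described above, written out as an added simulation (this is illustrative code, not Cisco's implementation): the WAN Edge resolves the vBond name, walks the A records in order, mutually authenticates with the first reachable vBond, and only then learns where vSmart and vManage are. The DNS name, addresses, organization name and serial numbers are constructed; the authorized-serial check stands in for the certificate-based authentication the text mentions.

```python
"""Simulation of WAN Edge onboarding via vBond: resolve the DNS name, try
each A record sequentially, authenticate mutually, then learn the controllers.
All data is constructed; this is an illustration, not Cisco's implementation."""
from dataclasses import dataclass, field

# Constructed DNS zone: one name whose A record set lists every vBond.
DNS_A_RECORDS = {"vbond.example.test": ["198.51.100.11", "198.51.100.12", "198.51.100.13"]}


@dataclass
class VBond:
    ip: str
    org: str                          # organization name the vBond belongs to
    reachable: bool = True            # False models a transport/DTLS failure
    controllers: dict = field(default_factory=dict)  # vSmart/vManage info it hands out


def authenticate(vbond, edge_org, edge_serial, authorized_serials):
    """Mutual check (simplified): the edge verifies the vBond's organization
    name, and the vBond verifies the edge serial is on the authorized list."""
    return vbond.org == edge_org and edge_serial in authorized_serials


def onboard(fabric, dns, edge_org, edge_serial, authorized_serials,
            name="vbond.example.test"):
    """Try each resolved vBond address in order until one control connection
    authenticates. Returns the vBond used plus the controller information it
    distributed, or None when no vBond accepted the edge."""
    for ip in dns.get(name, []):
        vbond = fabric.get(ip)
        if vbond is None or not vbond.reachable:
            continue                  # no DTLS tunnel: move on to the next A record
        if not authenticate(vbond, edge_org, edge_serial, authorized_serials):
            continue                  # fail closed: no controller info on auth failure
        return {"vbond": ip, "controllers": vbond.controllers}
    return None


def control_plane_after_onboarding(result):
    """Once the vSmart and vManage connections are up, the temporary vBond
    connection is torn down; return the persistent control plane peers."""
    if result is None:
        return set()
    ctl = result["controllers"]
    return set(ctl.get("vsmart", [])) | set(ctl.get("vmanage", []))
```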
vManage is responsible for collecting network telemetry from the vEdge devices and alerting on events and outages in the SD-WAN environment. On vManage, device configurations such as Device Templates and overlay traffic engineering policies should be created using the REST API. On-premises deployments can be hosted on either ESXi or KVM hypervisors, with a minimum of 16 vCPUs, 32 GB of dedicated RAM and 500 GB of storage. One vManage instance can support up to 2,000 devices and can be deployed as part of a cluster containing 6 instances.
As the name suggests, vSmart is the brain of the system. vSmart controllers advertise the routing and security policies for the data plane. They are positioned centrally in the topology, with every vEdge peering with a vSmart (vEdges never form control plane peerings with each other). In this role vSmart works similarly to a BGP route reflector or DMVPN NHRP. vSmart is highly scalable: each vSmart server can handle up to 5,400 connections, and a single production deployment can contain up to 20 vSmarts, so a deployment can support very large WANs.
vSmart is responsible for implementing control plane policies, centralized data policies, service chaining, and VPN topologies. It also handles the security and encryption of the fabric by providing key management. Separating the control plane from the data and management planes allows the solution to achieve greater scale while simplifying network operation. The protocol vSmart uses to communicate all this information is called the Overlay Management Protocol (OMP). Though OMP handles routing, it would be wrong to consider it simply a routing protocol: OMP is used to manage and control the overlay beyond just routing.
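The route-reflector role and the VPN topology control described above, as an added simulation (not code from the page or from Cisco): edges advertise OMP routes to vSmart only, vSmart computes the routes each edge should install, and a hub-and-spoke control policy rewrites spoke-to-spoke routes to the hub's TLOC so spokes never build a direct path to each other. The system IPs, prefixes and the hub-and-spoke rule are constructed simplifications of a centralized control policy.

```python
"""Simulation of vSmart as an OMP route reflector with a centralized control
policy. Edges never peer with each other: each edge's routes come from vSmart.
Constructed topology and a simplified policy; not Cisco's implementation."""
from collections import defaultdict


def omp_route(vpn, prefix, system_ip, color="biz-internet", encap="ipsec"):
    """An OMP route: a VPN prefix reachable via a TLOC (system IP, color, encap)."""
    return {"vpn": vpn, "prefix": prefix, "tloc": (system_ip, color, encap)}


class VSmart:
    def __init__(self, hub_tlocs=()):
        self.routes = []                      # every OMP route learned from edges
        self.hub_tlocs = list(hub_tlocs)      # non-empty: enforce hub-and-spoke
        self.hub_ips = {t[0] for t in self.hub_tlocs}

    def learn(self, edge_routes):
        """Edges send their routes only to vSmart (like route reflector clients)."""
        self.routes.extend(edge_routes)

    def routes_for(self, edge_ip):
        """Compute the routes vSmart pushes to one edge, keyed by (vpn, prefix),
        each mapping to the list of TLOCs the edge may use to reach it."""
        rib = defaultdict(list)
        for r in self.routes:
            key = (r["vpn"], r["prefix"])
            origin = r["tloc"][0]
            if origin == edge_ip:
                continue                      # never reflect a route to its originator
            is_spoke = bool(self.hub_tlocs) and edge_ip not in self.hub_ips
            if is_spoke and origin not in self.hub_ips:
                # Policy: a spoke learns another spoke's prefix only via the hub
                # TLOCs, so spoke-to-spoke traffic transits the hub.
                for hub in self.hub_tlocs:
                    if hub not in rib[key]:
                        rib[key].append(hub)
                continue
            rib[key].append(r["tloc"])        # full mesh, or hub/hub-originated route
        return dict(rib)
```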
vEdge is the router component installed at sites. vEdges are responsible for the data plane of the Cisco SD WAN fabric, bringing up IPsec or GRE tunnels between sites. Each router forms data plane connections to other routers within the SD-WAN overlay for the purpose of transporting user traffic. Data plane connections are only established between data plane devices. These tunnels are secured via Internet Protocol Security (IPsec).
WAN Edges have built-in security to prevent unauthorized access to the network. When a WAN Edge first connects to the network, it tries to reach a Plug and Play (PnP) or Zero Touch Provisioning (ZTP) server.
There are two deployment methods for vEdge: physical and virtual.
- Physical platforms that are supported are the Cisco Integrated Services Router (ISR), Cisco Aggregation Services Router (ASR), and Cisco vEdges.
- Virtual platforms are supported on public or private clouds. Supported virtual platforms are the Cisco Cloud Services Router (CSR1000v) running XE SD-WAN and Cisco vEdge Cloud.
The data plane is where user traffic is routed and forwarded across the WAN. The data plane is similar to the routers deployed in a traditional WAN, though in Cisco SD WAN these are referred to as WAN Edges. vManage was introduced as the management plane, where all Day 0, Day 1, and Day N functions are performed, including WAN Edge configuration, routing and control policies, troubleshooting, and monitoring. The next important component is vSmart.
vSmart is the brain of the Cisco SD WAN fabric and is responsible for calculating and deploying all control and data policies, as well as handling the distribution of encryption keys for data plane connectivity. The final component is vBond. vBond makes up the orchestration plane and is responsible for authenticating components on the fabric, in addition to distributing control and management plane information to the WAN Edges. The vBond is the component that aids all other components in discovering the fabric (for example, when devices are behind NAT).