Introduction to Cisco SD-WAN Control Plane
The Cisco SD-WAN control plane is facilitated by the Overlay Management Protocol (OMP). OMP allows for a secure and scalable fabric across all transport types:
- Private – MPLS, Layer 2 VPNs, and point-to-point networks
- Public – Internet and LTE
The component responsible for the control plane is the vSmart controller. It provides a scalable control plane and is responsible for disseminating all policy information to the WAN Edges. The vSmart's role is commonly compared to that of a BGP route reflector: the vSmart takes all routing and topology information received from its clients, calculates best-path information based on the configured policy, and then advertises the results to the WAN Edges.
Security is an essential part of the SD-WAN solution. Control plane tunnels are encrypted and authenticated with Datagram Transport Layer Security (DTLS) or Transport Layer Security (TLS). DTLS/TLS connections are maintained between all devices in the SD-WAN overlay (vBond, vSmart, WAN Edges, and vManage). These tunnels are negotiated using SSL certificates: each component authenticates the other end and establishes a one-way tunnel. During this negotiation, each device validates that the received certificate is signed by a trusted root CA and has a valid serial number with a matching organization name.
After the control plane tunnels are up, other protocols can use these sessions as well. For example, besides OMP, Simple Network Management Protocol (SNMP) and NETCONF use these secure channels. By carrying them over the established DTLS/TLS tunnels, we no longer need to be concerned about the disparate security native to these protocols or the flaws that may be present in them. A DTLS tunnel is established between each WAN Edge and vSmart controller. By default, DTLS is the protocol of choice, and DTLS communication occurs over UDP port 12346. It is recommended that this port remain open to and from the vBond to all WAN Edges.
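The certificate checks just described, as an added example in Go that is not part of the original article or of Cisco's own code: it builds a constructed root CA and device certificates with the standard crypto/x509 package and applies the three checks (signed by a trusted root, serial number on the authorized list, matching organization name) to four peers. The PeerPolicy type, the ExampleCorp organization name, the serial numbers and the rogue CA are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PeerPolicy holds the three checks from the text: the peer certificate must
// chain to a trusted root CA, carry an authorized serial number, and name the
// expected organization. Type and field names are this example's own.
type PeerPolicy struct {
	Roots             *x509.CertPool
	OrgName           string
	AuthorizedSerials map[string]bool // decimal serial number -> authorized
}

// ValidatePeer applies the policy to the certificate presented by the other
// end of a DTLS/TLS handshake; it returns nil only when every check passes.
func (p PeerPolicy) ValidatePeer(cert *x509.Certificate, now time.Time) error {
	// Check 1: the certificate chains to a trusted root CA (any EKU accepted here).
	opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted issuer: %w", err)
	}
	// Check 2: the serial number is on the authorized list.
	if !p.AuthorizedSerials[cert.SerialNumber.String()] {
		return fmt.Errorf("serial %s is not authorized", cert.SerialNumber)
	}
	// Check 3: the organization name matches.
	if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != p.OrgName {
		return fmt.Errorf("organization %v does not match %q", cert.Subject.Organization, p.OrgName)
	}
	return nil
}

// template builds a CA or device certificate template valid around now
// (constructed test material, not a real PKI).
func template(cn string, serial int64, org []string, ca bool, now time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: org},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca}
}

// mustCert generates a P-256 key and signs tmpl with parent/parentKey, or
// self-signs when parent is nil; it panics on error (test fixture only).
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoResults issues four peer certificates against a trusted and a rogue root
// and reports which ones the policy accepts; only "good" should be true.
func DemoResults() map[string]bool {
	now := time.Now()
	trusted, trustedKey := mustCert(template("Trusted Root CA", 1, nil, true, now), nil, nil)
	rogue, rogueKey := mustCert(template("Rogue CA", 1, nil, true, now), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	// Constructed organization name and authorized-serial list.
	policy := PeerPolicy{Roots: roots, OrgName: "ExampleCorp", AuthorizedSerials: map[string]bool{"1001": true, "1002": true}}
	results := map[string]bool{}
	for _, c := range []struct {
		name, org string; serial int64; ca *x509.Certificate; key *ecdsa.PrivateKey
	}{
		{"good", "ExampleCorp", 1001, trusted, trustedKey},
		{"wrong-org", "OtherCorp", 1002, trusted, trustedKey},
		{"unauthorized-serial", "ExampleCorp", 9999, trusted, trustedKey},
		{"rogue-ca", "ExampleCorp", 1001, rogue, rogueKey},
	} {
		cert, _ := mustCert(template("wan-edge", c.serial, []string{c.org}, false, now), c.ca, c.key)
		results[c.name] = policy.ValidatePeer(cert, now) == nil
	}
	return results
}

func main() {
	fmt.Println(DemoResults()) // map[good:true rogue-ca:false unauthorized-serial:false wrong-org:false]
}
```

In a real deployment the certificate comes from the DTLS/TLS handshake rather than from a fixture, and the authorized-serial list is the allow-list of devices admitted to the overlay. The three checks are independent: a certificate from an untrusted CA, one with an unlisted serial number, and one naming a different organization are each rejected on their own, which is why a valid signature alone is not enough to join the fabric.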
Overlay Management Protocol
Within the Cisco SD-WAN solution, the routing protocol selected is the Overlay Management Protocol (OMP), but it would be a disservice to limit OMP to just routing. OMP is the director of all control plane information and provides the following services:
- Facilitation of network communication on the SD-WAN fabric, including data plane connectivity among sites, service chaining, and multi-VPN topology information
- Advertisement of services available to the fabric and their related locations
- Distribution of data plane security information, including encryption keys
- Best-path selection and routing policy advertisement.
OMP runs between the vSmart controllers and WAN Edge routers and advertises the following types of routes:
- OMP routes (sometimes referred to as vRoutes): Network prefixes that provide connectivity services to data centers, branch offices, or any other endpoint in the SD-WAN fabric. OMP routes resolve their next hop to a TLOC route.
- Transport locations (TLOCs): The TLOC is an identifier that ties an OMP route to a physical location. The TLOC is the only IP address that is known and reachable from the underlying network.
- Service routes: Identify a network service to the SD-WAN overlay. This route identifies the service's physical location. A service could be a firewall, IPS, IDS, or any other device that can process network traffic. Service information is advertised in service routes and OMP routes.
Each WAN Edge at a site advertises routes to the vSmart controllers. These updates are similar to traditional routing updates in that they include reachability information for the prefixes the WAN Edge handles. OMP can advertise connected and static routes, as well as routing updates redistributed from traditional protocols such as OSPF, EIGRP, and BGP. Along with reachability information, the following attributes are also advertised:
- Site ID
- TLOC: The Transport Location (TLOC) identifier is the next hop of the OMP route. This attribute is very similar to the BGP NEXT_HOP attribute.
- System IP address
- Encapsulation type
TLOC (Transport Location Identifier) routes identify the physical location of the device on a given transport. The TLOC is the only addressing that is routable in the underlay and represents the endpoint of the data plane tunnels (similar to a GRE tunnel's tunnel source and tunnel destination commands). A TLOC is made up of three attributes: the system IP address of the WAN Edge, the transport color, and the encapsulation type. If a WAN Edge has multiple transports, a TLOC route is advertised for each interface. The system IP is used in the TLOC because interface IP addresses can and will change (for example, when DHCP is used). A TLOC route advertisement contains the following pieces of information:
- TLOC private address
- TLOC public address
- Encapsulation type
- Site ID
Service routes advertise a specific service to the rest of the overlay. This advertisement can then be used by service chaining policies. Service chaining allows data traffic to be routed to a remote site through one or more services (such as firewalls, intrusion detection/prevention systems, load balancers, or an IDP) before being forwarded to its original destination. These services can be used on a per-VPN basis. Devices that provide services for the overlay must be Layer 2 adjacent to the WAN Edge for traffic to be redirected through them (that is, there cannot be any intermediate hops between the WAN Edge and the device performing the service). Keep in mind that Layer 2 adjacency can also be achieved with IPsec or GRE tunnels. The service route update contains the following information:
- VPN ID
- Service ID
- netsvc1, netsvc2, netsvc3, and netsvc4
- Originator ID
- Path ID
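How the three route types fit together (OMP routes resolving their next hop to a TLOC route, one TLOC route advertised per transport, and a service route lookup for service chaining), as an added Go example that is not code from the original article or from Cisco: it models the advertisements with plain structs over constructed sample data. The type names, the site and VPN numbers, the system IPs, colors and addresses are this example's own assumptions, and the model keeps only the attributes the text lists.

```go
package main

import "fmt"

// Tloc is the three-attribute transport locator from the text.
type Tloc struct{ SystemIP, Color, Encap string }

// Transport is one WAN interface of a WAN Edge (this example's own type).
type Transport struct{ Color, Encap, PrivateAddr, PublicAddr string }

// A TlocRoute is advertised once per transport; OmpRoute and ServiceRoute
// carry a TLOC as their next hop, much like BGP NEXT_HOP.
type TlocRoute struct{ Tloc Tloc; PrivateAddress, PublicAddress string; SiteID int }
type OmpRoute struct{ VPN, SiteID int; Prefix string; Tloc Tloc }
type ServiceRoute struct{ VPN, SiteID int; Service string; Tloc Tloc }

// AdvertiseTlocs builds one TLOC route per transport interface, keyed on the
// system IP rather than the interface address, which may change.
func AdvertiseTlocs(systemIP string, siteID int, transports []Transport) []TlocRoute {
	var out []TlocRoute
	for _, tr := range transports {
		out = append(out, TlocRoute{Tloc: Tloc{systemIP, tr.Color, tr.Encap},
			PrivateAddress: tr.PrivateAddr, PublicAddress: tr.PublicAddr, SiteID: siteID})
	}
	return out
}

// Table is the OMP state a WAN Edge has learned from its vSmart controllers.
type Table struct {
	Tlocs    map[Tloc]TlocRoute
	Routes   []OmpRoute
	Services []ServiceRoute
}

// Resolve returns the data-plane tunnel endpoints (TLOC routes) for a prefix
// in a VPN. An OMP route whose TLOC has no matching TLOC route is unresolved
// and is skipped rather than installed.
func (t *Table) Resolve(vpn int, prefix string) ([]TlocRoute, error) {
	var hops []TlocRoute
	matched := 0
	for _, r := range t.Routes {
		if r.VPN != vpn || r.Prefix != prefix {
			continue
		}
		matched++
		if tr, ok := t.Tlocs[r.Tloc]; ok {
			hops = append(hops, tr)
		}
	}
	if matched == 0 {
		return nil, fmt.Errorf("vpn %d: no OMP route for %s", vpn, prefix)
	}
	if len(hops) == 0 {
		return nil, fmt.Errorf("vpn %d: route %s has no resolvable TLOC", vpn, prefix)
	}
	return hops, nil
}

// ServiceEndpoint is the service-chaining lookup: which resolvable TLOC hosts
// the requested service for this VPN.
func (t *Table) ServiceEndpoint(vpn int, service string) (TlocRoute, error) {
	for _, s := range t.Services {
		if tr, ok := t.Tlocs[s.Tloc]; ok && s.VPN == vpn && s.Service == service {
			return tr, nil
		}
	}
	return TlocRoute{}, fmt.Errorf("vpn %d: no resolvable %s service", vpn, service)
}

// SampleTable builds constructed state: site 20 has an MPLS and an Internet
// transport and hosts a firewall, while the route to 10.30.0.0/24 points at
// a TLOC that nobody has advertised.
func SampleTable() *Table {
	t := &Table{Tlocs: map[Tloc]TlocRoute{}}
	for _, tr := range AdvertiseTlocs("10.255.0.20", 20, []Transport{
		{"mpls", "ipsec", "172.16.20.1", "172.16.20.1"},
		{"biz-internet", "ipsec", "192.168.20.1", "203.0.113.20"},
	}) {
		t.Tlocs[tr.Tloc] = tr
	}
	mpls := Tloc{"10.255.0.20", "mpls", "ipsec"}
	inet := Tloc{"10.255.0.20", "biz-internet", "ipsec"}
	t.Routes = []OmpRoute{
		{VPN: 10, Prefix: "10.20.0.0/24", Tloc: mpls, SiteID: 20},
		{VPN: 10, Prefix: "10.20.0.0/24", Tloc: inet, SiteID: 20},
		{VPN: 10, Prefix: "10.30.0.0/24", Tloc: Tloc{"10.255.0.30", "mpls", "ipsec"}, SiteID: 30},
	}
	t.Services = []ServiceRoute{{VPN: 10, Service: "FW", Tloc: mpls, SiteID: 20}}
	return t
}

func main() {
	t := SampleTable()
	fmt.Println(t.Resolve(10, "10.20.0.0/24")) // two tunnel endpoints
	fmt.Println(t.Resolve(10, "10.30.0.0/24")) // unresolved TLOC: not installed
	fmt.Println(t.ServiceEndpoint(10, "FW"))
}
```

The check in Resolve is the point of the model: a prefix whose advertised TLOC has no corresponding TLOC route cannot be installed, because the WAN Edge has no underlay-reachable endpoint to build a tunnel to. ServiceEndpoint applies the same rule before traffic is steered through a firewall, and both lookups are scoped by VPN so that a service or prefix in one VPN is never used from another.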