[SDWAN] Overview Cisco SDWAN Components. (English)
Following the overview of SDWAN in the previous article, this one covers the structure and components of a Cisco SDWAN network.
As everyone knows, a traditional WAN router always has two planes: the control-plane and the data-plane.
☸️ Control-plane: decides how packets are forwarded (it runs the routing protocols and builds the forwarding table).
↔️ Data-plane: forwards packets out of the device ports according to what the control-plane decided.
In SDWAN, to improve performance and scalability, the Data-plane and Control-plane are separated onto different devices, and two further planes are added: the Management-plane and the Orchestration-plane.
The control-plane in SDWAN runs on a separate controller, vSmart. It still decides the paths that data takes, but it does so centrally: vSmart receives routing information from the Edge routers and redistributes it to the remaining Edges (this exchange uses OMP, the Overlay Management Protocol).
You can think of vSmart as roughly analogous to a Route Reflector in a BGP network.
The data-plane carries data packets into and out of the network; in SDWAN this role belongs to the Edge routers.
There are many Edge router models, but two main types: physical devices (ISR, C1111, ...) and virtual devices (vEdge Cloud, CSR1000v).
As mentioned in the previous post, SDWAN addresses the security problem of carrying private traffic over the Internet: Edge routers establish tunnels with each other (GRE or IPsec). IPsec is the usual choice because it encrypts and authenticates the traffic; GRE on its own does neither.
By default, at the Data-plane layer of the Cisco SDWAN fabric, Edge routers automatically establish a full mesh of IPsec tunnels to each other.
In practice, however, which sites (Edges) build tunnels to which is easily controlled through a Centralized Policy (applied on vSmart; I will cover this in more depth in the next articles).
An example of a customized tunnel topology is Hub-and-Spoke, as shown in Figure 4. It is also possible to let only regional sites, companies or departments build tunnels among themselves.
In short, the topology depends on the purpose and on how the applications of each customer's business use the network.
Management Plane
Configuration management, monitoring of device status, and updating and maintaining the devices in the network are collectively the job of an NMS (Network Management System). In SDWAN this full set of functions is provided by a single centralized manager ("single pane of glass"): vManage.
The administrator uses the web user interface to push configuration to all managed devices in the SDWAN network; it also shows status information such as tunnel status and device status, which makes operation much easier. (The details of each vManage feature will be discussed in the next articles.)
Note that vManage manages not only the Edge routers but also the controllers such as vSmart: the Centralized Policy that customizes the tunnel topology mentioned above in the Control-plane section is configured on vManage and then pushed to vSmart.
Besides the WebUI, vManage exposes a REST API (API automation) over HTTPS, which can be used both to read network information and to push configuration.
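As an added example (not from the original article, and not Cisco's own client code), here is a minimal Python client for that API. The login sequence it follows is the documented one: POST /j_security_check with the form fields j_username and j_password returns the JSESSIONID session cookie, GET /dataservice/client/token returns the XSRF token that every state-changing request must carry in the X-XSRF-TOKEN header, and GET /dataservice/device lists the inventory. The hostname, credentials, token and device records inside fake_vmanage() are constructed so that the script runs offline; against a real controller you would pass urllib_transport("ca-bundle.pem") instead.

```python
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request


class VManageError(Exception): pass


def urllib_transport(ca_file, timeout=30):
    """Real transport: (method, url, headers, body) -> (status, headers, body).
    vManage's certificate is verified against ca_file; disabling verification
    would hand the admin password and session cookie to anyone on the path."""
    ctx = ssl.create_default_context(cafile=ca_file)
    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


class VManageClient:
    def __init__(self, host, transport):
        self.base, self._send = "https://" + host, transport
        self._cookie = self._xsrf = None

    def login(self, username, password):
        form = urllib.parse.urlencode({"j_username": username, "j_password": password}).encode()
        status, headers, data = self._send("POST", self.base + "/j_security_check",
                                           {"Content-Type": "application/x-www-form-urlencoded"}, form)
        # A wrong password comes back as HTTP 200 with the HTML login page,
        # so the status code alone must not be trusted.
        if status != 200 or b"<html" in data[:512].lower():
            raise VManageError("login rejected")
        match = re.search(r"JSESSIONID=[^;]+", headers.get("Set-Cookie", ""))
        if not match:
            raise VManageError("no JSESSIONID cookie in login response")
        self._cookie = match.group(0)
        status, _, token = self._request("GET", "/dataservice/client/token")
        if status != 200 or not token.strip():
            raise VManageError("could not obtain XSRF token")
        self._xsrf = token.decode().strip()

    def _request(self, method, path, payload=None):
        headers, body = {"Cookie": self._cookie or ""}, None
        if payload is not None:
            headers["Content-Type"], body = "application/json", json.dumps(payload).encode()
        if method != "GET":  # every state-changing call must carry the XSRF token
            if not self._xsrf:
                raise VManageError("not logged in")
            headers["X-XSRF-TOKEN"] = self._xsrf
        return self._send(method, self.base + path, headers, body)

    def call(self, method, path, payload=None):
        """GET/POST/PUT/DELETE a dataservice path and return the decoded JSON."""
        status, _, data = self._request(method, path, payload)
        if status != 200:
            raise VManageError(f"{method} {path} -> HTTP {status}")
        return json.loads(data) if data else {}

    def unreachable_devices(self):
        """Host-names of devices vManage does not currently list as reachable."""
        devices = self.call("GET", "/dataservice/device")["data"]
        return sorted(d["host-name"] for d in devices if d.get("reachability") != "reachable")


def fake_vmanage(username="apiuser", password="s3cret!"):
    """Constructed stand-in for a vManage so the client runs offline. It keeps the
    behaviour that matters: 200 + HTML on bad credentials, 401 without a session,
    403 on a state-changing call that lacks the XSRF token."""
    session, token = "JSESSIONID=0123456789ABCDEF", "C0FFEE00112233445566778899AABBCC"
    devices = {"data": [  # constructed inventory
        {"host-name": "cEdge1", "system-ip": "10.1.1.1", "reachability": "reachable"},
        {"host-name": "cEdge2", "system-ip": "10.1.1.2", "reachability": "reachable"},
        {"host-name": "cEdge3", "system-ip": "10.1.1.3", "reachability": "unreachable"}]}
    def send(method, url, headers, body):
        path = urllib.parse.urlsplit(url).path
        if path == "/j_security_check":
            form = urllib.parse.parse_qs((body or b"").decode())
            if form.get("j_username") == [username] and form.get("j_password") == [password]:
                return 200, {"Set-Cookie": session + "; Path=/; Secure; HttpOnly"}, b""
            return 200, {"Content-Type": "text/html"}, b"<html><body>Login</body></html>"
        if headers.get("Cookie") != session:
            return 401, {}, b""
        if path == "/dataservice/client/token":
            return 200, {"Content-Type": "text/plain"}, token.encode()
        if method != "GET" and headers.get("X-XSRF-TOKEN") != token:
            return 403, {}, b"XSRF token mismatch"
        if path == "/dataservice/device":
            return 200, {"Content-Type": "application/json"}, json.dumps(devices).encode()
        return 404, {}, b""
    return send


def demo():
    client = VManageClient("vmanage.example.net", fake_vmanage())
    client.login("apiuser", "s3cret!")
    return client.unreachable_devices()
```

Two points matter for security here: the client verifies the vManage certificate against a CA bundle instead of disabling TLS verification (a common shortcut in lab scripts that leaks the admin credentials to anyone on the path), and it treats an HTTP 200 that carries the HTML login page as a failed login, because vManage does not answer a bad password with a 4xx.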
Orchestration Plane
Before a cEdge device can join a running SDWAN network, the fabric must verify that the device is genuinely authorized to connect, and the device in turn must verify that it is joining the right fabric.
To handle this authentication and the orchestration of devices joining the SDWAN, an Orchestration Plane is added, implemented by a controller called vBond.
To explain how vBond works, I will first describe the connections between the Controllers (vSmart, vManage, vBond) and the Edges (cEdge and vEdge routers).
vBond establishes secure connections with vSmart, vManage and the Edge routers using DTLS (Datagram Transport Layer Security, i.e. TLS carried over UDP).
vSmart and vManage connect to each other and to the Edges over DTLS or TLS (Transport Layer Security, carried over TCP); DTLS is the default, and TLS can be selected in the configuration.
Back to how vBond works:
When a new cEdge router is ready to join the SDWAN network, it is given the information it needs to reach vBond (this configuration is called the bootstrap config). Besides the vBond connection details, the cEdge needs some other essential information such as the root CA certificate and the organization-name, ... (details will be covered in the next articles).
In Step #0 in Figure 7, vManage maintains the list of Edges that are allowed to join the SDWAN network (this list can be synchronized from the Cisco Software Center or added manually via the vManage GUI) and distributes it to vBond.
In Step #1, cEdge#3 sends the necessary information to vBond (organization-name, serial number, certificate, ...).
In Step #2, vBond authenticates Edge#3 against the whitelist received from vManage and at the same time verifies that the certificate presented by Edge#3 is valid (signed by a trusted root CA, not expired, and carrying the same organization-name as the fabric).
Once these checks pass, vBond tells Edge#3 which vSmart and vManage controllers it should reach. In Step #4, Edge#3 uses that information to build TLS/DTLS connections to the Controllers (vSmart, vManage), and then tears down its connection to vBond.
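The admission decision of steps #0 to #2, modeled in Python as an added example (it is not Cisco code and not the on-the-wire exchange, which runs inside DTLS). The real vBond validates the device certificate chain cryptographically; the model reduces that to issuer and validity checks on an already parsed record. The organization name, chassis numbers, serials and CA name below are constructed. The validity states valid / invalid / staging are the ones the vManage WAN Edge list uses: a device in staging is admitted to control connections only, which is why the function distinguishes "control-only" from "admit".

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DeviceCert:
    """The certificate fields vBond needs; a parsed record, not X.509 bytes."""
    org_name: str        # subject organization; must equal the fabric's org-name
    serial: str          # serial the certificate was issued for
    issuer: str          # signing CA; must be one the controllers trust
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class JoinRequest:
    """What the edge presents to vBond in step #1."""
    org_name: str
    chassis: str
    serial: str
    cert: DeviceCert


def admit(req, allowlist, trusted_issuers, fabric_org, now):
    """Step #2 as a pure function returning (decision, reason):
    'admit' = control and data plane, 'control-only' = staging, 'reject'."""
    if req.org_name != fabric_org:
        return "reject", "organization-name does not match this fabric"
    c = req.cert
    if c.issuer not in trusted_issuers:
        return "reject", f"certificate issuer {c.issuer!r} is not trusted"
    if not c.not_before <= now <= c.not_after:
        return "reject", "certificate is outside its validity period"
    if c.org_name != fabric_org or c.serial != req.serial:
        return "reject", "certificate does not match the presented identity"
    state = allowlist.get((req.chassis, req.serial))   # step #0 data from vManage
    if state is None:
        return "reject", "device is not in the authorized WAN Edge list"
    if state == "invalid":
        return "reject", "device is marked invalid in vManage"
    if state == "staging":
        return "control-only", "device is in staging: control connections only"
    return "admit", "authorized"


# Constructed sample data: fabric identity, trusted CA, and the list vManage
# pushes to vBond in step #0, keyed by (chassis number, serial).
FABRIC_ORG = "ExampleCorp - 12345"
TRUSTED = {"Example Manufacturing CA"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ALLOWLIST = {
    ("ISR4331/K9-FDO1111AAAA", "E1A1"): "valid",
    ("ISR4331/K9-FDO2222BBBB", "E2B2"): "staging",
    ("C1111-8P-FGL3333CCCC", "E3C3"): "invalid",
}


def good_cert(serial, org=FABRIC_ORG, issuer="Example Manufacturing CA", expired=False):
    end = datetime(2023 if expired else 2030, 1, 1, tzinfo=timezone.utc)
    return DeviceCert(org, serial, issuer, datetime(2022, 1, 1, tzinfo=timezone.utc), end)


def run_cases():
    """Decision for each constructed join attempt, keyed by scenario name."""
    cases = {
        "authorized": JoinRequest(FABRIC_ORG, "ISR4331/K9-FDO1111AAAA", "E1A1", good_cert("E1A1")),
        "staging": JoinRequest(FABRIC_ORG, "ISR4331/K9-FDO2222BBBB", "E2B2", good_cert("E2B2")),
        "marked-invalid": JoinRequest(FABRIC_ORG, "C1111-8P-FGL3333CCCC", "E3C3", good_cert("E3C3")),
        "unknown-device": JoinRequest(FABRIC_ORG, "ISR4331/K9-FDO9999ZZZZ", "E9Z9", good_cert("E9Z9")),
        "wrong-org": JoinRequest("OtherCorp", "ISR4331/K9-FDO1111AAAA", "E1A1", good_cert("E1A1")),
        "expired-cert": JoinRequest(FABRIC_ORG, "ISR4331/K9-FDO1111AAAA", "E1A1",
                                    good_cert("E1A1", expired=True)),
        "untrusted-ca": JoinRequest(FABRIC_ORG, "ISR4331/K9-FDO1111AAAA", "E1A1",
                                    good_cert("E1A1", issuer="Rogue CA")),
        # valid certificate of another device presented with this device's serial
        "borrowed-cert": JoinRequest(FABRIC_ORG, "ISR4331/K9-FDO1111AAAA", "E1A1", good_cert("E2B2")),
    }
    return {name: admit(req, ALLOWLIST, TRUSTED, FABRIC_ORG, NOW)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name:15s} -> {decision}")
```

The order of the checks is deliberate: identity (organization-name and certificate) is verified before the allowlist is consulted, so a device that is on the list but cannot prove it is that device is still rejected, and a correctly certified device that the administrator has never authorized (or has marked invalid) is rejected as well. Both conditions have to hold for a full admission.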
Through the example above, I hope everyone now has an overview of vBond and of the other components of the #cisco #sdwan network.
Now that the components are clearer, to verify the working connections between them in an #sdwan network, everyone can build their own home lab.
See you all in the next articles.