The Internet edge is now moving to the branch, making enterprise network management more complicated. Utilizing SD-WAN architecture would meet the digital transformation and needs, including:
- Lower cost and risk WAN automation and orchestration.
- Seamless enterprise network extension to the public cloud.
- Optimal user experience for SaaS applications.
- Diverse transport-independent WAN.
- Enhanced application performance and visibility.
- End-to-end WAN traffic segmentation and encryption.
Cisco SD-WAN Architecture
The Cisco SD-WAN technology enables digital and cloud transformation for enterprise networks. It can provide secure SD-WAN access to remote locations such as offices, branch offices, campus networks, data centers, and the cloud over any IP-based underlay transport network.
Cisco SD-WAN Solution Components
The SD-WAN architecture above shows how to deploy SD-WAN fabric management components in a private cloud, public cloud, and data center. There are four primary components to the Cisco SD-WAN solutions and an optional analytics service:
vManage Network Management System (NMS)
This component is a single-pane-of-glass Network Management System (NMS) GUI for configuring and managing the entire SD-WAN solution. It allows for centralized provisioning and simplifying network changes.
This SD-WAN component is referred to as the brains of the SD-WAN solution. vSmart controllers have pre-installed credentials which authenticate SD-WAN routers that go online and allow authenticated devices to access the SD-WAN fabric.
Once authenticated, the vSmart controller establishes a permanent Datagram Transport Layer Security (DTLS) tunnel to the SD-WAN routers in the SD-WAN fabric. The DTLS tunnels establish Overlay Management Protocol (OMP) neighborships with each SD-WAN router. OMP is a Cisco proprietary routing protocol that advertises routes, next hops, keys, and policy information required to initiate and maintain the SD-WAN fabric.
The vSmart controller processes the OMP routes learned from the SD-WAN routers or other vSmart controllers to assess the network topology and compute the preferred routes to network destinations. It then broadcasts the reachability information learned from the routes to all SD-WAN routers in the SD-WAN fabric.
All control plane policies on vManage, such as service chaining, traffic engineering, and segmentation per VPN topology, are implemented by vSmart controllers. For example, if a configured policy on vManage for an application demands less than 1% loss and 150 ms latency, the policy is downloaded to the vSmart controller.
vSmart translates the policy into a format that all SD-WAN routers in the fabric can understand, and it automatically executes the policy on all SD-WAN routers. The vSmart controller works with the vBond orchestrator to authenticate new devices that join the network and orchestrate connectivity between the SD-WAN routers.
SD-WAN Routers (vEdge and cEdge)
The Cisco SD-WAN routers are available as hardware, software, cloud, and virtualized routers that sit at the perimeter of a site. They supply the Cisco SD-WAN solution’s fundamental WAN, security, and multi-cloud features.
In addition to the SD-WAN overlay control and data plane capabilities, SD-WAN routers also support router functionalities and routing policies. To share routing information, the SD-WAN routers automatically establish a secure DTLS connectivity with the vSmart controller and creates an OMP neighborship across the tunnel. Every SD-WAN router in the fabric forms standard IPsec sessions with each other.
The local intelligence in SD-WAN routers allows them to make site-local decisions about routing, high availability (HA), interfaces, ARP management, and ACLs. The SD-WAN fabric is built using the remote site routes and reachability information provided by the vSmart controller.
There are two different Cisco SD-WAN router options, which are:
- vEdge: The Viptela software runs on the original Viptela platforms.
- cEdge: The Cisco IOS-XE integrates the Viptela software. The CSR, ISR, ASR1K, ENCS, CSRv, and ISRv platforms support the Cisco IOS XE SD-WAN integration.
The Cisco IOS XE SD-WAN image is not a standard Cisco IOS XE release. Only the Cisco IOS XE features that are SD-WAN related are ported into the image. IOS XE SD-WAN routers can be provisioned, configured, and troubleshoot using vManage like vEdge routers.
The cEdge routers and vEdge routers differ primarily in SD-WAN security capabilities, as shown below:
The vBond orchestrator is an SD-WAN router responsible for authenticating and orchestrating connectivity between the vSmart controllers and SD-WAN routers. It is the sole device in the network that requires a public IP address for all SD-WAN devices to connect to it. The vBond orchestrator has three major components:
- Control Plane Connection – A permanent control plane connection is formed between a vBond orchestrator and a vSmart controller over a DTLS tunnel. The vBond orchestrator utilizes DTLS connections to communicate with SD-WAN routers that go online for easier network connection and authentication using certificates and RSA cryptography.
- NAT Traversal – When an SD-WAN router and/or a vSmart controller is behind a NAT device, the vBond orchestrator makes the initial orchestration easier using standard peer-to-peer protocols.
- Load Balancing – The vBond orchestrator automatically load balances SD-WAN routers when they come online across multiple vSmart controllers.
The optional SD-WAN component, vAnalytics, is an analytics and assurance service. It has advanced features, such as applications and infrastructure visibility, forecasting and what-if analysis, and intelligent recommendations. These features can provide SD-WAN benefits that would not be achievable without vAnalytics.
vAnalytics can also determine how much bandwidth is necessary for a location, which helps assess whether a circuit can be downgraded to a lower bandwidth to reduce expenses.
The SD-WAN routers and the vBond orchestrator are available as physical appliances and Virtual Machines (VMs). The vManage and vSmart components are only available as VMs. The VMs, including the virtual routers, can be hosted in the cloud (AWS, Azure) or on-premises using ESXi or KVM.
Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.
We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: