Speaker: Alessandro Legnani, Cisco CCIE and IP Network Architect at IT Global Consulting Srl
A synthesis, and a perfect synergy, of a new routing protocol (and not only a routing protocol) with good old, robust IPsec (without the IKE problems). Why invent yet another form of tunneling for the data plane?
The above is the key to the success of the Cisco/Viptela SD-WAN solution, and it is what makes it enormously scalable and unique on the market.
Cisco SDWAN - Why should I care?
1. Reduce Opex Cost
2. Operate faster and independently from underlay network
3. Integrate Latest Cloud & Network Technologies (Office365, AWS, Azure…)
4. And it perfectly scales out (7k vEdges UCs)
Cisco SDWAN – At a Glance
The SD-WAN "fabric" is basically an overlay software network that runs over standard network transport services (underlay), including the public Internet, MPLS and LTE/4G. Management and policy stay in-house, while the data plane (DP) and control plane (CP) can be outsourced.
Cisco SDWAN – New fully enriched routing protocol
OMP (Overlay Management Protocol) is the new routing protocol that carries the routes, next hops,
multicast info, keys, and policy information needed to establish and maintain the overlay network.
It is a TCP-based, extensible protocol that runs (inside authenticated DTLS tunnels) between vEdge (aka WAN-Edge) routers and vSmart controllers, and among vSmart controllers themselves.
Cisco SDWAN - Data Plane Establishment
Optimized, bullet-proof IPsec tunnels (without IKE flaws) are in charge of data plane encapsulation, integrity and confidentiality.
Cisco SDWAN - Key features 1/3
• Centralized routing intelligence, enabling per-segment (VPN) topologies.
• Secures the network automatically.
• Influences reachability through centralized policy.
• Simplified orchestration and provisioning.
• Multi-Tenancy (single vManage in MT Mode)
Cisco SDWAN - Key features 3/3
• Path liveness and quality measurements (up/down, loss/latency/jitter, IPsec MTU discovery) through BFD
• BFD uses a hello (up/down) interval, a poll (app-aware SLA) interval and a multiplier for detection, and all of them are fully customizable
• Intelligent application steering
• Interactive SLA-monitoring/influence
• Improved Convergence (TLOC repetitive ARP request)
Cisco SDWAN – Inner Flexibility and Security!
• Place your CP wherever you want
• Use competitors/internet “pipes”
• Automated building of full-mesh IPsec tunnels without sending a single discovery packet (no IKE)
• Man-in-the-Middle is dead!
Cisco SDWAN - Main Components 1/4
• Centralized network management
• Simple graphical dashboard
• Supports REST API, CLI, Syslog, SNMP, NETCONF
• Real time alerting
• Stores certificate credentials
• Stores configurations for all SD-WAN components.
As components come online in the network, they request their certificates and configurations from the vManage NMS. When the vManage NMS receives these requests, it pushes the certificates and configurations to the SD-WAN network devices.
Cisco SDWAN - Main Components 2/4
• Centralized brain of the overlay fabric
• Establishes OMP peering with vEdges
• Acts like a BGP Route Reflector
• Enables central control and central data policy creation and distribution (TE, service chaining, VPN segmentation, ad hoc …)
• Orchestrates secure data plane connectivity between the edges (IPsec tunnels)
Cisco SDWAN - Main Components 3/4
• Orchestrates connectivity among management, control and data plane
• 1st point of authentication
• Requires public IP address
• All other components need to know the
• Facilitates NAT traversal (STUN server); SymNat ✗ SymNat/PortRestricted
• Authorizes all control connections (white list)
• Distributes the list of vSmart controllers to all vEdges
Cisco SDWAN - Main Components 4/4
• WAN edge router of the site
• Leverages traditional routing protocols like
• Applies policies on data plane traffic
• Provides a secure data plane
• Supported either as HW devices or as SW VNFs
OMP Q&D Dive - Thoughts behind OMP creation ..
• Link-state is not fine because all devices must have the same view and I cannot filter information
• But IS-IS is attractive because adjacency is not dependent on the interface IP address (=> Site-ID). When I am in a NAT environment my IP is not predictable (=> Site-ID)
• BGP is path vector, is built for bulk data transfer and is very scalable, but it is based on AS identity (=> base it on Site-ID instead). Change it from an AS-PATH protocol to a VPN protocol (encompassing MPLS functionalities) while keeping the extensibility (AFI, SAFI, attributes)
• Do not forget STP as an example of a poor CP choice (think about very large scale driven by IoT in the near future)
• The problem with IPsec (DP) is its CP, IKE (essentially built for P2P connectivity): replace IKE by doing key distribution in BGP style over an SSL-encrypted tunnel, leveraging an ad-hoc attribute (when I give you my route I also give you my encryption keys). In this manner we could easily encrypt the entire Internet
• What about using UDP-based IPsec to encrypt MPLS? (RFC 4023)
• Loop avoidance in mind (keep origin information intact)
• Take care also of multicast info distribution (sources, receivers,
OMP Q&D Dive – .. that led to these features
• Authentication via crypto endpoints
• Encrypted CP peering
• Massively scalable key distribution for DP
• Largely scalable overlay routing
• Service-side (LAN) routing (IPv4, IPv6) is used to identify end nodes and services (LBs, FWs) and is independent of the underlay topology
• SERVICE side is overlay
• TLOC (IPv4,IPv6) is assigned by any 3rd party carrier/transport network
• TLOC is like NH of BGP and I can now assign a full set of attributes to it
• TLOC is underlay
OMP Q&D Dive – At a Glance
The Overlay Management Protocol (OMP) is the protocol responsible for establishing and maintaining the control plane.
It provides the following services:
• Orchestration of overlay network communication, including connectivity among network sites, service chaining, and VPN
• Distribution of service-level (LAN) routing information and related location mappings
• Distribution of data plane security parameters
• Central control and distribution of routing
OMP uses TCP as its transport protocol.
OMP Q&D Dive - TLOC route attributes
• Public IP and Port
• Private IP and Port
OMP Q&D Dive - Service-side route attributes
• Originator System IP
• Origin Protocol
• Origin Metric
OMP Q&D Dive - Network Services route attributes
I can advertise to everyone which services are available at a particular site, which makes service chaining and service relocation much easier
• Originator System IP
OMP Q&D Dive - Service Chaining
Service chaining (centralized control policy) allows data traffic to be routed through one or more network services, such as FWs, LBs, and IDS/IPS devices, en route to its
OMP Q&D Dive - Best-Path Algorithm
1. Check whether the OMP route is valid. It is installed in the FIB only if the TLOC to which it points is active. For a TLOC to be active, an active BFD session must be associated with that TLOC. BFD sessions are established by each vEdge router, which creates a separate BFD session with each of the remote TLOCs. If a BFD session becomes inactive, the vSmart controller removes from the forwarding table all the OMP routes that point to that TLOC.
2. If learned from the same device, select the OMP route with the lower administrative distance (OMP AD is 250).
3. If the ADs are equal, select the OMP route with the higher OMP route preference value.
4. If the OMP route preference values are equal, select the OMP route with the higher TLOC preference value.
5. If the TLOC preference values are equal, compare the origin type, and select one in the following order (select the first match):
6. If the origin type is the same, select the OMP route that has the lower origin metric.
7. If the origin metrics are the same, select the OMP route with the higher router ID.
8. If the router IDs are equal, select the OMP route with the higher private IP address.
9. If a vSmart controller receives the same prefix from two different sites and all attributes are equal, the vSmart controller chooses both of them (up to 4 ECMP). A route learned from a vEdge is preferred over the same route learned from another vSmart.
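The best-path steps above, folded into a single comparison so that the ordering can be exercised on sample routes. This is an added example, not code from the deck or from Cisco/Viptela; the OmpRoute model, the field names and the ORIGIN_RANK table (the deck's own origin-type order is not reproduced, so this ordering is an assumption) are all constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed origin-type precedence (lower rank wins). The deck's own list
# for step 5 is not reproduced, so this ordering is an assumption of the demo.
ORIGIN_RANK = {"connected": 0, "static": 1, "ospf": 2, "bgp": 3}


@dataclass
class OmpRoute:
    """One OMP route for a prefix as seen by a vSmart/vEdge (constructed model)."""
    prefix: str
    tloc_ip: str            # TLOC the route points to
    bfd_up: bool            # is an active BFD session bound to that TLOC?
    ad: int = 250           # administrative distance (OMP default 250), lower wins
    omp_pref: int = 0       # OMP route preference, higher wins
    tloc_pref: int = 0      # TLOC preference, higher wins
    origin: str = "connected"
    origin_metric: int = 0  # lower wins
    router_id: str = "0.0.0.0"   # higher wins
    private_ip: str = "0.0.0.0"  # higher wins


def _rank(r: OmpRoute):
    # Steps 2-8 folded into one sort key; fields where "higher wins" are negated
    return (r.ad, -r.omp_pref, -r.tloc_pref,
            ORIGIN_RANK.get(r.origin, len(ORIGIN_RANK)), r.origin_metric,
            -int(ip_address(r.router_id)), -int(ip_address(r.private_ip)))


def best_paths(routes, max_ecmp=4):
    """Routes for one prefix that would be installed, best first (step 9: ECMP, max 4)."""
    valid = [r for r in routes if r.bfd_up]   # step 1: TLOC must have an active BFD session
    if not valid:
        return []
    best = min(_rank(r) for r in valid)
    return [r for r in valid if _rank(r) == best][:max_ecmp]


if __name__ == "__main__":
    # Constructed sample: three TLOCs for the same prefix, one with BFD down
    routes = [OmpRoute("10.1.1.0/24", "203.0.113.1", True, omp_pref=100),
              OmpRoute("10.1.1.0/24", "203.0.113.2", True, omp_pref=200),
              OmpRoute("10.1.1.0/24", "203.0.113.3", False, omp_pref=300)]
    for r in best_paths(routes):
        print("install", r.prefix, "via TLOC", r.tloc_ip)
```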
OMP Q&D Dive - Message Types
OMP supports a variety of message types to enable routing control across the transport networks, such as:
• HELLO: sent periodically between peers to indicate that each peer is alive and reachable.
• HANDSHAKE: the first message sent by each side after a TCP connection is established. It includes the site-id of the site where the route originated. The site-id may be used for route selection and loop detection. HANDSHAKE includes a Hold Time, a value set by the overlay controller (OC) that specifies the time between HELLO messages and UPDATE messages between the overlay controller (OC) and an overlay edge router (OER).
• ALERT: used by a peer on one end of a connection to notify the peer at the opposite end that an error condition has been detected.
• UPDATE: used to transfer routing information between peers in the overlay domain. An UPDATE message is used to advertise feasible routes that share common path attributes to a peer, or to withdraw multiple unfeasible routes from service. An UPDATE message may simultaneously advertise a feasible route and withdraw multiple unfeasible routes from service.
• QUERY: used to send a request for a specific route for which an aggregate or less specific route exists. This message is sent by an edge device once it finds out that a group of prefixes it received carries the Query attribute.
OMP Q&D Dive – Control and Data Policies
• Control policy, which affects the flow of routing information in the network's control plane
• Data policy, which affects the flow of data traffic in the network's data plane
• Control policy is the equivalent of routing protocol policy, and data policy is the equivalent of what are commonly called access control lists (ACLs) and firewall filters.
OMP Q&D Dive - Basic or Advanced Policies
Basic policies influence or determine basic traffic flow through the overlay network, such as managing the paths along which traffic is routed, and permitting or blocking traffic based on address, port, and DSCP.
You can also enable vEdge local policies such as class of service and queuing, mirroring, and
Advanced Policies offer specialized policy-based network applications such as:
• Service chaining, which redirects data traffic to shared devices in the network, such as firewalls, intrusion detection and prevention (IDS/IPS), load balancers, and other devices, before the traffic is delivered to its destination. Service chaining obviates the need to have a separate device at each branch site.
• Application-aware routing, best path for traffic based on real-time network and path
• Cflowd, for monitoring traffic flow.
• Making the vEdge a NAT device, so that traffic destined for the Internet or other public networks can exit directly from the vEdge router.
OMP Q&D Dive - Centralized or Localized Policies
Centralized policy refers to policy provisioned on vSmart controllers.
Localized policy refers to policy that is provisioned locally, on the vEdge.
OMP Q&D Dive - Centralized Policy (CP or DP)
• Centralized control policy applies to the network-wide routing of traffic by affecting the information that is stored in the vSmart controller's route table and that is advertised to the vEdge routers. The effects of centralized control policy are seen in how vEdge routers direct the overlay network's data traffic to its destination. The centralized control policy configuration itself remains on the vSmart controller and is never pushed to local routers.
• Centralized data policy applies to the flow of data traffic throughout the VPNs in the overlay network. These policies can permit and restrict access based either on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol) or on VPN membership. These policies are pushed to the affected vEdge routers.
OMP Q&D Dive - Localized Policy (CP or DP)
• Localized control policy, which is also called route policy, affects the BGP and OSPF routing behavior on the site-local network.
• Localized data policy allows you to provision access lists and apply them to a specific interface. Simple access lists permit and restrict access based on a 6-tuple match (source and destination IP addresses and ports, DSCP fields, and protocol), in the same way as with centralized data policy. Access lists also allow provisioning of class of service (CoS), policing, and mirroring.
OMP Q&D Dive - Graceful Restart
Graceful restart allows OMP peers to continue operating if one of the peers becomes unavailable.
If a vSmart becomes unavailable, its peer vEdge router continues to forward traffic, using the last-known good routing info received from the vSmart controller.
Similarly, if a vEdge router becomes unavailable, its peer vSmart controller continues to use the last-known good routing info that it received from the dead vEdge.
OMP graceful restart is enabled by default on vSmart controllers and vEdge routers. The default graceful restart time is 43,200 seconds (12 hours).
When OMP graceful restart is enabled, a vEdge router and a vSmart cache the OMP info that they learn from their peer. This information includes OMP routes, TLOC routes, service routes, IPsec SA parameters, and centralized data policies.
When one of the OMP peers is unreachable, the other peer uses the cached information. The router also periodically checks whether the peer has become available again. When it is back online and the router re-establishes a connection to it, the router flushes its local cache and considers only the new OMP info from the restored peer to be valid and reliable.
OMP Q&D Dive – Config
Configuration fragments from the slide's topology diagram (per-router snippets, shown as extracted):
  ip address 10.0.16.19/24
  ip route 0.0.0.0/0 10.0.16.19
  ip address 126.96.36.199/24
  ip route 0.0.0.0/0 188.8.131.52
  ip address 10.0.19.15/24
  advertise ospf external
  ip address 172.16.10.16/24
  ip route 0.0.0.0/0 172.16.7.16
  ip address 172.16.7.16/24
Migration Approaches – Best Practice/Sequence
• Investigation and Planning
• Factors to be considered
Migration Approaches – DC always first
• Interim communication between migrated and non-migrated sites is a
• SD-WAN are in parallel to existing
• Seamless migration is paramount and is NOT plug-and-play
• Looks simple but it is complex
Migration Approaches – Replace CE
• SD-WAN to Legacy comms via DC/
• SD-WAN to Legacy comms via underlay
Migration Approaches – Retain CE
• SD-WAN to Legacy comms via underlay
• SD-WAN to Legacy comms via DC/
Extras – ZTP Zero Touch Provisioning
• DHCP on Transport side (WAN)
• DNS to resolve ztp.viptela.com/
• PIM-SM v2
• IGMP v2
• Multicast optimization by eliminating redundant packet replication
• Designated replicators
• RP must be provided by a router on the local site
• Auto-RP is supported
• PIM is not configured on the transport side (VPN0); OMP takes care of distributing source/receiver/replicator location info
• Multicast by default can use up to 20% of interface bandwidth (adjustable)
• Data policy, ACL and mirroring are not supported for
Extras – SDWAN+SR (for SP Managed CEs)
Diagram steps:
1) Share App Path
2) PCEP to configure SR Policy
3) SR: Binding SID
Segment Routing can be used by a SP to offer underlay transport SLA for OverTheTop (overlay) VPNs with SLA.
Each SR-TE policy requires a separate BSID: each SR-TE policy is associated 1-to-1 with a Binding-SID. At the PE, the BSID label is popped and the SR-TE segment IDs/path list is pushed.
• SP does not hold any per-flow state in its core
• SP does not hold any complex L3-L7 flow classification
• SP does not share any info of its infrastructure, topology, capacity or internal SIDs
• The SDWAN instance does not share any info of its traffic classification, steering policy or business logic
Extras - Competitors
Gartner Magic Quadrant for WAN Edge Infrastructure,18 October 2018