
SD WAN Architecture


INTRODUCTION

What is SD-WAN?
A Software-Defined Wide Area Network (SD-WAN) is a software-defined overlay approach to
managing WAN networks that allows an enterprise to use any combination of transport media,
including MPLS, Internet, satellite, 4G/LTE and others, to securely connect users to
applications by decoupling the hardware from its control mechanism.

To securely and intelligently direct traffic across the WAN, an SD-WAN employs a centralized
control mechanism. This improves application efficiency and provides a high-quality user
experience, resulting in higher business productivity, greater agility, and lower IT costs due to
transport independence across different connection types.

Why is it changing the network game?

Traditional router-based WANs were not designed for cloud-based architectures. In a traditional
WAN, all traffic from branch offices usually has to be backhauled to a central site, headquarters
or data center where security inspection services can be applied. Backhaul delays degrade
application performance, resulting in a bad user experience and productivity loss. Traditional
large-scale WANs are usually not cost effective: they include expensive network appliances such as
firewalls, IPS/IDS, routers and switches, rely on expensive private network carriers, and it is
time consuming to configure and manage decentralized and complex network devices. [1]

Figure 1: SD-WAN Network
Figure 2: Traditional Network


In SD-WAN, because the control plane is centralized, the connectivity between the data and control
planes has a complexity of O(n), while in a traditional network, where the control and data planes
are integrated in every device, the connectivity complexity is O(n²). An SD-WAN based architecture
is therefore highly scalable.

Why is SD-WAN needed?

Unlike a traditional router-based WAN, the SD-WAN model is designed to fully support cloud-based
and on-premise data centers, public or private cloud hosted applications, and IaaS and SaaS
services such as Office 365, MEGA and Dropbox, while delivering the highest levels of application
performance as applications move to the cloud. Enterprises need continuous uptime and quick,
secure access to every location or site in the world, whether it is hosted in a data center or in
the cloud.

Figure 3: WAN evolving to manage a changing application landscape [2]

SD-WAN dynamically uses multiple available connections (satellite, MPLS, Internet, 4G/LTE) to
find the best distribution route for traffic across the entire network, shaping bandwidth as
required to minimize jitter and packet loss, and providing the best user experience regardless
of location. More advanced solutions attempt to automatically direct traffic to the optimal
link, and if there is any transport issue, on-demand action is automatically triggered based on
the configured policies to maintain the performance of the link. [3]

Benefits of SD-WAN

Central Management and Control

A centrally located control plane or virtual manager monitors all network activity, including
transport health and device uptime, alerts on problems, and enables remote remediation of
issues. The control plane allows templates and configuration to be pushed automatically to each
network node and gives every location quick and efficient access to common software platforms.
In addition, it delivers real-time analytics and reporting.

Network Agility

Because it is cloud-delivered and software-based, SD-WAN allows fast adaptation to evolving
needs, such as adding connections to cloud-based services, setting up new branches or remote
offices, and dynamically routing all traffic for optimized application and data delivery.

Ease of Deployment

SD-WAN allows various deployment options, including completely cloud-based, software-based or
hardware-based, or a hybrid. When an SD-WAN enabled device is onboarded, its configuration is
pushed from the centralized control plane.

Cost Reduction

As per a Gartner report, SD-WAN deployment is 2.5 times less expensive than traditional WAN
architectures. This reduction is attributed to:

• Using existing infrastructure (MPLS, Internet, satellite, 4G/LTE) to transmit all traffic and
access cloud applications.
• Pay-as-you-go payment plans, which reduce cost because you pay only for what you have used,
with no ongoing maintenance and upgrade fees.
• Zero Touch Provisioning (ZTP), which allows quick site deployments and short time to
accessibility, as all deployment functions are managed from the central location.
• No need to deploy application-specific hardware or software, as each branch accesses
remote cloud-based applications. [4]

Security

One of the critical requirements of a cloud-based or on-premise network is security. Without it,
any network, whether traditional or SD-WAN, simply becomes an attack vector. SD-WAN provides a
stack of security solutions for cloud-based services and application traffic, such as NGFW,
IPS/IDS, URL filtering, malware protection and cloud security.
With SD-WAN, applications can be deployed in the cloud, on-premise or multi-tenant, and can easily
be managed centrally; any service, such as branch security, cloud security, voice and
collaboration, can be used and deployed over any transport (MPLS, Internet, satellite, 5G/LTE)
and from any location at lower cost. This is illustrated in Figure 4.

Figure 4: Cisco SD-WAN cloud scale architecture [5]

Control and data plane separation

SD-WAN separates functionality into a control plane and a data plane.

• The control plane is the part of the network that decides how traffic is forwarded, based on
routing decisions and policies. The control plane is the brain of the network; all intelligent
decision making is done there.
• The data plane (forwarding plane) is the part of the network that carries application and user
data. It forwards data from one port of the network device to another.

In a traditional network, each instance of the data plane contains its own control plane, making
programming of the network impossible. In traditional networks and devices, the packet flow
between the control plane module and the forwarding plane (IO module) goes through the switch
fabric, which connects the IO module and the supervisor engine (i.e. the control plane).

Figure 5: Traditional network device fabric

Overview of SD-WAN Architecture

In a traditional network, the IO module (data or forwarding plane) and the supervisor engine (CPU
or control plane) reside within the same device, and communication between the IO module (data
plane) and the CPU (control plane) is done over the switch fabric. In SDN technology, these two
planes (data and control) are separated. Edge devices (routers, switches, etc.) now contain only
IO modules; their control plane function is shifted to a separate centralized location, and the
transport (MPLS, Internet, 5G/LTE) plays the role of the switch fabric. This is illustrated in
Figure 6: SD-WAN fabric.

Figure 6: SD-WAN fabric

Underlay vs. Overlay Network

An underlay network is the physical network or infrastructure over which an overlay network is
built. The underlay network is responsible for delivering packets across networks. Examples are
MPLS, the Internet, and routing protocols such as RIP, OSPF and BGP.

An overlay network is a virtual network that runs on top of the underlying network or
infrastructure; the underlay provides service to the overlay. Examples are GRE, IPsec, SVTI, DVTI,
VLAN, DMVPN and OMP.

Components and architecture

The Cisco SD-WAN solution is a cloud-delivered Wide Area Network (WAN) overlay architecture
that extends the principles of software-defined networking (SDN) into the WAN. The solution is
broken up into four planes:

• Data Plane
• Control Plane
• Management Plane
• Orchestration Plane

The Cisco SD-WAN solution contains four key components responsible for each plane:

Figure 7: Applying SDN principles to WAN [6]


Cisco vManage

In the management plane, Cisco vManage provides the GUI. It is the single point of management
for day-0, day-1 and day-2 operations. Network administrators and operators perform
configuration, centralized provisioning, troubleshooting, software upgrades, template management,
programmatic access (REST, NETCONF) and monitoring here. vManage offers both a single-tenant
dashboard and a multitenant dashboard, depending on the service.

Cisco vBond

Cisco vBond resides in the orchestration plane. The vBond controller is the first line of
authentication for devices before they become part of the SD-WAN fabric. vBond authenticates and
validates newly added devices using certificates and device-related credentials such as UUID,
serial number or token, and it is largely responsible for the Zero-Touch Provisioning process and
for facilitating NAT traversal. When an edge device boots for the first time it is in an
unconfigured state, and vBond is responsible for onboarding it into the SD-WAN fabric. vBond
distributes the list of vSmart and vManage controllers to the edge devices. It is the job of vBond
to understand how the network is constructed and then distribute that information among the other
components. In a live environment, vBond requires a public IP address so that it can be reached
from any location.
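As an added example (not Cisco code and not part of the original document), the following Python model shows the first-line check described above: a joining device presents its serial number, UUID and a token, and the orchestrator accepts it only if the serial is on an authorized list, the UUID matches the record for that serial, and the token verifies. The page says vBond uses certificates for this; the model stands in for the certificate check with an HMAC token derived from an organization bootstrap secret, which is a constructed assumption, as are the device records and controller addresses. On success the device receives the list of vSmart and vManage controllers, as the text describes.

```python
"""Simplified model of vBond first-line device authentication (added example).

Assumptions (constructed for this example): a per-organization bootstrap
secret shared with authorized devices, an allowlist of serial -> UUID, and
controller addresses from the documentation range 192.0.2.0/24.
"""
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional

log = logging.getLogger("vbond-model")

# Constructed bootstrap secret; a real deployment would use per-org key material.
ORG_BOOTSTRAP_SECRET = b"constructed-bootstrap-secret-do-not-reuse"

# Constructed authorized-device list: serial number -> expected UUID.
AUTHORIZED_DEVICES: Dict[str, str] = {
    "SN-0001": "uuid-aaaa-1111",
    "SN-0002": "uuid-bbbb-2222",
}

# Constructed controller list handed to an edge after successful authentication.
CONTROLLERS: Dict[str, List[str]] = {
    "vsmart": ["192.0.2.10", "192.0.2.11"],
    "vmanage": ["192.0.2.20"],
}


def issue_token(serial: str, uuid: str, secret: bytes = ORG_BOOTSTRAP_SECRET) -> str:
    """Token the device presents; models the credential bound to serial + UUID."""
    msg = f"{serial}|{uuid}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class JoinRequest:
    serial: str
    uuid: str
    token: str


class VBondModel:
    """Validates a join request and, on success, returns the controller list."""

    def __init__(self, allowlist: Dict[str, str], controllers: Dict[str, List[str]],
                 secret: bytes = ORG_BOOTSTRAP_SECRET) -> None:
        self.allowlist = allowlist
        self.controllers = controllers
        self.secret = secret

    def authenticate(self, req: JoinRequest) -> Optional[Dict[str, List[str]]]:
        expected_uuid = self.allowlist.get(req.serial)
        if expected_uuid is None:
            log.warning("reject: unknown serial %s", req.serial)
            return None
        if expected_uuid != req.uuid:
            log.warning("reject: UUID mismatch for serial %s", req.serial)
            return None
        expected_token = issue_token(req.serial, req.uuid, self.secret)
        # Constant-time comparison so timing does not leak token bytes.
        if not hmac.compare_digest(expected_token, req.token):
            log.warning("reject: bad token for serial %s", req.serial)
            return None
        log.info("accept: serial %s onboarded, distributing controller list", req.serial)
        return dict(self.controllers)


def onboard(serial: str, uuid: str, token: str) -> Optional[Dict[str, List[str]]]:
    """Convenience entry point: run one join attempt through the model."""
    return VBondModel(AUTHORIZED_DEVICES, CONTROLLERS).authenticate(
        JoinRequest(serial, uuid, token))


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    good = issue_token("SN-0001", "uuid-aaaa-1111")
    print(onboard("SN-0001", "uuid-aaaa-1111", good))       # controller list
    print(onboard("SN-0001", "uuid-aaaa-1111", "0" * 64))   # None: bad token
    print(onboard("SN-9999", "uuid-zzzz-9999", good))       # None: unknown serial
```

The model keeps the three rejection reasons separate so that onboarding failures show up in logs as distinct events, which is what an operator wants when distinguishing a mis-entered serial from a device presenting credentials for a serial it does not own.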

Cisco vSmart

Cisco vSmart is the controller of the SD-WAN fabric and exists within the control plane. It
facilitates fabric discovery. Policies are created on vManage, and vSmart is the component that
pushes these policies to the relevant WAN edge devices. When edge devices or branches come
online and become part of the SD-WAN fabric, their routing information is exchanged with the
centralized vSmart in the control plane, and vSmart distributes routing and policy information
to the other edge devices or branches, instead of routing information being exchanged directly
between edges. Communication between edge devices and the controller is done via TLS/DTLS
tunnels. On top of these tunnels, edges and vSmart communicate and exchange routes with each
other via the Overlay Management Protocol (OMP). If there is more than one vSmart, all the vSmarts
also communicate with each other via OMP. vSmart can apply policies created on vManage to
particular routes. This reduces control plane complexity and is highly resilient.

Cisco WAN Edge router

Cisco WAN Edge routers are responsible for forwarding traffic and establishing a secure network
fabric. They provide secure communication with the control plane (via OMP) and with other edge
routers (via IPsec). They support zero-touch deployment. Cisco WAN Edge routers can be virtual
or physical, depending on the requirements of the site.
Communication between the control plane and the data plane is done over secure channels. A
control channel is established via TLS/DTLS between the edges and each component of the control
plane (vManage, vSmart and vBond), and IPsec is established for forwarding data between edge
devices. Edge devices do not share routing information directly with each other; instead vSmart
shares this information with the other edge devices via OMP, irrespective of transport and
location. This connectivity is shown in Figure 7.

Figure 7: Cisco SD-WAN fabric components [7]

Overlay Management Protocol (OMP)

Cisco SD-WAN uses OMP (Overlay Management Protocol) to manage the overlay network. OMP runs
between edge routers and vSmart controllers and exchanges control information such as route
prefixes, next-hop addresses, policies and keys over a secure channel such as TLS/DTLS. The
default behavior of OMP, if no policies are configured, is a full mesh network in which each edge
router can communicate directly with every other edge router [11]. OMP advertises three types of
routes:

1. OMP Routes are the prefixes learned locally (static, connected and dynamic). These prefixes
are redistributed into OMP so that they can be carried across the overlay network. OMP routes
carry the attributes TLOC (a collection of entities making up a transport-side connection),
origin (protocol and metric), originator ID (originator of the route), preference (degree of
preference of a route), tag (optional transitive path attribute), site-ID (site identifier of a
route) and VPN-ID (VPN identifier of a route). A route is only installed in the table if the
relevant TLOC is active.

2. TLOC Routes are the tunnel termination points on the transport-side interfaces of the WAN Edge
routers. A TLOC is a collection of entities making up a transport-side connection, and it acts
as the next hop for OMP routes. A TLOC is identified by a three-tuple consisting of the System-IP,
the link color (type of WAN interface on the local WAN edge router) and the encapsulation
(GRE/IPsec).

3. Service Routes are the prefixes advertised for network services such as firewalls, IPS and
IDS that are connected to the local side of the WAN edge network; they are advertised to the
vSmart controllers. The most prominent attributes are VPN-ID, Service-ID (FW, IDS, IPS, etc.),
label, originator system IP and TLOC. VPN labels are sent to tell the vSmart controller which
VPN is serviced at the remote site.
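To make the vSmart and OMP behaviour above concrete, here is an added Python model that is not Cisco code and not part of the original document. It models what the two sections describe: edges advertise TLOC routes and OMP routes to a central reflector; the reflector distributes them to the other sites; by default every site learns every other site (full mesh), and a centralized policy can restrict that (the hub-and-spoke policy shape used here is a constructed simplification); and on the receiving edge an OMP route is only installed when its TLOC is active. The TLOC three-tuple and route attribute names come from the page; the three sample sites, their addresses and prefixes are constructed.

```python
"""Toy OMP route reflection by a vSmart-style controller (added example).

Constructed sample fabric: site 1 (hub) with MPLS and Internet TLOCs,
site 2 with one Internet TLOC, site 3 whose only TLOC is down. Not Cisco
code; the policy shape (hub-and-spoke by site-id) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A TLOC is identified by the three-tuple (system-ip, color, encapsulation).
TLOC = Tuple[str, str, str]


@dataclass(frozen=True)
class TlocRoute:
    tloc: TLOC
    site_id: int
    active: bool = True  # constructed flag: is the transport-side tunnel endpoint up?


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    vpn_id: int
    tloc: TLOC          # next hop for this prefix
    origin: str         # protocol the prefix was learned from
    originator: str     # originator system IP
    site_id: int
    preference: int = 0


class VSmartModel:
    """Stores what each edge advertises and reflects it to the other edges."""

    def __init__(self, hub_site: Optional[int] = None) -> None:
        self.tlocs: Dict[TLOC, TlocRoute] = {}
        self.routes: List[OmpRoute] = []
        self.hub_site = hub_site  # None = default behaviour, full mesh

    def receive(self, tloc_routes: List[TlocRoute], omp_routes: List[OmpRoute]) -> None:
        for t in tloc_routes:
            self.tlocs[t.tloc] = t
        self.routes.extend(omp_routes)

    def _policy_allows(self, receiver_site: int, route_site: int) -> bool:
        if self.hub_site is None:
            return True  # no policy configured: full mesh
        # Hub-and-spoke: spokes only learn the hub; the hub learns everyone.
        return receiver_site == self.hub_site or route_site == self.hub_site

    def advertise_to(self, site_id: int) -> Tuple[List[TlocRoute], List[OmpRoute]]:
        """What this controller sends to one site: everyone else's routes, policy permitting."""
        tlocs = [t for t in self.tlocs.values()
                 if t.site_id != site_id and self._policy_allows(site_id, t.site_id)]
        routes = [r for r in self.routes
                  if r.site_id != site_id and self._policy_allows(site_id, r.site_id)]
        return tlocs, routes


def install(tloc_routes: List[TlocRoute],
            omp_routes: List[OmpRoute]) -> Dict[Tuple[int, str], OmpRoute]:
    """Edge-side install: best preference per (VPN, prefix), only if the TLOC is active."""
    active = {t.tloc for t in tloc_routes if t.active}
    table: Dict[Tuple[int, str], OmpRoute] = {}
    for r in omp_routes:
        if r.tloc not in active:
            continue  # page rule: route installed only when its TLOC is active
        key = (r.vpn_id, r.prefix)
        current = table.get(key)
        if current is None or r.preference > current.preference:
            table[key] = r
    return table


def build_fabric(hub_site: Optional[int] = None) -> Dict[int, Dict[Tuple[int, str], OmpRoute]]:
    """Run the constructed three-site fabric and return each site's installed table."""
    vs = VSmartModel(hub_site)
    hub_mpls: TLOC = ("10.1.1.1", "mpls", "ipsec")
    hub_inet: TLOC = ("10.1.1.1", "biz-internet", "ipsec")
    vs.receive([TlocRoute(hub_mpls, 1), TlocRoute(hub_inet, 1)],
               [OmpRoute("10.10.0.0/16", 1, hub_mpls, "ospf", "10.1.1.1", 1, preference=100),
                OmpRoute("10.10.0.0/16", 1, hub_inet, "ospf", "10.1.1.1", 1, preference=50)])
    s2: TLOC = ("10.2.2.2", "biz-internet", "ipsec")
    vs.receive([TlocRoute(s2, 2)],
               [OmpRoute("10.20.0.0/16", 1, s2, "connected", "10.2.2.2", 2)])
    s3: TLOC = ("10.3.3.3", "biz-internet", "ipsec")
    vs.receive([TlocRoute(s3, 3, active=False)],  # site 3's transport is down
               [OmpRoute("10.30.0.0/16", 1, s3, "static", "10.3.3.3", 3)])
    return {site: install(*vs.advertise_to(site)) for site in (1, 2, 3)}


if __name__ == "__main__":
    for label, tables in (("full mesh", build_fabric()), ("hub-and-spoke", build_fabric(hub_site=1))):
        print(label)
        for site, table in tables.items():
            print(" ", site, sorted((p, r.tloc[1]) for (_, p), r in table.items()))
```

With no policy, site 3 installs both the hub prefix (via the MPLS TLOC, which has the higher preference) and site 2's prefix; nobody installs site 3's prefix because its TLOC is inactive. With the hub-and-spoke policy, site 3 learns only the hub, which is the kind of reachability restriction a centralized policy on vSmart enforces without touching the edges.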

Controller Deployment Methodology

SD-WAN controllers can be installed on-premises on an ESXi hypervisor, in a container or on KVM.
vBond can also be deployed as a physical appliance. Controllers can be hosted on any public cloud
such as AWS or Azure.

Figure: Controller deployment options (On-Premise Hosted: ESXi or KVM; Cloud Hosted: AWS or Azure)


References:

[1] What is SD-WAN? (n.d.). Retrieved from https://www.silver-peak.com/sd-wan/sd-wan-explained

[2] What is SD-WAN? (n.d.). Retrieved from https://www.cisco.com/c/en/us/solutions/enterprise-networks/sd-wan/what-is-sd-wan

[3] SD-WAN simplified solution. (n.d.). Retrieved from https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/product/vmware-sd-wan-simplified-solution-overview.pdf

[4] SD-WAN simplified. (n.d.). Retrieved from https://www.velocloud.com/content/dam/digitalmarketing/velocloud/en/documents/208805aq-so-vcloud-sd-wan-simplfd-uslet.pdf

[5] Aaron Rohyans, Ali Shaikh. Cisco SD-WAN based cloud scale architecture. In: What is SD-WAN?, pp. 19-23.

Digitally signed by Muhammad Haris Maqsood, Date: 2021.05.22 16:58:53 +05'00'
