2.2.a ii Management plane (vManage)

vManage

The vManage server is the central manager for the SD-WAN deployment. This is where you’ll configure templates, onboard and provision devices, monitor everything with the fancy dashboards. It’s kind of like DNAC for the WAN, or it’s similar to the Admin Node in ISE. Just like everything else these days, it also supports REST and NETCONF. (I’m picturing a single pain of glass in the future that pulls in pieces of ISE, DNAC, vManage, ACI, Stealthwatch, FMC, and Tetration, and gives you this whole bird’s eye view of your entire network. Fun stuff!)

You can cluster vManage with three or more vManage NMSs (must be an odd number of servers), which can support up to 6000 WAN Edges (2000 per node).

Some of the cool things you can do is check the config and routing tables of any WAN Edge. You can also run simulations of traffic flow.

The WAN Edges communicate directly with vManage. Each WAN Edge will use only a single transport method to talk to vManage, even if there’s more than one way to get there.

There’s also vAnalytics (like DNAC’s Assurance) which does predictive analytics on the WAN (additional license required, not a default feature).

This is just a super brief overview. We’ll dig way more into vManage during the configuration parts in 2.2.b. One thing I’d like to talk about here that doesn’t really fit under any of the other blueprint headings is the communication flow between all these different SD-WAN components. Also, remember that all of these components use certs to authenticate themselves. It’s basically like this:

1. You set up vManage first.
2. Set up your vBond and add it to vManage. They’ll exchange certs to authenticate each other.
3. Then add your vSmart to vManage. Again, certs will be exchanged.
4. Then you have to tell your vBond about your vSmart. Then those two will exchange certs.
5. Now you can start adding routers to your device list (manually or CSV upload).
6. vManage will tell vBond about all these new routers.
7. vBond will tell vSmart about the routers he just learned about.
8. If you have a PNP server, it also needs to learn the device list (or you upload it.)
9. For PNP, WAN Edge routers will call home to the PNP server (DNS lookup of devicehelper.cisco.com)
10. The WAN Edge routers get informed on how to find their organization’s vBond server. (WAN Edge routers use the Cisco Manufacturer Cert to identify themselves, which vBond trusts).
11. vBond tells the WAN Edge how to find your organization’s vManage and vSmart.
12. WAN Edge talks to vManage, pulls down config and software (if needed).
13. WAN Edge then talks to vSmart, gets its OMP peering and routing information.
14. The DTLS communication between WAN Edge and vBond is torn down, no longer needed.
15. Now WAN Edges can talk directly to each other (data plane), but still talk to vManage (management plane, for config update) and vSmart (control plane, routing updates).