The data plane is simple: it is an IPsec overlay between the WAN Edges. The big difference from classic IPsec is that there is no per-tunnel IKE negotiation. Each WAN Edge generates its own data plane keys and advertises them to the vSmart over the DTLS/TLS-protected control connection, and the vSmart distributes them to the other edges, which cuts down on overhead. There are two keying modes: symmetric keys (the default) and pairwise keys.
With symmetric keys, each WAN Edge generates a key for each of its TLOCs and sends it to the vSmart, which forwards it to all of the other WAN Edges. So when WAN Edge 2 wants to send data to WAN Edge 1, it encrypts with WAN Edge 1's key that it received from the vSmart. The consequence is that every WAN Edge in the fabric holds the key needed to decrypt traffic destined to WAN Edge 1, so a single compromised edge exposes traffic sent to every peer, not just traffic on its own tunnels.
Pairwise keys are more secure. Each WAN Edge generates a public/private key pair, the public half is exchanged through the vSmart, and each pair of WAN Edges derives a unique key per transport (per TLOC pair) that only those two devices can compute. A compromised edge can then only read the tunnels that terminate on it.
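The blast-radius difference between the two modes, as an added illustration that is not Cisco code: a real fabric uses AES-256-GCM and an ECDH exchange carried in OMP TLOC routes; here a toy Diffie-Hellman group and an HMAC-SHA256 keystream stand in so the model runs on the standard library alone. The device names, the DH parameters and the payload are constructed for the example.

```python
"""Blast radius of symmetric vs pairwise data-plane keys (constructed model)."""
import hashlib
import hmac
import secrets

# Toy DH parameters, assumed for illustration only; not a real SD-WAN group.
P = 2 ** 127 - 1
G = 3


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-GCM: XOR with an HMAC-SHA256 counter keystream.

    Unlike GCM this gives no integrity; it is only here to show who can read what."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class WanEdge:
    def __init__(self, name: str) -> None:
        self.name = name
        # Symmetric mode: one receive key per TLOC, advertised to every peer.
        self.recv_key = secrets.token_bytes(32)
        # Pairwise mode: the private value never leaves the box; only dh_pub is advertised.
        self.dh_priv = secrets.randbelow(P - 2) + 1
        self.dh_pub = pow(G, self.dh_priv, P)
        self.peer_adverts: dict = {}

    def pairwise_key(self, peer_pub: int) -> bytes:
        """Key that only this edge and the owner of peer_pub can derive."""
        shared = pow(peer_pub, self.dh_priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def vsmart_distribute(edges) -> None:
    """vSmart relays every edge's TLOC attributes to every other edge."""
    adverts = {e.name: {"recv_key": e.recv_key, "dh_pub": e.dh_pub} for e in edges}
    for e in edges:
        e.peer_adverts = {n: a for n, a in adverts.items() if n != e.name}


def send(src: WanEdge, dst: WanEdge, plaintext: bytes, mode: str):
    if mode == "symmetric":
        key = src.peer_adverts[dst.name]["recv_key"]            # receiver's advertised key
    else:
        key = src.pairwise_key(src.peer_adverts[dst.name]["dh_pub"])
    nonce = secrets.token_bytes(12)
    return nonce, keystream_xor(key, nonce, plaintext)


def receive(dst: WanEdge, src: WanEdge, nonce: bytes, ct: bytes, mode: str) -> bytes:
    if mode == "symmetric":
        key = dst.recv_key
    else:
        key = dst.pairwise_key(dst.peer_adverts[src.name]["dh_pub"])
    return keystream_xor(key, nonce, ct)


def compromised_edge_decrypts(attacker: WanEdge, dst: WanEdge, nonce: bytes, ct: bytes, mode: str) -> bytes:
    """What a compromised third edge recovers using only its own stored state."""
    if mode == "symmetric":
        key = attacker.peer_adverts[dst.name]["recv_key"]       # it was given dst's key too
    else:
        # It holds its own private value and everyone's public value, so the
        # best it can form is its own pairwise key with dst, not the src<->dst key.
        key = attacker.pairwise_key(attacker.peer_adverts[dst.name]["dh_pub"])
    return keystream_xor(key, nonce, ct)


def blast_radius() -> dict:
    """Edge2 sends to Edge1 while Edge3 is compromised; report per mode."""
    e1, e2, e3 = WanEdge("edge1"), WanEdge("edge2"), WanEdge("edge3")
    vsmart_distribute([e1, e2, e3])
    msg = b"constructed payload: site2 -> site1"
    result = {}
    for mode in ("symmetric", "pairwise"):
        nonce, ct = send(e2, e1, msg, mode)
        result[mode] = {
            "receiver_ok": receive(e1, e2, nonce, ct, mode) == msg,
            "leaked": compromised_edge_decrypts(e3, e1, nonce, ct, mode) == msg,
        }
    return result


if __name__ == "__main__":
    for mode, r in blast_radius().items():
        print(f"{mode:9s} receiver_ok={r['receiver_ok']} leaked_to_edge3={r['leaked']}")
```

In symmetric mode edge3 reads edge2's traffic to edge1 because the vSmart handed edge1's receive key to everyone; in pairwise mode its stored state gives it nothing useful. Two caveats the model leaves out: the real keys also rotate on the rekey timer, and AES-GCM authenticates the packet, which the XOR stand-in does not.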
OMP Restrict Attribute
The color (i.e. the transport) does not decide whether a tunnel comes up; two TLOCs don't have to share a color. If there is IP reachability between them, the routers will try to bring up a tunnel. So with two routers, each with two interfaces, where both interfaces of WAN Edge 1 can reach both interfaces of WAN Edge 2, you end up with 4 tunnels: a full mesh of TLOC pairs, each with its own BFD session.
You can set the OMP restrict attribute (the restrict keyword under the tunnel interface, shown as restrict: 1 in the TLOC route), and then WAN Edge 1 interface gold will only try to form tunnels with TLOCs advertising the gold color, and WAN Edge 1 interface lte only with other lte TLOCs. Restrict is configured per tunnel interface, i.e. per TLOC, not per site or per device, and because it is carried in the TLOC route a restricted TLOC on either end is enough to stop a mismatched-color tunnel.
Tunnel Groups
You can define tunnel groups, which are also advertised as an attribute in the TLOC route. Only TLOCs with a matching tunnel group (or no tunnel group at all) will form tunnels with each other. This means that if you define a tunnel group at Site 1 but not at Site 2, the tunnels still come up. You would need to define tunnel group 1 at Site 1 and tunnel group 2 at Site 2 to prevent them from forming data plane connectivity.
You can also use a combination of tunnel groups and the restrict attribute.
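The color, restrict and tunnel-group rules from the last few paragraphs, encoded as an added example that is not Cisco code: it decides which TLOC pairs between two sites bring up a tunnel and reproduces the counts discussed above (4 tunnels unrestricted, 2 with restrict, none with mismatched groups). Site numbers, colors and the assumption that every transport can reach every other one are constructed inputs.

```python
"""Which TLOC pairs bring up a data-plane tunnel (constructed model of the rules above)."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Tloc:
    site: int
    color: str
    restrict: bool = False              # OMP restrict attribute, set per tunnel interface
    tunnel_group: Optional[int] = None  # None = no tunnel group configured


def any_reachable(a: Tloc, b: Tloc) -> bool:
    """Constructed assumption: every transport has IP reachability to every other."""
    return True


def will_form(a: Tloc, b: Tloc,
              reachable: Callable[[Tloc, Tloc], bool] = any_reachable) -> bool:
    if a.site == b.site:
        return False                    # edges sharing a site-id do not tunnel to each other
    if not reachable(a, b):
        return False                    # no IP reachability, no BFD, no tunnel
    if (a.restrict or b.restrict) and a.color != b.color:
        return False                    # restrict on either end pins the color
    if (a.tunnel_group is not None and b.tunnel_group is not None
            and a.tunnel_group != b.tunnel_group):
        return False                    # both grouped and the groups differ
    return True


def tunnels(site_a: List[Tloc], site_b: List[Tloc],
            reachable: Callable[[Tloc, Tloc], bool] = any_reachable) -> List[Tuple[Tloc, Tloc]]:
    """All TLOC pairs between two sites that bring up a tunnel."""
    return [(a, b) for a, b in product(site_a, site_b) if will_form(a, b, reachable)]


def scenarios() -> dict:
    """Tunnel counts for the situations discussed in the text."""
    def site(n: int, restrict: bool = False, tg: Optional[int] = None) -> List[Tloc]:
        return [Tloc(n, "gold", restrict, tg), Tloc(n, "lte", restrict, tg)]

    return {
        "no_restrict":     len(tunnels(site(1), site(2))),                       # 2x2 full mesh
        "restrict_site1":  len(tunnels(site(1, restrict=True), site(2))),        # gold-gold, lte-lte
        "tg_one_side":     len(tunnels(site(1, tg=1), site(2))),                 # ungrouped side matches anything
        "tg_mismatch":     len(tunnels(site(1, tg=1), site(2, tg=2))),           # no data plane
        "tg_and_restrict": len(tunnels(site(1, True, 1), site(2, False, 1))),    # combined
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name:16s} {count} tunnel(s)")
    for a, b in tunnels(
            [Tloc(1, "gold", restrict=True), Tloc(1, "lte", restrict=True)],
            [Tloc(2, "gold"), Tloc(2, "lte")]):
        print(f"site{a.site} {a.color} <-> site{b.site} {b.color}")
```

Swap in a real reachability predicate (for instance, a private color that only reaches the same color) and the same function predicts the BFD session list a new site will show.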
Segmentation
Don’t get too excited, it’s just VRFs. There are no TrustSec tags being natively carried in SD-WAN (but tags can be passed in GRE/IPSec tunnels). Once again, the VRFs here are called VPNs, but it’s the same thing. There are three types of VPNs.
Service VPN
VPN IDs 1 through 511 (and 513 upward; only 0 and 512 are reserved). These are the regular user traffic VPNs. Each data packet carries a label that identifies the destination VPN inside the encapsulation. The label is advertised along with the OMP route, the same idea as the VPN label in MPLS L3VPN, so the receiving edge knows which VRF to forward the inner packet into.
Transport VPN
VPN 0 is the transport (underlay) VPN, where the physical WAN transports terminate. The tunnel interfaces live here, and the control connections to vBond, vManage and vSmart are sourced from it.
Management VPN
VPN 512 is reserved for out-of-band management. It is not advertised by OMP and never rides the overlay.