Author: Yup2k

• Available as hardware, software and cloud functions.
• Sit at geographically disparate locations.
• Push data across WAN.
• Function as normal routers and SD-WAN Overlay routers.
  • ie. OMP, Localized and Centralized policies.
• Each router sets up DTLS tunnel to each vEdge in the SDWAN Fabric.
• Forms OMP adjacencies over DTLS tunnels to vSmarts for routing information.
• Sets up standard IPSEC tunnels to other SD-WAN routers.

• vEdge
  • Viptela platform running Viptela Software.
• cEdge
  • Viptela software running alongside Cisco IOS-XE.
  • Operates on ISR, ASR1k, CSR, CSRV, and ISRv.

• vSmart Controller
  • Control plane/brains of the solution.
  • Managed via the CLI or (most likely and recommended) by vManage.
  • Post router authentication, there is permanent DTLS tunnel between each vManage and each vEdge/cEdge.
    • DTLS tunnels are used to create OMP neighborship between each router.
  • vSmart controller uses OMP to determine topology and calculate best routes to different destinations across SD-WAN fabric.
  • Services vSmart offers (configured on vManage)
    • VPN segmentation
    • Traffic engineering
    • Service chaining.
    • QoS

• vBond
  • Authenticates vSmart controllers and routers to the SD-WAN domain.
  • Orchestrates connectivity between Routers and Controllers (vSmart).
  • All SD-WAN devices MUST connect directly to vBond.
    • This requires publicly accessible IP address.
      • ie. cannot be behind a NAT unless a 1:1.

• DTLS
  • vBonds keep continuous DTLS tunnel established from vBond to each vSmart controller.
  • When SD-WAN vEdge or cEdge comes online, they are configured to reach out to vBond via DTLS Tunnel. This facilitates authentication and joining the network with the vSmarts.
    • Authentication performed via certificates.
• NAT Traversal
  • vBond is middle man for SD-WAN devices authenticating and joining network.
    • vBond allows all other SD-WAN devices to be behind NAT without issue.
• Load Balancing
  • vBond automatically load balances between vSmart controllers as SD-WAN edges come online.

Internal Border Node:

• Border of SD-Access fabric to all other internal networks
  • In and out of Fabric.
  • When a PC in the SD-Access fabric tries reaching shared services, it will query the control plane node (LISP MS/MR) and find out it needs to go to the internal border node. The internal border node has an eBGP peering setup with the fusion router which allows the reachability to the Shared Services block.
  • The internal border node is redistributing BGP into LISP and vice versa.

Default Border Node:

• Border of SD-access fabric to all other networks that are not internal networks.
  • ie. vendors, internet, etc. Similar to default Route.
  • Also known as PXTR

Anywhere Border Node:

• Can serve as both Internal and Default border node.

• Fabric site
  • Consists of:
    • Edge Nodes
    • Border Nodes
    • Control Plane Nodes
  • Independent of physical location.
  • A single DNA Center instance can manage multiple sites.
  • Fabric in a Box
    • CP, Border and edge all in one box.
    • Specifically for a small site that has single DNA Fabric device.
      • ie. switch.
• Fabric Site connectivity
  • Transit Network
    • Connects to each fabric site via their border nodes.
    • SDA Transit Network
      • Maintains VXLAN across sites.
      • Carries VNIDs and SGTs.
      • Typically dark fiber.
      • Contains Transit Control Plane nodes.
    • IP Based Transit Network
      • Typical private leased lines from carriers.
      • Cannot control things like MTU.
      • VXLAN not carried across transit.
      • Re-identifying traffic is necessary when crossing IP based transit.

Note – According to Cisco Webinars, the underlay is already built in the CCIE Lab.

Manual:

• Overlay can run over any type of underlay.
  • Can be Layer 2 or Layer 3
    • Highly recommended layer 3.
      • ‘Lean and Mean’ underlay.
    • Spanning Tree is still needed if layer 2 is used as underlay.
• Routing Protocol
  • Cisco recommends IS-IS.
  • Can be different routing protocol, commonly using different routing protocol if brown field.
  • SD-Access supports EIGRP, OSPF, and IS-IS.
  • Each edge device must advertise loopback interfaces into underlay.
    • Loopbacks are used to form VXLAN tunnels.
  • Shared Services
    • DHCP, DNS, Domain Services, DNA Center, WLC.
    • These services sit outside of fabric domain.
      • Underlay needs to be routable to shared services.
        • ie. to internal border node.
        • 0.0.0.0/0 will not work unless internal and external border node are same device.
• MTU
  • VXLAN requires an extra 50B for header.
    • 54B if there’s a VLAN tag.
  • Cisco Recommends MTU of 9100B for the entire underlay.
    • Can be devices not running as edge or border node
      • Middle ‘routing’ devices such as older switches just passing traffic.
• Underlay link connectivity
  • P2P links between each switch in underlay.
  • Recommends 10Gbps of throughput between each switch.
• TIMERS
  • DO NOT CHANGE IGP TIMERS.
  • Use BFD to improve failure detection.

None of this is necessary if Greenfield – use LAN automation with factory default IOS-XE switches. LAN Automation will build out IS-IS underlay.LAN Automation

LAN Automation:

• Initial task is running discovery to import a Border node into inventory.
  • Once a border node is added to inventory, DNA can hop from the border node into neighboring devices to auto configure underlay.
  • Note – ‘ip routing’ needs to be configured on seed/border node before starting LAN automation.
    • Border is actually behind the scenes configuring itself as a DHCP server, handing out leases to other fabric devices, and then configuring them.
    • In addition the configurations are done with a PnP agent on the un-configured devices.
      • The additional fabric devices need to be completely factory reset.
      • Last button is ‘Stop Automation’.
        • Counter intuitive.