Cisco SD-WAN Control Plane

Introduction

My name is Nam, and I love to talk and share knowledge related to Networking, Automation, and so on. More about me: nam-nguyen.me
Hope you enjoy the blog, and don't forget to join the Tech-Learner-Hub to get more and more valuable content.

Overview

As discussed in the previous part, "Cisco SDWAN Planes", the control plane in Cisco SD-WAN is responsible for establishing and maintaining logical connectivity and intelligence across the network. It encompasses the control plane protocols and functions that enable the exchange of routing information and the orchestration of data traffic flow.

In this article, we focus on the SD-WAN control plane and on how OMP builds it.

Control Plane Operations

In the Cisco SD-WAN solution, the Overlay Management Protocol (OMP) is used to manage control plane operations. OMP enables a secure and scalable framework that works across various types of transport, including private options like MPLS, Layer 2 VPNs, and point-to-point networks, as well as public connectivity methods like the Internet and LTE.

The vSmart controller is responsible for handling the control plane. It ensures a scalable control plane infrastructure and distributes policy information to the WAN Edges.


To better understand its role, the vSmart controller can be compared to a BGP route reflector. It receives routing and topology information from the clients, performs calculations based on configured policies to determine the best paths, and then advertises these results to the WAN Edges, which act as route reflector clients.

In traditional networks, the control plane's primary focus was on managing how data flows within the network. This involved receiving routing updates, performing operations to determine the best paths, and using this information to populate forwarding tables.

However, securing these protocols was often complex and time-consuming. It typically required manual, per-protocol effort and often caused network downtime during the transition to the new security mechanisms.

Security is a fundamental aspect of the Cisco SD-WAN solution. To ensure secure communication, the control plane tunnels in the SD-WAN overlay are encrypted and authenticated using Datagram Transport Layer Security (DTLS) or Transport Layer Security (TLS). In the SD-WAN overlay, all personas, including vBond, vSmart, WAN Edges, and vManage, maintain DTLS/TLS connections with each other.

This ensures that all routing updates are validated and trusted to prevent the processing of any malicious routing information.

These connections are established using X.509 certificates. Each component authenticates the other end of the connection before the tunnel comes up. During the handshake, each device validates that the received certificate is signed by a trusted root Certificate Authority (CA), that its serial number is valid, and that the organization name matches the one configured locally. This ensures the authenticity and integrity of the communication: a device presenting a certificate from some other CA, or with the wrong organization name, is refused even if the certificate is otherwise well formed. The illustration above shows such a tunnel between a WAN Edge and a vSmart controller.

The default protocol for communication is DTLS (Datagram Transport Layer Security).

DTLS communication takes place over UDP port 12346. Keep this port open for communication between vBond and all WAN Edges.

Additionally,?TLS (Transport Layer Security)?is also supported if specific requirements demand it. It's important to note that TLS operates using the TCP protocol and is therefore stateful.
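The certificate checks described above, as an added example that is not part of the original article and not Cisco's code. It uses the third-party `cryptography` package (assumed installed) to build a throwaway root CA and device certificates in memory, then applies the rule the text gives for accepting a control-connection peer: the certificate must be signed by the trusted root, be within its validity window, carry the expected organization name, and have a serial number we know about. The organization name `example-sdwan-org`, the device names and the serial allow-list are constructed for the demo; the allow-list stands in for the authorized-device check a real controller performs. The rogue CA deliberately reuses the trusted root's subject name, so the signature check is what rejects it, not the name.

```python
"""Added example, not Cisco code: peer-certificate checks for an SD-WAN control
connection, done with the third-party `cryptography` package (assumed installed)."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ORG = "example-sdwan-org"  # constructed; stands in for the org name configured on every component


def _name(cn: str, org: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])


def _window(days: int):
    now = datetime.now(timezone.utc)
    return now - timedelta(minutes=1), now + timedelta(days=days)


def make_root(cn: str):
    """Self-signed CA; the trusted one is what every SD-WAN component has installed."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nb, na = _window(2)
    cert = (x509.CertificateBuilder().subject_name(_name(cn, ORG)).issuer_name(_name(cn, ORG))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_device_cert(ca_key, ca_cert, cn: str, org: str) -> x509.Certificate:
    """Device certificate signed by the given CA (stands in for a WAN Edge or controller cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    nb, na = _window(1)
    return (x509.CertificateBuilder().subject_name(_name(cn, org)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nb).not_valid_after(na).sign(ca_key, hashes.SHA256()))


def _validity(cert):
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:  # cryptography < 42 exposes naive UTC datetimes instead
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
        na = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na


def peer_accepted(cert, trusted_root, expected_org: str, authorized_serials: set[int]) -> tuple[bool, str]:
    """The page's rule: signed by the trusted root, valid now, matching organization
    name, and a known serial number. Returns (accepted, reason)."""
    if cert.issuer != trusted_root.subject:
        return False, "issuer is not the trusted root CA"
    try:  # name match is not enough; the signature must verify under the trusted root's key
        trusted_root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                         padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the trusted root"
    nb, na = _validity(cert)
    if not nb <= datetime.now(timezone.utc) <= na:
        return False, "certificate outside its validity window"
    orgs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    if not orgs or orgs[0].value != expected_org:
        return False, "organization name does not match"
    if cert.serial_number not in authorized_serials:
        return False, "serial number not in the authorized list"
    return True, "accepted"


def demo() -> dict[str, tuple[bool, str]]:
    root_key, root = make_root("trusted-root")
    rogue_key, rogue = make_root("trusted-root")  # attacker CA spoofing the trusted root's name
    good = issue_device_cert(root_key, root, "vedge-1", ORG)
    wrong_org = issue_device_cert(root_key, root, "vedge-2", "someone-else")
    from_rogue = issue_device_cert(rogue_key, rogue, "vedge-3", ORG)
    unknown = issue_device_cert(root_key, root, "vedge-4", ORG)  # valid cert, never authorized
    allowed = {good.serial_number, wrong_org.serial_number, from_rogue.serial_number}  # constructed
    return {
        "good": peer_accepted(good, root, ORG, allowed),
        "wrong_org": peer_accepted(wrong_org, root, ORG, allowed),
        "rogue_ca": peer_accepted(from_rogue, root, ORG, allowed),
        "unknown_serial": peer_accepted(unknown, root, ORG, allowed),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Running it prints one ACCEPT (`vedge-1`) and three REJECTs with their reasons. The check order matters in practice: the signature is verified before anything in the subject is trusted, so an attacker who can mint a certificate with the right names but the wrong key gains nothing.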

The vSmart and vManage components are deployed as virtual machines capable of supporting multiple cores, up to a maximum of eight cores. Each core listens on its own base port: 12346 for the first core, then 12446, 12546 and so on in steps of 100 for DTLS (23456, 23556 and so on for TLS). Inbound DTLS/TLS connections initially target port 12346 and are then distributed across the cores, so a firewall between the WAN Edges and the controllers must permit the whole per-core range, not just 12346.

You can refer to the below figure of a DTLS Tunnel Authentication between vSmart and vBond.


Once the control plane tunnels are established, various protocols can use these secure sessions. In addition to OMP (Overlay Management Protocol), protocols such as Simple Network Management Protocol (SNMP) and NETCONF are carried inside the same DTLS/TLS tunnels. Because the tunnel supplies authentication and encryption, the weak or absent transport security of those protocols is no longer a concern. The tunnel does not, however, fix bugs inside the protocol implementations themselves: a vulnerability in a NETCONF or SNMP agent is still reachable by an authenticated peer, so those components still need patching.


Overlay Management Protocol (OMP)

In the Cisco SD-WAN solution, the Overlay Management Protocol (OMP) serves as the routing protocol. However, OMP goes beyond just routing and provides several essential services within the control plane:

  • Facilitation of network communication: OMP enables data plane connectivity between sites in the SD-WAN fabric, including service chaining and multi-VPN topology information.
  • Distribution of data plane security information: OMP handles the distribution of encryption keys, ensuring secure communication within the fabric.
  • Best-path selection and routing policy advertisement: OMP determines the optimal paths for data traffic and communicates routing policies across the network.

Read more: Cisco SDWAN vSmart Controllers

OMP is enabled by default in the SD-WAN solution and does not require explicit activation. As components in the fabric become aware of their control elements, they automatically establish control connections. This allows for reachability and orchestration of the network topology.

OMP is designed to interact with legacy routing protocols, including static routes and traditional interior gateway protocols such as OSPF, BGP, and EIGRP. However, unlike traditional IGPs, OMP peering occurs only between the WAN Edges and the vSmart controller(s); WAN Edges never peer with each other. This peering model resembles the operation of a BGP route reflector within an Internal Border Gateway Protocol (IBGP) domain. This approach is beneficial for scalability, as it reduces CPU load on data plane devices by minimizing excessive routing updates and best-path recalculations.
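A toy model of the vSmart-as-route-reflector peering described in this section and in the comparison with a BGP route reflector above, as an added example that is not part of the original article and not Cisco's code. Every WAN Edge sends its routes only to the controller; the controller applies a centralized control policy and best-path selection and reflects the result to the other edges. The simplifications are assumptions for the demo, not OMP's actual rules: best path is "highest preference wins", a route is never reflected back to the site that originated it, and a policy is any callable that returns a (possibly modified) route or `None` to drop it. The three-site fabric, the hub-and-spoke and prefer-MPLS policies, and the prefixes and system IPs are all constructed.

```python
"""Added example, not Cisco code: vSmart modelled as an OMP route reflector with
a centralized control policy. Best-path and policy semantics are simplified."""
from __future__ import annotations
from dataclasses import dataclass, field, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    site_id: int        # site that originated the route
    system_ip: str      # TLOC: system IP of the advertising WAN Edge
    color: str          # TLOC: transport color, e.g. "mpls" or "biz-internet"
    preference: int = 0


Policy = Callable[[OmpRoute, int], Optional[OmpRoute]]  # (route, receiving site) -> route | None


@dataclass
class VSmart:
    """Holds every route received from every edge; edges never talk to each other."""
    rib: dict[str, list[OmpRoute]] = field(default_factory=dict)
    policies: list[Policy] = field(default_factory=list)

    def receive(self, route: OmpRoute) -> None:
        """An edge advertises a route to the controller (its only OMP peer)."""
        self.rib.setdefault(route.prefix, []).append(route)

    def advertise_to(self, site_id: int) -> list[OmpRoute]:
        """Apply policy and (simplified) best-path, then reflect to the given site."""
        out: list[OmpRoute] = []
        for routes in self.rib.values():
            candidates = [r for r in routes if r.site_id != site_id]  # never back to the originator
            for policy in self.policies:
                candidates = [p for p in (policy(r, site_id) for r in candidates) if p is not None]
            if candidates:
                best = max(r.preference for r in candidates)
                out.extend(r for r in candidates if r.preference == best)
        return out


# Constructed policies standing in for a centralized control policy on vSmart.
HUB_SITE = 10


def hub_and_spoke(route: OmpRoute, receiver: int) -> Optional[OmpRoute]:
    """Spokes only learn routes originated at the hub; the hub learns everything."""
    if receiver == HUB_SITE or route.site_id == HUB_SITE:
        return route
    return None


def prefer_mpls(route: OmpRoute, receiver: int) -> Optional[OmpRoute]:
    """Steer traffic onto the MPLS transport by raising that TLOC's preference."""
    return replace(route, preference=100) if route.color == "mpls" else route


def build_fabric() -> VSmart:
    """Constructed three-site fabric: hub at site 10, spokes at 20 and 30, two transports each."""
    vsmart = VSmart(policies=[hub_and_spoke, prefer_mpls])
    for site, prefix, system_ip in [(10, "10.10.0.0/24", "1.1.1.10"),
                                    (20, "10.20.0.0/24", "1.1.1.20"),
                                    (30, "10.30.0.0/24", "1.1.1.30")]:
        for color in ("mpls", "biz-internet"):
            vsmart.receive(OmpRoute(prefix, site, system_ip, color))
    return vsmart


def reflected(vsmart: VSmart, site_id: int) -> set[tuple[str, int, str]]:
    """What a site's WAN Edge ends up with, as (prefix, origin site, color)."""
    return {(r.prefix, r.site_id, r.color) for r in vsmart.advertise_to(site_id)}


if __name__ == "__main__":
    fabric = build_fabric()
    for site in (10, 20, 30):
        print(site, sorted(reflected(fabric, site)))
```

Site 30 ends up with only the hub prefix over MPLS, and the hub sees both spokes over MPLS; the spokes never learn each other's prefixes because the policy decision was made centrally on the controller, with no configuration on the edges themselves.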


OMP Graceful Restart

OMP in the Cisco SD-WAN solution also supports graceful restart functionality. Graceful restart allows WAN Edges to cache forwarding information in case they lose connectivity to the vSmart controllers. In such situations, the WAN Edge will continue using the last received routing information to maintain proper forwarding.

By default, graceful restart is enabled on both vSmart controllers and WAN Edge routers, with a default timer set to 12 hours. This timer can be adjusted within a range of 1 second to 7 days.


A valid IPsec encryption key must remain available for the entire graceful restart period. Data plane keys are distributed through OMP, so if a rekey happens while the WAN Edge's OMP session is down, the new key never reaches it and the data plane tunnels risk being terminated before the graceful restart timer expires. To keep an IPsec rekey from falling inside an OMP outage, the recommended practice is to set the IPsec rekey timer to at least twice the value of the graceful restart timer.

Note:
The configuration of the graceful restart timer can be done through vManage using a CLI template or an OMP feature template. Further details on feature templates will be discussed in the next parts.

When a peering session with the vSmart controller becomes unavailable, the WAN Edge continuously tries to re-establish the connection. However, if the WAN Edge is reloaded, the cached information is lost.

In such cases, the WAN Edge will need to establish a new OMP session with the vSmart controller and receive updated forwarding information before it can resume forwarding traffic on the SD-WAN fabric.
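The timer relationship from the graceful restart discussion above, turned into a pre-deployment check, as an added example that is not part of the original article and not Cisco's code. It verifies that the graceful restart timer is within the documented range and that the IPsec rekey timer is at least twice it. The two config snippets are constructed, and the two CLI keywords the parser looks for (`graceful-restart-timer <seconds>` and `rekey <seconds>`) are an assumption about the template format; adapt the regexes to what your templates actually emit.

```python
"""Added example, not Cisco code: audit OMP graceful-restart vs IPsec rekey timers.
The CLI keywords matched below are assumed, not taken from the page."""
from __future__ import annotations
import re

GR_MIN = 1                  # 1 second
GR_MAX = 7 * 24 * 3600      # 7 days
GR_DEFAULT = 12 * 3600      # 12 hours, the default on vSmart and WAN Edges

_GR_RE = re.compile(r"graceful-restart-timer\s+(\d+)")
_REKEY_RE = re.compile(r"\brekey\s+(\d+)")


def parse_timers(config: str) -> dict[str, int]:
    """Pull both timers (seconds) out of a config; a missing GR timer means the default."""
    gr = _GR_RE.search(config)
    rekey = _REKEY_RE.search(config)
    if rekey is None:
        raise ValueError("no IPsec rekey timer found in config")
    return {"graceful_restart": int(gr.group(1)) if gr else GR_DEFAULT,
            "rekey": int(rekey.group(1))}


def check_timers(graceful_restart: int, rekey: int) -> list[str]:
    """Return findings; an empty list means the pairing is safe."""
    findings: list[str] = []
    if not GR_MIN <= graceful_restart <= GR_MAX:
        findings.append(f"graceful-restart timer {graceful_restart}s is outside {GR_MIN}..{GR_MAX}s")
    if rekey < 2 * graceful_restart:
        findings.append(f"IPsec rekey {rekey}s can fire while OMP is down (cached routes are used for up "
                        f"to {graceful_restart}s); set rekey to at least {2 * graceful_restart}s")
    return findings


def audit(config: str) -> list[str]:
    t = parse_timers(config)
    return check_timers(t["graceful_restart"], t["rekey"])


# Constructed snippets: the weak pairing beside the corrected one.
WEAK_CONFIG = """\
omp
 graceful-restart
 timers
  graceful-restart-timer 43200
security
 ipsec
  rekey 3600
"""
FIXED_CONFIG = WEAK_CONFIG.replace("rekey 3600", "rekey 86400")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

The weak snippet keeps the default 12-hour graceful restart but rekeys hourly, so a controller outage longer than an hour would leave the edge forwarding with a key its peers have already rotated away from; the fixed snippet restores the 2x margin.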

Read more: Cisco SDWAN Overlay Management Protocol (OMP)

Get the Cisco SD-WAN Zero-to-One ebook


Naren Patel

Consultant @ Infosys Global Domain Consulting Group (SDN / NFV / SDWAN/ AWS / DOCKER/ KUBERNETES)

1 year

very well explained.

Ahmed Abdelraouf

Network Security Engineer at Secure Networks

1 year

Keep going! Thanks for sharing.

Victor Quezada Hernández

Soporte TI e Infraestructura

1 year

Very useful. Thanks for sharing, Nam.
