What exactly is Cisco SD-WAN all about?

An overview

This article gives a real-world review of Cisco Catalyst SD-WAN (Viptela) after we rolled it out across 10 sites in Australia and New Zealand for a decent size company.

As an engineer, I’m keeping this article focused on what really matters to us—no fancy buzzwords, just the stuff we actually care about.

Let's start with…

What does SD-WAN do?

After going through the SD-WAN promo material, I can honestly say I don’t feel ripped off. Having one place to manage all my devices with great visibility is awesome. Configurations that adjust for different routers are super easy to generate. I was worried that after 14 years of command line work, I’d lose control and feel less hands-on, but I’m still in control—just now with better tools. I’m still managing traffic flow, but no longer stressing about IPSec tunnels since they’re set up automatically. The browser-based Manager (formerly vManage) gives me solid insights into things like app usage and packet loss. Plus, the Controller (formerly vSmart) acts as a BGP route reflector, making complex routing topologies easy to handle with simple policies.

Control components

The solution includes 4 devices: a site router and 3 control components located centrally. Here’s a quick rundown of what each one does.

Manager (formerly vManage) is the control component that gives you a browser-based GUI to manage your routers and controllers, create configurations and policies, and monitor site devices.

Controller (formerly vSmart) acts as a BGP route reflector, enforcing routing policies configured on the Manager. It takes care of IPSec tunnel setups between sites by handling all the crypto info, so no fat fingering PSKs anymore! Devices connect via the Overlay Management Protocol (OMP), but only to the Controller (vSmart) and not to each other.

Validator (formerly vBond) makes sure only authorized routers can join the SD-WAN fabric. It checks new devices by verifying their serial numbers and certificates against a valid list before letting them in. It’s the first point of contact between a brand new router and the SD-WAN fabric.

Hosting

You can either host the above controllers yourself in a fully self-managed manner (as VMs in the cloud or a DC) or you can opt in to have Cisco host them instead. The latter is by far the most common as you don’t have to worry about patching and availability. For Cisco-hosted there is also an option of having your own control components or sharing with other tenants. Which one you choose depends on your requirements. If you’re working in a government environment you may want to host your own. If your security policy allows hosting them with Cisco, I’d choose that option. The only downside is you are reliant on Cisco TAC to do things like version upgrades.

Device configuration

Device configuration can be achieved in 3 different ways.

  1. Feature templates are small, specific configurations for things like an interface config. For example, a basic interface needs a description, IP address, and “no shut.” This can be done with a reusable interface feature template across multiple sites. The IP address can be a ‘device-specific’ variable for unique values per device. These small pieces are then combined into a Device Template, which forms the running configuration.
  2. CLI templates are for command-line diehards who want to replicate their 300 notepad files and configure devices line by line. You can reuse these templates across sites with device-specific variables, just like feature templates. I wouldn’t recommend using this for anything that already has a feature template available (and few things don’t).
  3. Configuration groups are a new feature designed to simplify things for admins dealing with tons of feature templates. They work similarly but let you group more configurations in one place. For example, instead of having separate feature templates for 4 LAN interfaces, you can now manage all 4 interfaces in a single LAN profile. This is the approach Cisco is focusing on going forward.

Visibility and monitoring

SD-WAN excels in monitoring link throughput, packet loss, jitter and such via an easy-to-read dashboard. All devices in the SD-WAN fabric mesh by default and utilize BFD (Bidirectional Forwarding Detection) to assess connectivity. Routers combine their own metrics with BFD peer data to give the admin enough information to make accurate assessments.

One gripe I have with visibility is traffic logs. With firewalls like Palo Alto, I appreciate seeing who accessed what, on which port, at what time, and which rule they hit. The current release only allows exporting logs to a syslog/netflow collector in an ugly text format. There’s a basic version of traffic logs on the Manager, but it’s not as detailed as what I’m used to on the Palos.

User segmentation

Keeping your users separate is trivial with SD-WAN, and the awesome part is that it’s end to end. It’s all done via ‘Service VPNs’, which are simply VRFs. IPSec traffic between sites is marked with an MPLS label indicating which service VPN it came from, allowing the remote end to route it via the same VRF. Even SGTs can be preserved!

Resiliency

SD-WAN is great at keeping your network resilient. Just set up 2 links for routers to talk to each other or the internet, and the system handles everything. You can easily traffic-engineer guest and corporate traffic onto different paths while keeping both available during a failure.

QoS

With traffic policies from the Controller, it’s a breeze to set up QoS. You can match on pretty much anything—apps, source IPs/ports, protocols, or even classic DSCP markings.

A feature called Application Aware Routing (AAR) lets you set up application probes on a link. If that link’s probe results drop below a certain threshold, traffic can be shifted to another link that hasn’t. The probes can even carry DSCP markings to imitate voice traffic for accurate results.
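To make the AAR decision concrete, here is a small Python model added for this article (it is not Cisco’s code): an SLA class with loss/latency/jitter thresholds, BFD-measured stats per transport colour, and a preferred-colour list. The fallback when no tunnel meets the SLA (pick the lowest-loss path) is an assumption of this model, not a statement about the platform’s default.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaClass:
    """Thresholds an AAR policy references (constructed example values)."""
    name: str
    max_loss_pct: float
    max_latency_ms: int
    max_jitter_ms: int


@dataclass(frozen=True)
class TunnelStats:
    """BFD-derived measurements for one transport colour (constructed)."""
    color: str          # e.g. "mpls", "biz-internet"
    loss_pct: float
    latency_ms: int
    jitter_ms: int


def meets_sla(sla: SlaClass, t: TunnelStats) -> bool:
    """True if every measured value is within the SLA class thresholds."""
    return (t.loss_pct <= sla.max_loss_pct
            and t.latency_ms <= sla.max_latency_ms
            and t.jitter_ms <= sla.max_jitter_ms)


def select_path(sla: SlaClass, tunnels: list, preferred: list) -> str:
    """Return the colour traffic in this SLA class is steered over.

    Order: first preferred colour meeting SLA, then any colour meeting SLA,
    then (assumed fallback) the colour with the lowest loss and latency.
    """
    by_color = {t.color: t for t in tunnels}
    for color in preferred:
        if color in by_color and meets_sla(sla, by_color[color]):
            return color
    for t in tunnels:
        if meets_sla(sla, t):
            return t.color
    return min(tunnels, key=lambda t: (t.loss_pct, t.latency_ms)).color


# Constructed measurements for a site with two transports.
VOICE = SlaClass("voice", max_loss_pct=1.0, max_latency_ms=150, max_jitter_ms=30)
HEALTHY = [TunnelStats("mpls", 0.1, 20, 2), TunnelStats("biz-internet", 0.5, 40, 5)]
MPLS_DEGRADED = [TunnelStats("mpls", 3.0, 20, 2), TunnelStats("biz-internet", 0.5, 40, 5)]
ALL_BAD = [TunnelStats("mpls", 3.0, 20, 2), TunnelStats("biz-internet", 2.0, 300, 50)]
```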

Cloud connectivity

It’s extremely easy to spin up a virtual router in the cloud. In my case it’s AWS, where we have 2 devices at the public edge connected to the transit gateway, which has access to all of our resources.

Security

The routers have IPS/IDS, URL filtering, and app-layer firewalling built in. This is all powered by the UTD (Unified Threat Defense) container running on the router, which inspects traffic as it moves back and forth.

In all honesty I think this has been the weakest part of SD-WAN. URL filtering and IDS work but feel like an afterthought with little customisability. I’ll publish an article on that soon enough.

Summary

Cisco Catalyst SD-WAN is a reliable platform that lives up to its promises. The way OMP and BFD enable seamless router interaction is truly impressive, and I can confidently say it’s been a game changer for us.