dokucama

User Tools

Site Tools

Trace: zscaler vagrant junos netsim
network_stuff:sd-wan

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
network_stuff:sd-wan [2024/10/06 18:07] jotasandokunetwork_stuff:sd-wan [2025/01/22 17:38] (current) jotasandoku
Line 23: Line 23:
  
 ===== How IPSec Tunnels Help in SD-WAN ===== ===== How IPSec Tunnels Help in SD-WAN =====
-IPSec tunnels securely connect different sites over the public internet or other untrusted networks. IPSec provides encryption, integrity, and authentication to secure traffic because SD-WAN often uses public internet links from different ISPs.+IPSec tunnels in SD-WAN secure traffic over public internet links through encryption and authentication. While IPSec was used in older technologies like DMVPN, SD-WAN offers dynamic path selection, rerouting traffic based on real-time link conditions.
  
-==== Key Differences from Legacy Tech Like DMVPN ==== +SD-WAN also supports: 
-Yes, IPSec tunneling was available in older technologies like **DMVPN (Dynamic Multipoint VPN)** and **MPLS VPNs**, but SD-WAN manages traffic and integrates IPSec with broader network intelligence in ways that differ from traditional methods. +  * **Application-aware routing** using DPI
- +  * **Centralized management** via a controller for simplified configuration
-  * **Dynamic Path Selection**+  * **Flexible overlay management** over multiple transport links, 
-    - In DMVPN, tunnels were static or dynamic but lacked flexibility in choosing traffic paths. +  * **Real-time performance monitoring** to adjust traffic dynamically based on link quality.
-    - SD-WAN uses dynamic overlay network. The SD-WAN controller monitors WAN link performance and reroutes traffic based on link conditions. For instanceif ISP-1 experiences packet loss, SD-WAN quickly shifts traffic to ISP-2 without manual intervention. +
- +
-  * **Application-Aware Routing**: +
-    - DMVPN couldn’t inspect traffic based on applications. Routing was based on IP or protocol. +
-    - SD-WAN uses **deep packet inspection (DPI)** to classify applications, allowing policies to direct traffic over the best-performing link. It adjusts routes dynamically if performance degrades.+
  
-  * **Centralized Management and Automation**: 
-    - DMVPN required manual configuration at each site. Managing policies and changes across many sites was time-consuming. 
-    - SD-WAN offers centralized policy management via a controller. Global or per-site policies are applied automatically to all edge devices, reducing the admin burden. 
- 
-  * **Simplified Overlay Management**: 
-    - DMVPN used static or dynamic IPSec VPNs, but the overlay networks were rigid. 
-    - SD-WAN builds a flexible overlay network on top of any combination of transport links (MPLS, Internet, LTE) with automated encryption and dynamic routing. The SD-WAN controller abstracts these tunnels for seamless failover and link optimization. 
- 
-  * **Better Analytics and Performance Monitoring**: 
-    - DMVPN offered limited monitoring (e.g., up/down status, latency). Proactive tuning wasn’t possible. 
-    - SD-WAN provides real-time analytics and performance monitoring, tracking jitter, latency, packet loss, and bandwidth. It uses these insights to dynamically adjust traffic paths and can trigger alerts or automated responses to network issues. 
  
 ===== Other SD-WAN Modes ===== ===== Other SD-WAN Modes =====
-  * **Active/Active Mode**: All WAN links are used simultaneously to balance traffic and improve redundancy.+  * **Active/Active Mode**: All WAN links are used simultaneously to balance traffic and improve redundancy. Example Active-Active fortigate [[https://www.youtube.com/watch?v=7OoFk0KvLzY]]
   * **Active/Standby Mode**: One link is primary, another is backup. The backup link only takes over if the primary fails.   * **Active/Standby Mode**: One link is primary, another is backup. The backup link only takes over if the primary fails.
   * **Failover Mode**: Traffic switches to a backup link if the primary fails, without load balancing.   * **Failover Mode**: Traffic switches to a backup link if the primary fails, without load balancing.
Line 65: Line 49:
     - ZTNA verifies users every time they access a resource, enforcing strict identity checks, even inside the network. It treats all requests as untrusted, ensuring each interaction is authenticated and authorized.     - ZTNA verifies users every time they access a resource, enforcing strict identity checks, even inside the network. It treats all requests as untrusted, ensuring each interaction is authenticated and authorized.
     - In a SASE framework, ZTNA works alongside SD-WAN to ensure appropriate access controls, so no implicit trust is given based on network location.     - In a SASE framework, ZTNA works alongside SD-WAN to ensure appropriate access controls, so no implicit trust is given based on network location.
 +    - Real-Life Example of ZTNA in SD-WAN:
 +      - A company uses SD-WAN for branch offices to access cloud applications. With **ZTNA**, when an employee tries to access a sensitive application, the system verifies the user’s identity and device, regardless of their location (office or home). Only after passing strict checks can the employee access the resource, ensuring secure and controlled access.
 +
  
 ===== Key Takeaways ===== ===== Key Takeaways =====
Line 71: Line 58:
   * DMVPN provided static or semi-dynamic IPSec VPNs, while SD-WAN turns those tunnels into an intelligent, software-defined overlay that adapts to network conditions and application requirements.   * DMVPN provided static or semi-dynamic IPSec VPNs, while SD-WAN turns those tunnels into an intelligent, software-defined overlay that adapts to network conditions and application requirements.
   * SASE adds cloud-based security services on top of SD-WAN, while ZTNA enforces strict user access controls within that framework.   * SASE adds cloud-based security services on top of SD-WAN, while ZTNA enforces strict user access controls within that framework.
 +
 +
 +----
 +=== CISCO SD-WAN - LAB NOTES ===
 +Three elements. Only one of them needs high resources for the lab:
 +  * sd-wan manager (vmanage, centralized dashboard): ~20GB RAN
 +  * controllers (vsmart, policy engines): router with 'policy' role (~control plane)
 +  * edge nodes (vedge): these are just the dumb switches
 +  * vbond (CA)
 +
 +No need for smart account. Just a button with **pay as you go** license. **this is in the vmanage itself, we need to have last version. (20.6.3 (Jul 2022))
 +All air gapped, you need to do your your Wan edge certificates yourself and your controller certificates.So you need to know how to generate open SSL root CA and then sign certs from that CA.\\
 +basically the first step in onboarding a router like ACSR 1000V or a Catalyst 8000V virtual router is to take the CA certificate and install it.  put it on the boot flash of the router and then you import it into the router's trust store.So what that does is when it does that initial connection to the controllers, it now uses your certificate to validate them and form that mutual trust instead of using the one that Cisco would use if you were in the cloud.\\
  
network_stuff/sd-wan.1728238036.txt.gz · Last modified: by jotasandoku

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki