Differences

This shows you the differences between two versions of the page.

--- network_stuff:sd-wan [2024/10/06 18:11] – jotasandoku
+++ network_stuff:sd-wan [2025/01/22 17:38] (current) – jotasandoku
@@ Line 33: / Line 33: @@
 ===== Other SD-WAN Modes =====
-  * **Active/Active Mode**: All WAN links are used simultaneously to balance traffic and improve redundancy.
+  * **Active/Active Mode**: All WAN links are used simultaneously to balance traffic and improve redundancy. Example Active-Active fortigate [[https://www.youtube.com/watch?v=7OoFk0KvLzY]]
   * **Active/Standby Mode**: One link is primary, another is backup. The backup link only takes over if the primary fails.
   * **Failover Mode**: Traffic switches to a backup link if the primary fails, without load balancing.
@@ Line 49: / Line 49: @@
     - ZTNA verifies users every time they access a resource, enforcing strict identity checks, even inside the network. It treats all requests as untrusted, ensuring each interaction is authenticated and authorized.
     - In a SASE framework, ZTNA works alongside SD-WAN to ensure appropriate access controls, so no implicit trust is given based on network location.
+    - Real-Life Example of ZTNA in SD-WAN:
+      - A company uses SD-WAN for branch offices to access cloud applications. With **ZTNA**, when an employee tries to access a sensitive application, the system verifies the user’s identity and device, regardless of their location (office or home). Only after passing strict checks can the employee access the resource, ensuring secure and controlled access.
 ===== Key Takeaways =====
@@ Line 55: / Line 58: @@
   * DMVPN provided static or semi-dynamic IPSec VPNs, while SD-WAN turns those tunnels into an intelligent, software-defined overlay that adapts to network conditions and application requirements.
   * SASE adds cloud-based security services on top of SD-WAN, while ZTNA enforces strict user access controls within that framework.
+----
+=== CISCO SD-WAN - LAB NOTES ===
+Three elements. Only one of them needs high resources for the lab:
+  * sd-wan manager (vmanage, centralized dashboard): ~20GB RAN
+  * controllers (vsmart, policy engines): router with 'policy' role (~control plane)
+  * edge nodes (vedge): these are just the dumb switches
+  * vbond (CA)
+No need for smart account. Just a button with **pay as you go** license. **this is in the vmanage itself, we need to have last version. (20.6.3 (Jul 2022))
+All air gapped, you need to do your your Wan edge certificates yourself and your controller certificates.So you need to know how to generate open SSL root CA and then sign certs from that CA.\\
+basically the first step in onboarding a router like ACSR 1000V or a Catalyst 8000V virtual router is to take the CA certificate and install it.  put it on the boot flash of the router and then you import it into the router's trust store.So what that does is when it does that initial connection to the controllers, it now uses your certificate to validate them and form that mutual trust instead of using the one that Cisco would use if you were in the cloud.\\

dokucama

User Tools

Site Tools

Differences

Page Tools