dokucama

User Tools

Site Tools

Trace: openwrt containerlab dell-force10 sd-wan
network_stuff:sd-wan

Table of Contents

SD-WAN

TL;DR: SD-WAN maps applications to links based on performance and security requirements.
IPSec tunnels secure traffic over public internet links but are a supporting feature, not the primary focus of SD-WAN.

viptela

  • Fortigate
  • Palo Alto-prisma
  • Juniper-Mist-A
  • HP-Aruba-SilverPeak
  • NSX/VMware (Broadcom)

SD-WAN Overview

At its core, SD-WAN manages traffic across different WAN connections (like multiple ISPs or MPLS circuits) to optimize performance, security, and cost. The key idea is application-aware routing—you can define which applications use which connections based on policies you set.

For example:

  • ISP-1 for critical apps like video conferencing,
  • ISP-2 for regular web browsing,
  • ISP-3 for backup or non-critical traffic.

Normally, SD-WAN requires two 'edge' devices. The SD-WAN device (either physical or virtual) at each site monitors the quality of each link (latency, jitter, packet loss, etc.) and dynamically switches traffic between them based on real-time performance or failover scenarios. So, yes, you can map applications to paths based on your example.

How IPSec Tunnels Help in SD-WAN

IPSec tunnels in SD-WAN secure traffic over public internet links through encryption and authentication. While IPSec was used in older technologies like DMVPN, SD-WAN offers dynamic path selection, rerouting traffic based on real-time link conditions.

SD-WAN also supports:

  • Application-aware routing using DPI,
  • Centralized management via a controller for simplified configuration,
  • Flexible overlay management over multiple transport links,
  • Real-time performance monitoring to adjust traffic dynamically based on link quality.

Other SD-WAN Modes

  • Active/Active Mode: All WAN links are used simultaneously to balance traffic and improve redundancy. Example Active-Active fortigate https://www.youtube.com/watch?v=7OoFk0KvLzY
  • Active/Standby Mode: One link is primary, another is backup. The backup link only takes over if the primary fails.
  • Failover Mode: Traffic switches to a backup link if the primary fails, without load balancing.

SD-WAN also supports:

  • Traffic Shaping and QoS: Ensures important applications (e.g., VoIP) get necessary bandwidth and low latency.
  • Zero Touch Provisioning (ZTP): New SD-WAN devices can be deployed and configured remotely, without manual setup.

How SD-WAN Relates to SASE and ZTNA

  • SASE (Secure Access Service Edge):
    1. SASE integrates SD-WAN with cloud-based security services like firewalls, secure web gateways, CASB (Cloud Access Security Broker), etc. SD-WAN handles intelligent traffic routing, while SASE adds security in the cloud.
    2. SD-WAN is the network foundation of SASE, which embeds security directly into the network at all edges (on-prem or in the cloud).
  • ZTNA (Zero Trust Network Access):
    1. ZTNA verifies users every time they access a resource, enforcing strict identity checks, even inside the network. It treats all requests as untrusted, ensuring each interaction is authenticated and authorized.
    2. In a SASE framework, ZTNA works alongside SD-WAN to ensure appropriate access controls, so no implicit trust is given based on network location.
    3. Real-Life Example of ZTNA in SD-WAN:
      1. A company uses SD-WAN for branch offices to access cloud applications. With ZTNA, when an employee tries to access a sensitive application, the system verifies the user’s identity and device, regardless of their location (office or home). Only after passing strict checks can the employee access the resource, ensuring secure and controlled access.

Key Takeaways

  • SD-WAN uses IPSec tunnels like DMVPN but manages them dynamically, making smarter routing decisions based on real-time performance and application needs. It also integrates centralized control and application awareness.
  • IPSec tunnels in SD-WAN offer security, but they’re part of a broader system where dynamic path selection, application-based routing, and centralized policy management take precedence.
  • DMVPN provided static or semi-dynamic IPSec VPNs, while SD-WAN turns those tunnels into an intelligent, software-defined overlay that adapts to network conditions and application requirements.
  • SASE adds cloud-based security services on top of SD-WAN, while ZTNA enforces strict user access controls within that framework.

CISCO SD-WAN - LAB NOTES

Three elements. Only one of them needs high resources for the lab:

  • sd-wan manager (vmanage, centralized dashboard): ~20GB RAN
  • controllers (vsmart, policy engines): router with 'policy' role (~control plane)
  • edge nodes (vedge): these are just the dumb switches
  • vbond (CA)

No need for smart account. Just a button with pay as you go license. **this is in the vmanage itself, we need to have last version. (20.6.3 (Jul 2022)) All air gapped, you need to do your your Wan edge certificates yourself and your controller certificates.So you need to know how to generate open SSL root CA and then sign certs from that CA.
basically the first step in onboarding a router like ACSR 1000V or a Catalyst 8000V virtual router is to take the CA certificate and install it. put it on the boot flash of the router and then you import it into the router's trust store.So what that does is when it does that initial connection to the controllers, it now uses your certificate to validate them and form that mutual trust instead of using the one that Cisco would use if you were in the cloud.

network_stuff/sd-wan.txt · Last modified: by jotasandoku

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki