Cisco vManage

Cisco vManage is a centralized network management system. Cisco vManage dashboard provides a visual window into the network, and it allows you to configure and manage Cisco vEdge network devices. Cisco vManage software runs on a server in the network. This server is typically situated in a centralized location, such as a data center. It is possible for Cisco vManage software to run on the same physical server as Cisco vSmart Controller software.

You can use Cisco vManage to store certificate credentials, and to create and store configurations for all Cisco vEdge network components. As these components come online in the network, they request their certificates and configurations from Cisco vManage. When Cisco vManage receives these requests, it pushes the certificates and configurations to the Cisco vEdge network devices.

For vEdge Cloud routers, Cisco vManage can also sign certificates and generate bootstrap configurations, and it can decommission the devices.

Cisco vSmart Controller

The Cisco vSmart Controller oversees the control plane of the Cisco SD-WAN overlay network, establishing, adjusting, and maintaining the connections that form the Cisco SD-WAN fabric.

The major components of the Cisco vSmart Controller are:

• Control plane connections—Each Cisco vSmart Controller establishes and maintains a control plane connection with each vEdge router in the overlay network. (In a network with multiple Cisco vSmart Controllers, a single Cisco vSmart Controller may have connections only to a subset of the vEdge routers, for load-balancing purposes.) Each connection, which runs as a DTLS tunnel, is established after device authentication succeeds, and it carries the encrypted payload between the Cisco vSmart Controller and the vEdge router. This payload consists of route information necessary for the Cisco vSmart Controller to determine the network topology, and then to calculate the best routes to network destinations and distribute this route information to the vEdge routers. The DTLS connection between a Cisco vSmart Controller and a vEdge router is a permanent connection. The Cisco vSmart Controller has no direct peering relationships with any devices that a vEdge router is connected to on the service side.
• OMP (Overlay Management Protocol)—The OMP protocol is a routing protocol similar to BGP that manages the Cisco SD-WAN overlay network. OMP runs inside DTLS control plane connections and carries the routes, next hops, keys, and policy information needed to establish and maintain the overlay network. OMP runs between the Cisco vSmart Controller and the vEdge routers and carries only control plane information. The Cisco vSmart Controller processes the routes and advertises reachability information learned from these routes to other vEdge routers in the overlay network.
• Authentication—The Cisco vSmart Controller has pre-installed credentials that allow it to authenticate every new vEdge router that comes online. These credentials ensure that only authenticated devices are allowed access to the network.
• Key reflection and rekeying—The Cisco vSmart Controller receives data plane keys from a vEdge router and reflects them to other relevant vEdge routers that need to send data plane traffic.
• Policy engine—The Cisco vSmart Controller provides rich inbound and outbound policy constructs to manipulate routing information, access control, segmentation, extranets, and other network needs.
• Netconf and CLI—Netconf is a standards-based protocol used by Cisco vManage to provision a Cisco vSmart Controller. In addition, each Cisco vSmart Controller provides local CLI access and AAA.

The Cisco vSmart Controller maintains a centralized route table that stores the route information, called OMP routes, that it learns from the vEdge routers and from any other Cisco vSmart Controllers in the Cisco SD-WAN overlay network. Based on the configured policy, the Cisco vSmart Controller shares this route information with the Cisco vEdge network devices in the network so that they can communicate with each other.

The Cisco vSmart Controller is software that runs as a virtual machine on a server configured with ESXi or VMware hypervisor software. The vSmart software image is a signed image that is downloadable from the Cisco SD-WAN website. A single Cisco SD-WAN root-of-trust public certificate is embedded into all vSmart software images.

During the initial startup of a Cisco vSmart Controller, you enter minimal configuration information, such as the IP addresses of the controller and the Cisco vBond Orchestrator. With this information and the root-of-trust public certificate, the Cisco vSmart Controller authenticates itself on the network, establishes a DTLS control connection with the Cisco vBond Orchestrator, and receives and activates its full configuration from Cisco vManage if one is present in the domain. (Otherwise, you can manually download a configuration file or create a configuration directly on the Cisco vSmart Controller through a console connection.) The Cisco vSmart Controller is now also ready to accept connections from the vEdge routers in its domain.

To provide redundancy and high availability, a typical overlay network includes multiple Cisco vSmart Controllers in each domain. A domain can have up to 20 vSmart controllers. To ensure that the OMP network routes remain synchronized, all the Cisco vSmart Controllers must have the same configuration for policy and OMP. However, the configuration for device-specific information, such as interface locations and addresses, system IDs, and host names, can be different. In a network with redundant Cisco vSmart Controllers, the Cisco vBond Orchestrator tells the Cisco vSmart Controllers about each other and tells each Cisco vSmart Controller which vEdge routers in the domain it should accept control connections from. (Different vEdge routers in the same domain connect to different Cisco vSmart Controllers, to provide load balancing.) If one Cisco vSmart Controller becomes unavailable, the other controllers automatically and immediately sustain the functioning of the overlay network.

Cisco vBond Orchestrator

The Cisco vBond Orchestrator automatically coordinates the initial bringup of Cisco vSmart Controllers and vEdge routers, and it facilities connectivity between Cisco vSmart Controllers and vEdge routers. During the bringup processes, the Cisco vBond Orchestrator authenticates and validates the devices wishing to join the overlay network. This automatic orchestration process prevents tedious and error-prone manual bringup.

The Cisco vBond Orchestrator is the only Cisco vEdge device that is located in a public address space. This design allows the Cisco vBond Orchestrator to communicate with Cisco vSmart Controllers and vEdge routers that are located behind NAT devices, and it allows the Cisco vBond Orchestrator to solve any NAT-traversal issues of these Cisco vEdge devices.

The major components of the Cisco vBond Orchestrator are:

• Control plane connection—Each vBond ​orchestrator has a persistent control plane connection in the form of a DTLS tunnel with each Cisco vSmart Controller in its domain. In addition, the Cisco vBond Orchestrator uses DTLS connections to communicate with vEdge routers when they come online, to authenticate the router, and to facilitate the router's ability to join the network. Basic authentication of a vEdge router is done using certificates and RSA cryptography.
• NAT traversal—The Cisco vBond Orchestrator facilitates the initial orchestration between vEdge routers and Cisco vSmart Controllers when one or both of them are behind NAT devices. Standard peer-to-peer techniques are used to facilitate this orchestration.
• Load balancing—In a domain with multiple Cisco vSmart Controllers, the Cisco vBond Orchestrator automatically performs load balancing of vEdge routers across the Cisco vSmart Controllers when routers come online.

The Cisco vBond Orchestrator is a software module that authenticates the Cisco vSmart Controllers and the vEdge routers in the overlay network and coordinates connectivity between them. It must have a public IP address so that all Cisco vEdge devices in the network can connect to it. (It is the only Cisco vEdge device that must have a public address.)

The Cisco vBond Orchestrator orchestrates the initial control connection between Cisco vSmart Controllers and vEdge routers. It creates DTLS tunnels to the Cisco vSmart Controllers and vEdge routers to authenticate each node that is requesting control plane connectivity. This authentication behavior assures that only valid customer nodes can participate in the Cisco SD-WAN overlay network. The DTLS connections with Cisco vSmart Controllers are permanent so that the vBond controller can inform the Cisco vSmart Controllers as vEdge routers join the network. The DTLS connections with vEdge routers are temporary; once the Cisco vBond Orchestrator has matched a vEdge router with a Cisco vSmart Controller, there is no need for the Cisco vBond Orchestrator and the vEdge router to communicate with each other. The Cisco vBond Orchestrator shares only the information that is required for control plane connectivity, and it instructs the proper vEdge routers and Cisco vSmart Controllers to initiate secure connectivity with each other. The Cisco vBond Orchestrator maintains no state.

To provide redundancy for the Cisco vBond Orchestrator, you can create multiple vBond entities in the network and point all vEdge routers to those Cisco vBond Orchestrators. Each Cisco vBond Orchestrator maintains a permanent DTLS connection with each Cisco vSmart Controller in the network. If one Cisco vBond Orchestrator becomes unavailable, the others are automatically and immediately able to sustain the functioning of the overlay network. In a domain with multiple Cisco vSmart Controllers, the vBond orchestrator pairs a vEdge router with one of the Cisco vSmart Controllers to provide load balancing.

vEdge Routers

The vEdge router, whether a hardware or software device, is responsible for the data traffic sent across the network. When you place a vEdge router into an existing network, it appears as a standard router.

To illustrate this, the figure here shows a vEdge router and an existing router that are connected by a standard Ethernet interface. These two routers appear to each other to be Layer 3 end points, and if routing is needed between the two devices, OSPF or BGP can be enabled over the interface. Standard router functions, such as VLAN tagging, QoS, ACLs, and route policies, are also available on this interface.

The vEdge router's components are:

• DTLS control plane connection—Each vEdge router has one permanent DTLS connection to each Cisco vSmart Controller it talks to. This permanent connection is established after device authentication succeeds, and it carries encrypted payload between the vEdge router and the Cisco vSmart Controller. This payload consists of route information necessary for the Cisco vSmart Controller to determine the network topology, and then to calculate the best routes to network destinations and distribute this route information to the vEdge routers.
• OMP (Overlay Management Protocol)—As described for the Cisco vSmart Controller, OMP runs inside the DTLS connection and carries the routes, next hops, keys, and policy information needed to establish and maintain the overlay network. OMP runs between the vEdge router and the Cisco vSmart Controller and carries only control information.
• Protocols—The vEdge router supports standard protocols, including OSPF, BGP, VRRP, and BFD.
• RIB (Routing Information Base)—Each vEdge router has multiple route tables that are populated automatically with direct interface routes, static routes, and dynamic routes learned via BGP and OSPF. Route policies can affect which routes are stored in the RIB.
• FIB (Forwarding Information Base)—This is a distilled version of the RIB that the CPU on the vEdge router uses to forward packets.
• Netconf and CLI—Netconf is a standards-based protocol used by Cisco vManage to provision a vEdge router. In addition, each vEdge router provides local CLI access and AAA.
• Key management—vEdge routers generate symmetric keys that are used for secure communication with other vEdge routers, using the standard IPsec protocol.
• Data plane—The vEdge router provides a rich set of data plane functions, including IP forwarding, IPsec, BFD, QoS, ACLs, mirroring, and policy-based forwarding.

The vEdge router has local intelligence to make site-local decisions regarding routing, high availability (HA), interfaces, ARP management, ACLs, and so forth. The OMP session with the Cisco vSmart Controller influences the RIB in the vEdge router, providing non-site-local routes and the reachability information necessary to build the overlay network.

The hardware vEdge router includes a Trusted Board ID chip, which is a secure cryptoprocessor that contains the private key and public key for the router, along with a signed certificate. All this information is used for device authentication. When you initially start up a vEdge router, you enter minimal configuration information, such as the IP addresses of the vEdge router and the Cisco vBond Orchestrator. With this information and the information on the Trusted Board ID chip, the vEdge router authenticates itself on the network, establishes a DTLS connection with the Cisco vSmart Controller in its domain, and receives and activates its full configuration from Cisco vManage if one is present in the domain. Otherwise, you can manually download a configuration file or create a configuration directly on the vEdge router through a console connection.