SD-WAN

What is SDN?

SDN is Software Defined Networking, which is an approach to network management,

managing our devices centrally. This will give us easy monitoring and easy
troubleshooting of distributed network devices. By removing the control plane of
network devices, SDN will attempt to centralise the network intelligence in our
network component. Having one or more controllers in the SDN control panel, we
take it as the brain of the SDN network.

Disadvantages of SDN

1. It requires a change in the entire network infrastructure to implement the SDN

protocol and SDN controller. It requires a complete reconfiguration of the
network. This increased the cost due to reconfiguration.
2. Staff Needs to be trained.
 3. A new management tool needs to be procured, and everyone should be
trained to use it.
4. Security is a big challenge in SDN.

ETSI MANO framework

The European Telecommunications Standards Institute (ETSI) is an independent,

not-for-profit, standardisation organisation in the telecommunications industry. Over
the years ETSI have developed a number of standards/frameworks around NFV, that
has led to NFV ETSI MANO (Management and Orchestration).
Network Functions Virtualization (NFV)
● NFV decouples network functions from the hardware
● Those network functions are called virtual network functions (VNFs)
● VNFs run in virtual machines
● NFV allows for scaling of VMs to handle changes in data centre traffic

NFV Infrastructure (NFVI)

● The Network Functions Virtualization Infrastructure (NFVI)
● It provides the physical compute, storage, and networking hardware that
hosts the VNFs.

Virtualized Infrastructure Manager (VIM)

● responsible for controlling, managing, and monitoring the NFVI compute,
storage, and network hardware.
● The VIM manages the allocation and release of virtual resources, and the
association of virtual to physical resources, including the optimization of
resources.
================================================================

Virtualized Network Functions (VNFs)

VNFs include virtualized routers, firewalls, WAN optimization stc . Most VNFs are run
in virtual machines (VMs) on common virtualization infrastructure software such as
VMWare or KVM. In the Colt implementation, this is represented by the Versa Flex
VNF running network functions on the Controller, Gateway, and CPE.

Virtual Network Functions Manager (VNFM)

VNFMs are necessary for scaling, changing operations, adding new resources, and
communicating the states of VNFs to the NFVO. The NFVO coordinates with the
VNFM to instantiate VNFs and manages the deployment of network services, which
are made up of VNFs.
======================================================

EMS (Element Management System) in the solution is the Versa Analytics

Network Functions Virtualization Orchestrator (NFVO)

The NFVO provides key access to resources and instances in order to create an
overall NFV solution that includes VNF catalogues, network services catalogues,
NFV instances, and NFVI resources.
 Operations Support Systems and Business Support Systems
(OSS/BSS)

● An operations support system (OSS) is software that is used for network

monitoring, control, analysis, and management.OSS and business support
systems (BSS) both are part of customer-facing activities, such as, ordering,
billing, and customer support.
● Colt OSS infrastructure with the Logging Platform (TACACS), Monitoring
Platform(SENSU), DNS, LDAP Service

Why do we need SD-WAN?

Companies want to reduce costs and manage their infrastructure more effectively.
However, the traditional wide-area network (WAN) was designed to connect users at
remote sites to applications hosted in the company's data centre. Dedicated leased
lines and MPLS circuits were used to provide secure and reliable connectivity to the
DC. Although some applications are now in public clouds and the Internet, the traffic
from the remote sites must come to the DC first and then be routed to the Public
Cloud and back. This concept is visualised in figure 1.

The traditional WAN connectivity between the branches and the DC is not the most
effective way to connect to all applications and creates the following inefficiencies:

● Security Issue
● Complex policies
● Complex configuration
 What is SD-WAN?

SD-WAN is a Wide Area Network (WAN) overlay architecture that applies the principles of
Software-Defined Networking (SDN) into the traditional WAN. SDN centralises
management by abstracting the control plane from the data forwarding function in the
discrete networking devices.

SD-WAN solution provides the following improvements over the traditional WAN design:

● Connecting any location in a fast, secure, and highly available manner using
Zero-Touch Provisioning (ZTP).
● Reducing operational and management costs .
● Providing end-to-end security from remote sites to the Internet, Cloud, SaaS apps.
● Providing a single pane of glass (SPOG) for management, analytics, and
configuration policy across the enterprise WAN.
● Delivering faster cloud access by enabling direct internet access at the branch
● Lowering WAN costs through the use of cheaper internet or LTE connectivity as an
alternative to MPLS

Benefits of SD-WAN
● Automation and Improved uptime - Centralised management and automation
could eliminate most human errors such as misconfigurations, wrong designs,
and deployments. This would significantly improve the overall uptime of the
network.
● More secure - Centrally managed networks can easily apply end-to-end
security policy across the enterprise network which is very hard to do using
the box-to-box approach.
● Better analytics -Treating a network as one system enables a single
management console that presents data from multiple sources in a unified
display.

SD-WAN solutions

● Meraki is designed for small and mid-sized companies that want simplicity
and ease of use above everything else.
● Viptela has more advanced features available and requires a sophisticated
network design and architecture. The product is designed for large-scale
enterprise-level networks and has a high degree of customization.
SD-WAN Components

The solution is broken up into four planes: data, control, management and Orchestration
.

vManage- Management Plane

It is responsible for collecting network telemetry data, run analytics, and alert on events
in the SD-WAN fabric. It is also the tool that admins use to create device templates, push
configurations, and perform overlay traffic engineering.

vBond - Orchestration Plane

Its job is to orchestrate the process of onboarding new unconfigured devices to the
SD-WAN fabric. It is responsible for the authentication and whitelisting of vEdge routers
and control/management information distribution.

vSmart -Control Plane

vSmart controllers are the brain of the overlay fabric. They advertise routing, policies,
and security. vSmart controllers are like BGP Route-reflectors . However, it is important
to understand these appliances are not part of the Data Plane and do not participate in
packet forwarding.

vEdge -Data Plane

vEdge devices represent the Data Plane of the SD-WAN system. They sit at the WAN edge
and establish the network fabric and join the SD-WAN overlay. vEdge routers exchange
routing information with the vSmart controllers over the Overlay Management Protocol
(OMP).

Overlay Management Protocol (OMP)

Upon joining the SD-WAN fabric, each vEdge router establishes one permanent secure
connection to the vSmart controller via DTLS, which is then used by the vEdges to
exchange control plane information to the controller such as prefixes, crypto keys, and
policy information.

Three types of routes are advertised with OMP:

1. OMP routes: OMP Routes, also referred to as vRoutes, are prefixes learned at the
local site via connected interfaces, static routes, and dynamic routing protocols
(such as OSPF, EIGRP, and BGP) running on the service side of the vEdge. These
prefixes are redistributed into OMP and advertised to the vSmart controller
2. TLOC routes: advertise Transport Locators of the connected WAN transports,
along with additional attributes such as public and private IP addresses, color,
TLOC preference, site ID, weight, tags, and encryption keys.
3. Service routes are used to exchange services such as firewall, IPS,
application-specific optimizations, and load-balancers.
What is a TLOC?

A TLOC is a Transport Locator that represents an attachment point where a WAN

Edge device connects to a WAN transport. A TLOC is uniquely identified by a tuple of
three values - (System-IP address, Color, Encapsulation).

● System-IP: The System-IP is the unique identifier of the WAN edge device
across the SD-WAN fabric. It is similar to the Router-ID in traditional routing
protocols such as BGP. It does not need to be routable or reachable across
the fabric.
● Transport Color: The color is an abstraction used to identify different WAN
transports such as MPLS, Internet, LTE, 5G, etc.
● Encapsulation Type: This value specifies the type of encapsulation this TLOC
uses - IPsec or GRE. To successfully form a data plane tunnel to another
TLOC, both sides must use the same encryption type.

SD-WAN Pre-defined VPNs

By default, the SD-WAN solution has two pre-defined VPNs that cannot be deleted
or modified: Transport VPN 0 and Management VPN 512.

Transport VPN 0

VPN 0 is the pre-defined Transport VPN of the SD-WAN solution. It cannot be

deleted nor modified. The purpose of this VPN is to enforce a separation between
the WAN transport networks (the underlay) and network services (the overlay).
Therefore, all WAN links such as Internet and MPLS circuits are kept in VPN 0
Management VPN 512

By default in SD-WAN, VPN 512 is configured for out-of-band management. It is

enabled and ready-to-go out of the box.

Service VPNs - between 1 and 65530 (excluding 512)

When we want to create an isolated network domain and isolate the data traffic in
this domain from the other user networks onsite, we create a new service VPN on
the vEdge routers. This VPN is specified by a number different from 0 (Transport)
and 512 (Management). Once the network segment is created, you associate
interfaces, enable routing protocols, and other network services such as VRRP and
QoS within this VPN. One important thing to point out is that interfaces associated
with user segments must not be connected to WAN transports.

Manual Deployment

The manual onboarding option is something that Network Engineers are pretty
familiar with. The WAN edge device is basically configured via the console port or
using the KVM/ESXi virtual console connection if the device is a virtual one.
Тhe minimum configuration that is required to successfully onboard a WAN edge
router is as follow:

● System-IP, Site-id, Organization-name, vBond IP address.

● VPN 0 interface with IP address/mask, default route, and tunnel interface.

What is a Centralized Control Policy?

A centralized control policy is a policy that manipulates the route and tloc
information that is exchanged between the vSmart controllers and the vEdge devices
in the SD-WAN overlay fabric. It can influence the overlay topology of IPsec tunnels
and the routing paths through the fabric.

When a Centralized Policy is defined and activated in vManage, vManage pushes

that policy as a NETCONF transaction to the vSmart controllers. The policy itself is
never pushed to the WAN edge devices, only the results of the policy are advertised
by the vSmart controllers via OMP to the overlay. It is also important to mention that
the vSmart controller only keeps the last configured policy in its configuration
database.
What is a Localized Policy?

The main difference between centralized and localized policies is the area of effect.
A centralized policy is applied on vSmart and has a network-wide impact (hence
centralized). In contrast, a localized policy is configured directly on a vEdge router
via CLI or through a vManage device template and has a single-device scope (hence
localized). As the control and data plane of the SD-WAN solution is separated,
localized policies are also divided into control and data ones, as illustrated in the
diagram below.

Application-Aware Routing Policy

An Application-Aware Routing (App-route) policy allows the SD-WAN fabric to

monitor the quality of network paths in real-time and do SLA-driven routing across
the best available transports. App-route policies rely on BFD to detect performance
issues such as packet loss, latency, and jitter on the overlay tunnels. Suppose BFD
reports that IPsec tunnel characteristics have become worse than the defined SLA
class for a given application. In that case, the App-route policy automatically moves
the matched application traffic off the network path, experiencing performance
degradation. The app-route policy automatically returns the application traffic as the
network eventually recovers from the brownout condition.
COLT - CASE

Account Name: CECOEL, AIE - Grup Assistència

Service ID : 2112H0485

CCT ID: BCN/PAR/IA-260492

CASE : 1-55436766023
>>Now Open Putty and login Versa director

ssh nv-bh01-pgt.nv.colt.net
athaper@nv-bh01-pgt:~$ cat /tmp/sdwan_devices.csv | grep <CPE - NAME >

>>Now try to SSH the IP address CPE IP to login the device

Note:- Ping is not allowed so do not try to ping IP address 100.110.3.52 to check device is
reachable or not

If you are not able to login the device its mean some issue with device so need to check
power/primary checks and check circuit connectivity through XNG, engage transmission and
OLO. Same as we do for normal circuits.

1. To check interface are UP or not

2. Check interface statistics for traffic status on each interfaces.

3. Check ARP status.

4.Try to ping LAN remote IP , Internet ,MPLS remote IP address

5.Check BGP status

6.Check device UP time

athaper@BCN009120-cli> show alarms last-n 10

Customer SD WAN portal >>> http://prod.sdwan-admin-ui.sdwan.novitas.internal.colt.net/

>>If device up then we have to validate the same error by login customer SD WAN portal.
>>Take snap of error and send email to Novitas team (Novitas DevOps).
 END
By -

Ankur Thaper

Technical Lead, Data

Colt Technology Services

www.colt.net