
Cisco Catalyst SD-WAN Components

2023/09/10 | IT & Cyber-Security Solutions

By: Ctelecoms


In our previous blog, we discussed the Cisco Catalyst SD-WAN solution. In this blog, we focus on the Cisco Catalyst SD-WAN components. Let’s read it together to learn more about them!

Primary Cisco Catalyst SD-WAN Components

The Cisco Catalyst SD-WAN system's secure, virtual IP fabric comprises four essential elements:

  1. Cisco SD-WAN Manager: This centralized network management system allows users to configure and oversee the entire overlay network using an intuitive graphical dashboard.
  2. Cisco SD-WAN Controller: Serving as the central control hub of the Cisco Catalyst SD-WAN solution, the Cisco SD-WAN Controller manages the flow of data traffic across the network. It collaborates with the Cisco SD-WAN Validator for authenticating Cisco vEdge devices during network entry and for coordinating connectivity among edge routers.
  3. Cisco SD-WAN Validator: The Cisco SD-WAN Validator automates the establishment of connectivity between edge routers and Cisco SD-WAN Controllers. It also serves as the initial orchestrator for NAT traversal if any edge router or Cisco SD-WAN Controller is located behind a NAT.
  4. Cisco IOS XE Catalyst SD-WAN and Cisco vEdge Devices: These edge routers are positioned at the perimeters of various sites, such as remote offices, branches, campuses, and data centers. They facilitate connectivity between these sites and can be either physical hardware devices or software (Cloud router) running as virtual machines. The edge routers are responsible for transmitting data traffic.

Among these components, the edge router can take the form of a physical Cisco Catalyst SD-WAN hardware device or software functioning as a virtual machine. The remaining three components are software-only, with the Cloud router, Cisco SD-WAN Manager, and Cisco SD-WAN Controller software running on servers, and the Cisco SD-WAN Validator software operating as a process (daemon) on an edge router.

The accompanying figure illustrates the components of Cisco Catalyst SD-WAN, and the following sections provide detailed descriptions of each component.

  • Cisco Catalyst SD-WAN Manager
  • Cisco Catalyst SD-WAN Controller
  • Cisco Catalyst SD-WAN Validator
  • Cisco vEdge Devices and Cisco IOS XE Catalyst SD-WAN Devices

Cisco Catalyst SD-WAN Manager

Cisco SD-WAN Manager serves as a centralized network management system, offering a user-friendly dashboard that provides a visual representation of the network. It allows users to configure and manage Cisco edge network devices efficiently. The software for Cisco SD-WAN Manager typically operates on a server within the network and is often located in a centralized position, such as a data center. It's worth noting that Cisco SD-WAN Manager software can run on the same physical server as the Cisco SD-WAN Controller software if needed.

One of the key functionalities of Cisco SD-WAN Manager is its ability to store certificate credentials and create and store configurations for all Cisco edge network components. When these components are added to the network, they request their certificates and configurations from Cisco SD-WAN Manager. Upon receiving these requests, Cisco SD-WAN Manager pushes the necessary certificates and configurations to the Cisco edge network devices, ensuring they are properly configured and authenticated.

Additionally, for Cloud routers, Cisco SD-WAN Manager has the capability to sign certificates and generate bootstrap configurations. It can also perform device decommissioning when needed, ensuring the efficient management of these network components.


Cisco Catalyst SD-WAN Controller

The Cisco SD-WAN Controller is the central control hub of the Cisco Catalyst SD-WAN solution and manages the flow of data traffic across the overlay network. Working with the Cisco SD-WAN Validator, it authenticates edge routers as they join the network and coordinates connectivity among them.

Each Controller keeps a permanent DTLS control plane connection with every Cisco SD-WAN Validator in its domain, and each edge router, once authenticated, establishes a permanent DTLS connection with every Controller it communicates with. Within that connection the Controller runs OMP, which carries the routes, next-hop information, encryption keys, and policy data needed to build and maintain the overlay. From the route information the edge routers send, the Controller learns the network topology, calculates the best routes to network destinations, and distributes that route data back to the edge routers. Only control information travels over these connections; data traffic is forwarded by the edge routers themselves.

Like Cisco SD-WAN Manager, the Controller is software that runs on a server, and the two can share the same physical server if needed. In a domain with several Controllers, the Validator spreads incoming edge routers across them for load balancing.


Cisco Catalyst SD-WAN Validator

The Cisco SD-WAN Validator plays a crucial role in the Cisco Catalyst SD-WAN ecosystem, automating and simplifying the initial setup of Cisco SD-WAN Controllers and edge routers, while also ensuring connectivity between them. During the setup process, the Cisco SD-WAN Validator authenticates and validates devices seeking to join the overlay network, eliminating the need for manual configuration and reducing the risk of errors.

Here are the key components and functions of the Cisco SD-WAN Validator:

  1. Control Plane Connection: Each Cisco SD-WAN Validator establishes a persistent control plane connection, using a DTLS tunnel, with every Cisco Catalyst SD-WAN Controller within its domain. It also employs DTLS connections to communicate with edge routers as they come online. Basic authentication of edge routers is accomplished using certificates and RSA cryptography.
  2. NAT Traversal: The Cisco SD-WAN Validator facilitates the initial orchestration between edge routers and Cisco SD-WAN Controllers, particularly when one or both of these devices are located behind NAT (Network Address Translation) devices. Standard peer-to-peer techniques are employed to facilitate this orchestration, ensuring that devices can communicate even when NAT is in use.
  3. Load Balancing: In a domain with multiple Cisco SD-WAN Controllers, the Cisco SD-WAN Validator automatically distributes the load of incoming edge routers across these controllers as routers join the network. This load balancing helps ensure efficient resource utilization.

The Cisco SD-WAN Validator is a software module responsible for authenticating Cisco SD-WAN Controllers and edge routers in the overlay network and coordinating their connectivity. It requires a public IP address, making it the only Cisco vEdge device in the network that must have a public address.

The key responsibilities of the Cisco SD-WAN Validator include establishing the initial control connections between Cisco SD-WAN Controllers and edge routers, creating DTLS tunnels for authentication purposes, and instructing the relevant edge routers and Cisco SD-WAN Controllers to establish secure connectivity with each other. Importantly, it does not maintain any state information, ensuring efficiency and simplicity in its operation.

For redundancy and fault tolerance, you can deploy multiple Cisco SD-WAN Validators in the network, and edge routers can be directed to connect to any of them. Each Cisco SD-WAN Validator maintains permanent DTLS connections with all Cisco Catalyst SD-WAN Controllers, and in case one becomes unavailable, the others seamlessly take over, ensuring the continuity of network operations. In scenarios with multiple Cisco SD-WAN Controllers, the Cisco SD-WAN Validator pairs edge routers with specific controllers to achieve load balancing.

Cisco vEdge Devices and Cisco IOS XE Catalyst SD-WAN Devices

Edge routers, whether hardware or software devices, are responsible for handling data traffic across the network. When integrated into an existing network, these edge routers function like standard routers.


The components of an edge router in the Cisco SD-WAN ecosystem are integral to its functionality and play essential roles in managing and forwarding network traffic. Here's a breakdown of these components:

  1. DTLS Control Plane Connection: Each edge router establishes a permanent DTLS (Datagram Transport Layer Security) connection with every Cisco SD-WAN Controller it communicates with. This connection is created after successful device authentication and is responsible for securely transmitting encrypted payload data between the edge router and the Cisco SD-WAN Controller. This payload contains vital route information necessary for the Cisco SD-WAN Controller to understand the network's topology, calculate optimal routes to network destinations, and distribute this route data to the edge routers.
  2. OMP (Overlay Management Protocol): OMP operates within the DTLS connection, serving as the protocol responsible for carrying routes, next-hop information, encryption keys, and policy data needed to establish and maintain the overlay network. OMP facilitates communication between the edge router and the Cisco SD-WAN Controller, transmitting control information exclusively.
  3. Protocols: The edge router supports various standard protocols, including OSPF (Open Shortest Path First), BGP (Border Gateway Protocol), VRRP (Virtual Router Redundancy Protocol), and BFD (Bidirectional Forwarding Detection). These protocols enable the router to interact with other devices in the network and exchange routing and control information.
  4. Routing Information Base (RIB): Each edge router maintains multiple route tables populated with different types of routes, including direct interface routes, static routes, and dynamic routes acquired through BGP and OSPF. The content of these tables can be influenced by route policies, determining which routes are stored in the RIB.
  5. Forwarding Information Base (FIB): The FIB is a condensed version of the RIB that the edge router's CPU uses to make forwarding decisions for packet routing. It contains the most relevant and efficient route information for packet forwarding.
  6. Netconf and CLI (Command-Line Interface): Netconf is a standardized protocol utilized by Cisco SD-WAN Manager for provisioning the edge router. Additionally, each edge router offers a local CLI for administrative access and AAA (Authentication, Authorization, and Accounting) for security and access control.
  7. Key Management: Edge routers generate symmetric keys used for secure communication with other edge routers, employing the standard IPsec (Internet Protocol Security) protocol to ensure data confidentiality and integrity in transit.
  8. Data Plane: The edge router encompasses an extensive set of data plane functions, including IP forwarding (routing), IPsec for encryption and authentication of IP traffic, BFD for fast link failure detection, QoS (Quality of Service) for traffic prioritization and management, ACLs (Access Control Lists) for traffic filtering and security, mirroring for network monitoring purposes, and policy-based forwarding for directing traffic based on predefined policies.

These components collectively enable the edge router to handle a wide range of tasks, from securely communicating with the Cisco SD-WAN Controller and other edge routers to efficiently routing and forwarding network traffic while adhering to specified policies and quality requirements.


The edge router possesses localized intelligence, enabling it to make site-specific decisions related to routing, high availability (HA), interface management, ARP (Address Resolution Protocol) management, ACLs (Access Control Lists), and other functions. This local intelligence allows the edge router to handle tasks specific to its site without relying solely on central management.

The OMP (Overlay Management Protocol) session established with the Cisco SD-WAN Controller plays a critical role in influencing the Routing Information Base (RIB) within the edge router. It provides non-site-local routes and reachability information necessary for constructing and maintaining the overlay network. This means that the edge router can incorporate information from the central controller to make routing decisions that affect the entire network.

In terms of security and device authentication, hardware-based edge routers come equipped with a Trusted Board ID chip, which serves as a secure cryptoprocessor. This chip stores the private key, public key, and a signed certificate for the router. During the initial startup of the edge router, you typically provide minimal configuration information, such as the IP addresses of the router and the Cisco SD-WAN Validator. With this information and the data stored on the Trusted Board ID chip, the edge router can authenticate itself on the network. It then establishes a DTLS (Datagram Transport Layer Security) connection with the Cisco SD-WAN Controller within its domain.

Once connected, the edge router can receive its complete configuration from Cisco SD-WAN Manager, assuming it is available within the domain. This allows for automated and consistent configuration management across the network. In cases where Cisco SD-WAN Manager is not present, you have the option to manually download a configuration file or create a configuration directly on the edge router via a console connection.

Overall, the edge router's combination of local intelligence and secure hardware elements ensures it can operate autonomously and securely, while also benefiting from central control and configuration management when available.
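As an added illustration (not Cisco's code or configuration) of the certificate-based admission described in the Validator section and in the edge-router startup above: the Validator checks that a joining router's certificate chains to the trusted CA before handing it a Controller. The CA, the device names and the hash-based Controller choice are assumptions; the DTLS connection itself is not modelled.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity: a private key plus certificate, what the page says lives on the Trusted Board ID chip.
type identity struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

// issue makes an RSA key and certificate for cn; parent == nil means self-signed (the CA).
func issue(parent *identity, cn string, isCA bool) (*identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	usage := x509.KeyUsageDigitalSignature // leaf: signs DTLS handshakes
	if isCA {
		usage = x509.KeyUsageCertSign // CA: signs device certificates
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // constructed example name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{key: key, cert: cert}, nil
}

// validator holds what the Validator needs: the trusted CA and the Controllers in its domain.
type validator struct {
	roots       *x509.CertPool
	controllers []string
}

func newValidator(ca *identity, controllers ...string) *validator {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	return &validator{roots: pool, controllers: controllers}
}

// admit rejects certificates that do not chain to the trusted CA, then hashes the device
// name to pick a Controller so no per-device state is kept (hash choice is an assumption).
func (v *validator) admit(dev *x509.Certificate) (string, error) {
	if _, err := dev.Verify(x509.VerifyOptions{Roots: v.roots}); err != nil {
		return "", fmt.Errorf("reject %q: %w", dev.Subject.CommonName, err)
	}
	sum := sha256.Sum256([]byte(dev.Subject.CommonName))
	return v.controllers[int(sum[0])%len(v.controllers)], nil
}
```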


Cisco Catalyst SD-WAN Solution

Cisco Catalyst SD-WAN offers a range of next-generation software services to enhance and optimize cloud networking, providing improved performance, visibility, and ease of management. Here's an overview of these services:

  1. Cloud onRamp for SaaS: This service is designed to optimize the performance of Software as a Service (SaaS) cloud applications. It ensures that SaaS applications perform at their best by offering clear visibility into the performance of individual applications. Cloud onRamp automatically selects the most efficient and reliable path for each application, taking into account factors like loss and latency. Customized formulas are used to calculate metrics specific to each application, ensuring optimal performance.
  2. Cisco SD-WAN Analytics: Cisco SD-WAN Analytics is a Software as a Service (SaaS) offering hosted within the Cisco Catalyst SD-WAN solution. It provides graphical representations of your entire overlay network's performance over time. With this tool, you can gain insights into network performance and drill down to specific details related to carriers, tunnels, or individual applications at a particular moment in time. This visibility allows for better monitoring and troubleshooting of network issues.
  3. Cisco Catalyst SD-WAN Portal: The Cisco Catalyst SD-WAN Portal is a cloud-based infrastructure automation tool tailored for Cisco Catalyst SD-WAN. It simplifies the provisioning, monitoring, and maintenance of Cisco SD-WAN Controllers deployed on public cloud providers. This portal streamlines the management process, making it quicker and more efficient, especially in cloud environments.

These next-generation software services are integral to Cisco Catalyst SD-WAN's goal of providing a more efficient, reliable, and user-friendly experience for businesses using cloud-based applications and services. They enable organizations to optimize their network performance, gain deep insights into network behavior, and simplify the management of SD-WAN controllers in cloud environments.

  • Cloud onRamp for SaaS
  • Cisco Catalyst SD-WAN Analytics
  • Cisco Catalyst SD-WAN Portal

Cloud onRamp for SaaS

Enterprises are increasingly reliant on critical SaaS applications like Microsoft Office365, Salesforce, Dropbox, and others. To provide connectivity for their users accessing these applications, enterprises typically employ three primary methods:

  1. Direct Internet Access (DIA) from a Branch Office: In this approach, branch offices have direct access to the internet, allowing users to connect to SaaS applications without routing traffic through a central location.
  2. Internet Access through Regional Facilities: Some enterprises route internet traffic through regional data centers or facilities. These facilities act as gateways for internet access, providing centralized control and security for outgoing traffic.
  3. Cloud Exchange or Direct Connection through Carrier Neutral Facilities (CNF): Enterprises can establish direct connections to cloud service providers through Carrier Neutral Facilities. These connections offer high-speed, low-latency access to SaaS applications hosted in the cloud.

However, network performance can significantly impact the user experience when accessing SaaS applications. Latency and packet loss, in particular, can degrade application performance. Unfortunately, many network administrators lack visibility into the performance characteristics between end-users and SaaS applications. When network path issues arise and impact application performance, shifting traffic from a primary to an alternate path can be a complex, manual, time-consuming, and error-prone process.

Cisco Catalyst SD-WAN Cloud onRamp for SaaS addresses these challenges by providing:

  1. Visibility and Continuous Monitoring: Cloud onRamp for SaaS offers real-time visibility into network performance characteristics. It continuously monitors the network and application performance.
  2. Real-time Decision-Making: The solution makes real-time decisions by intelligently selecting the best-performing path between end-users and SaaS applications. This ensures an optimal user experience.
  3. Automatic Reaction to Network Changes: Cloud onRamp for SaaS reacts automatically to changes in network performance. When it detects degraded network paths, it intelligently reroutes application traffic to avoid these issues.
  4. Support for All Access Methods: The solution supports various access methods for cloud-based SaaS applications, including DIA, regional facility gateways, and access through Carrier Neutral Facilities.
  5. Viptela Quality of Experience (vQoE): Cloud onRamp for SaaS calculates an application performance value called vQoE for enterprise cloud applications. This value considers loss and latency, applying a customized formula for each application. For instance, it recognizes that email applications may tolerate latency better than video applications. The vQoE value ranges from zero (poor quality) to ten (excellent quality).

Enabling Cloud onRamp for SaaS in Cisco SD-WAN Manager is straightforward, typically requiring just a few clicks. Once enabled, network administrators can access the Cloud onRamp dashboard within Cisco SD-WAN Manager. This dashboard provides continuous visibility into the performance of individual applications, empowering administrators to make data-driven decisions to ensure an optimal user experience when accessing SaaS applications.


Cisco Catalyst SD-WAN Analytics

Cisco SD-WAN Analytics is a valuable tool within the Cisco Catalyst SD-WAN solution, offering in-depth visibility and insights into both application performance and network conditions over time. This Software as a Service (SaaS) offering, hosted by Cisco, provides a comprehensive view of your network and allows for detailed analysis, with the following key features:

  1. Graphical Network Representation: Cisco SD-WAN Analytics provides graphical representations of your entire overlay network. The dashboard serves as an interactive overview, giving you insights into the health and performance of your network. By default, it displays aggregated information for the last 24 hours. However, you can select different time periods to analyze data for specific metrics.
  2. Application Performance Metrics: The platform calculates application performance using the Quality of Experience (QoE) value, which is customized for each individual application. The QoE value is on a scale from zero (poor performance) to ten (excellent performance). It factors in metrics such as latency, loss, and jitter, with each application's calculation tailored to its specific characteristics.
  3. Historical Data Storage: Cisco SD-WAN Analytics retains data over an extended period, enabling you to access historical trend information. This historical data can be instrumental in planning for future network enhancements and optimizations.
  4. Application Visibility: The platform offers detailed insights into application performance, including:
    • Best and Worst Performing Applications: Identify which applications are performing exceptionally well and those that may require attention. Drill down to see performance details at the site level.
    • Most Bandwidth-Consuming Applications: Identify applications that are consuming the most bandwidth on your network. You can drill down further to view information about the sites and users responsible for this consumption.
  5. Network Visibility: Cisco SD-WAN Analytics provides visibility into network conditions, including:
    • Network Availability and Circuit Availability: Monitor network availability and correlate it with circuit availability, helping you identify any potential issues.
    • Tunnel Performance: Evaluate key performance indicators such as loss, latency, and jitter for various Cisco Catalyst SD-WAN tunnels.
    • Carrier Usage Views: Gain insights into your network providers and their network characteristics, aiding in informed decision-making regarding carrier selection.

Overall, Cisco SD-WAN Analytics offers a comprehensive view of your network's performance and application behavior over time. It empowers network administrators and IT teams to make data-driven decisions, troubleshoot issues efficiently, and plan for future network enhancements based on historical data and insights.


Cisco Catalyst SD-WAN Portal

The Cisco Catalyst SD-WAN Portal is a specialized cloud-based infrastructure automation tool designed specifically for Cisco Catalyst SD-WAN. Its primary purpose is to simplify and streamline the provisioning, monitoring, and maintenance of various Cisco SD-WAN Controllers within public cloud environments.

Using the Cisco Catalyst SD-WAN Portal, you can efficiently provision and manage the following types of controllers:

  1. Cisco SD-WAN Manager: This centralized network management system allows you to configure and manage the entire overlay network from a single graphical dashboard. The portal facilitates the provisioning and ongoing management of Cisco SD-WAN Manager instances in public cloud environments.
  2. Cisco Catalyst SD-WAN Validator: The Cisco Catalyst SD-WAN Validator plays a critical role in authenticating and coordinating the initial setup of Cisco SD-WAN Controllers and edge routers. With the portal, you can provision and manage Cisco Catalyst SD-WAN Validator instances in public cloud deployments.
  3. Cisco Catalyst SD-WAN Controller: The Cisco Catalyst SD-WAN Controller serves as the central control hub for the Cisco Catalyst SD-WAN solution, managing data traffic flow throughout the network. The portal enables the efficient provisioning and maintenance of Cisco Catalyst SD-WAN Controller instances in public cloud environments.

By using the Cisco Catalyst SD-WAN Portal, organizations can expedite the deployment of Cisco SD-WAN components in public cloud providers, ensure proper configuration, and monitor the health and performance of these controllers from a centralized and user-friendly interface. This tool contributes to a more efficient and agile network management process in cloud-based Cisco SD-WAN deployments.


Ctelecoms' status as a Premier Cisco Partner underscores our expertise in planning and implementing Cisco solutions in the Kingdom. We are always ready to assist with your organization's security and solution requirements.

Don’t miss these amazing features. For more information, book an appointment with our consultant.





