Creates a secure control plane with vSmart controllers (OMP). Implements data plane policies. Supports Zero Touch Provisioning. RFC 4023 enables the encapsulation of MPLS packets in IP or GRE; for MPLS-in-IP the protocol field of the IP header has the value 137. Enabled by default and allows all WAN Edge routers to connect together (full mesh).
Origin: This is the source protocol of the route (BGP, OSPF, EIGRP, Static or Connected) along with protocol metrics. These are routes that represent services that are connected to the WAN Edge local site network and are available for other sites to use. Service routes include VPN labels that are sent to the vSmart controllers to update which VPNs are being served at the remote site.
It is used to select the route when two identical routes come from different protocols.
Check whether OMP route is valid/active using BFD
Locally sourced OMP route
Select route with lowest AD
If equal AD, select highest preference value
On Edge routers; if equal preference, select highest TLOC preference
If equal TLOC preference, compare and select origin type in the order
If origin type is equal, select lowest origin metric
On edge routers only; if origin is equal, select highest System IP
If equal System IP, edge router selects route with highest private IP address while vSmart controller will choose both routes
If all attributes are equal, vSmart will prefer route from Edge router to route from another vSmart
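The tie-break chain above is easiest to understand as a sequence of filters, each keeping only the routes that are best on one attribute and stopping as soon as a single route remains. The following Python model is an added example written for this page, not Cisco or Viptela code. The `OmpRoute` fields, the `learned_from` flag and the `ORIGIN_RANK` table are assumptions: the page says origin types are compared "in the order" but does not list that order, so the ranking below is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Assumed origin-type ranking (lower wins). The page does not give the real
# order, so treat this table as a placeholder, not vendor behaviour.
ORIGIN_RANK = {"connected": 0, "static": 1, "bgp": 2, "eigrp": 3, "ospf": 4}


@dataclass
class OmpRoute:
    prefix: str
    bfd_up: bool            # step 1: route is valid/active according to BFD
    locally_sourced: bool   # step 2: locally sourced routes win
    ad: int                 # step 3: administrative distance, lower wins
    preference: int         # step 4: OMP route preference, higher wins
    tloc_preference: int    # step 5: TLOC preference, higher wins (edge only)
    origin: str             # step 6: source protocol, ranked by ORIGIN_RANK
    origin_metric: int      # step 7: source protocol metric, lower wins
    system_ip: str          # step 8: higher wins (edge only)
    private_ip: str         # step 9: edge picks higher; vSmart keeps both
    learned_from: str       # "edge" or "vsmart": step 10, vSmart only


def _keep_min(cands, key):
    """Keep only the candidates whose key is minimal (ties are all kept)."""
    best = min(key(r) for r in cands)
    return [r for r in cands if key(r) == best]


def best_paths(routes, role):
    """Return the winning route(s) for one prefix on an 'edge' or a 'vsmart'.

    Selection stops as soon as one route remains; a vSmart can legitimately
    end with several equal routes, which is why a list is returned.
    """
    if role not in ("edge", "vsmart"):
        raise ValueError("role must be 'edge' or 'vsmart'")
    cands = [r for r in routes if r.bfd_up]            # step 1
    steps = [
        lambda r: 0 if r.locally_sourced else 1,        # step 2
        lambda r: r.ad,                                 # step 3
        lambda r: -r.preference,                        # step 4
    ]
    if role == "edge":
        steps.append(lambda r: -r.tloc_preference)     # step 5
    steps += [
        lambda r: ORIGIN_RANK.get(r.origin, len(ORIGIN_RANK)),  # step 6
        lambda r: r.origin_metric,                      # step 7
    ]
    if role == "edge":
        steps += [
            lambda r: -int(ipaddress.IPv4Address(r.system_ip)),   # step 8
            lambda r: -int(ipaddress.IPv4Address(r.private_ip)),  # step 9
        ]
    else:
        # vSmart skips steps 8 and 9 (keeps both) and prefers edge-learned
        # routes over routes received from another vSmart (step 10).
        steps.append(lambda r: 0 if r.learned_from == "edge" else 1)
    for key in steps:
        if len(cands) <= 1:
            break
        cands = _keep_min(cands, key)
    return cands


def sample_routes():
    """Constructed sample: three advertisements for the same prefix."""
    common = dict(prefix="10.20.0.0/16", locally_sourced=False, ad=20,
                  preference=100, origin="bgp", origin_metric=0,
                  learned_from="edge")
    return [
        # BFD down: excluded at step 1 even though its TLOC preference is highest
        OmpRoute(bfd_up=False, tloc_preference=1000, system_ip="10.0.0.9",
                 private_ip="192.168.9.1", **common),
        OmpRoute(bfd_up=True, tloc_preference=100, system_ip="10.0.0.1",
                 private_ip="192.168.1.1", **common),
        OmpRoute(bfd_up=True, tloc_preference=50, system_ip="10.0.0.2",
                 private_ip="192.168.2.1", **common),
    ]


if __name__ == "__main__":
    routes = sample_routes()
    print("edge  :", [r.system_ip for r in best_paths(routes, "edge")])
    print("vsmart:", [r.system_ip for r in best_paths(routes, "vsmart")])
```

Running the sample shows the divergence the list describes: the edge router picks the route with the higher TLOC preference, while the vSmart, which ignores TLOC preference and system IP, keeps both routes.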
CASE EXAMPLES
Private TLOC: IP address on the interface inside the NAT. Public TLOC: IP address on the interface outside the NAT. Private and public can be the same if the connection is not subject to NAT. Does not have to be unique, but if reused, the same location is assumed. Required configuration for OMP and TLOC to appear. OU carried in both directions for authentication between control nodes and vEdge nodes. Can be set to anything as long as it is consistent within the Viptela SEN domain.
Full Cone NAT: Also called Static NAT
Symmetric NAT: also called dynamic PAT. Allows a large number of hosts
Address Restricted Cone NAT: Similar to full Cone NAT with exception that the external
Port Restricted Cone NAT: Same as Address Restricted but the external host must use
The Customer sends a binding request to the STUN server, which will respond with a Success Response containing the customer's source address from the server's perspective. Upon receiving the response, the client will see the IP information and determine if it is behind a NAT.
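The binding exchange above can be reproduced offline. The Python below is an added example for this page (not Viptela or Cisco code): it builds a STUN Binding Request in the RFC 5389 wire format, parses a Binding Success Response carrying an XOR-MAPPED-ADDRESS attribute, and compares the reflexive address with the local socket address to decide whether the client sits behind a NAT. The server-side response is constructed locally so the example needs no network; the addresses and ports in it are made-up sample values.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header with no attributes: type, length, cookie, transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 96 bits")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_success_response(txid: bytes, ip: str, port: int) -> bytes:
    """What a STUN server sends back; constructed here so the example runs offline.

    XOR-MAPPED-ADDRESS stores port XOR the top 16 bits of the cookie and
    the address XOR the whole cookie.
    """
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, txid: bytes):
    """Return (ip, port) seen by the server, validating cookie and transaction ID."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("response does not belong to our transaction")
    if mtype != BINDING_SUCCESS:
        raise ValueError("not a Binding Success Response: 0x%04x" % mtype)
    body = data[20:20 + mlen]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attributes are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            family, xport, xaddr = struct.unpack("!xBHI", value[:8])
            if family != FAMILY_IPV4:
                continue                      # IPv6 XOR uses the transaction ID too; not handled here
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def behind_nat(local_ip: str, local_port: int, reflexive) -> bool:
    """The client is behind a NAT if the server saw a different address or port."""
    return reflexive != (local_ip, local_port)


def check_nat_offline(local_ip="10.1.1.5", local_port=12345,
                      seen_ip="203.0.113.10", seen_port=40000):
    """Run the whole exchange against a constructed server reply."""
    txid = bytes(range(12))                  # sample only; use os.urandom(12) in practice
    request = build_binding_request(txid)
    response = build_success_response(txid, seen_ip, seen_port)   # constructed reply
    reflexive = parse_binding_response(response, txid)
    return len(request), reflexive, behind_nat(local_ip, local_port, reflexive)


if __name__ == "__main__":
    print(check_nat_offline())
```

Checking the cookie and the transaction ID before trusting the reflexive address is the important part: a reply that fails either check is not the answer to the request the client sent.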
MPLS
- WAN Edge 1 generates an encryption key
- WAN Edge 1 advertises the key via an OMP route update. This key is received and
- Now that the WAN Edges have their respective peer keys, IPsec tunnels can be built
- WAN Edge 1 and WAN Edge 2 generate
- Both routers advertise these via OMP
- Each WAN Edge will generate a key for each transport and each peer. This key will be
- If Edge A sends data to Edge C, Key AC will be used. Edge C will use the key of CA when
If WAN Edge 1 sends traffic to WAN Edge 2, it will use its own key generated for WAN Edge 2.
SD-WAN Platforms
It is available as a virtual machine (VM) on the KVM hypervisor or on the VMware ESXi hypervisor, as well as in public cloud environments. It can be deployed on an Enterprise Network Compute System (ENCS), Unified Computing System (UCS) or Cloud Services Platform (CSP). [Figure: device authenticity verification based on a root of trust, serial number and certificate]
Note: If you are using Enterprise CA on controllers, load the Enterprise CA root chain on vEdges (ZTP).
- HW Authenticity Check
- Secure PnP
- Integrity Verification
- Integrity Applications
DIY (Complexity / Scale):
- Complex: per-hop segmentation (VRFs)
- Non-scalable: per-segment routing
Service Provider Delivered (Cost / Restrictive):
- High cost: per-segment MPLS VPN
- Restricted: MPLS only, not hybrid WAN
- Remote-access VPNs
- Site-to-site VPNs: Used to connect two or more
- Log in with the default username and password
- Open a CLI session to the Viptela device via SSH
- Enter configuration mode
- Configure the hostname
- Configure the system IP address & vBond IP
- Configure an interface in VPN 0, to connect to the Internet or other WAN transport network
- Commit the configuration
To connect to the vManage instance using a web browser, configure an IP address on the management interface in VPN 512:
(config)# vpn 512
(config-vpn-512)# interface eth0
(config-interface-eth0)# ip address ip-address
(config-interface-eth0)# no shutdown
(config-interface-eth0)# commit and hold
If needed, add a default route:
(config)# ip route prefix/length next-hop ip-address
Configure an interface in VPN 0 to connect to the Internet or other WAN transport network.
Add a vBond orchestrator to the network, automatically generate the CSR, and install the signed certificate. Configure the vBond orchestrator IP address or a DNS name that points to the vBond orchestrator. By default, the control plane uses DTLS as the protocol that provides privacy throughout.
IPsec is enabled by default on all vEdge routers, which use AH-SHA1 HMAC or ESP HMAC-SHA1 for authentication. Use the Network screen to display a list of Viptela devices in the overlay network and detailed information about individual devices. Use the Alarms screen to display detailed information about alarms generated by controllers and routers in the overlay network.
Use the ACL log screen to view logs for access lists (ACLs) configured on a vEdge router.
SD-WAN
- Enter a template name and description on the template form
- In the Device or Feature tab, select a template
- Click the More Actions icon to the right of the row and click Edit
View a Template
- In the Device or Feature tab, select a template
- Click the More Actions icon to the right of the row and click View
Delete a Template
- In the Device or Feature tab, select a template
- Click the More Actions icon to the right of the row and click Delete
- Click OK to confirm deletion of the template
- Configure BGP to run in the VPN
- Configure the BGP peer
- Configure a system IP address for the vEdge router
- Redistribute BGP Routes and AS Path Information
- Click the More Actions icon to the right of the row and click Pair Devices
- Click the More Actions icon to the right of the row and click Export CSV
Apply the policy only to a specific neighbor (BGP transport):
vEdge(config)# vpn 0 router bgp local-as-number neighbor
Centralized Policy
Localized Policy
Corresponds to routing policy and operates on routes and routing information in the control plane. Centralized control policy is provided on the vSmart controller and determines what routing information is placed in vSmart and what is sent to vEdges. Affects the flow of traffic in the overlay based on IP header or router interface.
Centralized data policy controls data flow based on 5-tuple (source and destination IP and port number and DSCP fields) in the overlay. Localized data policy controls the flow of data in/out of interfaces on edge routers. Data-prefix-list: Used in the data policy to define the prefix or ports for matching traffic.
Policy Application
As soon as a match occurs, the matched entity is subject to the configured action of the sequence and is then no longer subject to continued processing. Any entity not matched in a sequence is subject to the default action of the policy. The control policy is unidirectional and is applied either inbound to the vSmart controller or outbound.
Data policy is directional and can be applied to traffic received from the service side of the vEdge router, traffic received from the tunnel side, or both.
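The first-match semantics of the two paragraphs above (a matched entity takes the sequence's action and is not processed further; anything unmatched gets the policy's default action; a data policy is only evaluated in the direction it is applied) can be modelled directly. The Python below is an added example written for this page, not Cisco or Viptela code. The `Sequence`, `DataPolicy` and `Flow` classes, the direction names and the sample prefixes and ports are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    """The 5-tuple plus DSCP that a data policy matches on."""
    src: str
    dst: str
    sport: int
    dport: int
    dscp: int


def _in_prefix_list(ip: str, prefixes) -> bool:
    """Model of a data-prefix-list: true if the address falls in any entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


@dataclass
class Sequence:
    seq: int
    action: str                                   # "accept" or "drop"
    src_prefix_list: Optional[list] = None        # data-prefix-list entries
    dst_prefix_list: Optional[list] = None
    dst_ports: Optional[set] = None
    dscp: Optional[set] = None

    def matches(self, flow: Flow) -> bool:
        # Every configured condition must hold; an unset condition matches anything.
        if self.src_prefix_list is not None and not _in_prefix_list(flow.src, self.src_prefix_list):
            return False
        if self.dst_prefix_list is not None and not _in_prefix_list(flow.dst, self.dst_prefix_list):
            return False
        if self.dst_ports is not None and flow.dport not in self.dst_ports:
            return False
        if self.dscp is not None and flow.dscp not in self.dscp:
            return False
        return True


@dataclass
class DataPolicy:
    sequences: list
    default_action: str = "drop"
    applied_direction: str = "from-service"       # "from-service", "from-tunnel" or "all"

    def evaluate(self, flow: Flow, direction: str):
        """Return (action, seq); seq is None when the default action applies.

        Sequences are tried in ascending order and processing stops at the
        first match, so a later, broader sequence never overrides an earlier one.
        """
        if self.applied_direction != "all" and direction != self.applied_direction:
            return ("not-applied", None)
        for s in sorted(self.sequences, key=lambda s: s.seq):
            if s.matches(flow):
                return (s.action, s.seq)
        return (self.default_action, None)


def sample_policy() -> DataPolicy:
    """Constructed policy: allow HTTPS from one site, drop the rest of that site,
    accept EF-marked traffic from anywhere, default drop."""
    return DataPolicy(
        sequences=[
            Sequence(10, "accept", src_prefix_list=["10.1.0.0/16"], dst_ports={443}),
            Sequence(20, "drop", src_prefix_list=["10.1.0.0/16"]),
            Sequence(30, "accept", dscp={46}),
        ],
        default_action="drop",
        applied_direction="from-service",
    )


if __name__ == "__main__":
    pol = sample_policy()
    for f in (Flow("10.1.5.5", "10.2.0.1", 50000, 443, 0),
              Flow("10.1.5.5", "10.2.0.1", 50000, 80, 46),
              Flow("192.168.7.7", "10.2.0.1", 50000, 22, 0)):
        print(f, "->", pol.evaluate(f, "from-service"))
```

The second sample flow is the instructive one: it would match sequence 30 (DSCP 46), but sequence 20 matches first and drops it, which is exactly the "no longer subject to continued processing" rule.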
SD-WAN security and platform summary (slide text):
- Single pane of glass management, in the cloud or on-prem
- Embedded: enterprise firewall (app aware); AMP and Threat Grid *
- Cloud: DNS/web-layer security
- Platforms: ISR 1K, ISR 4K
- Full edge / branch edge router
Configure vBond IP
Configure Certificate Authorization settings
Install Signed certificate on vManage
Launch the VMware vSphere Client application and enter the IP address or name of the ESXi server, your username, and your password.