In this blog, we will know how the Viptela SD-WAN solution works. You can also refer to the blog for a basic understanding of SD-WAN. The following topic will be covered in this article:

  1. Underlay & Overlay in SDWAN
  2. OMP
  3. OMP Terminologies

Underlay & Overlay in SD-WAN

In this section, we will see and understand how the underlay & overlay reachability get established between vEdge/cEdge devices and the controllers (vBond/vSmart).

Underlay Reachability

In Underlay, we will make sure the reachability of vEdge/cEdge devices to vBond. In the below topology, we can see that the controllers are connected to the data-center router through a switch. The Data-Centre Router is further connected to Site-1 & Site-2 via Internet and MPLS transport.

The following IP-Schema have been used in the above topology:

 1) Between Controllers & Data-Centre Router:

2) Between Data-Centre Router & Internet Router:

3) Between Internet Router & Site-1 and Site-2: &

4) Between Internet Router & MPLS Router:

5) Between MPLS Router & Site-1 and Site-2: &

6) Site-1 LAN Subnet:

7) Site-2 LAN Subnet:

The following configurations will be done for Underlay reachability between vEdge/cEdge devices and Controllers (vSmart/vBond):

  1. We will tell the vBond controller’s IP on the vEdge/cEdge router either manually or using ZTP.
  2. We will configure a default route on the vEdge & cEdge router pointing towards the Internet router.
  3. We will configure a default route on the Data-Centre router pointing towards the Internet router.
  4. We will run BGP/IGP routing protocol between Data-Centre Router & MPLS Router. We will advertise the prefix in BGP on the Data-Centre router.
  5. The BGP/IGP will also be run between the MPLS router & vEdge and cEdge router.

After completing the above configurations on the respective devices, both vEdge & cEdge will be reachable to vBond via Public IP as well as private IP using Internet & MPLS transport. Once the underlay reachability is established, there will be getting created a secure DTLS tunnel between the vBond and vEdge/cEdge device.

Overlay Reachability

In overlay reachability, we will see the DTLS tunnel thatwill be created between vBond & vEdge/cEdge devices. The TLS/ DTLS tunnel will get established between vSmart & vEdge/cEdge device. Also, the IPsec tunnel will be created between Site-1 and Site-2 through vEdge & cEdge devices.

Once the reachability between vBond & vEdge/cEdge is done, the following procedure will be followed:

 1) The mutual authentication based on certification will be done between vBond & vEdge/cEdge devices.

 2) Once the authentication is done, a secure DTLS tunnel will automatically be created between vBond and vEdge/cEdge. The vBond will share the IP detail of vSmart & vManage to vEdge/cEdge devices through the DTLS tunnel.  The DTLS tunnel between vBond & vEdge/cEdge will be created on a temporary basis and will be getting vanished once the IP detail of vSmart & vBond is shared to vEdge/cEdge devices.

 3) Once receiving the vSmart IP detail, the cEdge/vEdge device will establish a secure TLS/DTLS tunnel with vSmart.

4) The vEdge/cEdge device will share their respective IP details to vSmart through TLS/DTLS tunnel using OMP protocol. This TLS/DTLS tunnel between vSmart and vEdge/cEdge will carry the control plane traffic.

5) The vSmart will reflect the IP information of one another to vEdge/cEdge devices through TLS/DTLS tunnel using OMP protocol.

6) Once both vEdge & cEdge are aware of one-another IPs, the IPsec tunnel will be created between Site-1 & Site-2 as shown in the above diagram. Within this IPsec tunnel. BFD protocol will be responsible for the liveliness of the tunnel between the sites. This article explains how SD-WAN does work. We hope that while going through this article, you will be able to understand the basic workflow behind SD-WAN fabric and how underlay & Overlay work in SD-WAN solutions. In continuation of this blog, we will discuss how SD-WAN works in the next blog for SD-WAN where we will discuss OMP protocol and its terminologies. You can also refer to another SD-WAN blog. You should visit Zindagi website or contact us on 9773973971 in case of any queries.

Sani Singh

Consultant – Enterprise Networking

Leave a comment

Your email address will not be published.