Underlay & Overlay in SD-WAN
In this section we will see how underlay and overlay reachability is established between the vEdge/cEdge devices and the controllers (vBond/vSmart).
In the underlay, we make sure that the vEdge/cEdge devices can reach vBond. In the below topology, the controllers are connected to the data-centre router through a switch. The data-centre router is further connected to Site-1 and Site-2 via the Internet and MPLS transports.
The following IP schema has been used in the above topology:
1) Between Controllers & Data-Centre Router: 188.8.131.52/24
2) Between Data-Centre Router & Internet Router: 184.108.40.206/30
3) Between Internet Router & Site-1 and Site-2: 220.127.116.11/30 & 18.104.22.168/30
4) Between Internet Router & MPLS Router: 10.1.1.0/30
5) Between MPLS Router & Site-1 and Site-2: 10.1.2.0/30 & 10.1.3.0/30
6) Site-1 LAN Subnet: 192.168.1.0/24
7) Site-2 LAN Subnet: 172.16.20.0/24
The following configurations are done for underlay reachability between the vEdge/cEdge devices and the controllers (vSmart/vBond):
- We configure the vBond controller's IP address on the vEdge/cEdge router, either manually or using ZTP.
- We configure a default route on the vEdge and cEdge routers pointing towards the Internet router.
- We configure a default route on the data-centre router pointing towards the Internet router.
- We run a BGP/IGP routing protocol between the data-centre router and the MPLS router, and advertise the 22.214.171.124/24 prefix in BGP on the data-centre router.
- BGP/IGP also runs between the MPLS router and the vEdge and cEdge routers.
After completing the above configurations on the respective devices, both vEdge and cEdge can reach vBond via its public IP as well as its private IP, using the Internet and MPLS transports. Once underlay reachability is established, a secure DTLS tunnel is created between vBond and the vEdge/cEdge device.
In overlay reachability, we will see the DTLS tunnel that is created between vBond and the vEdge/cEdge devices, and the TLS/DTLS tunnel that is established between vSmart and the vEdge/cEdge devices. Finally, an IPsec tunnel is created between Site-1 and Site-2 through the vEdge and cEdge devices.
Once reachability between vBond and the vEdge/cEdge devices is in place, the following procedure is followed:
1) Mutual, certificate-based authentication is performed between vBond and the vEdge/cEdge devices.
2) Once authentication succeeds, a secure DTLS tunnel is automatically created between vBond and the vEdge/cEdge device. Through this DTLS tunnel, vBond shares the IP details of vSmart and vManage with the vEdge/cEdge devices. The DTLS tunnel between vBond and the vEdge/cEdge device is temporary: it is torn down once the IP details of vSmart & vBond have been shared with the vEdge/cEdge devices.
3) On receiving the vSmart IP details, the cEdge/vEdge device establishes a secure TLS/DTLS tunnel with vSmart.
4) The vEdge/cEdge devices share their respective IP details with vSmart through the TLS/DTLS tunnel using the OMP protocol. This TLS/DTLS tunnel between vSmart and the vEdge/cEdge devices carries the control-plane traffic.
5) vSmart reflects the IP information of each vEdge/cEdge device to the others through the TLS/DTLS tunnel using the OMP protocol.
6) Once both vEdge and cEdge are aware of one another's IPs, an IPsec tunnel is created between Site-1 and Site-2 as shown in the above diagram. Within this IPsec tunnel, the BFD protocol is responsible for monitoring the liveliness of the tunnel between the sites.
This article explained how SD-WAN works. We hope that, having gone through it, you understand the basic workflow behind the SD-WAN fabric and how the underlay and overlay work in SD-WAN solutions. In the next blog in this SD-WAN series we will discuss the OMP protocol and its terminologies. You can also refer to our other SD-WAN blog. Please visit the Zindagi website or contact us on 9773973971 in case of any queries.
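The six-step procedure above, modelled as an added Python example (this is not Cisco or Viptela code and not part of the original post). Certificates are plain records, tunnels are Python objects and OMP is a dictionary of routes; the trust anchor (ExampleOrg-Root-CA), the controller addresses, the system IPs and the TLOC addresses are constructed placeholders, while the two LAN prefixes are the page's own. The model makes the ordering and its security properties visible: the vBond session exists only after mutual certificate checks and is closed once the controller addresses are handed over, a device whose certificate does not chain to the trusted CA never reaches the OMP table, and IPsec tunnels are derived only from routes that vSmart reflected.

```python
"""Toy model of the SD-WAN control-plane bring-up: added illustration only."""
from dataclasses import dataclass, field

TRUSTED_CA = "ExampleOrg-Root-CA"   # constructed trust anchor, not a real CA


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


class AuthError(Exception):
    pass


def mutual_auth(a: Cert, b: Cert) -> None:
    """Step 1: both peers must present a certificate issued by the trusted CA."""
    for cert in (a, b):
        if cert.issuer != TRUSTED_CA:
            raise AuthError(f"{cert.subject}: untrusted issuer {cert.issuer}")


@dataclass
class Edge:
    name: str
    cert: Cert
    system_ip: str            # control-plane identity used in OMP (constructed)
    lan_prefix: str           # site LAN advertised into OMP
    tloc: str                 # transport-side address used for IPsec (constructed)
    controllers: dict = field(default_factory=dict)   # learned from vBond
    omp_routes: dict = field(default_factory=dict)    # prefix -> (system_ip, tloc)
    ipsec: dict = field(default_factory=dict)         # peer system_ip -> tunnel state


@dataclass
class VBond:
    cert: Cert
    vsmart_ip: str
    vmanage_ip: str
    transient_sessions: list = field(default_factory=list)

    def bootstrap(self, edge: Edge) -> dict:
        """Steps 1-2: authenticate, hand over controller addresses, close the tunnel."""
        mutual_auth(self.cert, edge.cert)            # raises before any session exists
        session = {"peer": edge.name, "proto": "DTLS", "open": True}
        self.transient_sessions.append(session)
        edge.controllers = {"vsmart": self.vsmart_ip, "vmanage": self.vmanage_ip}
        session["open"] = False                      # vBond tunnel is temporary
        return edge.controllers


@dataclass
class VSmart:
    cert: Cert
    sessions: dict = field(default_factory=dict)    # edge name -> persistent tunnel
    omp_table: dict = field(default_factory=dict)   # prefix -> (system_ip, tloc)

    def connect(self, edge: Edge) -> None:
        """Steps 3-4: persistent DTLS/TLS tunnel; edge advertises its prefix over OMP."""
        if edge.controllers.get("vsmart") is None:
            raise RuntimeError(f"{edge.name} has not learned vSmart from vBond")
        mutual_auth(self.cert, edge.cert)
        self.sessions[edge.name] = {"proto": "DTLS", "open": True}
        self.omp_table[edge.lan_prefix] = (edge.system_ip, edge.tloc)

    def reflect(self, edge: Edge) -> None:
        """Step 5: reflect every other site's OMP route to this edge."""
        edge.omp_routes = {p: v for p, v in self.omp_table.items()
                           if v[0] != edge.system_ip}


def build_ipsec(edges: list) -> None:
    """Step 6: an IPsec tunnel per learned TLOC, with BFD tracking its liveness."""
    for e in edges:
        for _prefix, (peer_ip, peer_tloc) in e.omp_routes.items():
            e.ipsec[peer_ip] = {"remote_tloc": peer_tloc, "bfd": "up"}


def bring_up(vbond: VBond, vsmart: VSmart, edges: list) -> dict:
    """Run the full procedure; devices failing authentication are reported, not admitted."""
    rejected, admitted = {}, []
    for e in edges:
        try:
            vbond.bootstrap(e)
            vsmart.connect(e)
            admitted.append(e)
        except AuthError as err:
            rejected[e.name] = str(err)
    for e in admitted:
        vsmart.reflect(e)
    build_ipsec(admitted)
    return {
        "rejected": rejected,
        "vbond_open_sessions": sum(s["open"] for s in vbond.transient_sessions),
        "vsmart_sessions": sorted(vsmart.sessions),
        "ipsec": {e.name: sorted(e.ipsec) for e in admitted},
    }


def demo() -> dict:
    """Constructed topology: Site-1 vEdge, Site-2 cEdge and one device with a bad cert."""
    ca = TRUSTED_CA
    vbond = VBond(Cert("vbond", ca), vsmart_ip="10.255.0.2", vmanage_ip="10.255.0.3")
    vsmart = VSmart(Cert("vsmart", ca))
    site1 = Edge("vEdge-Site1", Cert("vEdge-Site1", ca), "10.10.1.1", "192.168.1.0/24", "10.1.2.2")
    site2 = Edge("cEdge-Site2", Cert("cEdge-Site2", ca), "10.10.2.1", "172.16.20.0/24", "10.1.3.2")
    rogue = Edge("rogue", Cert("rogue", "Unknown-CA"), "10.10.9.9", "10.99.0.0/24", "10.9.9.9")
    return {"summary": bring_up(vbond, vsmart, [site1, site2, rogue]),
            "site1": site1, "site2": site2}


if __name__ == "__main__":
    print(demo()["summary"])
```

Running the block prints the bring-up summary: no open vBond sessions remain, only the two authenticated sites hold vSmart sessions, the rogue device is listed under "rejected", and each site has exactly one IPsec tunnel, towards the other site's system IP.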
Consultant – Enterprise Networking