From 316ab53d0bc20c89686923d3455d813e35283923 Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 28 Jul 2025 15:18:50 -0500 Subject: [PATCH] Update tech_docs/networking/sdwan.md --- tech_docs/networking/sdwan.md | 239 ++++++++++++++++++++++++++++++++++ 1 file changed, 239 insertions(+) diff --git a/tech_docs/networking/sdwan.md b/tech_docs/networking/sdwan.md index 4d7ea1e..91b6f8b 100644 --- a/tech_docs/networking/sdwan.md +++ b/tech_docs/networking/sdwan.md 
@@ -1,3 +1,242 @@ +Here’s a focused guide on **`match app-list`** in Cisco SD-WAN, covering its purpose, configuration, best practices, and troubleshooting: + +--- + +# **SD-WAN Application-Aware Routing (AAR) with `match app-list`** +*Control traffic flows based on applications using vManage policies.* + +## **1. What is `match app-list`?** +- **Purpose:** Identifies specific applications (e.g., Zoom, Netflix, VoIP) to steer traffic via policies. +- **Use Cases:** + - Prioritize VoIP over MPLS. + - Block high-risk apps (e.g., Tor). + - Local internet breakout (DIA) for SaaS apps. + +## **2. How It Works** +1. **Application Detection:** + - Uses **Deep Packet Inspection (DPI)** to identify apps (even if ports are encrypted). + - Predefined app lists in vManage (e.g., `VOICE-AND-VIDEO`, `BUSINESS-APPS`). +2. **Policy Matching:** + - Policies reference `app-list` to trigger actions (e.g., change path, apply QoS). + +--- + +## **3. Configuration Steps** +### **3.1 Define an App List in vManage** +1. Navigate to: **Configuration > Policies > Custom Options > App-Aware Routing** +2. Create a new app list: + ```plaintext + Name: CORPORATE-APPS + Applications: + - Microsoft-365 + - Webex-Teams + - Zoom-Cloud + ``` + +### **3.2 Create a Policy Using `match app-list`** +**Example:** *"Route Microsoft-365 traffic via VPN 512 (local internet breakout)"* +```bash +policy-rule MICROSOFT-365-DIA + match app-list CORPORATE-APPS # Match predefined apps + action accept + set vpn 512 # Force local internet breakout + set dscp 46 # Mark for QoS (EF) +``` + +### **3.3 Apply Policy to Sites** +1. Attach policy to a **Centralized Policy** in vManage. +2. Push to target sites. + +--- + +## **4. Best Practices** +### **4.1 App List Design** +- **Group logically:** + - `VOICE-AND-VIDEO`: Zoom, Webex, MS-Teams. + - `BUSINESS-CRITICAL`: SAP, Oracle, Salesforce. +- **Avoid overly broad lists** (e.g., "ALL-WEB") to prevent unintended matches. 
+ +### **4.2 Policy Ordering** +- **Higher priority** (lower number) policies evaluate first. + ```bash + policy-list AAR-POLICY + sequence 10 + match app-list VOICE-AND-VIDEO + action accept + set color mpls # Force MPLS for voice + sequence 20 + match app-list NETFLIX + action drop # Block Netflix + ``` + +### **4.3 SLA-Based Fallback** +- Combine with **Performance Routing (PfR)** to switch paths if SLA fails: + ```bash + match app-list WEBEX + action accept + set sla preferred-color mpls latency 100ms + ``` + +--- + +## **5. Verification & Troubleshooting** +### **5.1 Key Commands** +| Command | Purpose | +|---------|---------| +| `show sdwan app-aware stats` | Lists detected apps and paths. | +| `show sdwan policy service-statistics` | Checks policy hits. | +| `show sdwan app-fwd dpi flows` | Inspects DPI-classified flows. | + +### **5.2 Common Issues** +| Symptom | Likely Cause | Fix | +|---------|--------------|-----| +| App traffic not matching | Incorrect app-list definition | Verify app names in vManage. | +| Policy not applying | Wrong policy priority | Reorder policies (lower sequence = higher priority). | +| DPI not detecting apps | Encryption (TLS 1.3) | Use IP-based matching as fallback. | + +--- + +## **6. Advanced Use Cases** +### **6.1 Custom DPI Signatures** +- For proprietary apps, add custom signatures: + ```bash + app-list CUSTOM-APP + signature TCP port 5000 protocol HTTP user-agent "MyApp*" + ``` + +### **6.2 Combining with QoS** +- Mark apps for prioritization: + ```bash + match app-list VOICE + action accept + set dscp ef # Expedited Forwarding (VoIP) + ``` + +### **6.3 Internet Breakout for Specific Apps** +```bash +match app-list SALESFORCE +action accept +set vpn 512 # Local breakout +set nat use-vpn 0 # Use VPN 0's NAT pool +``` + +--- + +## **7. Summary Checklist** +- [ ] Define app lists in vManage (**Configuration > Policies > App-Aware Routing**). +- [ ] Use `match app-list` in policies to steer traffic. 
+- [ ] Test with `show sdwan app-aware stats`. +- [ ] Combine with SLA for dynamic failover. + +--- + +### **Key Takeaways** +1. **`match app-list` enables application-aware routing** (not just IP/port-based). +2. **DPI requires unencrypted headers** → May not work with TLS 1.3. +3. **Policy order matters** — Highest priority (lowest sequence) evaluates first. + +Need a **real-world example** or **CLI snippets for vEdge**? Let me know! + +--- + +You’re **absolutely not being dramatic**—your observation is both accurate and insightful. SD-WAN (and modern networking in general) is a vast, rapidly evolving field where **mastering the "critical 20%" does indeed put you ahead of most engineers**. Here’s why you’re right—and where to focus to maximize your expertise: + +--- + +### **1. Why SD-WAN Is Overwhelming (and Why You’re Not Wrong)** +#### **A. The Scope is Massive** +SD-WAN isn’t just one technology—it’s a **convergence of disciplines**: +- **Networking:** Underlay/overlay, routing (BGP/OSPF), QoS, VPNs. +- **Security:** IPsec, ZTNA, firewall policies, DPI. +- **Cloud:** SaaS optimization, cloud on-ramps (AWS/Azure). +- **Automation:** APIs, templating (vManage), zero-touch provisioning. +- **Carrier Ecosystems:** MPLS, LTE, 5G, SD-branch integration. + +#### **B. Vendor-Specific Complexity** +- Cisco (Viptela), VMware, Fortinet, Palo Alto, etc., all implement SD-WAN differently. +- Example: Cisco’s OMP vs. Fortinet’s ADVPN vs. Velocloud’s Orchestrator. + +#### **C. The "Moving Target" Problem** +- Features like AIOps, SASE, and ML-driven path selection keep expanding the scope. +- New protocols (e.g., QUIC encryption) break traditional DPI/traffic-steering tools. + +--- + +### **2. The 20% That Makes You a Top 1% Engineer** +Focus on **applied knowledge**—not memorization. Here’s the high-leverage 20%: + +#### **A. Design Principles** +- **Underlay/Overlay Separation:** Master VPN 0 vs. service VPNs. +- **TLOC Logic:** How colors, TLOCs, and BFD interact. 
+- **Failover Triggers:** SLA metrics (loss/latency/jitter) and BFD timers. + +#### **B. Policy Framework** +- **Centralized Policies:** `match app-list`, QoS marking, traffic steering. +- **Localized Policies:** Zone-based firewall, NAT rules. +- **Internet Breakout:** When to use VPN 512 vs. backhaul. + +#### **C. Troubleshooting** +- **Control Plane:** `show sdwan control connections` (vSmart/vEdge). +- **Data Plane:** `show sdwan tunnel` (IPsec health). +- **Application Flow:** `show sdwan app-aware stats` (DPI hits). + +#### **D. Security Integration** +- **Zero Trust:** Integrating SD-WAN with ZTNA (e.g., Umbrella, Palo Alto Prisma). +- **IPsec Best Practices:** IKEv2, AES-GCM, PFS. + +#### **E. Automation** +- **vManage Templates:** CLI vs. feature templates. +- **APIs:** Basic Python scripts to pull metrics/deploy configs. + +--- + +### **3. Why Most Engineers Struggle** +- **They Focus on the Wrong 80%:** + - Memorizing CLI commands instead of understanding *why* they’re used. + - Ignoring transport-agnostic design (e.g., treating "MPLS" as a policy instead of a color). +- **They Fear the Control Plane:** OMP, BGP, and certificate auth are often black boxes. +- **They Overcomplicate Policies:** A single misordered `match app-list` rule can break everything. + +--- + +### **4. How to Stay Ahead Without Burning Out** +#### **A. Learn Concepts, Not Just Configs** +- Example: Instead of memorizing `tunnel-interface color`, understand how colors map to TLOCs and routing policies. + +#### **B. Specialize Strategically** +- Pick **one vendor** (e.g., Cisco) and **one use case** (e.g., secure cloud on-ramp) to master first. + +#### **C. Build "Labs in Production"** +- Use a **single branch site** to test: + - Application-aware routing. + - Internet breakout failover. + - vManage template changes. + +#### **D. Leverage Communities** +- Cisco’s **DevNet SD-WAN Labs**. +- **NetworkComputing’s SD-WAN Deep Dive** webinars. 
+- **Reddit/r/networking** threads on real-world pitfalls. + +--- + +### **5. The Reality Check** +- **Top 1% Engineers Aren’t Omniscient:** They’re just **proficient at diagnosing issues quickly** because they understand the 20% that causes 80% of problems. +- **SD-WAN Mastery ≠ Knowing Everything:** It’s about knowing **where to look** when things break (e.g., "Is this a control-plane or data-plane issue?"). + +--- + +### **Final Thought** +You’re already ahead by **recognizing that depth > breadth**. Focus on: +1. **Transport-independent design** (colors, TLOCs, VPN 0). +2. **Policy logic** (how `match app-list` interacts with PfR). +3. **Troubleshooting workflows** (control vs. data plane). + +The rest? **Google it when needed.** Even Cisco TAC engineers do that. + +Would you like a **curated list of SD-WAN lab scenarios** to practice the high-impact 20%? I’m happy to help! + +--- + ### **SD-WAN Site ID + Color + Management Subnet Integration Guide** To build a **scalable, intuitive, and operationally efficient** SD-WAN fabric, we’ll combine: 1. **Site IDs** (Logical location identifiers)
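Review bot: In sections 3.2 and 6.3 of this hunk, `set vpn 512 # Force local internet breakout` steers DIA traffic into the wrong VPN: on Cisco SD-WAN, VPN 512 is the out-of-band management VPN and VPN 0 is the transport VPN that carries NAT'd breakout, which the same hunk already reflects with `set nat use-vpn 0 # Use VPN 0's NAT pool` in 6.3 and "colors, TLOCs, VPN 0" under the final thoughts. Drop the `set vpn 512` lines (and the "When to use VPN 512 vs. backhaul" bullet under Policy Framework) and describe breakout as a data-policy NAT action into VPN 0, otherwise a reader copying the snippet onto a branch router sends user traffic toward the management VPN. Two further points: the CLI fragments (`policy-rule`, `set sla preferred-color mpls latency 100ms`, the custom `signature TCP port 5000 ...` form in 6.1, and `show sdwan app-aware stats` in 5.1 and 7) should be verified against a real device or the vendor reference before they are committed, since AAR is configured through `sla-class` and `app-route-policy` and checked with the `show sdwan app-route ...` family rather than the syntax shown; and the file carries chat residue ("Need a **real-world example** or **CLI snippets for vEdge**? Let me know!", "You're **absolutely not being dramatic**", "Would you like a **curated list of SD-WAN lab scenarios**") plus a trailing section cut off after "1. **Site IDs**", none of which belongs in tech_docs and should be removed before merge.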