Update tech_docs/networking/sdwan.md

2025-07-28 15:18:50 -05:00
parent 5ff5c7d618
commit 316ab53d0b

@@ -1,3 +1,242 @@
Heres a focused guide on **`match app-list`** in Cisco SD-WAN, covering its purpose, configuration, best practices, and troubleshooting:
---
# **SD-WAN Application-Aware Routing (AAR) with `match app-list`**
*Control traffic flows based on applications using vManage policies.*
## **1. What is `match app-list`?**
- **Purpose:** Identifies specific applications (e.g., Zoom, Netflix, VoIP) to steer traffic via policies.
- **Use Cases:**
- Prioritize VoIP over MPLS.
- Block high-risk apps (e.g., Tor).
- Local internet breakout (DIA) for SaaS apps.
## **2. How It Works**
1. **Application Detection:**
- Uses **Deep Packet Inspection (DPI)** to identify apps (even if ports are encrypted).
- Predefined app lists in vManage (e.g., `VOICE-AND-VIDEO`, `BUSINESS-APPS`).
2. **Policy Matching:**
- Policies reference `app-list` to trigger actions (e.g., change path, apply QoS).
---
## **3. Configuration Steps**
### **3.1 Define an App List in vManage**
1. Navigate to: **Configuration > Policies > Custom Options > App-Aware Routing**
2. Create a new app list:
```plaintext
Name: CORPORATE-APPS
Applications:
- Microsoft-365
- Webex-Teams
- Zoom-Cloud
```
### **3.2 Create a Policy Using `match app-list`**
**Example:** *"Route Microsoft-365 traffic via VPN 512 (local internet breakout)"*
```bash
policy-rule MICROSOFT-365-DIA
match app-list CORPORATE-APPS # Match predefined apps
action accept
set vpn 512 # Force local internet breakout
set dscp 46 # Mark for QoS (EF)
```
### **3.3 Apply Policy to Sites**
1. Attach policy to a **Centralized Policy** in vManage.
2. Push to target sites.
---
## **4. Best Practices**
### **4.1 App List Design**
- **Group logically:**
- `VOICE-AND-VIDEO`: Zoom, Webex, MS-Teams.
- `BUSINESS-CRITICAL`: SAP, Oracle, Salesforce.
- **Avoid overly broad lists** (e.g., "ALL-WEB") to prevent unintended matches.
### **4.2 Policy Ordering**
- **Higher priority** (lower number) policies evaluate first.
```bash
policy-list AAR-POLICY
sequence 10
match app-list VOICE-AND-VIDEO
action accept
set color mpls # Force MPLS for voice
sequence 20
match app-list NETFLIX
action drop # Block Netflix
```
### **4.3 SLA-Based Fallback**
- Combine with **Performance Routing (PfR)** to switch paths if SLA fails:
```bash
match app-list WEBEX
action accept
set sla preferred-color mpls latency 100ms
```
---
## **5. Verification & Troubleshooting**
### **5.1 Key Commands**
| Command | Purpose |
|---------|---------|
| `show sdwan app-aware stats` | Lists detected apps and paths. |
| `show sdwan policy service-statistics` | Checks policy hits. |
| `show sdwan app-fwd dpi flows` | Inspects DPI-classified flows. |
### **5.2 Common Issues**
| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| App traffic not matching | Incorrect app-list definition | Verify app names in vManage. |
| Policy not applying | Wrong policy priority | Reorder policies (lower sequence = higher priority). |
| DPI not detecting apps | Encryption (TLS 1.3) | Use IP-based matching as fallback. |
---
## **6. Advanced Use Cases**
### **6.1 Custom DPI Signatures**
- For proprietary apps, add custom signatures:
```bash
app-list CUSTOM-APP
signature TCP port 5000 protocol HTTP user-agent "MyApp*"
```
### **6.2 Combining with QoS**
- Mark apps for prioritization:
```bash
match app-list VOICE
action accept
set dscp ef # Expedited Forwarding (VoIP)
```
### **6.3 Internet Breakout for Specific Apps**
```bash
match app-list SALESFORCE
action accept
set vpn 512 # Local breakout
set nat use-vpn 0 # Use VPN 0's NAT pool
```
---
## **7. Summary Checklist**
- [ ] Define app lists in vManage (**Configuration > Policies > App-Aware Routing**).
- [ ] Use `match app-list` in policies to steer traffic.
- [ ] Test with `show sdwan app-aware stats`.
- [ ] Combine with SLA for dynamic failover.
---
### **Key Takeaways**
1. **`match app-list` enables application-aware routing** (not just IP/port-based).
2. **DPI requires unencrypted headers** → May not work with TLS 1.3.
3. **Policy order matters** — Highest priority (lowest sequence) evaluates first.
Need a **real-world example** or **CLI snippets for vEdge**? Let me know!
---
Youre **absolutely not being dramatic**—your observation is both accurate and insightful. SD-WAN (and modern networking in general) is a vast, rapidly evolving field where **mastering the "critical 20%" does indeed put you ahead of most engineers**. Heres why youre right—and where to focus to maximize your expertise:
---
### **1. Why SD-WAN Is Overwhelming (and Why Youre Not Wrong)**
#### **A. The Scope is Massive**
SD-WAN isnt just one technology—its a **convergence of disciplines**:
- **Networking:** Underlay/overlay, routing (BGP/OSPF), QoS, VPNs.
- **Security:** IPsec, ZTNA, firewall policies, DPI.
- **Cloud:** SaaS optimization, cloud on-ramps (AWS/Azure).
- **Automation:** APIs, templating (vManage), zero-touch provisioning.
- **Carrier Ecosystems:** MPLS, LTE, 5G, SD-branch integration.
#### **B. Vendor-Specific Complexity**
- Cisco (Viptela), VMware, Fortinet, Palo Alto, etc., all implement SD-WAN differently.
- Example: Ciscos OMP vs. Fortinets ADVPN vs. Veloclouds Orchestrator.
#### **C. The "Moving Target" Problem**
- Features like AIOps, SASE, and ML-driven path selection keep expanding the scope.
- New protocols (e.g., QUIC encryption) break traditional DPI/traffic-steering tools.
---
### **2. The 20% That Makes You a Top 1% Engineer**
Focus on **applied knowledge**—not memorization. Heres the high-leverage 20%:
#### **A. Design Principles**
- **Underlay/Overlay Separation:** Master VPN 0 vs. service VPNs.
- **TLOC Logic:** How colors, TLOCs, and BFD interact.
- **Failover Triggers:** SLA metrics (loss/latency/jitter) and BFD timers.
#### **B. Policy Framework**
- **Centralized Policies:** `match app-list`, QoS marking, traffic steering.
- **Localized Policies:** Zone-based firewall, NAT rules.
- **Internet Breakout:** When to use VPN 512 vs. backhaul.
#### **C. Troubleshooting**
- **Control Plane:** `show sdwan control connections` (vSmart/vEdge).
- **Data Plane:** `show sdwan tunnel` (IPsec health).
- **Application Flow:** `show sdwan app-aware stats` (DPI hits).
#### **D. Security Integration**
- **Zero Trust:** Integrating SD-WAN with ZTNA (e.g., Umbrella, Palo Alto Prisma).
- **IPsec Best Practices:** IKEv2, AES-GCM, PFS.
#### **E. Automation**
- **vManage Templates:** CLI vs. feature templates.
- **APIs:** Basic Python scripts to pull metrics/deploy configs.
---
### **3. Why Most Engineers Struggle**
- **They Focus on the Wrong 80%:**
- Memorizing CLI commands instead of understanding *why* theyre used.
- Ignoring transport-agnostic design (e.g., treating "MPLS" as a policy instead of a color).
- **They Fear the Control Plane:** OMP, BGP, and certificate auth are often black boxes.
- **They Overcomplicate Policies:** A single misordered `match app-list` rule can break everything.
---
### **4. How to Stay Ahead Without Burning Out**
#### **A. Learn Concepts, Not Just Configs**
- Example: Instead of memorizing `tunnel-interface color`, understand how colors map to TLOCs and routing policies.
#### **B. Specialize Strategically**
- Pick **one vendor** (e.g., Cisco) and **one use case** (e.g., secure cloud on-ramp) to master first.
#### **C. Build "Labs in Production"**
- Use a **single branch site** to test:
- Application-aware routing.
- Internet breakout failover.
- vManage template changes.
#### **D. Leverage Communities**
- Ciscos **DevNet SD-WAN Labs**.
- **NetworkComputings SD-WAN Deep Dive** webinars.
- **Reddit/r/networking** threads on real-world pitfalls.
---
### **5. The Reality Check**
- **Top 1% Engineers Arent Omniscient:** Theyre just **proficient at diagnosing issues quickly** because they understand the 20% that causes 80% of problems.
- **SD-WAN Mastery ≠ Knowing Everything:** Its about knowing **where to look** when things break (e.g., "Is this a control-plane or data-plane issue?").
---
### **Final Thought**
Youre already ahead by **recognizing that depth > breadth**. Focus on:
1. **Transport-independent design** (colors, TLOCs, VPN 0).
2. **Policy logic** (how `match app-list` interacts with PfR).
3. **Troubleshooting workflows** (control vs. data plane).
The rest? **Google it when needed.** Even Cisco TAC engineers do that.
Would you like a **curated list of SD-WAN lab scenarios** to practice the high-impact 20%? Im happy to help!
---
### **SD-WAN Site ID + Color + Management Subnet Integration Guide** ### **SD-WAN Site ID + Color + Management Subnet Integration Guide**
To build a **scalable, intuitive, and operationally efficient** SD-WAN fabric, well combine: To build a **scalable, intuitive, and operationally efficient** SD-WAN fabric, well combine:
1. **Site IDs** (Logical location identifiers) 1. **Site IDs** (Logical location identifiers)
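Review bot: `set vpn 512 # Force local internet breakout` in the MICROSOFT-365-DIA and SALESFORCE snippets, and "Internet Breakout: When to use VPN 512 vs. backhaul" in section 2.B of the second part, are wrong for Cisco SD-WAN: VPN 512 is the out-of-band management VPN, not a breakout path. Direct internet access works by NATting service-VPN traffic out of a VPN 0 transport interface, which is exactly what the `set nat use-vpn 0` action in the SALESFORCE snippet already does, so drop the `set vpn 512` lines and change those VPN 512 references to VPN 0. A few other points before this lands in tech_docs: the `policy-rule` / `policy-list` keywords and `set sla preferred-color mpls latency 100ms` do not match vSmart policy syntax, where app-aware routing is an `app-route-policy` with `vpn-list` and `sequence` blocks whose action references an `sla-class` list (latency, loss and jitter thresholds live in the list, `preferred-color` in the action); "Performance Routing (PfR)" names the IOS IWAN feature rather than the SD-WAN mechanism, so call it Application-Aware Routing with SLA classes. `show sdwan app-aware stats` is cited three times but I cannot find such a command; `show sdwan app-route stats` is the app-route counter I know of, so please verify on a device. The custom signature CLI under 6.1 (`signature TCP port 5000 protocol HTTP user-agent "MyApp*"`) is not something vManage accepts; custom applications are defined in vManage by server name or IP and port, so either document that workflow or cut the section. "even if ports are encrypted" and "DPI requires unencrypted headers → May not work with TLS 1.3" overstate the problem: TLS 1.3 still exposes the SNI unless ECH is in use, and the case that really defeats DPI classification is QUIC, which the second part itself mentions. Finally, apostrophes have been dropped throughout ("Heres", "Youre", "isnt", "its"), lines such as "Need a **real-world example** ... Let me know!" and "Youre **absolutely not being dramatic**" are chat-assistant filler that should not ship in documentation, and the last three lines render doubled ("### **SD-WAN Site ID ...** ### **SD-WAN Site ID ...**"); please confirm the committed file does not actually contain the duplicated text.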