Add tech_docs/networking/sdwan_primer.md
125
tech_docs/networking/sdwan_primer.md
Normal file
@@ -0,0 +1,125 @@
Here’s the **20% of SD-WAN that covers 80% of what you need to know**, with a focus on **practical knowledge for senior network roles** and seamless integration with your IPSec expertise:
---
### **SD-WAN Crash Course: The 20% That Matters**
**Goal:** Understand **core SD-WAN concepts**, how they differ from traditional WAN, and how they integrate with IPSec.
---
## **1. SD-WAN vs Traditional WAN**
| **Feature** | **Traditional WAN (MPLS/VPN)** | **SD-WAN** |
|----------------------|-------------------------------|------------|
| **Cost** | Expensive (MPLS circuits) | Cheaper (uses Internet + broadband) |
| **Agility** | Manual config changes | Centralized, automated policies |
| **Performance** | Predictable but rigid | Dynamic path selection (jitter/loss-aware) |
| **Security** | Relies on IPSec/MPLS | Built-in encryption (IPSec, TLS) |
| **Topology** | Hub-and-spoke | Any-to-any, mesh |
**Key Takeaway:**
- SD-WAN **decouples control plane from hardware**, allowing dynamic traffic routing over **any transport (MPLS, LTE, broadband)**.
---
## **2. SD-WAN Core Components**
### **(1) Edge Devices (CPE)**
- **e.g., Cisco vEdge, FortiGate, VeloCloud**
- Sit at branch offices, apply policies, and encrypt traffic.
### **(2) Orchestrator (Controller)**
- **e.g., Cisco vManage, VMware Orchestrator**
- **Centralized policy management** (no CLI needed!).
### **(3) Overlay Tunnels**
- **Encrypted tunnels** (IPSec, GRE, DTLS) between edges.
- Uses **TLOC (Transport Locator)** = Public IP + Color (e.g., `INET`, `MPLS`).
### **(4) Underlay Transport**
- **Any WAN link**: MPLS, Internet, LTE, 5G.
---
## **3. How SD-WAN Works (The 80% You Need)**
### **(1) Path Selection**
- **Dynamic multi-path steering**: Chooses best path based on:
- **Application SLA** (e.g., VoIP → low latency).
- **Real-time metrics** (jitter, packet loss, latency).
**Example Policy:**
```plaintext
IF (Application == VoIP) AND (Latency > 50ms) → SWITCH to backup link
```
### **(2) Zero-Touch Provisioning (ZTP)**
- Plug in a device → auto-configures via orchestrator.
### **(3) Application-Aware Routing**
- **DPI (Deep Packet Inspection)** identifies apps (e.g., Teams, SAP).
- **QoS prioritization** (VoIP > YouTube).
### **(4) Security Integration**
- **IPSec for all overlays** (mandatory for Internet links).
- **Cloud-based firewalls** (e.g., FortiGate, Zscaler).
---
## **4. SD-WAN + IPSec Integration**
- **SD-WAN uses IPSec for secure tunnels** but adds:
- **Automated key rotation** (no manual PSK updates).
- **Tunnel bonding** (combines multiple links for throughput).
**Key Difference:**
- Traditional IPSec VPN = **static tunnels**.
- SD-WAN IPSec = **dynamic, SLA-driven tunnels**.
---
## **5. SD-WAN Troubleshooting (Top 5 Issues)**
| **Issue** | **Debug Command** | **Fix** |
|-------------------------------|--------------------------------------|---------|
| **Tunnels not coming up** | `show sdwan tunnel` (Cisco) | Check underlay reachability |
| **Poor VoIP quality** | `show sdwan app-route stats` | Adjust SLA thresholds |
| **Orchestrator sync failure** | `show sdwan control connections` | Verify certs/connectivity |
| **Traffic taking wrong path** | `show sdwan policy-service-path` | Fix application-aware rules |
| **High latency on backup** | `show sdwan interface` | Enable FEC (Forward Error Correction) |
---
## **6. SD-WAN vs. DMVPN (Common Interview Qs)**
**Q: When would you use SD-WAN over DMVPN?**
- **SD-WAN**: When you need **application-aware routing + centralized management**.
- **DMVPN**: When you need **scalable IPSec tunnels but don’t need SaaS optimization**.
**Q: Can SD-WAN replace IPSec?**
- **No!** SD-WAN **uses** IPSec for encryption but adds intelligence on top.
---
## **7. Lab Practice (Quick Wins)**
1. **Simulate link failure** in GNS3/EVE-NG → Watch SD-WAN switch paths.
2. **Prioritize VoIP traffic** over YouTube.
3. **Break the orchestrator** → Observe fallback to local policies.
**CLI Examples (Cisco Viptela):**
```bash
show sdwan control connections # Check orchestrator status
show sdwan app-route stats # Verify path selection
clear sdwan tunnel # Force tunnel re-establishment
```
---
## **8. Interview Cheat Sheet**
✅ **SD-WAN = Automation + Application-Aware Routing + Multiple Underlays**.
✅ **IPSec is still used, but dynamically managed**.
✅ **Key metrics: Jitter (<30ms), Latency (<150ms), Packet Loss (<1%)**.
✅ **Orchestrator is the brain; edges are the muscle**.
---
### **Where to Go Next?**
1. **Deep dive into your vendor’s SD-WAN** (Cisco, Fortinet, VMware).
2. **Learn cloud-integrated SD-WAN** (AWS Transit Gateway, Azure Virtual WAN).
3. **Study real-world designs** (e.g., "How SD-WAN replaces MPLS").
Need a **deep dive on a specific SD-WAN vendor** or **mock scenarios**? Let me know! 🚀
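Review bot: The overlay bullet "Encrypted tunnels (IPSec, GRE, DTLS) between edges" under (3) Overlay Tunnels lumps an unencrypted encapsulation in with the encrypted ones: GRE provides no confidentiality or integrity on its own, and DTLS is the transport for the edge-to-controller control connections rather than an edge-to-edge data-plane tunnel, so a reader could take a GRE overlay across the Internet to be protected. Suggest rewording to "IPsec between edges (plain GRE only over a private underlay such as MPLS); DTLS/TLS for edge-to-controller control connections", which also lines up with the later bullet "IPSec for all overlays (mandatory for Internet links)". Three smaller points in the same file: the definition "TLOC (Transport Locator) = Public IP + Color" should read system IP + color + encapsulation, the public IP:port being the NAT-discovered attribute the controller learns for that TLOC rather than part of its identity; the troubleshooting row "High latency on backup ... Enable FEC (Forward Error Correction)" pairs the wrong symptom with the fix, since FEC recovers lost packets at the cost of extra bandwidth and does nothing for latency, so either the issue should be high loss or the fix should be an SLA/path change; and the Security Integration and SD-WAN + IPSec sections never say what authenticates an edge to the orchestrator and to its peers (device certificates plus the orchestrator's list of authorized device identities), even though "Orchestrator sync failure ... Verify certs/connectivity" and the ZTP bullet both depend on that trust, so one sentence in section 4 naming it would close the gap. Also worth checking the exact spelling of `show sdwan policy-service-path` against the platform command reference before this is used as a cheat sheet.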