diff --git a/tech_docs/networking/SD-WAN.md b/tech_docs/networking/SD-WAN.md new file mode 100644 index 0000000..de9365a --- /dev/null +++ b/tech_docs/networking/SD-WAN.md 
@@ -0,0 +1,297 @@ +Here’s the **20% of SD-WAN that covers 80% of what you need to know**, with a focus on **practical knowledge for senior network roles** and seamless integration with your IPSec expertise: + +--- + +### **SD-WAN Crash Course: The 20% That Matters** +**Goal:** Understand **core SD-WAN concepts**, how they differ from traditional WAN, and how they integrate with IPSec. + +--- + +## **1. SD-WAN vs Traditional WAN** +| **Feature** | **Traditional WAN (MPLS/VPN)** | **SD-WAN** | +|----------------------|-------------------------------|------------| +| **Cost** | Expensive (MPLS circuits) | Cheaper (uses Internet + broadband) | +| **Agility** | Manual config changes | Centralized, automated policies | +| **Performance** | Predictable but rigid | Dynamic path selection (jitter/loss-aware) | +| **Security** | Relies on IPSec/MPLS | Built-in encryption (IPSec, TLS) | +| **Topology** | Hub-and-spoke | Any-to-any, mesh | + +**Key Takeaway:** +- SD-WAN **decouples control plane from hardware**, allowing dynamic traffic routing over **any transport (MPLS, LTE, broadband)**. + +--- + +## **2. SD-WAN Core Components** +### **(1) Edge Devices (CPE)** +- **e.g., Cisco vEdge, FortiGate, VeloCloud** +- Sit at branch offices, apply policies, and encrypt traffic. + +### **(2) Orchestrator (Controller)** +- **e.g., Cisco vManage, VMware Orchestrator** +- **Centralized policy management** (no CLI needed!). + +### **(3) Overlay Tunnels** +- **Encrypted tunnels** (IPSec, GRE, DTLS) between edges. +- Uses **TLOC (Transport Locator)** = Public IP + Color (e.g., `INET`, `MPLS`). + +### **(4) Underlay Transport** +- **Any WAN link**: MPLS, Internet, LTE, 5G. + +--- + +## **3. How SD-WAN Works (The 80% You Need)** +### **(1) Path Selection** +- **Dynamic multi-path steering**: Chooses best path based on: + - **Application SLA** (e.g., VoIP → low latency). + - **Real-time metrics** (jitter, packet loss, latency). 
+ +**Example Policy:** +```plaintext +IF (Application == VoIP) AND (Latency > 50ms) → SWITCH to backup link +``` + +### **(2) Zero-Touch Provisioning (ZTP)** +- Plug in a device → auto-configures via orchestrator. + +### **(3) Application-Aware Routing** +- **DPI (Deep Packet Inspection)** identifies apps (e.g., Teams, SAP). +- **QoS prioritization** (VoIP > YouTube). + +### **(4) Security Integration** +- **IPSec for all overlays** (mandatory for Internet links). +- **Cloud-based firewalls** (e.g., FortiGate, Zscaler). + +--- + +## **4. SD-WAN + IPSec Integration** +- **SD-WAN uses IPSec for secure tunnels** but adds: + - **Automated key rotation** (no manual PSK updates). + - **Tunnel bonding** (combines multiple links for throughput). + +**Key Difference:** +- Traditional IPSec VPN = **static tunnels**. +- SD-WAN IPSec = **dynamic, SLA-driven tunnels**. + +--- + +## **5. SD-WAN Troubleshooting (Top 5 Issues)** +| **Issue** | **Debug Command** | **Fix** | +|-------------------------------|--------------------------------------|---------| +| **Tunnels not coming up** | `show sdwan tunnel` (Cisco) | Check underlay reachability | +| **Poor VoIP quality** | `show sdwan app-route stats` | Adjust SLA thresholds | +| **Orchestrator sync failure** | `show sdwan control connections` | Verify certs/connectivity | +| **Traffic taking wrong path** | `show sdwan policy-service-path` | Fix application-aware rules | +| **High latency on backup** | `show sdwan interface` | Enable FEC (Forward Error Correction) | + +--- + +## **6. SD-WAN vs. DMVPN (Common Interview Qs)** +**Q: When would you use SD-WAN over DMVPN?** +- **SD-WAN**: When you need **application-aware routing + centralized management**. +- **DMVPN**: When you need **scalable IPSec tunnels but don’t need SaaS optimization**. + +**Q: Can SD-WAN replace IPSec?** +- **No!** SD-WAN **uses** IPSec for encryption but adds intelligence on top. + +--- + +## **7. Lab Practice (Quick Wins)** +1. 
**Simulate link failure** in GNS3/EVE-NG → Watch SD-WAN switch paths. +2. **Prioritize VoIP traffic** over YouTube. +3. **Break the orchestrator** → Observe fallback to local policies. + +**CLI Examples (Cisco Viptela):** +```bash +show sdwan control connections # Check orchestrator status +show sdwan app-route stats # Verify path selection +clear sdwan tunnel # Force tunnel re-establishment +``` + +--- + +## **8. Interview Cheat Sheet** +✅ **SD-WAN = Automation + Application-Aware Routing + Multiple Underlays**. +✅ **IPSec is still used, but dynamically managed**. +✅ **Key metrics: Jitter (<30ms), Latency (<150ms), Packet Loss (<1%)**. +✅ **Orchestrator is the brain; edges are the muscle**. + +--- + +### **Where to Go Next?** +1. **Deep dive into your vendor’s SD-WAN** (Cisco, Fortinet, VMware). +2. **Learn cloud-integrated SD-WAN** (AWS Transit Gateway, Azure Virtual WAN). +3. **Study real-world designs** (e.g., "How SD-WAN replaces MPLS"). + +Need a **deep dive on a specific SD-WAN vendor** or **mock scenarios**? Let me know! 🚀 + +--- + +Here’s a **detailed comparison** of how **Cisco (Viptela & Meraki), Fortinet, and VMware** approach SD-WAN, highlighting their key differentiators, architectures, and use cases: + +--- + +### **SD-WAN Vendor Deep Dive: Cisco vs. Meraki vs. Fortinet vs. VMware** +**Goal:** Understand how each vendor solves the same problems (reliability, security, simplicity) in different ways. + +--- + +## **1. 
Architecture & Key Components** +| **Vendor** | **Control Plane** | **Data Plane** | **Orchestration** | **Security Integration** | +|------------|------------------|----------------|-------------------|--------------------------| +| **Cisco Viptela** | Distributed (vSmart controllers) | vEdge routers | **vManage** (on-prem/cloud) | **CloudSec (IPSec)** + Optional Umbrella | +| **Cisco Meraki** | Centralized (Cloud) | MX appliances | **Meraki Dashboard** (cloud-only) | **Auto VPN (IPSec)** + MX Security | +| **Fortinet** | Centralized (FortiManager) | FortiGate appliances | **FortiManager** + **FortiAnalyzer** | **Native NGFW (FortiGate)** | +| **VMware** | Centralized (vSmart controllers) | Edges (partner hardware) | **vCloud Orchestrator** (cloud/on-prem) | **Partner-integrated (e.g., Palo Alto)** | + +--- + +## **2. Key Differentiators** +### **Cisco Viptela** +- **Best for:** Large enterprises, hybrid WAN, MPLS replacement. +- **Strengths:** + - **Flexible deployment** (on-prem/cloud). + - **Application-aware routing** (Deep Packet Inspection). + - **Multi-cloud integration** (AWS/Azure). +- **Weaknesses:** + - Complex for small deployments. + - No built-in NGFW (relies on Umbrella or third-party). + +### **Cisco Meraki** +- **Best for:** SMBs, retail, zero-touch deployments. +- **Strengths:** + - **Dead simple** (cloud-managed, no CLI). + - **Auto VPN** (self-healing mesh). + - **Built-in security** (MX firewall, IDS/IPS). +- **Weaknesses:** + - Limited granular control (no advanced BGP/OSPF). + - No on-prem orchestrator. + +### **Fortinet** +- **Best for:** Security-first organizations (tight FW/SD-WAN integration). +- **Strengths:** + - **Single-pass architecture** (SD-WAN + NGFW in one box). + - **FortiGuard AI/ML threat detection**. + - **Low-cost hardware**. +- **Weaknesses:** + - Less flexible for non-Fortinet shops. + - Orchestrator (FortiManager) feels outdated. 
+ +### **VMware (formerly VeloCloud)** +- **Best for:** Cloud-first enterprises, SaaS optimization. +- **Strengths:** + - **Best-in-class cloud/SaaS performance** (e.g., Office 365). + - **Broad hardware compatibility** (partner ecosystem). + - **Dynamic Multi-Path Optimization (DMPO)**. +- **Weaknesses:** + - No native security (relies on partners like Palo Alto). + - Complex pricing. + +--- + +## **3. Feature Comparison** +| **Feature** | **Cisco Viptela** | **Cisco Meraki** | **Fortinet** | **VMware** | +|---------------------------|-------------------|------------------|--------------|------------| +| **Zero-Touch Provisioning** | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes | +| **Application-Aware Routing** | ✅ (DPI) | ❌ (Limited) | ✅ (NGFW-integrated) | ✅ (DMPO) | +| **Built-in NGFW** | ❌ (Umbrella add-on) | ✅ (MX Security) | ✅ (FortiGate) | ❌ (Partner-based) | +| **Cloud Orchestration** | ✅ (vManage) | ✅ (Meraki Dashboard) | ✅ (FortiManager Cloud) | ✅ (vCloud) | +| **MPLS Hybrid Support** | ✅ Best-in-class | ❌ (Internet-only) | ✅ Yes | ✅ Yes | +| **SLA-Based Path Selection** | ✅ Yes | ❌ (Basic) | ✅ Yes | ✅ Yes | + +--- + +## **4. How Each Vendor Handles Key SD-WAN Tasks** +### **1. Tunnel Establishment** +- **Cisco Viptela:** IPSec (manual or automated via vSmart). +- **Meraki:** Auto VPN (self-configured mesh). +- **Fortinet:** IPSec + SSL-VPN (FortiGate handles both). +- **VMware:** IPSec or DTLS (cloud-optimized). + +### **2. Failover & Path Selection** +- **Cisco Viptela:** SLA-based (jitter/loss thresholds). +- **Meraki:** Basic link monitoring (latency/packet loss). +- **Fortinet:** AI-driven (FortiGuard updates). +- **VMware:** DMPO (real-time packet steering). + +### **3. Security Integration** +- **Cisco Viptela:** Requires Umbrella or third-party. +- **Meraki:** MX Security Suite (IDS/IPS, content filtering). +- **Fortinet:** Native NGFW (no extra cost). +- **VMware:** Zscaler/Palo Alto integrations. + +--- + +## **5. 
When to Choose Which Vendor?** +| **Use Case** | **Best Vendor** | **Why?** | +|--------------|----------------|----------| +| **Enterprise MPLS replacement** | Cisco Viptela | Flexible, hybrid WAN support | +| **Retail/Remote Branches** | Meraki | Zero-touch, cloud simplicity | +| **Security-first (e.g., Healthcare/Gov)** | Fortinet | Built-in NGFW, low TCO | +| **Cloud/SaaS-heavy (e.g., Tech)** | VMware | Best SaaS optimization | + +--- + +## **6. CLI vs. GUI Showdown** +| **Vendor** | **CLI Access?** | **GUI Strengths** | +|------------|-----------------|-------------------| +| **Cisco Viptela** | ✅ Yes (vEdge) | vManage (granular policies) | +| **Meraki** | ❌ No | Drag-and-drop simplicity | +| **Fortinet** | ✅ Yes (FortiGate) | Single pane for SD-WAN + NGFW | +| **VMware** | ❌ (Partner-dependent) | vCloud Orchestrator (SaaS metrics) | + +--- + +## **7. Real-World Deployment Scenarios** +### **Cisco Viptela** +- **Global enterprise** with 500+ branches needing MPLS + Internet hybrid. +- **Policy Example:** + ```plaintext + IF (Application == VoIP) → Prefer MPLS + IF (Link Latency > 100ms) → Switch to LTE + ``` + +### **Meraki** +- **Coffee chain** with 100 stores needing plug-and-play VPNs. +- **Policy Example:** + ```plaintext + ALL Traffic → Use cheapest link (broadband/LTE) + ``` + +### **Fortinet** +- **Hospital** needing HIPAA-compliant security + SD-WAN. +- **Policy Example:** + ```plaintext + IF (Traffic == EHR) → Encrypt + Inspect (NGFW) + ``` + +### **VMware** +- **Tech startup** using AWS + Office 365. +- **Policy Example:** + ```plaintext + IF (SaaS == O365) → Direct-to-cloud (bypass HQ) + ``` + +--- + +## **8. Interview Questions (Vendor-Specific)** +1. **Cisco Viptela:** How does vSmart simplify route distribution? + - **Answer:** Acts as a route reflector for full-mesh overlays. + +2. **Meraki:** Can you use BGP with Auto VPN? + - **Answer:** No—Meraki uses simple static routes. + +3. **Fortinet:** How does SD-WAN integrate with FortiGate? 
+ - **Answer:** Single-pass processing (one engine handles FW + SD-WAN). + +4. **VMware:** What’s DMPO? + - **Answer:** Dynamic Multi-Path Optimization (packet-level steering). + +--- + +### **Final Takeaways** +- **Cisco Viptela:** Most flexible for complex enterprises. +- **Meraki:** Simplest for distributed SMBs. +- **Fortinet:** Best for "security-first" teams. +- **VMware:** Ideal for cloud-native apps. + +Need a **deep dive on one vendor’s architecture** or **mock design scenarios**? Let me know! 🛠️ \ No newline at end of file
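Review bot: In section 2 "(3) Overlay Tunnels" the line "**Encrypted tunnels** (IPSec, GRE, DTLS)" mislabels GRE, which on its own provides neither confidentiality nor integrity protection; either drop it from that list or qualify it as "GRE (plain, unless carried inside IPSec)", which also keeps the section consistent with "(4) Security Integration", where IPSec is required on every overlay. Two smaller points: the "Architecture & Key Components" table of the vendor comparison assigns "vSmart controllers" to both Cisco Viptela and VMware, while the crash course earlier names "VMware Orchestrator" as VMware's controller, so the VMware row should not reuse Cisco's component name; and the file ends without a trailing newline ("\ No newline at end of file"), which should be added before merge.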