medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add tech_docs/networking/SD-WAN.md

Browse Source
This commit is contained in:
medusa
2025-06-19 05:37:25 +00:00
parent 23c6b075ec
commit 692c82bc4d
1 changed files with 297 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

297
tech_docs/networking/SD-WAN.md Normal file
View File

@@ -0,0 +1,297 @@
Heres the **20% of SD-WAN that covers 80% of what you need to know**, with a focus on **practical knowledge for senior network roles** and seamless integration with your IPSec expertise:
---
### **SD-WAN Crash Course: The 20% That Matters**
**Goal:** Understand **core SD-WAN concepts**, how they differ from traditional WAN, and how they integrate with IPSec.
---
## **1. SD-WAN vs Traditional WAN**
| **Feature** | **Traditional WAN (MPLS/VPN)** | **SD-WAN** |
|----------------------|-------------------------------|------------|
| **Cost** | Expensive (MPLS circuits) | Cheaper (uses Internet + broadband) |
| **Agility** | Manual config changes | Centralized, automated policies |
| **Performance** | Predictable but rigid | Dynamic path selection (jitter/loss-aware) |
| **Security** | Relies on IPSec/MPLS | Built-in encryption (IPSec, TLS) |
| **Topology** | Hub-and-spoke | Any-to-any, mesh |
**Key Takeaway:**
- SD-WAN **decouples control plane from hardware**, allowing dynamic traffic routing over **any transport (MPLS, LTE, broadband)**.
---
## **2. SD-WAN Core Components**
### **(1) Edge Devices (CPE)**
- **e.g., Cisco vEdge, FortiGate, VeloCloud**
- Sit at branch offices, apply policies, and encrypt traffic.
### **(2) Orchestrator (Controller)**
- **e.g., Cisco vManage, VMware Orchestrator**
- **Centralized policy management** (no CLI needed!).
### **(3) Overlay Tunnels**
- **Encrypted tunnels** (IPSec, GRE, DTLS) between edges.
- Uses **TLOC (Transport Locator)** = Public IP + Color (e.g., `INET`, `MPLS`).
### **(4) Underlay Transport**
- **Any WAN link**: MPLS, Internet, LTE, 5G.
---
## **3. How SD-WAN Works (The 80% You Need)**
### **(1) Path Selection**
- **Dynamic multi-path steering**: Chooses best path based on:
- **Application SLA** (e.g., VoIP → low latency).
- **Real-time metrics** (jitter, packet loss, latency).
**Example Policy:**
```plaintext
IF (Application == VoIP) AND (Latency > 50ms) → SWITCH to backup link
```
### **(2) Zero-Touch Provisioning (ZTP)**
- Plug in a device → auto-configures via orchestrator.
### **(3) Application-Aware Routing**
- **DPI (Deep Packet Inspection)** identifies apps (e.g., Teams, SAP).
- **QoS prioritization** (VoIP > YouTube).
### **(4) Security Integration**
- **IPSec for all overlays** (mandatory for Internet links).
- **Cloud-based firewalls** (e.g., FortiGate, Zscaler).
---
## **4. SD-WAN + IPSec Integration**
- **SD-WAN uses IPSec for secure tunnels** but adds:
- **Automated key rotation** (no manual PSK updates).
- **Tunnel bonding** (combines multiple links for throughput).
**Key Difference:**
- Traditional IPSec VPN = **static tunnels**.
- SD-WAN IPSec = **dynamic, SLA-driven tunnels**.
---
## **5. SD-WAN Troubleshooting (Top 5 Issues)**
| **Issue** | **Debug Command** | **Fix** |
|-------------------------------|--------------------------------------|---------|
| **Tunnels not coming up** | `show sdwan tunnel` (Cisco) | Check underlay reachability |
| **Poor VoIP quality** | `show sdwan app-route stats` | Adjust SLA thresholds |
| **Orchestrator sync failure** | `show sdwan control connections` | Verify certs/connectivity |
| **Traffic taking wrong path** | `show sdwan policy-service-path` | Fix application-aware rules |
| **High latency on backup** | `show sdwan interface` | Enable FEC (Forward Error Correction) |
---
## **6. SD-WAN vs. DMVPN (Common Interview Qs)**
**Q: When would you use SD-WAN over DMVPN?**
- **SD-WAN**: When you need **application-aware routing + centralized management**.
- **DMVPN**: When you need **scalable IPSec tunnels but dont need SaaS optimization**.
**Q: Can SD-WAN replace IPSec?**
- **No!** SD-WAN **uses** IPSec for encryption but adds intelligence on top.
---
## **7. Lab Practice (Quick Wins)**
1. **Simulate link failure** in GNS3/EVE-NG → Watch SD-WAN switch paths.
2. **Prioritize VoIP traffic** over YouTube.
3. **Break the orchestrator** → Observe fallback to local policies.
**CLI Examples (Cisco Viptela):**
```bash
show sdwan control connections # Check orchestrator status
show sdwan app-route stats # Verify path selection
clear sdwan tunnel # Force tunnel re-establishment
```
---
## **8. Interview Cheat Sheet**
**SD-WAN = Automation + Application-Aware Routing + Multiple Underlays**.
**IPSec is still used, but dynamically managed**.
**Key metrics: Jitter (<30ms), Latency (<150ms), Packet Loss (<1%)**.
**Orchestrator is the brain; edges are the muscle**.
---
### **Where to Go Next?**
1. **Deep dive into your vendors SD-WAN** (Cisco, Fortinet, VMware).
2. **Learn cloud-integrated SD-WAN** (AWS Transit Gateway, Azure Virtual WAN).
3. **Study real-world designs** (e.g., "How SD-WAN replaces MPLS").
Need a **deep dive on a specific SD-WAN vendor** or **mock scenarios**? Let me know! 🚀
---
Heres a **detailed comparison** of how **Cisco (Viptela & Meraki), Fortinet, and VMware** approach SD-WAN, highlighting their key differentiators, architectures, and use cases:
---
### **SD-WAN Vendor Deep Dive: Cisco vs. Meraki vs. Fortinet vs. VMware**
**Goal:** Understand how each vendor solves the same problems (reliability, security, simplicity) in different ways.
---
## **1. Architecture & Key Components**
| **Vendor** | **Control Plane** | **Data Plane** | **Orchestration** | **Security Integration** |
|------------|------------------|----------------|-------------------|--------------------------|
| **Cisco Viptela** | Distributed (vSmart controllers) | vEdge routers | **vManage** (on-prem/cloud) | **CloudSec (IPSec)** + Optional Umbrella |
| **Cisco Meraki** | Centralized (Cloud) | MX appliances | **Meraki Dashboard** (cloud-only) | **Auto VPN (IPSec)** + MX Security |
| **Fortinet** | Centralized (FortiManager) | FortiGate appliances | **FortiManager** + **FortiAnalyzer** | **Native NGFW (FortiGate)** |
| **VMware** | Centralized (vSmart controllers) | Edges (partner hardware) | **vCloud Orchestrator** (cloud/on-prem) | **Partner-integrated (e.g., Palo Alto)** |
---
## **2. Key Differentiators**
### **Cisco Viptela**
- **Best for:** Large enterprises, hybrid WAN, MPLS replacement.
- **Strengths:**
- **Flexible deployment** (on-prem/cloud).
- **Application-aware routing** (Deep Packet Inspection).
- **Multi-cloud integration** (AWS/Azure).
- **Weaknesses:**
- Complex for small deployments.
- No built-in NGFW (relies on Umbrella or third-party).
### **Cisco Meraki**
- **Best for:** SMBs, retail, zero-touch deployments.
- **Strengths:**
- **Dead simple** (cloud-managed, no CLI).
- **Auto VPN** (self-healing mesh).
- **Built-in security** (MX firewall, IDS/IPS).
- **Weaknesses:**
- Limited granular control (no advanced BGP/OSPF).
- No on-prem orchestrator.
### **Fortinet**
- **Best for:** Security-first organizations (tight FW/SD-WAN integration).
- **Strengths:**
- **Single-pass architecture** (SD-WAN + NGFW in one box).
- **FortiGuard AI/ML threat detection**.
- **Low-cost hardware**.
- **Weaknesses:**
- Less flexible for non-Fortinet shops.
- Orchestrator (FortiManager) feels outdated.
### **VMware (formerly VeloCloud)**
- **Best for:** Cloud-first enterprises, SaaS optimization.
- **Strengths:**
- **Best-in-class cloud/SaaS performance** (e.g., Office 365).
- **Broad hardware compatibility** (partner ecosystem).
- **Dynamic Multi-Path Optimization (DMPO)**.
- **Weaknesses:**
- No native security (relies on partners like Palo Alto).
- Complex pricing.
---
## **3. Feature Comparison**
| **Feature** | **Cisco Viptela** | **Cisco Meraki** | **Fortinet** | **VMware** |
|---------------------------|-------------------|------------------|--------------|------------|
| **Zero-Touch Provisioning** | ✅ Yes | ✅ Yes | ✅ Yes | ✅ Yes |
| **Application-Aware Routing** | ✅ (DPI) | ❌ (Limited) | ✅ (NGFW-integrated) | ✅ (DMPO) |
| **Built-in NGFW** | ❌ (Umbrella add-on) | ✅ (MX Security) | ✅ (FortiGate) | ❌ (Partner-based) |
| **Cloud Orchestration** | ✅ (vManage) | ✅ (Meraki Dashboard) | ✅ (FortiManager Cloud) | ✅ (vCloud) |
| **MPLS Hybrid Support** | ✅ Best-in-class | ❌ (Internet-only) | ✅ Yes | ✅ Yes |
| **SLA-Based Path Selection** | ✅ Yes | ❌ (Basic) | ✅ Yes | ✅ Yes |
---
## **4. How Each Vendor Handles Key SD-WAN Tasks**
### **1. Tunnel Establishment**
- **Cisco Viptela:** IPSec (manual or automated via vSmart).
- **Meraki:** Auto VPN (self-configured mesh).
- **Fortinet:** IPSec + SSL-VPN (FortiGate handles both).
- **VMware:** IPSec or DTLS (cloud-optimized).
### **2. Failover & Path Selection**
- **Cisco Viptela:** SLA-based (jitter/loss thresholds).
- **Meraki:** Basic link monitoring (latency/packet loss).
- **Fortinet:** AI-driven (FortiGuard updates).
- **VMware:** DMPO (real-time packet steering).
### **3. Security Integration**
- **Cisco Viptela:** Requires Umbrella or third-party.
- **Meraki:** MX Security Suite (IDS/IPS, content filtering).
- **Fortinet:** Native NGFW (no extra cost).
- **VMware:** Zscaler/Palo Alto integrations.
---
## **5. When to Choose Which Vendor?**
| **Use Case** | **Best Vendor** | **Why?** |
|--------------|----------------|----------|
| **Enterprise MPLS replacement** | Cisco Viptela | Flexible, hybrid WAN support |
| **Retail/Remote Branches** | Meraki | Zero-touch, cloud simplicity |
| **Security-first (e.g., Healthcare/Gov)** | Fortinet | Built-in NGFW, low TCO |
| **Cloud/SaaS-heavy (e.g., Tech)** | VMware | Best SaaS optimization |
---
## **6. CLI vs. GUI Showdown**
| **Vendor** | **CLI Access?** | **GUI Strengths** |
|------------|-----------------|-------------------|
| **Cisco Viptela** | ✅ Yes (vEdge) | vManage (granular policies) |
| **Meraki** | ❌ No | Drag-and-drop simplicity |
| **Fortinet** | ✅ Yes (FortiGate) | Single pane for SD-WAN + NGFW |
| **VMware** | ❌ (Partner-dependent) | vCloud Orchestrator (SaaS metrics) |
---
## **7. Real-World Deployment Scenarios**
### **Cisco Viptela**
- **Global enterprise** with 500+ branches needing MPLS + Internet hybrid.
- **Policy Example:**
```plaintext
IF (Application == VoIP) → Prefer MPLS
IF (Link Latency > 100ms) → Switch to LTE
```
### **Meraki**
- **Coffee chain** with 100 stores needing plug-and-play VPNs.
- **Policy Example:**
```plaintext
ALL Traffic → Use cheapest link (broadband/LTE)
```
### **Fortinet**
- **Hospital** needing HIPAA-compliant security + SD-WAN.
- **Policy Example:**
```plaintext
IF (Traffic == EHR) → Encrypt + Inspect (NGFW)
```
### **VMware**
- **Tech startup** using AWS + Office 365.
- **Policy Example:**
```plaintext
IF (SaaS == O365) → Direct-to-cloud (bypass HQ)
```
---
## **8. Interview Questions (Vendor-Specific)**
1. **Cisco Viptela:** How does vSmart simplify route distribution?
- **Answer:** Acts as a route reflector for full-mesh overlays.
2. **Meraki:** Can you use BGP with Auto VPN?
- **Answer:** No—Meraki uses simple static routes.
3. **Fortinet:** How does SD-WAN integrate with FortiGate?
- **Answer:** Single-pass processing (one engine handles FW + SD-WAN).
4. **VMware:** Whats DMPO?
- **Answer:** Dynamic Multi-Path Optimization (packet-level steering).
---
### **Final Takeaways**
- **Cisco Viptela:** Most flexible for complex enterprises.
- **Meraki:** Simplest for distributed SMBs.
- **Fortinet:** Best for "security-first" teams.
- **VMware:** Ideal for cloud-native apps.
Need a **deep dive on one vendors architecture** or **mock design scenarios**? Let me know! 🛠️