medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
the_information_nexus/tech_docs/networking/SD-WAN.md

12 KiB
Raw Permalink Blame History

Heres the 20% of SD-WAN that covers 80% of what you need to know, with a focus on practical knowledge for senior network roles and seamless integration with your IPSec expertise:

SD-WAN Crash Course: The 20% That Matters

Goal: Understand core SD-WAN concepts, how they differ from traditional WAN, and how they integrate with IPSec.

1. SD-WAN vs Traditional WAN

Feature Traditional WAN (MPLS/VPN) SD-WAN
Cost Expensive (MPLS circuits) Cheaper (uses Internet + broadband)
Agility Manual config changes Centralized, automated policies
Performance Predictable but rigid Dynamic path selection (jitter/loss-aware)
Security Relies on IPSec/MPLS Built-in encryption (IPSec, TLS)
Topology Hub-and-spoke Any-to-any, mesh

Key Takeaway:

  • SD-WAN decouples control plane from hardware, allowing dynamic traffic routing over any transport (MPLS, LTE, broadband).

2. SD-WAN Core Components

(1) Edge Devices (CPE)

  • e.g., Cisco vEdge, FortiGate, VeloCloud
  • Sit at branch offices, apply policies, and encrypt traffic.

(2) Orchestrator (Controller)

  • e.g., Cisco vManage, VMware Orchestrator
  • Centralized policy management (no CLI needed!).

(3) Overlay Tunnels

  • Encrypted tunnels (IPSec, GRE, DTLS) between edges.
  • Uses TLOC (Transport Locator) = Public IP + Color (e.g., INET, MPLS).

(4) Underlay Transport

  • Any WAN link: MPLS, Internet, LTE, 5G.

3. How SD-WAN Works (The 80% You Need)

(1) Path Selection

  • Dynamic multi-path steering: Chooses best path based on:
    • Application SLA (e.g., VoIP → low latency).
    • Real-time metrics (jitter, packet loss, latency).

Example Policy:

IF (Application == VoIP) AND (Latency > 50ms) → SWITCH to backup link

(2) Zero-Touch Provisioning (ZTP)

  • Plug in a device → auto-configures via orchestrator.

(3) Application-Aware Routing

  • DPI (Deep Packet Inspection) identifies apps (e.g., Teams, SAP).
  • QoS prioritization (VoIP > YouTube).

(4) Security Integration

  • IPSec for all overlays (mandatory for Internet links).
  • Cloud-based firewalls (e.g., FortiGate, Zscaler).

4. SD-WAN + IPSec Integration

  • SD-WAN uses IPSec for secure tunnels but adds:
    • Automated key rotation (no manual PSK updates).
    • Tunnel bonding (combines multiple links for throughput).

Key Difference:

  • Traditional IPSec VPN = static tunnels.
  • SD-WAN IPSec = dynamic, SLA-driven tunnels.

5. SD-WAN Troubleshooting (Top 5 Issues)

Issue Debug Command Fix
Tunnels not coming up show sdwan tunnel (Cisco) Check underlay reachability
Poor VoIP quality show sdwan app-route stats Adjust SLA thresholds
Orchestrator sync failure show sdwan control connections Verify certs/connectivity
Traffic taking wrong path show sdwan policy-service-path Fix application-aware rules
High latency on backup show sdwan interface Enable FEC (Forward Error Correction)

6. SD-WAN vs. DMVPN (Common Interview Qs)

Q: When would you use SD-WAN over DMVPN?

  • SD-WAN: When you need application-aware routing + centralized management.
  • DMVPN: When you need scalable IPSec tunnels but dont need SaaS optimization.

Q: Can SD-WAN replace IPSec?

  • No! SD-WAN uses IPSec for encryption but adds intelligence on top.

7. Lab Practice (Quick Wins)

  1. Simulate link failure in GNS3/EVE-NG → Watch SD-WAN switch paths.
  2. Prioritize VoIP traffic over YouTube.
  3. Break the orchestrator → Observe fallback to local policies.

CLI Examples (Cisco Viptela):

show sdwan control connections  # Check orchestrator status  
show sdwan app-route stats      # Verify path selection  
clear sdwan tunnel              # Force tunnel re-establishment

8. Interview Cheat Sheet

SD-WAN = Automation + Application-Aware Routing + Multiple Underlays.
IPSec is still used, but dynamically managed.
Key metrics: Jitter (<30ms), Latency (<150ms), Packet Loss (<1%).
Orchestrator is the brain; edges are the muscle.

Where to Go Next?

  1. Deep dive into your vendors SD-WAN (Cisco, Fortinet, VMware).
  2. Learn cloud-integrated SD-WAN (AWS Transit Gateway, Azure Virtual WAN).
  3. Study real-world designs (e.g., "How SD-WAN replaces MPLS").

Need a deep dive on a specific SD-WAN vendor or mock scenarios? Let me know! 🚀

Heres a detailed comparison of how Cisco (Viptela & Meraki), Fortinet, and VMware approach SD-WAN, highlighting their key differentiators, architectures, and use cases:

SD-WAN Vendor Deep Dive: Cisco vs. Meraki vs. Fortinet vs. VMware

Goal: Understand how each vendor solves the same problems (reliability, security, simplicity) in different ways.

1. Architecture & Key Components

Vendor Control Plane Data Plane Orchestration Security Integration
Cisco Viptela Distributed (vSmart controllers) vEdge routers vManage (on-prem/cloud) CloudSec (IPSec) + Optional Umbrella
Cisco Meraki Centralized (Cloud) MX appliances Meraki Dashboard (cloud-only) Auto VPN (IPSec) + MX Security
Fortinet Centralized (FortiManager) FortiGate appliances FortiManager + FortiAnalyzer Native NGFW (FortiGate)
VMware Centralized (vSmart controllers) Edges (partner hardware) vCloud Orchestrator (cloud/on-prem) Partner-integrated (e.g., Palo Alto)

2. Key Differentiators

Cisco Viptela

  • Best for: Large enterprises, hybrid WAN, MPLS replacement.
  • Strengths:
    • Flexible deployment (on-prem/cloud).
    • Application-aware routing (Deep Packet Inspection).
    • Multi-cloud integration (AWS/Azure).
  • Weaknesses:
    • Complex for small deployments.
    • No built-in NGFW (relies on Umbrella or third-party).

Cisco Meraki

  • Best for: SMBs, retail, zero-touch deployments.
  • Strengths:
    • Dead simple (cloud-managed, no CLI).
    • Auto VPN (self-healing mesh).
    • Built-in security (MX firewall, IDS/IPS).
  • Weaknesses:
    • Limited granular control (no advanced BGP/OSPF).
    • No on-prem orchestrator.

Fortinet

  • Best for: Security-first organizations (tight FW/SD-WAN integration).
  • Strengths:
    • Single-pass architecture (SD-WAN + NGFW in one box).
    • FortiGuard AI/ML threat detection.
    • Low-cost hardware.
  • Weaknesses:
    • Less flexible for non-Fortinet shops.
    • Orchestrator (FortiManager) feels outdated.

VMware (formerly VeloCloud)

  • Best for: Cloud-first enterprises, SaaS optimization.
  • Strengths:
    • Best-in-class cloud/SaaS performance (e.g., Office 365).
    • Broad hardware compatibility (partner ecosystem).
    • Dynamic Multi-Path Optimization (DMPO).
  • Weaknesses:
    • No native security (relies on partners like Palo Alto).
    • Complex pricing.

3. Feature Comparison

Feature Cisco Viptela Cisco Meraki Fortinet VMware
Zero-Touch Provisioning Yes Yes Yes Yes
Application-Aware Routing (DPI) (Limited) (NGFW-integrated) (DMPO)
Built-in NGFW (Umbrella add-on) (MX Security) (FortiGate) (Partner-based)
Cloud Orchestration (vManage) (Meraki Dashboard) (FortiManager Cloud) (vCloud)
MPLS Hybrid Support Best-in-class (Internet-only) Yes Yes
SLA-Based Path Selection Yes (Basic) Yes Yes

4. How Each Vendor Handles Key SD-WAN Tasks

1. Tunnel Establishment

  • Cisco Viptela: IPSec (manual or automated via vSmart).
  • Meraki: Auto VPN (self-configured mesh).
  • Fortinet: IPSec + SSL-VPN (FortiGate handles both).
  • VMware: IPSec or DTLS (cloud-optimized).

2. Failover & Path Selection

  • Cisco Viptela: SLA-based (jitter/loss thresholds).
  • Meraki: Basic link monitoring (latency/packet loss).
  • Fortinet: AI-driven (FortiGuard updates).
  • VMware: DMPO (real-time packet steering).

3. Security Integration

  • Cisco Viptela: Requires Umbrella or third-party.
  • Meraki: MX Security Suite (IDS/IPS, content filtering).
  • Fortinet: Native NGFW (no extra cost).
  • VMware: Zscaler/Palo Alto integrations.

5. When to Choose Which Vendor?

Use Case Best Vendor Why?
Enterprise MPLS replacement Cisco Viptela Flexible, hybrid WAN support
Retail/Remote Branches Meraki Zero-touch, cloud simplicity
Security-first (e.g., Healthcare/Gov) Fortinet Built-in NGFW, low TCO
Cloud/SaaS-heavy (e.g., Tech) VMware Best SaaS optimization

6. CLI vs. GUI Showdown

Vendor CLI Access? GUI Strengths
Cisco Viptela Yes (vEdge) vManage (granular policies)
Meraki No Drag-and-drop simplicity
Fortinet Yes (FortiGate) Single pane for SD-WAN + NGFW
VMware (Partner-dependent) vCloud Orchestrator (SaaS metrics)

7. Real-World Deployment Scenarios

Cisco Viptela

  • Global enterprise with 500+ branches needing MPLS + Internet hybrid.
  • Policy Example: 
    IF (Application == VoIP) → Prefer MPLS  
IF (Link Latency > 100ms) → Switch to LTE

Meraki

  • Coffee chain with 100 stores needing plug-and-play VPNs.
  • Policy Example: 
    ALL Traffic → Use cheapest link (broadband/LTE)

Fortinet

  • Hospital needing HIPAA-compliant security + SD-WAN.
  • Policy Example: 
    IF (Traffic == EHR) → Encrypt + Inspect (NGFW)

VMware

  • Tech startup using AWS + Office 365.
  • Policy Example: 
    IF (SaaS == O365) → Direct-to-cloud (bypass HQ)

8. Interview Questions (Vendor-Specific)

  1. Cisco Viptela: How does vSmart simplify route distribution?

    • Answer: Acts as a route reflector for full-mesh overlays.

  2. Meraki: Can you use BGP with Auto VPN?

    • Answer: No—Meraki uses simple static routes.

  3. Fortinet: How does SD-WAN integrate with FortiGate?

    • Answer: Single-pass processing (one engine handles FW + SD-WAN).

  4. VMware: Whats DMPO?

    • Answer: Dynamic Multi-Path Optimization (packet-level steering).

Final Takeaways

  • Cisco Viptela: Most flexible for complex enterprises.
  • Meraki: Simplest for distributed SMBs.
  • Fortinet: Best for "security-first" teams.
  • VMware: Ideal for cloud-native apps.

Need a deep dive on one vendors architecture or mock design scenarios? Let me know! 🛠️