medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4eacddaa411b389e815d5f307635d93cf81ef51c
the_information_nexus/tech_docs/networking/sdwan_primer.md

5.0 KiB
Raw Blame History

Heres the 20% of SD-WAN that covers 80% of what you need to know, with a focus on practical knowledge for senior network roles and seamless integration with your IPSec expertise:

SD-WAN Crash Course: The 20% That Matters

Goal: Understand core SD-WAN concepts, how they differ from traditional WAN, and how they integrate with IPSec.

1. SD-WAN vs Traditional WAN

Feature Traditional WAN (MPLS/VPN) SD-WAN
Cost Expensive (MPLS circuits) Cheaper (uses Internet + broadband)
Agility Manual config changes Centralized, automated policies
Performance Predictable but rigid Dynamic path selection (jitter/loss-aware)
Security Relies on IPSec/MPLS Built-in encryption (IPSec, TLS)
Topology Hub-and-spoke Any-to-any, mesh

Key Takeaway:

  • SD-WAN decouples control plane from hardware, allowing dynamic traffic routing over any transport (MPLS, LTE, broadband).

2. SD-WAN Core Components

(1) Edge Devices (CPE)

  • e.g., Cisco vEdge, FortiGate, VeloCloud
  • Sit at branch offices, apply policies, and encrypt traffic.

(2) Orchestrator (Controller)

  • e.g., Cisco vManage, VMware Orchestrator
  • Centralized policy management (no CLI needed!).

(3) Overlay Tunnels

  • Encrypted tunnels (IPSec, GRE, DTLS) between edges.
  • Uses TLOC (Transport Locator) = Public IP + Color (e.g., INET, MPLS).

(4) Underlay Transport

  • Any WAN link: MPLS, Internet, LTE, 5G.

3. How SD-WAN Works (The 80% You Need)

(1) Path Selection

  • Dynamic multi-path steering: Chooses best path based on:
    • Application SLA (e.g., VoIP → low latency).
    • Real-time metrics (jitter, packet loss, latency).

Example Policy:

IF (Application == VoIP) AND (Latency > 50ms) → SWITCH to backup link

(2) Zero-Touch Provisioning (ZTP)

  • Plug in a device → auto-configures via orchestrator.

(3) Application-Aware Routing

  • DPI (Deep Packet Inspection) identifies apps (e.g., Teams, SAP).
  • QoS prioritization (VoIP > YouTube).

(4) Security Integration

  • IPSec for all overlays (mandatory for Internet links).
  • Cloud-based firewalls (e.g., FortiGate, Zscaler).

4. SD-WAN + IPSec Integration

  • SD-WAN uses IPSec for secure tunnels but adds:
    • Automated key rotation (no manual PSK updates).
    • Tunnel bonding (combines multiple links for throughput).

Key Difference:

  • Traditional IPSec VPN = static tunnels.
  • SD-WAN IPSec = dynamic, SLA-driven tunnels.

5. SD-WAN Troubleshooting (Top 5 Issues)

Issue Debug Command Fix
Tunnels not coming up show sdwan tunnel (Cisco) Check underlay reachability
Poor VoIP quality show sdwan app-route stats Adjust SLA thresholds
Orchestrator sync failure show sdwan control connections Verify certs/connectivity
Traffic taking wrong path show sdwan policy-service-path Fix application-aware rules
High latency on backup show sdwan interface Enable FEC (Forward Error Correction)

6. SD-WAN vs. DMVPN (Common Interview Qs)

Q: When would you use SD-WAN over DMVPN?

  • SD-WAN: When you need application-aware routing + centralized management.
  • DMVPN: When you need scalable IPSec tunnels but dont need SaaS optimization.

Q: Can SD-WAN replace IPSec?

  • No! SD-WAN uses IPSec for encryption but adds intelligence on top.

7. Lab Practice (Quick Wins)

  1. Simulate link failure in GNS3/EVE-NG → Watch SD-WAN switch paths.
  2. Prioritize VoIP traffic over YouTube.
  3. Break the orchestrator → Observe fallback to local policies.

CLI Examples (Cisco Viptela):

show sdwan control connections  # Check orchestrator status  
show sdwan app-route stats      # Verify path selection  
clear sdwan tunnel              # Force tunnel re-establishment

8. Interview Cheat Sheet

SD-WAN = Automation + Application-Aware Routing + Multiple Underlays.
IPSec is still used, but dynamically managed.
Key metrics: Jitter (<30ms), Latency (<150ms), Packet Loss (<1%).
Orchestrator is the brain; edges are the muscle.

Where to Go Next?

  1. Deep dive into your vendors SD-WAN (Cisco, Fortinet, VMware).
  2. Learn cloud-integrated SD-WAN (AWS Transit Gateway, Azure Virtual WAN).
  3. Study real-world designs (e.g., "How SD-WAN replaces MPLS").

Need a deep dive on a specific SD-WAN vendor or mock scenarios? Let me know! 🚀