Cisco SD-WAN SEN (Secure Extensible Network) applies software-defined networking concepts to the wide area network. Legacy WAN technology has become increasingly expensive and complex, and it cannot scale to meet the needs of today's multisite enterprises. What separates Cisco SD-WAN from other SD-WANs is that it reimagines the WAN for a new generation of enterprise networks, separating the data plane from the control plane and virtualizing much of the routing that used to require dedicated hardware.


Basically, SD-WAN is meant to address the following WAN challenges:

  • Efficiency: The network landscape is changing in that multiple transports are available, and enterprises want to leverage all of them while managing them in a simplified fashion.
  • Experience: Enterprises and service providers care about the quality of experience their applications get. The network therefore needs to be more intelligent about delivering that quality of experience, and it must provide visibility into what is happening with the applications in this environment.
  • Security: Every enterprise needs strict controls for audit and compliance, and must be able to mitigate existing and evolving threats in the networking landscape.

With traditional networking we saw multiple transports being used, but over the years transports are no longer limited to one or two. Enterprises now have any number of transports available in different geographic regions: MPLS, Metro Ethernet, LTE, broadband, VSAT and so on. So there is a huge range of transport combinations that customers can leverage for their enterprises.



SD-WAN Capabilities


We want to deploy branches in a simple fashion across any transport, leveraging anything and everything to bring up all of our sites as quickly as possible. Moreover, the way applications are consumed is changing, so the network should also be able to extend to any type of endpoint: private cloud, colocation and public cloud. Whatever transport connects our network must let us reach any type of infrastructure while delivering the required quality of experience. Finally, no matter which transport is used, everything has to be encrypted and secured.



Cisco Intent-Based Networking for WAN



In the Cisco SD-WAN framework there are essentially four things to remember:

  • Secure transport fabric: the encrypted overlay that carries traffic across any transport.
  • Application visibility and QoE: what the application patterns look like, what quality of experience those applications get, and the ability to tune which path is taken and what QoE each application should have.
  • Flexible consumption: the services can be consumed in any form, physical or virtual appliance, rich services or cloud-ready applications, which is critical to your long-term planning.
  • Cloud delivery and analytics: everything is delivered through the cloud with rich analytics showing what is happening in your environment, what to do about it and how to change it so the network experience gets better.

Intent-Based Networking boils down to three aspects: Translation, which captures business objectives; Activation, which translates those business goals into policy directives; and Assurance, which provides visibility into what is happening in your infrastructure. All three capabilities are delivered by Cisco vManage.



Cisco SD-WAN Architecture


Let us explore the components that make up the SD-WAN solution. This division of labor allows each networking layer to focus on what it does best: the control plane manages the rules for routing traffic through the overlay network, and the data plane forwards the actual data packets among the network devices. The solution provides the following roles:

  • Orchestrator: a mechanism that orchestrates connectivity.
  • Management: an appliance that provides the management capabilities for the environment.
  • Control: a mechanism that deploys the different topologies and enforces policy.
  • Data: responsible for carrying application data in the environment.


To deliver these capabilities the solution has the following appliance types, each providing one of the roles above:


Cisco vBond is responsible for orchestration and initiates the bring-up of every WAN edge device. As the first step it establishes a secure (DTLS) tunnel with the edge, authenticates it, and informs vSmart and vManage about the edge's parameters, such as its IP address. It must be reachable by every device in the fabric, which is why it is typically given a public IP address.


Cisco vManage is the centralized management portal used to configure, run and operate the software-defined WAN.


Cisco vSmart is the controller of the network. It distributes routing information and the centralized control and data policies to the WAN edge devices using the Overlay Management Protocol (OMP).


Cisco vEdge is a Viptela router that receives its control and data policies from vSmart. It can run routing protocols such as OSPF and BGP for connectivity on the LAN side and, if necessary, with an MPLS provider, and it establishes secure IPsec tunnels with other edge routers according to the selected topology.


Cisco cEdge is an IOS XE router running IOS XE SD-WAN software; it fills the same WAN edge role as a vEdge.


Together these appliance types make up the Cisco SD-WAN solution. vBond, vManage and vSmart are virtual entities that can reside on premises or in the cloud; the most common consumption model is as a service directly from Cisco. The WAN edge is an actual router, available either as a vEdge platform or as an IOS XE (cEdge) platform in various form factors such as the ASR and ISR series, the virtualized Cisco CSR1000v and the Catalyst 8000 Edge Platforms.
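To make the division of labor concrete, here is an added example written for this article (it is not Cisco code) that simulates the bring-up and route distribution described above in Python: vBond admits an edge only if its organization name and serial number are authorized (an assumption standing in for the certificate-based checks), vSmart collects TLOC advertisements over OMP and filters them through a centralized control policy, and each edge derives its IPsec tunnels from what it learned. All hostnames, serials, site IDs, colors and addresses are constructed sample data, and the hub-and-spoke policy is one possible control policy, not the only one.

```python
"""Constructed simulation of the control-plane bring-up and OMP route
distribution described above.  Written for this article as an illustration;
it is not Cisco code.  Hostnames, serials, site IDs, colors, addresses and
the authorization checks are sample assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tloc:
    """Transport locator: (system IP, color, public IP) identifies one WAN link."""
    system_ip: str
    color: str
    public_ip: str


@dataclass
class Edge:
    hostname: str
    system_ip: str
    org: str
    serial: str
    site_id: int
    tlocs: list
    peers: set = field(default_factory=set)   # TLOCs learned from vSmart via OMP


class VBond:
    """Orchestrator.  Assumed checks before an edge learns anything about the
    fabric: organization name must match and the serial must be in the
    authorized-device list (in practice enforced with device certificates)."""

    def __init__(self, org, authorized_serials, vsmart):
        self.org, self.authorized, self.vsmart = org, set(authorized_serials), vsmart

    def admit(self, edge):
        if edge.org != self.org or edge.serial not in self.authorized:
            return False                      # rejected: never told where vSmart is
        self.vsmart.register(edge)            # vBond introduces the edge (and its IPs) to the controller
        return True


class VSmart:
    """Controller.  Collects TLOC advertisements over OMP and applies a
    centralized control policy before re-advertising them to each edge."""

    def __init__(self, policy):
        self.policy = policy                  # policy(receiver_site, tloc_site) -> bool
        self.edges = {}
        self.tloc_table = set()               # (site_id, Tloc)

    def register(self, edge):
        self.edges[edge.system_ip] = edge

    def omp_update(self, edge):
        for t in edge.tlocs:
            self.tloc_table.add((edge.site_id, t))

    def advertise(self):
        for edge in self.edges.values():
            edge.peers = {t for site, t in self.tloc_table
                          if t.system_ip != edge.system_ip
                          and self.policy(edge.site_id, site)}


def full_mesh(receiver_site, tloc_site):
    return True


def hub_and_spoke(hub_site):
    """Spokes only learn the hub's TLOCs, so spoke-to-spoke tunnels never form."""
    def allow(receiver_site, tloc_site):
        return receiver_site == hub_site or tloc_site == hub_site
    return allow


def data_plane_tunnels(edge):
    """Assumption: an edge builds one IPsec tunnel per learned TLOC whose color
    matches one of its own colors (the default color-matching behaviour)."""
    return sorted({(local.color, peer.system_ip)
                   for local in edge.tlocs for peer in edge.peers
                   if local.color == peer.color})


def sample_edges():
    """Constructed sample fabric: one hub, two spokes, one device with an unknown serial."""
    return [
        Edge("hub", "10.0.0.1", "acme", "SN-HUB-1", 1,
             [Tloc("10.0.0.1", "mpls", "203.0.113.1"),
              Tloc("10.0.0.1", "biz-internet", "198.51.100.1")]),
        Edge("spoke-a", "10.0.0.10", "acme", "SN-SPK-A", 10,
             [Tloc("10.0.0.10", "biz-internet", "198.51.100.10")]),
        Edge("spoke-b", "10.0.0.20", "acme", "SN-SPK-B", 20,
             [Tloc("10.0.0.20", "mpls", "203.0.113.20"),
              Tloc("10.0.0.20", "biz-internet", "198.51.100.20")]),
        Edge("rogue", "10.0.0.99", "acme", "SN-UNKNOWN", 99,
             [Tloc("10.0.0.99", "biz-internet", "198.51.100.99")]),
    ]


def build_fabric(policy):
    """Run the bring-up: vBond admission, OMP advertisement, policy, tunnels.
    Returns ({hostname: tunnels}, [rejected hostnames])."""
    vsmart = VSmart(policy)
    vbond = VBond("acme", ["SN-HUB-1", "SN-SPK-A", "SN-SPK-B"], vsmart)
    edges, rejected = sample_edges(), []
    for e in edges:
        if vbond.admit(e):
            vsmart.omp_update(e)
        else:
            rejected.append(e.hostname)
    vsmart.advertise()
    return {e.hostname: data_plane_tunnels(e) for e in edges}, rejected


if __name__ == "__main__":
    for name, policy in (("full mesh", full_mesh), ("hub-and-spoke", hub_and_spoke(1))):
        tunnels, rejected = build_fabric(policy)
        print(name, tunnels, "rejected:", rejected)
```

Run it and compare the two policies: under full mesh spoke-a builds a tunnel to spoke-b, under hub-and-spoke it only reaches the hub, even though nothing was changed on the spokes themselves; the topology is decided entirely on vSmart. The device with an unknown serial never learns a TLOC and builds nothing, which is why the authorized-device list and the vBond authentication step are the security boundary of the control plane.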


Cisco SD-WAN Firewall Compliance

The security features available in the security policy dashboard of Cisco vManage enable the following capabilities at remote sites running IOS XE SD-WAN WAN edge platforms.

vManage includes predefined workflows for several intent-based use cases, such as:

  • Compliance (Application Firewall | Intrusion Prevention)
  • Guest Access (Application Firewall | URL Filtering)
  • Direct Cloud Access (Application Firewall | Intrusion Prevention | Advanced Malware Protection | DNS Security)
  • Direct Internet Access (Application Firewall | Intrusion Prevention | URL Filtering | Advanced Malware Protection | DNS Security)

In addition, you can build a custom policy by combining any of these security features. Features such as Application Firewall and IPS on the WAN edge let customers restrict the Internet destinations that remote employees and guests can reach, protect the internal network from malware in real time, and avoid the cost of deploying additional security equipment at the branch. Finally, central management makes it more intuitive to troubleshoot and monitor the SD-WAN overlay via the Cisco vManage GUI.
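The following added example (written for this article, not Cisco code and not Cisco's configuration syntax) models how a zone-based security policy of this kind is evaluated: zones, zone pairs, ordered rules and the extra features (IPS, URL filtering, AMP, DNS security) attached to inspected traffic. It reproduces the "Guest Access" and "Direct Internet Access" intents from the list above and adds a simple compliance check that flags "pass" rules, since passed traffic bypasses every inspection feature. Zone names, rule contents, feature labels and the sample flows are assumptions.

```python
"""Constructed model of a zone-based firewall policy of the kind the vManage
security dashboard builds.  Written for this article; not Cisco code or
Cisco's configuration syntax.  Zone names, rule contents, feature labels and
the sample flows are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str                 # assumed output of application recognition


@dataclass(frozen=True)
class Rule:
    apps: frozenset          # empty set = match any application
    action: str              # "inspect", "pass" or "drop"
    features: frozenset = frozenset()   # e.g. {"ips", "url-filtering"}; used only with "inspect"


class ZoneBasedFirewall:
    """First-match evaluation per zone pair.  Assumed defaults: traffic inside
    one zone is permitted, traffic between zones with no zone pair is dropped,
    and a zone pair whose rules do not match falls through to drop."""

    def __init__(self):
        self.zone_pairs = {}                    # (src_zone, dst_zone) -> [Rule, ...]

    def add_zone_pair(self, src, dst, rules):
        self.zone_pairs[(src, dst)] = list(rules)

    def evaluate(self, flow):
        if flow.src_zone == flow.dst_zone:
            return "pass", frozenset()
        rules = self.zone_pairs.get((flow.src_zone, flow.dst_zone))
        if rules is None:
            return "drop", frozenset()
        for rule in rules:
            if not rule.apps or flow.app in rule.apps:
                if rule.action == "inspect":
                    return "inspect", rule.features
                return rule.action, frozenset()
        return "drop", frozenset()

    def uninspected_rules(self):
        """Compliance check: 'pass' rules bypass IPS, URL filtering, AMP and
        DNS security entirely, so each one should be a deliberate exception."""
        return sorted((pair, i) for pair, rules in self.zone_pairs.items()
                      for i, r in enumerate(rules) if r.action == "pass")


WEB = frozenset({"http", "https"})
DIA_FEATURES = frozenset({"ips", "url-filtering", "amp", "dns-security"})


def sample_policy():
    """Constructed policy mirroring the 'Guest Access' and 'Direct Internet
    Access' intents.  There is deliberately no guest->lan zone pair, so guests
    cannot reach the internal network at all."""
    fw = ZoneBasedFirewall()
    fw.add_zone_pair("guest", "internet", [
        Rule(WEB, "inspect", frozenset({"url-filtering"})),
        Rule(frozenset({"dns"}), "inspect", frozenset({"dns-security"})),
        # anything else from guests (ssh, smtp, ...) falls through to drop
    ])
    fw.add_zone_pair("lan", "internet", [
        Rule(frozenset({"smtp"}), "drop"),           # mail must not leave directly from the branch
        Rule(frozenset({"ntp"}), "pass"),            # deliberate uninspected exception
        Rule(frozenset(), "inspect", DIA_FEATURES),  # everything else: full DIA inspection
    ])
    return fw


def sample_flows():
    """Constructed sample traffic."""
    return [
        Flow("guest", "lan", "ssh"),
        Flow("guest", "internet", "https"),
        Flow("guest", "internet", "ssh"),
        Flow("lan", "internet", "smtp"),
        Flow("lan", "internet", "https"),
        Flow("lan", "lan", "smb"),
    ]


def audit(fw, flows):
    """Return {flow: (action, features)} for every flow."""
    return {f: fw.evaluate(f) for f in flows}


if __name__ == "__main__":
    fw = sample_policy()
    for flow, (action, feats) in audit(fw, sample_flows()).items():
        print(f"{flow.src_zone}->{flow.dst_zone} {flow.app:6} {action:8} {sorted(feats)}")
    print("uninspected pass rules:", fw.uninspected_rules())
```

The two design points worth noticing are that segmentation comes from the absence of a zone pair (guest to LAN is dropped without a single rule being written) and that the compliance check reports the ntp "pass" rule, because a pass is precisely the traffic that none of the listed security features will ever see.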

