From the course: Implementing Cisco Software-Defined WAN (SD-WAN) for your Enterprise and Cloud

Cisco SD-WAN fabric operations

- [Instructor] In this lesson, I want to walk through the fabric initialization between two edge devices. So to start with, edge devices will authenticate to the vBond. So in this case, R1 will authenticate to the vBond, and then the vBond is going to authenticate with the R1 device. After that, we will go through the process of orchestrating connectivity to the vManage, and it'll also orchestrate connectivity to the vSmart. Now, at this point in time, most of the interesting magic is going to happen between the edge devices and the vSmarts. So I'd like to go ahead and clear that out and draw that up a little bit cleaner.

So we've established the DTLS tunnel, and inside of that, we have OMP established. The next thing we will do is take all the service-side prefixes, whether they came from a routing protocol or they're directly attached. Those network prefixes need to be advertised towards the vSmarts. Now, at this point in time, any policies that need to process can process on the vSmarts before those network prefixes are then advertised down to R2. At the same time that this is happening from R1 to R2, R2 is doing the same thing up to the vSmarts and back down to R1. Now, at this point in time, as far as where both of those nodes are, they have full reachability information, in that the subnets have been advertised to the vSmart and then back down to the other edge, and vice versa. In addition, the TLOCs, which are the encapsulating interface IP addresses and colors and system IPs, have been advertised to each other. So they now have the correct information they need to start forming the tunnels. They also have the encryption keys that are necessary to encrypt those tunnels. And any policies that actually needed to process were already processed and applied as part of the route advertisement process.

So now that all these edge devices know that they need to connect with the other edge devices through what the vSmart has told them, they'll start the process of building up the IPsec tunnel. And once we have the IPsec tunnel established, we'll bring up a BFD session to verify the health and state of that tunnel.

Now I want to dive a little bit deeper into how the encryption keys are built or generated. First and foremost, each edge device is responsible for generating its own encryption keys. So in this case, R1 has generated two encryption keys: Key1 will be used for Transport1 and Key2 will be used for Transport2. Those encryption keys will then be advertised through an OMP update to the vSmart and back down to the other edge device, because the vSmart knows where the tunnels need to form. Now, R2 has received those keys and knows that Key1 is going to be for Transport1 and Key2 is for Transport2. Just as before, R2 will generate its own encryption keys. In this case, Key3 will be for Transport1 and Key4 will be for Transport2. And those encryption keys will be advertised back up to the vSmart and back down to R1. So now both devices have the appropriate information to know what to encrypt and how to decrypt it with the private and public keys that each device created. With that being said, they will now be able to successfully establish that IPsec tunnel.

One of the benefits of this is that it gets rid of one of those famous technologies that I love to troubleshoot. I'll give you a hint if you don't know what it is: there was a presidential campaign in the 1950s that went, "I like Ike." That's right, this helps get rid of IKE and simplifies the administration of bringing up those tunnels. And if we want to go through and force a key change, we can do that very quickly and easily. And this concludes this lesson.
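The key distribution described in the lesson, as an added example that is not part of the course or of Cisco's code: two edges each generate their own key per transport, a vSmart reflects the OMP TLOC updates between them (with a policy hook where a control policy could withhold a TLOC), the far edge encrypts toward a TLOC with the key that TLOC's owner advertised, and a forced rekey needs nothing more than another OMP update, with no IKE negotiation anywhere. The keys are modeled as symmetric per-TLOC keys. The HMAC-SHA256 counter-mode cipher, the `Edge`, `VSmart`, `Tloc` and `TlocUpdate` names, the SPI numbering and the 10.1.1.x system IPs are all constructed for this example and are not Cisco's. Outbound SAs are keyed per remote TLOC only, so the per-transport-pair BFD sessions the lesson mentions are not modeled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Tloc:              # transport locator: system IP + color (encap fixed to IPsec here)
    system_ip: str
    color: str

@dataclass(frozen=True)
class TlocUpdate:        # one OMP TLOC route: the TLOC plus the SPI/key peers must use toward it
    tloc: Tloc
    spi: int
    key: bytes

def _keystream_xor(key, nonce, data):
    # HMAC-SHA256 counter mode, a constructed stand-in for the AES-GCM a real edge would use.
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key, nonce, plaintext):
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key, packet):
    nonce, ct, tag = packet[:12], packet[12:-16], packet[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed: wrong or stale key")
    return _keystream_xor(key, nonce, ct)

class Edge:
    def __init__(self, system_ip, colors):
        self.system_ip = system_ip
        self.inbound = {}            # color -> (spi, key) generated by this edge for that transport
        self.outbound = {}           # remote Tloc -> TlocUpdate learned through OMP
        self._spi = 0x100
        for color in colors:
            self.rekey(color)

    def rekey(self, color):
        # A forced key change is just a new SPI/key pair; it takes effect once OMP re-advertises it.
        self._spi += 1
        self.inbound[color] = (self._spi, os.urandom(32))

    def tloc_updates(self):
        return [TlocUpdate(Tloc(self.system_ip, c), spi, key) for c, (spi, key) in self.inbound.items()]

    def install(self, update):
        self.outbound[update.tloc] = update

    def send(self, remote_tloc, payload):
        # Encrypt toward a remote TLOC with the key that TLOC's owner generated and advertised.
        sa = self.outbound[remote_tloc]
        return sa.spi, seal(sa.key, os.urandom(12), payload)

    def receive(self, color, spi, packet):
        local_spi, key = self.inbound[color]
        if spi != local_spi:
            raise ValueError("unknown SPI %#x on %s" % (spi, color))
        return unseal(key, packet)

class VSmart:
    # Reflects every edge's TLOC updates to every other edge; policy(update, dst) may withhold one.
    def __init__(self, edges, policy=lambda update, dst: True):
        self.edges, self.policy = edges, policy

    def converge(self):
        for src in self.edges:
            for upd in src.tloc_updates():
                for dst in self.edges:
                    if dst is not src and self.policy(upd, dst):
                        dst.install(upd)

def fabric_demo():
    r1 = Edge("10.1.1.1", ["biz-internet", "mpls"])
    r2 = Edge("10.1.1.2", ["biz-internet", "mpls"])
    vsmart = VSmart([r1, r2])
    vsmart.converge()                      # both edges now hold each other's per-TLOC keys
    r2_mpls = Tloc("10.1.1.2", "mpls")
    spi, pkt = r1.send(r2_mpls, b"service-side traffic")
    first = r2.receive("mpls", spi, pkt)
    r2.rekey("mpls")                       # forced key change on R2's MPLS transport
    stale_rejected = False
    try:
        spi, pkt = r1.send(r2_mpls, b"sent before the new key reached R1")
        r2.receive("mpls", spi, pkt)
    except ValueError:
        stale_rejected = True
    vsmart.converge()                      # the new key travels as just another TLOC update
    spi, pkt = r1.send(r2_mpls, b"after the OMP update")
    second = r2.receive("mpls", spi, pkt)
    return {"first": first, "stale_rejected": stale_rejected, "second": second,
            "remote_tlocs_learned": sorted(t.color for t in r1.outbound)}
```

Calling `fabric_demo()` walks the sequence from the lesson: after the first `converge()` R1 can encrypt to R2's MPLS TLOC, the packet built between R2's rekey and the next OMP update is rejected at R2 because its SPI no longer matches, and once the vSmart has reflected the new TLOC update the traffic flows again. Passing a `policy` such as `lambda u, d: u.tloc.color == "mpls"` to `VSmart` withholds the other colors' TLOCs, which is the point in the exchange where the lesson says control policy is applied before anything reaches the far edge.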