[Part 5] Cisco SDWAN - vBond Controllers
Orchestration Plane { The Cornerstone of Cisco SD-WAN Fabric }
Introduction
In a software-defined wide area network (SD-WAN) architecture, the vBond controller plays a critical role in orchestrating the connectivity and authentication between various elements within the SD-WAN fabric.
Understanding the purpose and functionality of the vBond controller is essential to grasp the inner workings of Cisco SD-WAN. In this article, we will delve into the intricacies of vBond, its role within the SD-WAN fabric, and provide a detailed explanation of how it operates.
What is vBond Controller?
At its core, the vBond controller is a centralized orchestration component within the Cisco SD-WAN architecture.
It acts as the initial point of contact for SD-WAN devices, facilitating secure authentication and bootstrapping of the network elements.
The vBond controller establishes secure tunnels (DTLS/TLS) with each SD-WAN device in the fabric, ensuring secure communication and enabling the establishment of control and data plane connections.
Read more: Cisco SDWAN Planes
Role of vBond Controller
The vBond controller fulfills several vital roles within the SD-WAN fabric, including:
Authentication and Identity Management
NAT-T Support
Device Bootstrapping
Overlay Network Establishment
Authentication and Identity Management
vBond authenticates SD-WAN devices and ensures their identity before allowing them to join the SD-WAN fabric. It verifies device certificates, authorizes device enrollment, and securely distributes control plane information.
When an SD-WAN device boots up, it initiates contact with the vBond controller. The vBond controller verifies the device's identity, checks its certificate, and authorizes its enrollment into the SD-WAN fabric.
Once authenticated, the vBond controller and the SD-WAN device establish a secure DTLS (Datagram Transport Layer Security) tunnel. This secure tunnel is used for control plane communication between the vBond controller and the SD-WAN device.
NAT-T Support
In Cisco SD-WAN, the vBond controller plays a crucial role in handling Network Address Translation (NAT) within the fabric.
When a WAN Edge router connects to the vBond controller, it includes its real IP address (Private IP Address) and Port to the exchange information. If the router is behind a NAT device, the NAT device will translate the source IP and possibly the source port of the packet.
Since the message still contains the WAN Edge’s real IP Address and Port, the vBond controller is aware of this translation and sends a message back to the WAN Edge router, notifying it that it is behind a NAT.
The WAN Edge router updates its OMP TLOC route with this information and sends it to the vSmart controller. This information is then shared with other WAN Edge routers in the overlay network.
OMP - Overlay Management Protocol, which is used to exchange routing and encryption key information in Cisco SDWAN between vSmarts and WAN Edges.
No worry, the detailed explanation will come in later posts.
By exchanging this NAT information, all WAN Edge routers in the fabric can adapt their data plane accordingly. They will use the correct IP and port values to establish communication, even when they are behind a NAT device.
WAN Edges devices receive other Edge's information (Public IP, Private IP, NAT type, etc.), and use this information to establish a secure connection with each other (IPSec).
That's why they need to know the peer WAN Edge is behind the NAT device or not.
Device Bootstrapping
Device bootstrapping is a crucial aspect of the vBond controller's role in the SD-WAN fabric. During the bootstrapping process, the vBond controller delivers essential configuration parameters and establishes the initial connectivity for SD-WAN devices.
This process enables the devices to join the SD-WAN fabric and participate in the overlay network.
It simplifies the deployment process of SD-WAN devices and automates the provisioning of devices by eliminating the need for manual configuration.
This reduces the potential for human error and streamlines the overall deployment process, saving time and effort for network administrators.
The detailed onboarding WAN Edges with vBond bootstraps will be talked about in later specific posts.
Overlay Network Establishment
Through control plane messaging, vBond establishes secure control plane tunnels with SD-WAN devices.
Through the secure tunnel, the vBond controller provides critical control plane information to the SD-WAN device, including the IP addresses of other control plane elements such as vSmart controllers and vManage.
Read more: Cisco SDWAN vManage and Cluster
Key Takeaway
The vBond controller serves as a fundamental component of the Cisco SD-WAN fabric, enabling secure authentication, bootstrapping, and orchestration of SD-WAN devices.
My name is Nam who loves to talk and share knowledge related to Networking, Automation, and so on. More about me: nam-nguyen.me
Hope you enjoy the blog and don't forget to join the Tech-Learner-Hub to get more and more valuable content.