Uploaded by: Riya Agrawal

Name: Riya Lashkary

Roll No.: J219

Tutorial 10
TITLE: Integration of IPsec dynamic tunnels into SD-WAN

Q.1) Explain the integration of dynamic tunnels into SD-WAN
Ans –

When Cisco first created dynamic tunnels in DMVPN, the original implementation distributed a
full set of underlay and overlay routes to every site. Each site therefore held a direct
underlay next-hop route to every other site, so that when the tunnel endpoint route was
resolved it resolved to the WAN IP of the destination site router itself, and a tunnel could
then be set up directly. It soon became apparent that in large-scale environments the number
of routes grew unmanageably for smaller site routers with limited processing capacity and
memory. Any dynamic tunnel implementation must therefore manage route scale so that smaller
site routers are not overwhelmed by route table size or convergence processing.

Cisco SD-WAN simplifies and builds upon what DMVPN did. With the Overlay Management
Protocol (OMP), dynamic tunnel establishment is integrated into OMP updates in a way that
allows faster, more scalable tunnel establishment. Experience gained from a wide range of
DMVPN deployments over many years taught Cisco engineers a great deal about the network
dynamics that affect dynamic tunnel scalability, and many of those lessons drove the
development of the IPsec architecture found in Cisco SD-WAN.
With OMP, the control plane is separated from the data plane, and routes can be advertised
to all sites or only to a subset of sites. OMP routes can be tagged with a number of
different attributes, one of which is "Dynamic." To enable dynamic tunnels, you use the route
policy workflow in vManage to tag the OMP Transport Location (TLOC) routes (the WAN IPs)
registered by any site, or a subset of sites, as Dynamic.
The TLOCs can then be filtered so that vSmart advertises only the hub TLOC plus a selected
set of TLOCs marked as Dynamic. For TLOCs marked as Dynamic, the VPN tunnel is established
on demand rather than statically; any destination whose TLOC a site never receives is reached
through the hub. The topology and the sites where dynamic tunnels are allowed are controlled
through vManage policies, which minimizes the set of routes that must be carried at each site.
The same filter is also the reachability control: a site that is not sent a TLOC has neither
the route nor the key to build a direct tunnel to it, so the policy should be reviewed as a
segmentation decision and not only as a scaling one.

SD-WAN also provides specialized features to mitigate the effects of packet loss. These
include forward error correction, which reconstructs errored packets at the destination, and
packet duplication, which sends redundant copies of a traffic stream over diverse paths
through the WAN. Both features consume significant additional WAN bandwidth, which comes at a
real cost to the organization in both dollars and efficiency, so they should be enabled
selectively for the traffic classes that need them.
Q.2) Explain how IPsec secure tunnels are scaled and established in the SD-WAN architecture
Ans –
One of the key factors when considering an SD-WAN architecture for your network is how
IPsec secure tunnels are established. The method used can have a big impact on the network
scale and may be noticed only at the most critical times – such as when a large companywide
videocast is starting or during an SD-WAN appliance failure at an aggregation site. Events of
these types can drive very high load on the CPU of SD-WAN data plane devices as they
struggle to keep up with a rush of tunnel-establishment requests from remote devices. Some
devices may not be able to keep up or may lose routing connectivity if the load on the
control plane CPU becomes too high, starving other processes.

These types of problems come from the peer-to-peer nature of IPsec and Internet Key
Exchange (IKE) tunnel establishment and the fact that in most networks, the far endpoint of
the tunnel is a large-scale aggregation device. This aggregation device often has too many
peers to keep up with if they all want to establish tunnels at the same time. In addition, IKE
protocol negotiation takes time to establish a secure channel for key exchange, and it does
this every time key exchange is required.

In Cisco SD-WAN, this problem is eliminated by creating a highly secure, pre-established
control channel between every SD-WAN edge device and the controllers. The channel is
authenticated by Public Key Infrastructure (PKI) certificate exchange and encrypted with
AES-256-GCM. It is persistent and thus available for securely exchanging all kinds of
information, including the IPsec keys used for secure tunnel establishment between SD-WAN
peers. Figure 2 illustrates how OMP advertises IPsec keys securely over this pre-established
channel: each device generates its own data-plane key locally and advertises it together with
its TLOC, and the controller reflects that TLOC (key included) only to the peers that are
allowed to reach it. Keys are therefore exchanged and prestaged at SD-WAN peer devices and are
available immediately when needed, which eliminates the scale issues with peer-to-peer IKE
negotiation described earlier. The trade-off is that the secrecy of every data-plane key now
rests on the control channel and on the controller that reflects it, so certificate hygiene on
controllers and edge devices, and a regular rekey interval, matter more than they do in an
IKE-based design.
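The following is an added example written for this tutorial to model the two mechanisms described in Q.1 and Q.2 together: a controller that reflects TLOCs according to a "Dynamic" policy so that each site carries only the routes it needs, and per-site data-plane keys that travel with the TLOC so a peer can protect traffic immediately without an IKE handshake. It is not Cisco code; the class names, fields and the sample fabric (one hub, five spokes, two of them Dynamic) are invented for illustration, the authenticated control channel is assumed rather than implemented, and HMAC-SHA256 stands in for AES-256-GCM so the script runs with only the Python standard library.

```python
"""Model of OMP-style TLOC advertisement with a Dynamic tag and prestaged keys.

Constructed example for this tutorial, not Cisco code.  All names are invented;
HMAC stands in for the AES-GCM data-plane cipher.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Tloc:
    """Transport location as carried in a (modelled) OMP update."""
    site: str
    wan_ip: str
    dynamic: bool      # set by controller policy, not chosen by the site
    spi: int
    key: bytes         # data-plane key the owning site generated locally


class VSmart:
    """Controller stand-in: stores registered TLOCs and reflects them per policy."""

    def __init__(self, hub: str, dynamic_sites: set):
        self.hub = hub
        self.dynamic_sites = dynamic_sites
        self.tlocs = {}

    def register(self, tloc: Tloc):
        # Policy step: TLOCs from the selected sites are tagged Dynamic.
        self.tlocs[tloc.site] = Tloc(tloc.site, tloc.wan_ip,
                                     tloc.site in self.dynamic_sites,
                                     tloc.spi, tloc.key)

    def advertise_to(self, site: str):
        """Hub receives every TLOC.  A spoke receives the hub TLOC and, only if
        the spoke is itself Dynamic, the other Dynamic TLOCs.  Nothing else."""
        out = []
        for t in self.tlocs.values():
            if t.site == site:
                continue
            if site == self.hub or t.site == self.hub:
                out.append(t)
            elif t.dynamic and site in self.dynamic_sites:
                out.append(t)
        return out


class Edge:
    """Site router: makes its own key, learns peers from OMP, tunnels on demand."""

    def __init__(self, site: str, wan_ip: str):
        self.site = site
        self.wan_ip = wan_ip
        self.key = os.urandom(32)                      # 256-bit data-plane key
        self.spi = int.from_bytes(os.urandom(4), "big")
        self.peers = {}                                # site -> prestaged Tloc
        self.tunnels = set()

    def tloc(self) -> Tloc:
        return Tloc(self.site, self.wan_ip, False, self.spi, self.key)

    def learn(self, tlocs):
        self.peers = {t.site: t for t in tlocs}

    def route(self, dst: str, hub: str) -> str:
        """Next hop for dst: a direct tunnel if its TLOC (and key) is prestaged,
        otherwise the hub.  No handshake occurs in either case."""
        if dst in self.peers:
            self.tunnels.add(dst)      # tunnel is usable as soon as the key exists
            return dst
        return hub

    def send(self, dst: str, payload: bytes):
        """Protect payload with the receiver's advertised key (HMAC stands in
        for AES-GCM encrypt-and-authenticate)."""
        peer = self.peers[dst]
        tag = hmac.new(peer.key, peer.spi.to_bytes(4, "big") + payload,
                       hashlib.sha256).digest()
        return peer.spi, payload, tag

    def receive(self, spi: int, payload: bytes, tag: bytes) -> bool:
        expected = hmac.new(self.key, spi.to_bytes(4, "big") + payload,
                            hashlib.sha256).digest()
        return spi == self.spi and hmac.compare_digest(tag, expected)


def build_fabric(hub="HUB", spokes=("S1", "S2", "S3", "S4", "S5"),
                 dynamic=("S1", "S2")):
    """Constructed sample fabric: one hub, five spokes, two tagged Dynamic."""
    vs = VSmart(hub, set(dynamic))
    edges = {s: Edge(s, f"203.0.113.{i}") for i, s in enumerate([hub, *spokes], 1)}
    for e in edges.values():
        vs.register(e.tloc())          # assumed to ride the authenticated channel
    for e in edges.values():
        e.learn(vs.advertise_to(e.site))
    return vs, edges


def route_table_sizes(edges):
    """TLOC routes each site carries; a full mesh would give len(edges)-1 everywhere."""
    return {s: len(e.peers) for s, e in edges.items()}


if __name__ == "__main__":
    vs, edges = build_fabric()
    print(route_table_sizes(edges))
    print("S1 -> S2 via", edges["S1"].route("S2", "HUB"))
    print("S1 -> S3 via", edges["S1"].route("S3", "HUB"))
```

Running the script shows the hub holding all five spoke TLOCs while the non-Dynamic spokes hold only the hub TLOC, and S1 reaching S2 directly but S3 through the hub. The `send`/`receive` pair shows why prestaging removes the IKE round trips: the sender already holds the receiver's key and SPI, so the first packet is protected with no prior exchange, and the receiver validates it with the key it generated itself.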
