Transcript for:
Understanding SD-WAN Components and Connections

SD-WAN terminology. In this video I want to talk about SD-WAN terminology, the terms that matter in SD-WAN: for example TLOC, for example OMP, or color.

But first I want to review some expressions, some terminology, that we mentioned in the previous video. Okay, let's get started. As you remember, we are already familiar with some topics in SD-WAN.

You know that in SD-WAN we have three main controllers: first vManage, second vSmart, the brain of SD-WAN, and then vBond. These are the controllers of SD-WAN. vManage is the management plane, vSmart is the control plane and vBond is the orchestration plane. And also we have WAN edges. WAN edges are the data plane in SD-WAN. For example we can use vEdge or cEdge or other types of WAN edge in SD-WAN.

Because of that, when you talk about SD-WAN, you are talking about these components. Okay?

And you know that in SD-WAN we have two types of connections. First, control connections.

And second, data connections. All of the connections in SD-WAN are secure. Control sessions, or control connections, are established between controllers, and between controllers and WAN edges. Okay?

For example, we know that between vBond and vSmart we have a control connection over DTLS, and also between vBond and vManage we have a control connection over DTLS, and between vManage and vSmart we have a secure connection over DTLS. After these control connections we have the data plane connections between WAN edges (vEdge or cEdge, it is not important for us now). In the data plane we have IPsec connections, and we use IPsec to secure end-to-end communication between WAN edges. We also have control connections between vManage and the WAN edge, for example a vEdge, over DTLS or TLS, and between vSmart and the WAN edge over DTLS or TLS. So the control connections are: vBond to vSmart, vBond to vManage, vManage to vSmart, vManage to WAN edge, vSmart to WAN edge, and also a temporary connection between vBond and the WAN edge over DTLS. You know that this one is temporary because after the first establishment of this secure connection, and after vBond sends the vManage IP and vSmart IP to the WAN edge, we don't need this connection anymore, and because of that it is torn down. Okay.

These are our control connections, and also the data plane connections. All of these connections are secure: some over DTLS or TLS and some over IPsec. You know that we don't use IPsec for control communication; we use IPsec only in the data plane between WAN edges. Okay.

The next topic that I want to review in this video is the form in which these controllers and WAN edges are provided in SD-WAN. For example, vManage is provided as a virtual machine, a VM; vManage is only provided as a VM.

We don't have a physical vManage. vManage is a VM; it is software.

And also vSmart is a VM; we have vSmart as software. And also vBond: vBond also is a VM, and we have it as software.

But WAN edges are provided either in the form of a VM, which is software, or as an appliance, which is hardware. Only the WAN edge can be provided as an appliance, as hardware. vManage is software, vSmart is software, vBond is software. All of these controllers are software, virtual machines that we can deploy over VMware ESXi or Linux KVM. But the WAN edge is software if you order software, and hardware if you order hardware.

Okay, only the WAN edge can be in the form of hardware or software. This is an important point that you should know. Okay, this is the first line.

Let's go to the second line. In SD-WAN we use OMP. OMP, the Overlay Management Protocol, is the protocol that we use in SD-WAN for many tasks: for example routing, for example policy advertisement, for example key exchange. I want to talk about some of them. First I want to start with routing.

As you know, as I mentioned in the previous videos, in SD-WAN we have a few controllers, a few control plane nodes. We know that the control plane is vSmart. Okay, we have one or two or three vSmarts, and we have many data plane devices.

You know that we have one or two or three data plane devices per site. Maybe you have 2000 sites. If you have 2000 sites and every site has one or two edges, maybe you have 4000 data plane devices or data plane VMs. And you know that the data plane in SD-WAN is the WAN edges. So: a small control plane, vSmart, and many data planes, the WAN edges. You know that this is one of the benefits of SD-WAN, that we can reduce the control plane compared to traditional routing. But how does routing occur in SD-WAN? This is the topic that I want to talk about in this video. Let's talk about OMP. As you know, OMP is a routing protocol and also a protocol for exchanging keys and a protocol for advertising policy.

OMP runs over the DTLS connection or TLS connection between vSmart and the WAN edge, or, if you have two or three vSmarts, between the vSmarts. For example, suppose we have two vEdges. This is the first vEdge, VH1. VH1 is the edge router of one of our branches, and VH2 is the edge router of another branch. For example, here we have a branch with net A; net A is the subnet connected to VH1, and net B is connected to VH2. Okay, and these two vEdges are connected to the internet.

For example, VH1 is connected to the internet from here, and also VH2 is connected to the internet. And you know that we have a vSmart in some place, for example in a cloud that we can reach from the internet.

vSmart. Okay? The brain of our routing. And here is the internet. vSmart is connected to the internet and also the vEdges are connected to the internet.

Okay. And you know that in this topology we have a secure connection between each vEdge and vSmart.

Look here. This is, for example, a DTLS connection between VH1 and vSmart over the internet. DTLS is a secure connection used only for control traffic. Another control connection exists between VH2 and vSmart. Okay, over, or inside of, this secure connection we have OMP. Because of that, OMP is running in a secure tunnel, and OMP packets are encrypted and transferred between vSmart and the vEdges. Okay, this is OMP.

If you want to find a similar protocol to OMP in traditional routing, you can think of BGP. As you know, in BGP we can have a central point for propagating routes; we name it the route reflector. vSmart is like a route reflector in BGP, and OMP is like BGP. Okay, and over this secure connection we have a neighborship, or we have two peers: an OMP neighborship between VH1 and vSmart and an OMP neighborship between VH2 and vSmart. Okay, this is the first important point: you have two peerings, one between one of the vEdges and vSmart and another between the other vEdge and vSmart. I also want to mention that if you have more than one vSmart, between the vSmarts we will also have an OMP neighborship. We will talk about the OMP neighborship between vSmarts in other videos. In this session I want to talk about only one vSmart and some vEdges.

Okay? The OMP peering between a vEdge and vSmart is established automatically. When the DTLS or TLS connection between the vEdge and vSmart is established, without doing anything, OMP runs and the neighborship comes up.

Okay, one important question here is: what is the identifier for OMP? Is the OMP identifier for a device its hostname? For example, does the OMP peer on VH1 show the vSmart hostname, or on vSmart the VH1 hostname?

No. In SD-WAN we have a unique identifier, a very important unique identifier. We call it the system IP.

The system IP, for example 1.1.1.1, is a unique identifier that identifies that particular entity. The system IP is not in the routing table; it is not routable, and it should only be unique.

The only requirement for the system IP is uniqueness. Every device in SD-WAN, every entity, for example vSmart, vManage, vBond and the WAN edges, should have a unique system IP. For example, in our scenario the system IP of vSmart can be 1.1.1.1. This is the system IP. We configure it. You will see it in the scenarios I implement in the videos.

The vSmart system IP is 1.1.1.1. It's an example. And for example the VH1 system IP in our example could be 1.1.1.10; it's only a simple example. And the VH2 system IP, which only has to be unique and is not routable, could be 1.1.1.20. Okay, and when the OMP connection is established between the vEdge and vSmart, the OMP identifier, meaning the system IP, can be seen in the vEdge as the OMP neighbor. For example, if you type a command, or check the OMP peers from vManage monitoring, you can see that in VH1 we have one neighbor, and the system IP of our neighbor vSmart is 1.1.1.1. And if you check the OMP neighborship in vSmart, you can see two system IPs as neighbors.

VH1 and VH2, 1.1.1.10 and 1.1.1.20. We will see all of these topics in our implementation of SD-WAN topologies. We now understand that OMP sessions are established only between vSmart and the vEdges, or between vSmart and vSmart. But for now vSmart to vSmart is not important for us; only vSmart to the vEdges. Okay.

But what is the usage of OMP in routing? Yes, it's a good question. When you have OMP, every vEdge should send its OMP routes, its connected routes, to vSmart. vSmart is the central repository for all routes. As you know, and I mentioned all of these topics in the previous video, when we have a WAN edge, for example a vEdge, we have two sides.

One side is the service side and the other side is the transport side. Okay. The transport side is connected to the transport networks, for example internet, for example MPLS, for example LTE or other types of transport, and the service side is connected to our LAN. Okay, for example we have a VRF in our vEdge, VRF 1. As you know we use the word VPN; VPN means VRF, but in SD-WAN terminology we use VPN. Okay, for example we have VPN 1, one simple VPN, and in VPN 1 you see that we have net A. Net A is a service-side route. In routing we should advertise our connected or learned routes to the other routers, and after we advertise the connected routes to other routers, the other routers can send data to us. This is routing. Okay, in SD-WAN we should send our routes, for example the connected routes or the routes that we learn from the service side, to vSmart with OMP. Here we have OMP, and we send, for example, net A to vSmart, and also net B from VH2 to vSmart. Now in vSmart we have two routes: net A from VH1 and net B from VH2.

I should mention here that VH1 and VH2 can be represented in another form, for example as a TLOC. I should talk about TLOC.

For now I use the WAN edge, VH1. This is the same as the next hop in, for example, traditional routing. After vSmart learns these routes, vSmart can advertise these routes to the other WAN edges.

For example, vSmart can advertise net B to VH1 and net A to VH2, and after that VH1 can send traffic for net B to VH2, and VH2 can send traffic for net A to VH1. Okay, it's like a BGP route reflector. But we should know some other terms to complete this type of routing. For example, in SD-WAN terminology we use an important term named TLOC, transport location. The TLOC is like the next hop in BGP. I want to review a basic example in BGP.

For example, look here: this is BGP and traditional routing between R1 and R2. We have a BGP session, okay, and R1 has net A. The IP of the R1 interface connected to R2 is IP1, and the IP of R2 is IP2. You know that when R1 sends a BGP update for net A to R2, it also sends some attributes, some BGP attributes, for example the next hop: next hop IP1. This means that when R2 receives this BGP update, R2 knows that it can send traffic for net A to IP1; the next hop is IP1. Okay, you can see in the R2 routing table, or RIB, that for sending traffic to net A it should use the next hop IP1. Then if R2 receives traffic for net A, it forwards the traffic toward IP1, and after that the traffic will be received in net A. Okay, this is traditional routing. In SD-WAN routing we don't use a next hop. We use the TLOC, the transport location. Because of that, when for example VH1 sends net A to vSmart, it also sends the TLOC of its connection.

But what is the TLOC? For example, here we have a TLOC. I will talk about this later in this video, but for now I only use the name TLOC1.

When sending net A to vSmart, VH1 also sends TLOC1. This means that if anyone wants to send traffic to net A, it should be sent to TLOC1. The TLOC is like the next hop in BGP.

And also, if here is TLOC2, VH2 sends net B to vSmart with TLOC2. The TLOC is the same as the next hop. This means that, from vSmart's point of view, if anyone wants to send traffic to net B, it should send the traffic to TLOC2.

Yes, I know that you don't know about TLOC yet. Because of that, first we should talk about TLOC. After we understand TLOC, we can continue with routing. So let's get started with TLOC, and after that we will continue this routing.

Okay, what is a TLOC? TLOC means transport location, and TLOC has a definition. The definition is: TLOC equals, first, the system IP (I will explain all of these components), plus color (what is the color? we will talk about it), and finally encapsulation. Okay, you know the system IP, but you don't know color; this is the first time I talk about color and encapsulation. I will talk about encapsulation especially. First I should remind you that we can have many sites in our company. For example, in this scenario we have two sites in our company. One site has one vEdge and the other site has another vEdge. For example, we have one site here, site 1, a site of our organization.

In site 1 we can have one edge, or two edges for redundancy and high availability, or more. But for now we have, for example, one edge, VH1, and VH1 can connect to many transport types. For example, VH1 can connect to the internet and also connect to MPLS. The internet is a public transport and MPLS is a private transport. Also maybe you have site 2. For example, site 1 is the data center and site 2 is one of our remote branches. Okay, site 2: here we have VH2, and we have connected VH2 to the internet and MPLS. Okay, as you remember, in traditional routing we use these terms: we have the router and then we have the interface. Okay, and every interface has an IP address. The IP address is assigned to the interface, not to the router. If you have one interface you have one IP address for that interface; if you have two interfaces, you should assign two IP addresses to those interfaces. In SD-WAN terminology it is the same. You have one WAN edge; the WAN edge is the router.

It is the node. In SD-WAN we call it a node. A node is a WAN edge. We have one node, for example, in site 1, or maybe two or three nodes; it's possible, but now we have two nodes in two sites, one node per site. And in a node we have two connections, or two interfaces. We use the name circuit for these interfaces. We don't use the word interface.

We use circuit: the circuit to the internet, the circuit to MPLS. Here the circuit to the internet and also the circuit to MPLS.

Okay, let's review. In this scenario we have two sites. Per site, in our scenario, we have one vEdge.

One node, and per node we have two circuits. Okay, if you have two circuits, you need two identifiers, just as in traditional routing, where if you have two interfaces you need two IP addresses. Okay, the identifier of every circuit is the TLOC. We don't use an IP address for this circuit.

We use the TLOC. For example, here we have two TLOCs: TLOC1, the identifier of the internet circuit of WAN edge 1 in site 1, and TLOC2, the unique identifier of the MPLS circuit of VH1 in site 1.

And also we have TLOC3, the unique identifier of the internet circuit of VH2 in site 2, and also TLOC4. Okay, the TLOC is the equivalent of the IP address of an interface in a traditional router. Very good. Now you know that the TLOC is a unique identifier, or a tag, for a circuit. For example, if you have one WAN edge and two transport types, you will have two TLOCs: TLOC1 and TLOC2. And according to the definition of the TLOC, we can write the TLOCs exactly. For example, if I use the system IP 1.1.1.10 in site 1 (it's only an example) and 1.1.1.20 in site 2, the TLOCs are written here.

TLOC1 is the system IP 1.1.1.10 plus color (we don't know color yet; I should talk about color) and then encapsulation. The first part is the system IP. Okay, and in TLOC2 the system IP is also 1.1.1.10, and then color and then encapsulation. Here in TLOC3 we have 1.1.1.20, color and encapsulation, and in TLOC4, 1.1.1.20, color and encapsulation. As you know, we can't configure the same IP address on two interfaces of a router, and likewise we can't configure two identical TLOCs on one WAN edge. Because of that, we need another identifier, another part of the TLOC, to make it unique. That is the color. Color is a distinct identifier for the TLOC. We use color for many things; for example when we talk about NAT we will use color, but for now color is the tool with which we make the TLOC unique. Okay, how do we make the TLOC unique with color? We have some predefined colors. Color has two types: public colors and private colors. For our discussion it is not important whether a color is private or public, because private versus public color matters in the NAT topics in SD-WAN. Now it's not important for us, and because of that I don't want to delve into these topics now. But I will say that, for example, a public color may be biz-internet, among others, and a private color may be mpls, among others.

I don't want to delve into the color concept now. When we talk about NAT or other topics related to color, I will talk about it. Okay, so when you use a color in the TLOC, you can write, define, a TLOC as 1.1.1.10 plus biz-internet (biz-internet means business internet, that is, the internet), or 1.1.1.10 plus mpls. When you configure circuits in SD-WAN you should define the color. For example, when you attach a circuit to the internet it's good to use the biz-internet color. It's optional, but it's better that the color matches the real transport. I use biz-internet for internet circuits, mpls for MPLS, lte for LTE, and so on. And we also have the colors blue, green, red, yellow and others.

Now, it's better that we use a color that matches the transport type. Okay. And here also for TLOC3 the color is biz-internet, and for MPLS it is mpls.

As you see, now the TLOCs are unique. This means that, for example, when VH1 sends net A to vSmart and vSmart sends net A to VH2 with TLOC1, TLOC1 is unique. Maybe VH1 has two connections to two transports, for example internet and MPLS; with the color we can tell those two transports apart. Look here: in our example we have VH1 connected only to the internet and VH2 connected only to the internet. But if you have VH1 connected to the internet and also to MPLS, you now have two TLOCs, TLOC1 and TLOC2. TLOC1 is the system IP of VH1 plus the color biz-internet plus the encapsulation (we will talk about encapsulation), and for the transport connection to MPLS you have TLOC2, which is the system IP of VH1 plus mpls. When you send net A and you want net A traffic to be received only over the internet, you can send net A with TLOC1, and when vSmart receives this update and sends it to, for example, VH2, VH2 now knows that if it wants to send traffic to net A it should use only TLOC1, not TLOC2. For example, VH2 also has connections to the internet and MPLS and has two TLOCs, TLOC3 and TLOC4. Okay, and after that, when you send net A with TLOC1 to vSmart, and vSmart sends net A with TLOC1 to VH2, VH2 knows that for sending traffic to net A it should use TLOC1 over the internet, and it doesn't use TLOC2. Only TLOC1.

This is the unique identifier of the transport, or circuit, that we want to use for routing. Because of this, the TLOC is an important identifier, an important tag, for a circuit. But what is the encapsulation?

In the SD-WAN data plane we have two types of encapsulation. One type, the better type, is IPsec, and the other type is GRE. You know that IPsec is secure because in IPsec we have authentication, integrity and encryption, that is, confidentiality, and other security properties.

But in GRE we don't have any type of security: a GRE tunnel carries the data plane traffic without encryption or integrity protection. Because of that, although we can use GRE, we don't normally use it; it's better to use IPsec. After VH2 receives net A with TLOC1, it should establish a secure connection, for example IPsec, to VH1, or an unsecured connection, for example GRE, to VH1. But how does VH2 know what type of connection, secure or unsecured, should be established between VH2 and VH1? With the encapsulation. Look here: when we configure the TLOC, we configure, for example, the system IP and the color and also the encapsulation. For example, I use IPsec. This is the encapsulation, IPsec, and also for MPLS I use IPsec. We will configure it in the tunnel interface configuration; you will configure all of these concepts, but now you shouldn't think about configuration, only about concepts. Okay, after net A is received by VH2 from vSmart with OMP, VH2 knows that to send traffic to net A it should use TLOC1. TLOC1 means the system IP of VH1, for example 1.1.1.10, plus the color biz-internet plus the encapsulation type IPsec. This means that if VH2 wants to send traffic to net A, it should establish a tunnel to system IP 1.1.1.10 over the biz-internet connection, and with IPsec, not GRE.

You see now that the TLOC has the information VH2 needs to establish a connection to send traffic to, for example, net A. All of the information is here: the system IP of the destination, the transport type, and also the encapsulation type. Although we need one more piece of information, for example how we can reach 1.1.1.10 (we will talk about that), with 1.1.1.10 as the system IP we can establish a session with 1.1.1.10 over biz-internet and with IPsec; we can have a secure connection between VH2 and VH1 and send traffic between them. Look here: after this advertisement, between VH1 and VH2 we will have a secure connection. You know that in the data plane, secure connections are established with IPsec.

Okay? Yes, I know that there are many topics I should consider and explain to clarify these concepts. But first you should understand the outline.

The outline is: every WAN edge should send its connected or learned routes from the service side with OMP, over the DTLS connection, to vSmart. You know that we don't have any control connection between WAN edges. For example, between VH1 and VH2 we don't have an OMP peering. Because of that, we can't send, for example, net A with OMP from VH1 to VH2.

We can only send OMP routes to vSmart, and after that vSmart propagates those routes to the other routers. Okay, this is easy. After the routes are sent to the other routers, the other WAN edges now know that they can send traffic to, for example, net A in our example: to what system IP, over what transport, and with what encapsulation type. Okay? This is SD-WAN.

As you remember, I mentioned in the previous video that in SD-WAN the routers don't all need to calculate their routing tables. All calculations are done in vSmart. All of these routers send their routes to vSmart; in vSmart the best route calculation occurs, and after that vSmart sends the selected routes to the other WAN edges, like a BGP route reflector.

It's the same idea. Now you understand one of the functions of OMP, and you also know a little about color. We should talk about color more specifically in the next videos. But now you know that a color is a tag with which we make the TLOC unique.

If you use only the system IP, yes, the TLOCs of one WAN edge are distinct from the TLOCs of other WAN edges. But the TLOCs within one WAN edge need another parameter, which is the color. With color we can make the TLOCs within one WAN edge unique. But color has another usage.

We will talk about that in other videos. Okay, don't worry about the concept of color beyond what is mentioned in this video. Now, okay, this is how routing occurs in SD-WAN.

We should implement this type of routing, and after that we will understand more and more. I also want to mention another topic for routing. Look here at VH1: this is, for example, VH1, and we have net A, and you know that we have OMP, the routing protocol of SD-WAN, between the WAN edge and, for example, vSmart.

Okay. The first thing I want to mention is that OMP is a proprietary protocol. OMP can't be used on the service side. OMP is only used inside the SD-WAN overlay.

Okay, you know that OMP is only used for exchanging routes between WAN edges and vSmart, or between vSmart and vSmart. But you know that, for example, in VH1 maybe we have routing on the service side: for example here is R1 and we use OSPF, or EIGRP, or BGP. Okay, OSPF here, and also we have VH2 that is using OSPF or EIGRP for routing with R2, for example. Maybe all of the routing on the LAN side uses one protocol, or some types of protocols. Okay, look here, it's an important topic. Here we have vSmart, and you know that between vSmart and the WAN edge we use OMP, only on the transport side; here is the transport side, VPN 0. And on the service side we can use many types of protocols, or static routing. Okay, the service side: here VH1, VH2, here is the service side. And if we learn some routes in VH1 with OSPF, we should send these routes into OMP. How can we send the OSPF routes with OMP? What is your guess? Yes, with redistribution.

We can redistribute OSPF into OMP in VH1, and send net A to vSmart. And also we can redistribute net B, which VH2 received from EIGRP, into OMP to send it to vSmart. Because of that, in some cases we should redistribute the routes received from a routing protocol into OMP to send them to vSmart, and after the routes are received from OMP, we should redistribute OMP again into our service-side routing protocol. For example, when we receive net A with OMP, we should redistribute it into EIGRP.

We will configure it. You will see all of these topics. Because of that, now you know that we use redistribution, not every time but many times: you redistribute the routes received from the routing protocols on the service side into OMP, the routing protocol of the transport side, and after that redistribute OMP into the other routing protocol.

This is another important point that we should consider. Okay. You know that OMP carries routes, sends policies and is used for key exchange inside the DTLS connection.

Because of that, OMP works in a secure form. It's an important point. Another important aspect that I should consider about OMP is that, as I mentioned before, everything that occurs inside SD-WAN is proprietary. If you remember, when I talked about the traditional router I said that we have a control plane, a data plane and other planes. I mentioned before that the communication between the control plane and the data plane is unique, is proprietary, is Cisco proprietary. Why? Because it's inside the box, inside the router.

But the communication between one router and another router, for example routing protocol updates, for example OSPF, is non-proprietary. It's a standard. Why?

Because maybe we use a Cisco router with a router of another brand. Because of that, we should use a standard protocol, standard rules.

But inside the box we can use proprietary concepts. Okay, you know that. And because of that, in SD-WAN we are using a proprietary protocol for exchanging routes inside the SD-WAN overlay.

You know the name of that protocol is OMP. It is Cisco proprietary and lives inside SD-WAN; we can't run OMP with routers outside the overlay. We can only use OMP inside SD-WAN, but it can take routes from outside the overlay, for example from the service side, through redistribution into OMP. Okay, and you know that maybe we have more than one vSmart in our SD-WAN. If you have more than one vSmart, for redundancy and load sharing, for example vSmart 1 and vSmart 2, all of this process is repeated for these two vSmarts. For example, the system IP of vSmart 1 is 1.1.1.1 and of vSmart 2 is 1.1.1.2, and the process of advertising routes to vSmart and then advertising routes with OMP from vSmart to the WAN edges is repeated. Okay, with two vSmarts it's an obvious topic, but when, for example, VH2 receives net A from two vSmarts, it should accept one of these routes.

By default, the WAN edge uses the vSmart with the lower system IP. For example, if vSmart 1 sends net A and vSmart 2 sends net A, VH2 only accepts one of those routes by default: the route that is received from the vSmart with the lower system IP. In our example vSmart 1 has the system IP 1.1.1.1 and vSmart 2 has 1.1.1.2, and you see that vSmart 1 has the lower system IP. Congratulations, you now understand routing; you now know the process of routing inside the overlay. But with more videos talking about routing, and with more practice and implementing SD-WAN topics, you will understand better and better.
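As an added example, not code from the video or from Cisco, here is a small Python model of what we discussed: the system IP as the OMP peer identifier, the TLOC as system IP plus color plus encapsulation, vSmart collecting and reflecting routes like a BGP route reflector, redistribution as the gate between the service side and OMP, and the rule I stated for two vSmarts. The names VH1 and VH2, the prefixes for net A and net B, and the system IPs are constructed for illustration, and how a WAN edge actually reaches the remote system IP on the wire is left out, as it is in this video.

```python
"""Toy model of SD-WAN routing with OMP and TLOCs. Added example, not code from
the video or from Cisco: it models the concepts only. System IP is the OMP peer
identifier, a TLOC is (system IP, color, encapsulation), vSmart reflects routes
like a BGP route reflector, service-side routes enter OMP only when
redistributed, and for two vSmarts the rule stated in the video (prefer the
lower system IP) is applied. Names, prefixes and system IPs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class Tloc:
    system_ip: str  # unique per node, never routed in the underlay
    color: str      # tells two circuits on the same node apart
    encap: str      # "ipsec" (protected) or "gre" (no protection)

@dataclass(frozen=True)
class OmpRoute:
    prefix: str
    tloc: Tloc      # the next hop: which node, which circuit, which tunnel type
    origin: str     # service-side source: connected, ospf, eigrp, ...

class WanEdge:
    def __init__(self, name: str, system_ip: str) -> None:
        self.name, self.system_ip = name, system_ip
        self.tlocs: List[Tloc] = []
        self.service_routes: Dict[str, str] = {}     # prefix -> origin
        self.redistribute_into_omp: Set[str] = set()  # e.g. {"ospf"}
        # prefix -> vSmart system IP -> routes received from that vSmart
        self.omp_rib: Dict[str, Dict[str, List[OmpRoute]]] = {}

    def add_tloc(self, color: str, encap: str) -> None:
        """One TLOC per circuit; two circuits on a node need different colors."""
        tloc = Tloc(self.system_ip, color, encap)
        if tloc in self.tlocs:
            raise ValueError(f"{self.name}: duplicate TLOC {tloc}")
        self.tlocs.append(tloc)

    def advertise(self) -> List[OmpRoute]:
        """Connected routes always enter OMP, IGP routes only if redistributed;
        each prefix goes out once per TLOC (one next hop per circuit)."""
        routes: List[OmpRoute] = []
        for prefix, origin in self.service_routes.items():
            if origin == "connected" or origin in self.redistribute_into_omp:
                routes.extend(OmpRoute(prefix, t, origin) for t in self.tlocs)
        return routes

    def receive(self, vsmart_ip: str, route: OmpRoute) -> None:
        per_vsmart = self.omp_rib.setdefault(route.prefix, {})
        per_vsmart.setdefault(vsmart_ip, []).append(route)

    def next_hops(self, prefix: str) -> List[Tloc]:
        """TLOCs to reach prefix, i.e. the tunnels the data plane must build
        (encap to the remote system IP over that color). With several vSmarts
        the copy from the lower system IP wins, as the video states."""
        by_vsmart = self.omp_rib.get(prefix)
        if not by_vsmart:
            return []
        chosen = min(by_vsmart, key=ipaddress.ip_address)
        return [r.tloc for r in by_vsmart[chosen]]

class VSmart:
    """Control plane: collects every peer's routes and reflects them."""
    def __init__(self, system_ip: str) -> None:
        self.system_ip = system_ip
        self.peers: Dict[str, WanEdge] = {}  # keyed by the OMP peer ID

    def add_peer(self, edge: WanEdge) -> None:
        if edge.system_ip in self.peers:
            raise ValueError(f"system IP {edge.system_ip} already in use")
        self.peers[edge.system_ip] = edge

    def reflect(self) -> None:
        rib = [r for edge in self.peers.values() for r in edge.advertise()]
        for edge in self.peers.values():
            for route in rib:
                if route.tloc.system_ip != edge.system_ip:  # never back to source
                    edge.receive(self.system_ip, route)

def build_demo() -> Dict[str, WanEdge]:
    """Constructed topology: VH1 has net A (connected) plus an EIGRP route it
    does not redistribute; VH2 has net B from OSPF, redistributed into OMP;
    both are dual-homed (biz-internet, mpls) and peer with two vSmarts."""
    vh1, vh2 = WanEdge("vh1", "1.1.1.10"), WanEdge("vh2", "1.1.1.20")
    for edge in (vh1, vh2):
        edge.add_tloc("biz-internet", "ipsec")
        edge.add_tloc("mpls", "ipsec")
    vh1.service_routes = {"10.1.0.0/24": "connected", "10.1.9.0/24": "eigrp"}
    vh2.service_routes = {"10.2.0.0/24": "ospf"}
    vh2.redistribute_into_omp.add("ospf")
    for vsmart in (VSmart("1.1.1.1"), VSmart("1.1.1.2")):
        vsmart.add_peer(vh1)
        vsmart.add_peer(vh2)
        vsmart.reflect()
    return {"vh1": vh1, "vh2": vh2}

if __name__ == "__main__":
    for name, edge in build_demo().items():
        for prefix in sorted(edge.omp_rib):  # what 'redistribute omp' hands to the LAN
            print(name, prefix, edge.next_hops(prefix))
```

Run it and you see that VH2 learns net A twice, once per TLOC of VH1, so it knows both the system IP it must tunnel to and the color and encapsulation for each circuit, while the EIGRP route on VH1 never reaches VH2 because it was not redistributed into OMP. Adding a second mpls TLOC on the same edge, or peering a second device with an existing system IP, raises an error: that is the uniqueness rule for the TLOC and the system IP.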

For now, it's sufficient. For now it's sufficient to review these topics, and after that we can understand other topics. After a while we can implement the first scenario. In the first scenario we will show some topics, for example the routing table, OMP routes and other topics, and after that we will understand better. Okay, first review the topics in this video and try to understand more and more.