Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

Basic system settings


Basic system settings are a set of parameters that enable the Cisco Catalyst SD-WAN fabric to function. They include

  • device properties such as name and IP address

  • network time configuration

  • user access to devices

  • system logging, and

  • network interface parameters.


Device and SD-WAN Control Component properties

Device and SD-WAN Control Component properties, together called host properties, are the parameters that Cisco Catalyst SD-WAN uses to construct a view of the network topology. They include:

  • Device system IP address:

    This provides a fixed location of the device in the overlay network. This address is independent of any of the interfaces and interface IP addresses on the device. The system IP address is one of the four components of the Transport Location (TLOC) property of each device.

  • IP address of the SD-WAN Validator for the network domain, or a domain name system (DNS) name that resolves to one or more IP addresses for SD-WAN Validator:

    An SD-WAN Validator automatically orchestrates the process of bringing up the overlay network, admitting a new device into the overlay, and providing the introductions that allow the device and SD-WAN Controllers to locate each other.

  • Domain identifier and the site identifier:

    These system-wide host properties are required on all devices, except for the SD-WAN Validators, to allow the Cisco Catalyst SD-WAN software to construct a view of the topology.

Configure the host properties. Refer to the information about the overlay network bring-up process in the Cisco Catalyst SD-WAN Getting Started Guide.


Time and NTP

Network Time Protocol (NTP) is a networking protocol for synchronizing the clocks of devices throughout a network. It ensures that the time on all participating components of the network is accurate and synchronized.

Cisco Catalyst SD-WAN implements NTP to synchronize and coordinate time distribution across the fabric. NTP uses an intersection algorithm to select the applicable time servers and to avoid issues caused by network latency. The servers can also redistribute reference time using local routing algorithms and time daemons. NTP is defined in Network Time Protocol Version 4: Protocol and Algorithms Specification, RFC 5905.
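To make the selection step concrete, here is an added example (not code from this guide or from Cisco) of the interval-intersection idea on which NTP's selection algorithm is built: each server's measured offset and error bound form an interval, and only servers whose intervals share an overlap backed by a majority are kept as truechimers. The Candidate type and the microsecond sample values are constructed, and this is a simplified form of the RFC 5905 procedure, which also tracks interval midpoints.

```python
from dataclasses import dataclass

@dataclass
class Candidate:
    name: str
    offset: int         # measured clock offset against this server, microseconds (constructed)
    root_distance: int  # server's error bound (root delay/2 + dispersion), microseconds

def select_truechimers(candidates):
    """Marzullo-style intersection: find the sub-interval covered by the largest number of
    candidate intervals. Returns (low, high, truechimers); (None, None, []) when no majority of
    intervals overlap, i.e. the sources disagree too much to trust any of them."""
    edges = []
    for c in candidates:
        edges.append((c.offset - c.root_distance, -1))  # interval start; -1 sorts before +1 on ties
        edges.append((c.offset + c.root_distance, +1))  # interval end
    edges.sort()
    best_count, best, depth = 0, None, 0
    for i, (edge, kind) in enumerate(edges[:-1]):  # last edge is always an end, nothing after it
        depth -= kind  # entering an interval raises the cover count, leaving it lowers the count
        if depth > best_count:
            best_count, best = depth, (edge, edges[i + 1][0])
    if best_count * 2 <= len(candidates):  # no majority: truechimers cannot be told from falsetickers
        return None, None, []
    lo, hi = best
    truechimers = [c for c in candidates
                   if c.offset - c.root_distance <= lo and c.offset + c.root_distance >= hi]
    return lo, hi, truechimers

# Constructed sample: three consistent servers and one whose clock is half a second off.
SAMPLE = [Candidate("ntp-a", 10_000, 5_000), Candidate("ntp-b", 12_000, 4_000),
          Candidate("ntp-c", 8_000, 6_000), Candidate("ntp-rogue", 500_000, 10_000)]

if __name__ == "__main__":
    lo, hi, good = select_truechimers(SAMPLE)
    print(f"agreed window {lo}..{hi} us, truechimers: {[c.name for c in good]}")
```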


User authentication and access with AAA, RADIUS, and TACACS+

Authentication, authorization, and accounting (AAA) is a framework for controlling access to resources. It includes:

  • Authentication: Verifying the identity of a user or device seeking access.

  • Authorization: Authorizing access to the resources a user is permitted to use, based on predefined policies and privileges.

  • Accounting: Tracking and logging user activities within the network.

In Cisco Catalyst SD-WAN, AAA, in combination with RADIUS and Terminal Access Controller Access-Control System (TACACS+) user authentication, controls which users are allowed access to devices, and what operations they are authorized to perform after they are logged in or connected to the devices.

The Cisco Catalyst SD-WAN implementation of AAA includes:

  • Authentication: Users log in with a username and a password. A local device can authenticate users or authentication can be performed by a remote device, either a RADIUS server or a TACACS+ server, or both in a sequence.

  • Authorization: Authorization is implemented using role-based access. Access is based on groups that are configured on the devices. A user can be a member of one or more groups. User-defined groups are considered when performing authorization, that is, the Cisco Catalyst SD-WAN software uses group names received from RADIUS or TACACS+ servers to check the authorization level of a user. Each group is assigned privileges that authorize the group members to perform specific functions on the corresponding device. These privileges correspond to specific hierarchies of the configuration commands and the corresponding hierarchies of operational commands that members of the group are allowed to view or modify.

  • Accounting: From Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, accounting generates a record of commands that a user executes on a device. Accounting is performed by a TACACS+ server.
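As an added illustration (a hypothetical model, not Cisco's implementation), the following code shows how group privileges over command hierarchies combine: a user's groups are united, the most specific hierarchy prefix decides within a group, and a group name received from RADIUS or TACACS+ that is not defined locally grants nothing. GROUP_PRIVILEGES, the dotted hierarchy names and the view/modify levels are all assumptions.

```python
# Hypothetical model (not Cisco's implementation) of group-based command authorization.
# A group grants "view" or "modify" on a command hierarchy, named here by a dotted path;
# the privilege covers every command beneath that hierarchy.
GROUP_PRIVILEGES = {
    "netadmin": {"system": "modify", "system.aaa": "view", "vpn": "modify", "show": "view"},
    "operator": {"show": "view", "system.clock": "view"},
    "helpdesk": {"show.users": "view"},
}
RANK = {"view": 1, "modify": 2}  # modify implies view

def matching_hierarchy(hierarchies, command_path):
    """Most specific configured hierarchy that contains command_path, or None."""
    matches = [h for h in hierarchies if command_path == h or command_path.startswith(h + ".")]
    return max(matches, key=len) if matches else None

def effective_privilege(groups, command_path):
    """Highest privilege any of the user's groups grants on command_path. Within one group the
    most specific hierarchy decides, so a narrower 'view' overrides a broader 'modify'. A group
    name that is not defined locally (for example one returned by a RADIUS or TACACS+ server
    but never configured on the device) grants nothing."""
    best = None
    for group in groups:
        hierarchies = GROUP_PRIVILEGES.get(group, {})
        match = matching_hierarchy(hierarchies, command_path)
        if match is not None and (best is None or RANK[hierarchies[match]] > RANK[best]):
            best = hierarchies[match]
    return best

def authorize(groups, command_path, action):
    """True when the user's groups permit `action` ('view' or 'modify') on command_path."""
    priv = effective_privilege(groups, command_path)
    return priv is not None and RANK[priv] >= RANK[action]

if __name__ == "__main__":
    print(authorize(["netadmin"], "system.aaa.user", "modify"))  # narrower 'view' wins: False
```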


Authentication for WANs and WLANs

Wide area networks (WAN) and wireless local area networks (WLAN) are two types of networks primarily differentiated by geographical reach and connectivity methods.

  • Geographical reach: Extensive for WAN; limited for WLAN, such as a single building.

  • Connectivity: Combination of wired and wireless technologies for WAN; wireless for WLAN.

Authentication methods differ for WAN and WLAN.

Authentication for wired networks

For wired networks (WANs), Cisco Catalyst SD-WAN devices can run IEEE 802.1X software to prevent unauthorized network devices from gaining access to the WAN. IEEE 802.1X is a port-based network access control (PNAC) protocol that uses a client–server mechanism to provide authentication for devices wishing to connect to the network.

IEEE 802.1X authentication requires three components:

  • Requester (supplicant): Client device, such as a laptop, that requests access to the WAN. In the Cisco Catalyst SD-WAN overlay network, a supplicant is any service-side device that is running 802.1X-compliant software. These devices send network access requests to the router.

  • Authenticator: A network device that provides a barrier to the WAN. In the overlay network, you can configure an interface device to act as an 802.1X authenticator. The device supports both controlled and uncontrolled ports. For controlled ports, the Cisco Catalyst SD-WAN device acts as an 802.1X port access entity (PAE), allowing authorized network traffic and preventing unauthorized network traffic ingressing to and egressing from the controlled port. For uncontrolled ports, Cisco Catalyst SD-WAN, acting as an 802.1X PAE, transmits and receives Extensible Authentication Protocol over IEEE 802 (EAP over LAN, or EAPOL) frames.

  • Authentication server: Host that is running authentication software that validates and authenticates requesters that want to connect to the WAN. In the overlay network, this host is an external RADIUS server. This RADIUS server authenticates each client connected to an 802.1X port interface on the Cisco Catalyst SD-WAN device and assigns the interface to a virtual LAN (VLAN) before the client is allowed to access any of the services offered by the router or by the LAN.

Authentication for wireless networks

For wireless LANs (WLANs), routers can run IEEE 802.11i to prevent unauthorized network devices from gaining access to the WLANs. IEEE 802.11i implements Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) to provide authentication and encryption for devices that want to connect to a WLAN. WPA authenticates individual users on the WLAN using a username and a password. WPA uses the Temporal Key Integrity Protocol (TKIP), which is based on the RC4 cipher. WPA2 implements the NIST FIPS 140-2–compliant AES encryption algorithm along with IEEE 802.1X-based authentication, to enhance user access security over WPA. WPA2 uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is based on the AES cipher. Authentication is done by either using preshared keys or through RADIUS authentication.


Network segmentation

Network segmentation is the division of a network into smaller, isolated logical segments.

Segmentation is a fundamental part of enhancing security, improving network performance, and simplifying manageability. The core idea is to restrict communication between different parts of the network.

The Layer 3 network segmentation in Cisco Catalyst SD-WAN is achieved through VRFs on devices. When you configure the network segmentation on a device using SD-WAN Manager, the system automatically maps the VPN configurations to VRF configurations.


Network interface properties

A network interface is the component that enables a device in a network to connect to other devices, to send and receive data. There are numerous interface properties relevant to a Cisco Catalyst SD-WAN fabric.

VPN

In the SD-WAN fabric, interfaces are associated with VPNs that translate to VRFs. The interfaces that participate in a VPN are configured and enabled in that VPN. Each interface can be present only in a single VPN.

Devices use VRFs in place of VPNs. When you configure a device in SD-WAN Manager, the system automatically maps the VPN configurations to VRF configurations.

The fabric has these types of VPNs and VRFs:

  • VPN 0: Transport VPN:

    Carries control traffic using the configured WAN transport interfaces. Initially, VPN 0 contains all the interfaces on a device except for the management interface, and all the interfaces are disabled. This is the global VRF in Cisco IOS XE Catalyst SD-WAN software.

  • VPN 512: Management VPN:

    Carries out-of-band network management traffic among the devices in the fabric. The interface used for management traffic is in VPN 512.

    • On devices, VPN 512 is configured and enabled by default, and the management VPN is converted to VRF Mgmt-Intf.

    • On SD-WAN Control Components, VPN 512 is not configured by default.

Other properties

For each network interface, you can configure a number of interface-specific properties, such as

  • DHCP clients and servers

  • VRRP

  • interface MTU and speed, and

  • Point-to-Point Protocol over Ethernet (PPPoE).

At a high level, for an interface to be operational, you must configure an IP address for the interface and mark it as operational (no shutdown). In practice, you always configure additional parameters for each interface.


Management and monitoring options

Management interfaces enable you to manage and monitor devices in the Cisco Catalyst SD-WAN fabric, allowing you to collect information from the devices in an out-of-band fashion and to perform operations on the devices, such as configuring and rebooting them.

These are the available management interfaces:

  • CLI

  • IP Flow Information Export (IPFIX)

  • REST API

  • SNMP

  • System logging (syslog) messages

  • Cisco SD-WAN Manager

CLI through SSH

You can access a CLI on each device, and from the CLI you configure overlay network features on the local device and gather operational status and information about that device. Although a CLI is available, we strongly recommend that you configure and monitor all the Cisco Catalyst SD-WAN network devices from Cisco SD-WAN Manager, which provides views of network-wide operations and device status, including detailed operational and status data. In addition, Cisco SD-WAN Manager provides straightforward tools for bringing up and configuring overlay network devices, including bulk operations for setting up multiple devices simultaneously.

You can access the CLI by establishing an SSH session to a Cisco Catalyst SD-WAN device.

For a Cisco Catalyst SD-WAN device that is being managed by Cisco SD-WAN Manager, if you create or modify the configuration from the CLI, the changes are overwritten by the configuration that is stored in the Cisco SD-WAN Manager configuration database.


IPFIX

The IP Flow Information Export (IPFIX) protocol, also called cflowd, is a tool for

  • monitoring the traffic flowing through devices in the Cisco Catalyst SD-WAN fabric, and

  • exporting information about the traffic to a flow collector.

cflowd version

Cisco Catalyst SD-WAN implements cflowd Version 10, as specified in RFC 7011 and RFC 7012.
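As an added example, not code from this guide or from Cisco, the following minimal parser decodes an IPFIX Version 10 message as laid out in RFC 7011 (16-byte message header, template set, data set) and rejects the header and set lengths a collector must not trust blindly. The template and the single flow record are constructed; the element IDs are the IANA ones for source/destination IPv4 address, transport ports, protocol and octetDeltaCount, and fixed-length IANA elements are assumed.

```python
import struct

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2  # RFC 7011: version 10; set ID 2 = templates; data sets use IDs >= 256

def parse_ipfix_message(buf: bytes, templates: dict) -> list:
    version, length = struct.unpack("!HH", buf[:4]) if len(buf) >= 16 else (0, 0)
    if version != IPFIX_VERSION or length != len(buf):
        raise ValueError("truncated, not IPFIX v10, or header length does not match the datagram")
    records, pos = [], 16  # 16-byte header: version, length, export time, sequence, observation domain
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", buf[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:  # never trust a set length that runs past the message
            raise ValueError("bad set length")
        body = buf[pos + 4:pos + set_len]
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(body, templates)  # templates persist across messages in `templates`
        elif set_id >= 256 and set_id in templates:  # data for an unseen template is skipped, not guessed
            records.extend(parse_data_set(body, templates[set_id]))
        pos += set_len
    return records

def parse_template_set(body: bytes, templates: dict) -> None:
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
        pos, fields = pos + 4, []
        for _ in range(field_count):
            ie_id, flen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ie_id & 0x8000:  # enterprise bit: a 4-byte enterprise number follows the field
                pos, ie_id = pos + 4, ie_id & 0x7FFF
            fields.append((ie_id, flen))  # assumes fixed-length elements (no 65535 variable length)
        templates[template_id] = fields

def parse_data_set(body: bytes, fields: list) -> list:
    rec_len, records, pos = sum(f for _, f in fields), [], 0
    while rec_len and pos + rec_len <= len(body):  # trailing bytes shorter than a record are padding
        rec = {}
        for ie_id, flen in fields:
            rec[ie_id] = int.from_bytes(body[pos:pos + flen], "big")
            pos += flen
        records.append(rec)
    return records

def build_sample_message() -> bytes:
    # Constructed sample, not a capture: template 256 = IANA elements 8, 12 (IPv4 src/dst), 7, 11 (ports), 4 (proto), 1 (octets)
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = bytes([10, 1, 1, 5, 192, 0, 2, 10]) + struct.pack("!HHBQ", 51515, 443, 6, 4096)
    body = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 1, 7) + body
```

Calling parse_ipfix_message(build_sample_message(), {}) yields one record keyed by element ID; a real collector keeps the templates dict per exporter and observation domain.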

Aggregating information

Cisco Catalyst SD-WAN Cflowd performs 1:1 traffic sampling, that is, every flow is recorded rather than a sampled subset. Information about all the flows is aggregated in the cflowd records.

Devices do not cache any of the records that are exported to a collector.

For a list of elements exported by IPFIX, refer to the information about traffic flow monitoring with Cflowd in the Cisco Catalyst SD-WAN Policies Configuration Guide.

Enabling the collection of traffic flow information

To enable the collection of traffic flow information, you must create data policies that identify the traffic of interest, and then direct that traffic to a Cflowd collector. Refer to the information about traffic flow monitoring with Cflowd in the Cisco Catalyst SD-WAN Policies Configuration Guide.

You can also enable cflowd visibility directly on devices without configuring a data policy, so that you can perform traffic flow monitoring on the traffic coming to the device from all the VPNs in the LAN. You can then monitor the traffic from Cisco SD-WAN Manager or from the device's CLI.


REST API

The Cisco Catalyst SD-WAN representational state transfer (REST) application programming interface (API) is a programmatic interface for controlling, configuring, and monitoring the devices in the network.

You can access the REST API through Cisco SD-WAN Manager.

The REST API calls expose the functionality of the Cisco Catalyst SD-WAN software and hardware to an application program. Such functionality includes the normal operations you perform to maintain the devices and the overlay network itself.


SNMP

The Simple Network Management Protocol (SNMP) is an internet standard protocol that allows you to manage all the devices in the Cisco Catalyst SD-WAN network.

SNMP version

Cisco Catalyst SD-WAN supports SNMP v2c.

For SNMPv3, the PDU type for notifications is either SNMPv2c inform (InformRequest-PDU) or trap (Trapv2-PDU).

Configuring SNMP

You can configure:

  • Properties for a device, such as device name, location, contact, and community, to enable the device to be monitored by a network management system.

  • SNMP servers to receive SNMP trap messages.

  • SNMP traps and trap groups. SNMP traps are messages that devices send to indicate an event or problem.

SNMP management information base

The object identifier (OID) for the internet node (iso.org.dod.internet) of the SNMP management information base (MIB) is 1.3.6.1.


System log messages

System log (syslog) messages are records of events on a device that form a chronological log of the device status for auditing, debugging problems, and so on.

System logging operations use a mechanism similar to the UNIX syslog command to record system-wide, high-level operations that occur on the devices in the Cisco Catalyst SD-WAN network.

The log levels (priorities) of the messages are the same as those in standard UNIX commands. You can configure the priority of the syslog messages to log.

You can configure logging to store the syslog files locally on the device or to send them to a remote host.


Cisco SD-WAN Manager

Cisco SD-WAN Manager is a centralized network management system that

  • allows configuration and management of the devices in the Cisco Catalyst SD-WAN fabric, and

  • provides a dashboard displaying the operations of the entire network and of individual devices in the network.

Three or more Cisco SD-WAN Manager servers are consolidated into a Cisco SD-WAN Manager cluster to

  • provide scalability and management support for up to 6,000 devices

  • distribute Cisco SD-WAN Manager functions across multiple devices, and

  • provide redundancy of network management operations.