How does it work?
Everyone who related these network technologies knows SD-WAN. Network engineers like to work with cli. Sometimes working with cli is very hard for complex configurations. When we use the BGP, Evpn, Igp, IPsec and Vpn, etc.. together. We need automation for repeat configurations. By trying to manually configure all devices on the network, we need both manpower and a lot of time. This is where SD-WAN comes into play. The Versa-networks is one of the sd-wan vendors which do good well. The following figure shows the components of the versa-networks sd-wan.
This is like Mpls layer 3 VPN. There are some differences between them. As you continue to read the serial article you will better understand what I mean.
Also, Versa sd-wan combines network and security well. Versa includes some security features like NGFW, UTM in its structure.
Alright, How does the Versa-networks sd-wan work? I will show the following figure step by step.
Branch contacts controller
Controller contacts director to see if the branch is valid and starts the authentication
Director pushes the configuration to branch over the control network.
This part is very important to understand how versa sd-wan work.
Versa SD-WAN has three staging phases. When an SD-WAN branch device is powered up, it automatically goes through three stages before it becomes completely operational. A branch device comes pre-loaded with staging server configuration. In the IPsec configuration profile, the staging server IP address is given as a remote IP address.
Stage 1 is the prestaging phase:
IKE session starts between a branch and a staging server.
After the IKE session comes up, the staging server assigns an IP address to the branch.
The Versa Director IP address is notified to the branch.
A notification is generated to Versa Director that the branch device has come up.
Stage 2 is the staging phase:
Versa Director pushes the stage two configuration to the branch device, through the staging server.
The controller IP address, in the IPSec profile, is given as a remote IP. The branch device is rebooted.
After the branch device comes up with stage two configuration, it establishes the IKE session with the controller.
The controller assigns an IP address to the branch device and generates a notification to Versa Director.
Stage 3 phase:
Versa Director pushes the stage three configuration to the branch device, over the IKE session, and reboots the branch device.
The branch device is fully operational and is a part of the customer SD-WAN network.
IKE and IPsec sessions are created between branch and controller.
VXLAN and ESP sessions are created between branches
Branch-to-branch ESP is maintained using a lightweight DH keypair proprietary protocol.
For Stage 1 and 2, the IKE session is over VNI interfaces.
For Stage 3, the IKE session is over loopback (TVI) interfaces.
**Traditional MPLS use LDP and RSVP in the forwarding plane. Versa sd-wan uses IPSEC over VXLAN**
Versa-Networks improved by adding some features to the MP-BGP.
MP-BGP is an extensible protocol, and Versa has added a new set of BGP attributes (NLRI) that carry the information necessary additional information to build SD-WAN forwarding tunnels between CPEs, Controllers, and gateways. This information includes the transport WAN interfaces, NAT information, and PKI exchanges.
Another important difference is that the Versa SD-WAN solution does not need an IGP for BGP next-hop resolution. This is because the SD-WAN components (Controllers, CPEs, gateways) are all directly connected using direct overlay tunnels. This means that the BGP next hop is directly connected and does not need to be resolved by an IGP.
The Versa Networks solution supports the following SD-WAN overlay topologies:
Hub and spoke
Multi-VRF, or multitenancy
I will do installation according to full-mesh.
Thanks for Reading.