If disaster recovery is configured, ensure that the following ports are opened over the out-of-band interface across the data centers between the primary and standby cluster:

Summary of ports needed for SD-WAN Manager disaster recovery

SD-WAN Manager Service	Protocol/Port	Direction
Disaster Recovery	TCP 8443, 830	bidirectional

Branch SD-WAN Router Design

Common Branch Design Principles

• Use of IP Prefix Aggregation: Banking Network Solutions implements IP prefix aggregation at all branch locations. Aggregation helps in reducing the size of routing tables and conserves address space by summarizing multiple contiguous IP addresses into a single, more efficient prefix.  
• Use of TLOC Color Restriction: TLOC color restriction is employed uniformly across all branch locations by Banking Network Solutions. This restriction ensures that SD-WAN tunnels are formed only between TLOCs of the same color, enhancing security and network segmentation.
• Use of Tunnel Groups: The deployment of Tunnel Groups is consistent across all branches within Banking Network Solutions. Tunnel Groups allow routers to form SD-WAN tunnels selectively, based on predefined groups, optimizing network traffic and resource utilization.

These design principles ensure a standardized and efficient network architecture across all branch locations within Banking Network Solutions' SD-WAN infrastructure, promoting scalability, security, and ease of management.

Banking Network Solutions operates 6000 + branch sites, each varying in size and design to cater to different operational requirements.

Large/Regional Branch Sites:

• These sites are deemed business-critical and are equipped with dual active circuits from distinct regional MPLS carriers. Both routers at these sites maintain Internet connectivity (via wired broadband or public LTE/5G) to enhance bandwidth and ensure high availability. Dual routers are deployed to manage WAN access at these paramount locations.

Medium-Sized Branch Sites:

• Medium-sized branches typically feature either one MPLS circuit from a regional carrier alongside Internet connectivity (wired broadband or public LTE/5G), or dual MPLS circuits from two regional carriers, with both circuits actively utilized. While these sites are essential, their criticality does not necessitate dual routers. Instead, a strategy emphasizing the swift replacement of networking equipment has been adopted. Hence, only a single router is deployed at Medium-Sized Branch Sites.

• Small Branch Sites and ATM:
  • Small branch sites encompass a broad spectrum, ranging from single ATM units co-located within larger retail establishments like grocery stores to compact kiosks offering limited financial services in shopping malls. These sites typically have a single provisioned circuit, either MPLS or Internet (wired broadband or LTE/5G), based on site availability. Small Branch Sites are perceived as having low criticality, leading to the deployment of a single router with integrated switch ports. In cases where the integrated switch ports are inadequate, a small standalone Layer 2 switch may supplement the router's networking capabilities.
• The distribution of Large/Regional, Medium-Sized, and Small Branch Sites within the Banking Network Solutions network is outlined in the following table.

Branch Site Type 1 (Small Branch and ATM)

  The following figure shows the high-level branch type 1 design

 

Below are the design considerations for Branch Site type 1.

WAN Edge Device Configuration:

• Branch Site Type 1 includes a single WAN Edge device with two WAN transports.

  WAN Facing Ports:

• Two specific GigabitEthernet interfaces will be designated as the WAN facing ports. These ports will be assigned to the primary VPN for WAN transport connections.

  LAN Facing Port:

• Another GigabitEthernet interface will be designated as the LAN facing port. Dot1q sub-interfaces will be configured on this port, and these sub-interfaces will be assigned to the various service VPNs to handle internal traffic.

Branch Site Type 2 (Large/Medium Branch Sites)

  The following figure shows the high-level branch type 2 design

 

Below are the design considerations for Branch Site type 2 with MPLS transport with TLOC extension.

WAN Edge Device Configuration:

• Branch Site Type 2 includes two WAN Edge devices, each with a single WAN transport.

TLOC Extensions:

• TLOC extensions are configured between the two WAN Edge routers, allowing each device to access both WAN transports. These TLOC-extension links are part of the primary VPN for WAN transport connections.

WAN Facing Ports:

• Specific GigabitEthernet interfaces on each WAN Edge device will be designated as the WAN facing ports. These ports will be assigned to the primary VPN for WAN transport connections.

LAN Facing Port:

• Another GigabitEthernet interface on each WAN Edge device will be designated as the LAN facing port. Dot1q sub-interfaces will be configured on these ports, and these sub-interfaces will be assigned to the various service VPNs to handle internal traffic.

TLOC-Extension Ports:

• A specific GigabitEthernet interface on each WAN Edge device will be designated as the TLOC-extension port. Dot1q sub-interfaces will be configured on these ports for different WAN transports.
• If there is no direct connectivity between the WAN Edge routers, TLOC-extension sub-interfaces will be extended via the core switches. In this case, dot1q sub-interfaces on the designated LAN facing port will be used for this extension.

Branch Site Type 3 (Small Branch and ATM)

The following figure shows the high-level branch type 3 design

 

Below are the design considerations for Branch Site type 3 with One MPLS transport and One 4G/MPLS Transport

WAN Edge Device Configuration:

• Branch Site Type 3 includes a single WAN Edge device with two WAN transports: one MPLS transport and one 4G/MPLS transport.

       WAN Facing Ports:

• Specific GigabitEthernet interfaces will be designated as the WAN facing ports and assigned to the primary VPN for WAN transport connections.

       LAN Facing Port:

• Another GigabitEthernet interface will be designated as the LAN facing port. Dot1q sub-interfaces will be configured on this port, and these sub-interfaces will be assigned to the various service VPNs to handle internal traffic.

Branch Site Type 4 (Small Branch)

The following figure shows the high-level branch type 4 design

 

Below are the design considerations for Branch Site Type-4 with MPLS and Internet transport.

WAN Edge Device Configuration:

• For Branch Site Type 4, there is a single WAN Edge device with dual WAN transports: one MPLS transport and one Internet transport.

WAN Facing Ports:

• Designated GigabitEthernet interfaces will serve as the WAN facing ports, connected to the primary VPN for managing WAN transport connections.

LAN Facing Port:

• Another GigabitEthernet interface will act as the LAN-facing port. Dot1q sub-interfaces will be configured on this port to connect to various service VPNs for internal traffic management.

Branch Site Type 5 (Large/Medium Branch Sites)

The following figure shows the high-level branch type 5 design

 

Below are the design considerations for Branch Site type 5 with MPLS transport with TLOC extension.

Devices: 2 WAN Edge devices

Transports:

• MPLS
• Internet

Topology and Connectivity:

• TLOC extensions between WAN Edge devices for access to MPLS and Internet transports.
• TLOC-Extension links integrated into VPN 0.

Port Configurations:

WAN Facing Ports:

• Designated for WAN connectivity.
• Assigned to VPN 0.

LAN Facing Port:

• Designated GigabitEthernet interface.
• Configured with dot1q sub-interfaces for Service VPNs.

TLOC-Extension Port:

• Designated GigabitEthernet interface between WAN Edge devices.
• Dot1q sub-interfaces assigned for MPLS and Internet transports.
• Utilization of Core switches for TLOC-Extension in absence of direct connectivity.
• Dot1q sub-interfaces on LAN facing port used for extension scenarios.

This template ensures clarity and organization in presenting the design considerations for Branch Site Type 5 configurations involving multiple WAN Edge devices and dual transports

Branch Site Type 6 (ATM)

The following figure shows the high-level branch type 6 design

 

Below are the design considerations for Branch Site Type-6 with MPLS and one 4G Internet transport.

Device Type: Single WAN edge device

Transports:

• MPLS
• 4G Internet

Port Configuration:

WAN Facing Ports:

• Designated for WAN connectivity.
• Assigned to VPN 0.

LAN Facing Port:

• Designated GigabitEthernet interface.
• Configured with dot1q sub-interfaces.
• Sub-interfaces assigned to Service VPNs.

This setup ensures effective management of MPLS and 4G Internet transports, with clearly defined WAN and LAN facing ports tailored to specific VPN assignments and internal traffic segregation using dot1q sub-interfaces.

Future Design Options for Banking Networking Solutions

Hierarchical SD-WAN – MRF ( Multi-Region Fabric) – Design Option 1

 

• Banking Network Solutions considered re-designing the network infrastructure within each SD-WAN overlay to be based on multiple smaller regions, hierarchically connected to an SD-WAN backbone. This hierarchical SD-WAN design offers several advantages:
• Multi-region fabric (hierarchical) SD-WAN design simplifies centralized control policy creation for hub-and-spoke topology.
• Large/Regional Branch Sites would serve as SD-WAN Regional Hub Sites, reducing the number of SD-WAN devices per regional fabric and tunnels required within each regional full-mesh.
• Smaller number of SD-WAN devices per regional fabric allows the use of lower-priced SD-WAN routers within branch sites.
• Significant effort required to redistribute circuits and circuit bandwidth from existing Data Center Sites to Regional Hub Sites to accommodate the new architecture.
• Expanded role of Large/Regional Branch Sites as SD-WAN Regional Hub Sites necessitates re-evaluation of the support model, including staffing, physical space, power systems, and air conditioning requirements.
• Banking Network Solutions decided to table the multi-region fabric (hierarchical) SD-WAN design initially and consider it as a potential future design.

Benefits of MRF

Cisco SD-WAN Multi-Region Fabric offers Banking Network Solutions the capabilities to enhance, scale up, and, more importantly, simplify their Cisco SD-WAN fabric across regions. Cisco SD-WAN Multi-Region Fabric helps you:

• Scalability: The hierarchical structure allows for easy scalability by adding new regions or expanding existing ones without significant impact on the overall architecture. This flexibility accommodates the growing needs of Banking Network Solutions.
• Improved Performance: With optimized traffic management between regions, the hierarchical SD-WAN design enhances application performance and user experience. This is achieved by directing traffic along the most efficient paths within the network.
• Centralized Management: Centralizing network management and configuration simplifies operations for Banking Network Solutions. With a hierarchical design, management tasks can be streamlined, reducing administrative overhead.
• Resilience: Redundant links and failover mechanisms at both regional and backbone levels ensure high availability and resilience against network failures. This robustness minimizes disruptions to banking operations.
• Security: Implementing security policies and segmentation at multiple levels enhances the overall security posture of Banking Network Solutions. With granular control over network access and traffic flows, the hierarchical SD-WAN design bolsters cybersecurity defenses.

In summary, the deployment of a multi-region fabric Cisco Catalyst SD-WAN design in a hierarchical structure empowers Banking Network Solutions to modernize their network infrastructure, meet evolving demands, and adapt to future challenges effectively.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/hierarchical-sdwan/hierarchical-sdwan-guide/migrate.html

Multiple Overlay – Design Option 2

In planning for future scalability, Banking Network Solutions can explore the option of deploying multiple overlays, replicating the successful design strategy employed in their single overlay infrastructure. This approach ensures scalability by accommodating increased network demands, provides redundancy and resilience to mitigate downtime, optimizes performance through traffic segregation, facilitates geographic expansion while maintaining reliability, streamlines management with proper tools and strategies, and ensures readiness for evolving technology and business needs, thus offering a robust and adaptable network architecture for long-term growth.

Benefits of Multiple Overlays:

• Scalability: Implementing multiple overlays allows for easier scalability as the network grows, enabling Banking Network Solutions to accommodate increasing demands and traffic without overburdening a single overlay.
• Redundancy and Resilience: Having multiple overlays provides redundancy and resilience, ensuring that if one overlay experiences issues or failures, the other overlay can continue to operate, thus minimizing downtime and disruptions to banking operations.
• Traffic Segregation: Different overlays can be dedicated to specific types of traffic or applications, allowing for better traffic segregation and prioritization based on business needs and requirements.
• Geographic Expansion: Multiple overlays can support geographic expansion more effectively, allowing Banking Network Solutions to extend their network infrastructure to new regions or locations while maintaining performance and reliability.
• Ease of Management: Managing multiple overlays may introduce some complexity, but with proper management tools and strategies, Banking Network Solutions can effectively oversee and control the entire network infrastructure while maintaining centralized management policies
• Future-Proofing: Considering multiple overlays as part of future scaling plans ensures that Banking Network Solutions can adapt to evolving technology trends and business requirements, providing a future-proof network architecture that can support long-term growth and innovation.
• Overall, incorporating multiple overlays into future scaling plans offers several benefits, including scalability, redundancy, traffic segregation, geographic expansion support, ease of management, and future-proofing the network infrastructure for Banking Network Solutions.

Multiple SDWAN Overlay – Option A

 

Multiple SDWAN Overlay  - Option B

 

High Availability and Redundancy

When designing a Cisco SD-WAN solution for the Banking Networking Solutions, ensuring high availability and redundancy is crucial to maintain the continuous operation of critical financial services and applications. Here are key considerations for implementing high availability and redundancy in a Cisco SD-WAN deployment

Dual-Active Edge Routers :

• Deploy dual-active edge routers at branch offices to ensure redundancy and load balancing of traffic.
• Configure these routers in an active-active mode, where both routers actively participate in forwarding traffic and can take over each other's traffic load in case of failure.
• Asymmetric routing occurs when incoming and outgoing packets of a communication session take different paths through the network, potentially leading to challenges in network monitoring, security enforcement, and Quality of Service (QoS) management.

  Active-Standby Edge Routers:  

• Active-Standby edge routers ensure high availability by designating one router as active (handling traffic) and the other as standby (ready to take over if needed). 
• This setup minimizes downtime during hardware or software failures, ensuring continuous service availability for network operations. 

  Redundant WAN Links :

• Establish redundant WAN links from branch offices to the SD-WAN fabric, including MPLS, Internet, and 4G/LTE connections.
• Our SD-WAN router currently does not support aggregation of WAN links. However, it does support redundant WAN links from the same provider, allowing configuration of TLOC on loopback interfaces to enhance redundancy and reliability.

Application-Aware Routing :

• Dynamic Path Selection: Application-aware routing employs dynamic path selection algorithms to continuously evaluate network conditions such as link quality, latency, and jitter in real-time.
• Policy-based Traffic Steering: It utilizes policies to define thresholds for network metrics. When these thresholds are exceeded, traffic is automatically redirected to alternative paths to ensure optimal performance for critical applications.
• Enhanced Application Performance: By prioritizing application requirements over traditional routing metrics, application-aware routing enhances overall application performance and reliability, adapting to changing network conditions proactively.

Active-Active Data Centers :

• Deploy active-active data centers with redundant SD-WAN gateways to ensure continuous availability of services and applications hosted in the data center.
• Use load balancing and traffic engineering techniques to distribute traffic across multiple data center links and servers, minimizing the risk of downtime and improving scalability.

Controller Redundancy :

• Deploy redundant controllers, such as Cisco Controllers and SD-WAN Manager, in geographically diverse locations to ensure high availability of centralized management and orchestration functions.
• Configure controllers in a cluster mode with automatic failover capabilities to provide seamless operation in case of controller failure or maintenance.

Resilient Control Plane :

• Design a resilient control plane architecture with distributed control plane nodes to prevent single points of failure and improve fault tolerance.
• Use Overlay Management Protocol (OMP) to establish peer relationships between control plane nodes and exchange routing information.

Monitoring and Alerting :

• Implement proactive monitoring and alerting mechanisms to detect and respond to network faults and performance degradation in real time.
• Use network management tools and platforms to monitor key performance indicators (KPIs), link utilization, and availability metrics, and trigger automated alerts and notifications for remediation.

By implementing these high availability and redundancy measures, financial institutions can ensure continuous operation of their SD-WAN infrastructure, minimize downtime, and maintain service reliability for critical financial services and applications.

SD-WAN Manager DR for High Availability

In the Banking Network Solutions infrastructure, there are a total of 12 SD-WAN Manager instances distributed between the primary Data Center (DC) and the Disaster Recovery (DR) site:

DC SD-WAN Manager Cluster:

• Six SD-WAN Manager instances located in the Data Center from an active cluster for centralized network management and control.

DR SD-WAN Manager Cluster:

• Another six SD-WAN Manager instances located in the Disaster Recovery site serve as a standby cluster to provide redundancy and failover capability in case of DC failure.

IP Space Configuration:

• The SD-WAN Manager instances in the DR site are configured with a different IP address space compared to those in the DC, ensuring distinct identification and separation.

Tunnel Interface Shutdown:

• To prevent the SD-WAN Manager instances in the DR site from joining the overlay network unintentionally, their tunnel interfaces are placed in a shutdown mode until needed.

Configuration and Certification:

• The SD-WAN Manager instances in the DR undergo a thorough configuration and certification process to ensure their readiness for activation during failover scenarios.

Database Backup:

• Regular snapshots and backups of the SD-WAN Manager configuration database are taken to facilitate restoration and recovery processes in case of unexpected failures.

Standby SD-WAN Manager Restoration:

• In the event of an unexpected failure of the active SD-WAN Manager NMS, the most recent configuration database backup is used to restore the standby SD-WAN Manager NMS. Once restored, the standby SD-WAN Manager NMS can be activated, ensuring minimal disruption to network operations.

By following these measures, Banking Network Solutions can maintain high availability and resilience in their SD-WAN management infrastructure, ensuring continuous network operations even in the face of unforeseen challenges or disasters.

SD-WAN Controller High Availability

 

SD-WAN Controller Deployment:

• Banking Network Solutions plans to deploy 8 SD-WAN Controller instances organized into 8 groups to effectively manage their SD-WAN infrastructure.
• Controller affinity group assigns each Controller to a specific group, which enhances control and oversight across the network.

Deployment Strategy:

• SD-WAN Controllers are configured in an active-active mode:
• 4 instances located in the primary Data Center (DC).
• 4 instances situated in the Disaster Recovery (DR) site.
• Redundancy is ensured with 2 instances in cold-standby mode at both the DC and DR sites, serving as backups in case of virtual machine failures.

Affinity Group and Redundancy:

• Affinity Group settings establish redundancy between Controllers in the DC and DR sites, facilitating seamless failover and continuity of network management operations.
• This approach optimizes WAN Edge router connections, supporting efficient network operation and redundancy across Banking Network Solutions' SD-WAN infrastructure.

SD-WAN Validator High Availability

 

SD-WAN Validator Deployment:

• Banking Network Solutions plans to deploy 8 SD-WAN Validator instances in their network infrastructure.
• Host entries will be configured instead of relying on DNS to ensure more reliable and predictable communication.

Redundancy and Grouping Strategy:

• Validators are grouped to ensure redundancy between primary (DC) and secondary (DR) sites.
• For the first 1500 WAN Edges, host entries point to SD-WAN Validator 1 & 2 in the DC, with entries pointing to SD-WAN Validator 1 & 2 in the DR. For the Second 1500 WAN Edges, host entries point to SD-WAN Validator 2 & 3 in the DC, with entries pointing to SD-WAN Validator 2 & 3 in the DR. This grouping pattern repeats for subsequent groups of 1500 WAN Edges.

Cold-Standby Instances:

• Both DC and DR environments include 2 SD-WAN Validator instances in cold-standby mode.
• These standby instances act as backups in case of virtual machine failures, enhancing overall redundancy and reliability within the infrastructure.

SD-WAN Head-End Scalability

SD-WAN Head-End scalability is crucial for ensuring your network can handle growing bandwidth demands, increasing numbers of sites, and diverse traffic patterns. Here's an overview of key approaches to achieve SD-WAN Head-End scalability:

  Vertical Scaling:

• Function:  Increases the processing power and memory of existing head-end hardware.
• Benefits:

• Simpler implementation, often requiring only hardware upgrades to existing equipment.
• Potentially cost-effective for smaller increases in capacity.

• Considerations:

• Limited scalability compared to horizontal scaling.
• May not be suitable for significant increases in network size or complexity.
• Hardware upgrades might disrupt network operations, requiring careful planning and scheduling.

  Horizontal Scaling:

• Function:  Adds additional head-end instances to distribute the workload and increase overall capacity.
• Benefits:

• Highly scalable, allowing significant increases in network size and complexity.
• Enables elastic scaling, adding head-end instances as needed to meet growing demands.
• Improves fault tolerance, with remaining head-ends continuing operations if one fails.

• Considerations:

• Requires additional hardware or virtual resources for each added head-end instance.
• Complexity increases with more head-ends, requiring careful configuration and management.
• May introduce potential performance impacts if not properly implemented and configured.

Banking Network Solutions Scalability Considerations

• 6000+ branch sites in total, comprising of:
• 3 x DC/DR/NDR sites with 4 cEdge per site
• 100 x sites with 2 cEdge per site
• 6000 x sites with 1 cEdge per site
• 3 service VPNs for branch sites for segmentation

Scalability Considerations – Controllers

 SD-WAN Manager

Note: For Banking Network Solutions SDWAN, Two - 6 Node SD-WAN Manager Clusters are deployed.  Active Cluster (DC) and Cold Standby Cluster (DR)

 SD-WAN Controller

• 2,000 WAN edge with control connections over a single transport = 2000 OMP sessions and 2000 DTLS per SD-WAN Controller
• 2,000 WAN edge with control connections over dual transports = 2000 OMP sessions and 4000 DTLS per SD-WAN Controller
• Configurations on the WAN Edge routers dictate how many total connections or OMP sessions are made to the multiple SD-WAN Controllers
• Controller group configurations are used to achieve affinity, and help to manage scale & SD-WAN Controller connection preferences
• For large deployments (> 2000 WAN Edge), affinity (an additional design tool) are used to manage SD-WAN Controller horizontal scaling

Note: For Banking Network Solutions SDWAN, Horizontal scale out model with 8 SD-WAN Controllers are deployed.  4 SD-WAN Controller in DC and 4 SD-WAN Controller in DR along with controller affinity.

Additional Considerations:

• Scalability limitations of different SD-WAN controller platforms (SD-WAN Manager and SD-WAN Validator) should be evaluated based on specific deployment requirements.
• Network infrastructure, geographical distribution, and traffic patterns should be factored into the overall scalability plan.

 SD-WAN Validator

• For <1500 WAN Edge with no HA a single SD-WAN Validator instance is adequate
• For <1500 WAN Edge with HA requirement, 2 SD-WAN Validator is recommended
• For >1500 WAN Edge, Horizontal scale out of two more SD-WAN Validators is required

Note: For Banking Network Solutions SDWAN, Horizontal scale out model with 8 SD-WAN Validator is deployed.  4 SD-WAN Validator in DC and 4 SD-WAN Validator in DR

WAN Edge

There is a limit on the number of BFD session tunnels that each cEdge router can accommodate. A BFD session tunnel is defined as an active IPsec data plane tunnel.

• For DC WAN Edge C8500: Max number of IPSEC tunnels is 8000
• For Branch WAN Edge C8200 :  Max number of IPSEC tunnels is 1500 to 2500, depending on the HW model.

Note: For Banking Network Solutions SDWAN Hub and Spoke topology, to reduce the number of tunnels built on DC WAN edge routers

• DC WAN edge routes are grouped into two different groups
• Branch WAN edge router forms tunnels to DC WAN edge routers from one of the group

SD-WAN Topologies

SD-WAN deployments can utilize various topologies to connect different network locations and optimize traffic flow.

Hub and Spoke Topology

In the Banking Network Solutions SD-WAN solution, the hub-and-spoke topology will be used. In a hub-and-spoke topology, the WAN Edge routers at DC/DR/NDR site will act as the hubs that receive the data traffic from all the branch sites. Once they receive the data they would redirect the traffic to the appropriate destinations. This topology reduces the number of IPsec tunnels by restricting direct IPsec tunnels between all the branches and hence spoke routers do not need to spend their CPU for these tunnels. Hub-and-spoke topologies save on tunnel capacity since tunnels are only built to the hub routers. It is also beneficial from the administrative point of view in applying centralized policies at WAN Edge hub routers to control the traffic between all sites.

• Simplified management:  Centralized configuration and control of network policies and security settings from the hub.
• Efficient bandwidth utilization:  Traffic can be aggregated and backhauled to the internet through the central hub, optimizing bandwidth usage.
• Increased security:  Centralized security policies and potential firewall deployment at the hub can offer enhanced security posture.

The following diagrams illustrate HUB(DC) & Spoke / Partial Mesh topologies

SD-WAN Topology – Hub/Spoke

SD-WAN Topology – Partial Mesh

The choice between Hub and Spoke and Partial Mesh Tunnels depends on your specific needs and network characteristics:

• Network size and complexity:  Consider the number of sites, traffic patterns, and potential future growth.
• Security requirements:  Evaluate your security needs and how each topology aligns with your security posture.
• Performance and latency:  Choose the topology that optimizes performance and minimizes latency for your critical applications.
• Hybrid approaches:  Combining Hub and Spoke with Partial Mesh Tunnels might be suitable in scenarios with diverse traffic patterns and varying needs across different sites.
• SD-WAN solutions:  Many SD-WAN solutions offer built-in support for both Hub and Spoke and Partial Tunnel functionalities, providing flexibility in network design.

In Banking Network Solutions, the choice of Hybrid Tunnels topology was made to have Voice traffic between Contact Centre locations required to avoid latency.

By understanding the advantages and limitations of each topology and carefully considering your specific needs, you can choose the most appropriate SD-WAN architecture for your organization.

SD-WAN policy Design

In SD-WAN policy design, various elements are used to define how traffic is handled, routed, and controlled across the network. Here are some key components:

1. Color : Colors are used to classify traffic into different categories based on specific criteria such as application type, source/destination IP addresses, or quality of service (QoS) requirements. Each color represents a different class or type of traffic, allowing for granular control and prioritization.
2. Transport Locator : Transport locators define the physical or logical paths through which traffic will be forwarded across the network. They specify the network interfaces, tunnels, or service provider links that traffic will traverse to reach its destination. Transport locators can be configured based on factors such as cost, latency, bandwidth, or security requirements.
3. Tunnel-Group : Tunnel groups are used to group together multiple network tunnels or paths that share similar characteristics or properties. By defining tunnel groups, administrators can apply common policies, settings, and attributes to a set of tunnels, simplifying management and configuration tasks.
4. Restrict : Restrictions are used to enforce specific access control policies or limitations on traffic flows within the SD-WAN environment. Restrictions can include bandwidth limitations, traffic shaping policies, access control lists (ACLs), or quality of service (QoS) policies that dictate how traffic is permitted or restricted based on predefined criteria.

These components work together to define the behavior, routing decisions, and quality of service parameters for traffic traversing the SD-WAN environment. By carefully configuring and managing these elements within SD-WAN policies, organizations can ensure optimal performance, reliability, and security for their network traffic.

In Banking Network Solutions, many networks/routes will be advertised into the SD-WAN overlay network from the data centres. Below are some of the routes that we would receive from the DC/DR/NDR.  

• Default route - 0.0.0.0/0
• DC LAN subnets
• DR LAN subnets
• NDR LAN subnets
• Public Cloud DX/ER Private Subnets via DR & NDR

  As the prefixes will be large and change any time, the routes received on the service side at DC/DR/NDR will be matched with OSPF Tags.

The following design considerations apply:

• DC Originated LAN routes will be the set to OSPF Tag 10 in the DC LAN
• DR Originated LAN routes will be the set to OSPF Tag 20 in the DC LAN
• NDR Originated LAN routes will be the set to OSPF Tag 30 in the NDR LAN
• There are AWS Direct Connect and Azure Express route connectivity in DR and NDR.
• Routes received from the Cloud providers will be tagged in DR with Tag 820 and in NDR with Tag 830 in OSPF with their respective LAN networks.
• Default Route will be advertised from DC/DR/NDR into the SD-WAN fabric.
• SDWAN Controller/vSmart will advertise this default route to all remote sites by default. However, this behaviour will be modified with policies as follows:
  • While the default route is advertised to Remote sites, OMP Route Preference (300, 200, 100) will be modified to prefer the default route from DC, DR and NDR in order
• OSPF tag 10, 20, 30, 820 & 830 will be mapped to OMP tags while redistributing the OSPF to OMP in DC/DR/NDR Wan Edge routers.
• Routes advertised from DC with Tag 10 will be set with highest OMP preference of 300 and advertised to the remote branches
• Routes advertised from DR with Tag 20 will be set with highest OMP preference of 300 and advertised to the remote branches
• Routes advertised from NDR with Tag 30 will be set with highest OMP preference of 300 and advertised to the remote branches
• Routes advertised from DR with Tag 820 will be set with OMP preference of 200 and advertised to the remote branches
• Routes advertised from DR with Tag 820 will be set with OMP preference of 300 and advertised to the remote branches

  SD-WAN Control Policy for DC/DR/NDR Route Preference to Group 1 branches

SD-WAN Control Policy for DC/DR/NDR Route Preference to Group 2 branches

 

• Routes advertised from the remote branches from VPN 10, will be set with OMP Tag 100 and advertised to DC/DR/NDR
• Routes advertised from the remote branches from VPN 20, will be set with OMP Tag 200 and advertised to DC/DR/NDR
• Routes advertised from the remote branches from VPN 30, will be set with OMP Tag 300 and advertised to DC/DR/NDR
• While redistributing the Remote branch routes into the OSPF at DC/DR/NDR, OMP Tags will be mapped to OSPF tags as per the below table in each DC accordingly.

 

Branch Site OMP Tag	Service VPN	DC OSPF Tag	DR OSPF Tag	NDR OSPF Tag
100	10	510	610	710
200	20	520	620	720
300	30	530	630	730

 

• In Oder to avoid the routing loops, the branch routes that are advertised to the DC/DR/NDR Lan will be dropped in the OSPF matching all the OSPF tags in the range (510 – 730) found in the above table on the SD-WAN edge routers using table-map configurations under OSPF in their respective VRF/VPNs.

  SD-WAN Control Policy for OSPF - OMP Tagging and Route Loop Avoidance.

• At remote sites , Static and Connected routes will be redistributed into OMP with Tagging and metrics
• A remote site will advertise all prefixes available within that site only.

Direct Internet Access (DIA)

Cisco SD-WAN Direct Internet Access is a solution that improves the user experience for SaaS applications at remote sites by eliminating the performance degradations related to backhauling Internet traffic to central data centers. DIA allows control of Internet access on a per VPN basis.

Direct Internet Access

This section explains how the Internet Access at branches will be replaced by Direct Internet Access (DIA) provided by Cisco SD-WAN edges. Internet access at DCs will not use SD-WAN Edges since it is normally handled by dedicated devices in the DMZ within the Data Centers.

Benefits of using DIA include :

• Reduced bandwidth consumption, latency and cost savings on WAN links by offloading Internet traffic from the private WAN circuit.
• Improved branch office user experience by providing Direct Internet Access (DIA) for employees at remote site locations

Cisco SD-WAN Direct Internet Access is characterized by providing different options and large flexibility to customers. DIA can be controlled by routing, by policy or by a combination of the two and it can be also redirected to a cloud-based security solution (like Cisco Umbrella). Different options for primary and backup path can be used. This section first describes the general principles for branch DIA.

Branch Direct Internet Access (Plane DIA)

Branch DIA

Branch DIA covers two main use cases, branch internal employees and guest. As shown in the figure, branch (remote-site) employees are allowed direct access to the Internet for cloud- based applications and user web access. This is achieved by configuring the WAN edge routers as an Internet exit point. Internal employee Internet traffic uses the directly connected Internet transport for direct Internet access, while the corporate traffic uses the SDWAN tunnels to the destination.

Branch Internal User DIA Traffic

Branch users access the Internet directly for user web access and cloud-based applications, without routing their traffic via the internal network and through the Hub sites.

In general DIA use, segmentation is useful in keeping authenticated employee or users separate from the guest users and it is achieved by assigning users and guests to different SDWAN service VPNs.

For DIA, NAT translation for packets exiting into the internet within the branch is enabled on the WAN edge devices via NAT. NAT is a required feature when providing a local breakout.

The NAT type used can be of different types: overload (i.e. NAT interface) or NAT pool or loopback. The most common is NAT overload that is the mapping of multiple unregistered IP addresses to a single registered IP address by using different ports. NAP pool allows a larger and configurable pool of public IP to be used. NAT loopback use the loopback interface on the inside. The NAT operation on outgoing traffic is performed in VPN 0, which is always only a transport VPN. The router's connection to the Internet is in VPN 0.

There are two ways in which traffic from the service VPNs (user or guest) can be redirected to the DIA on VPN0:

• DIA with NAT DIA Route traffic redirection
• Centralized data policy

Guest Access

Cisco SD-WAN provides an easy and secure way to create an isolated Guests segment that is isolated from the enterprise network and has its own security policies. Typical DIA traffic policies include:

• Restricting bandwidth usage of guest’s users
• Restricting access to certain Internet resources
• Restricting access to internal  enterprise resources
• Protecting the network from malicious content

Security

Cisco SD-WAN allows pushing the security stack directly on the WAN edge devices onsite. This reduces the need for security appliances at every branch, by providing inbuilt security features which include DNS security, Application-aware firewall, URL filtering, IPS/IDS, and Advanced Malware Protection (AMP).

In addition, instead of enabling the security stack at the WAN edge routers, the DIA feature allows for routing the traffic through a cloud security provider. In this case, the traffic from a particular remote site is routed to the cloud security provider through point-to-point IPsec tunnels. The cloud security provider then pushes the traffic through the predefined security policies and route it out to the Internet.

Application Prioritization and QoS

In the Banking Network Solutions application prioritization and Quality of Service (QoS) are crucial for ensuring optimal performance and reliability of critical financial applications. Here are key considerations for implementing application prioritization and QoS in a Cisco SD-WAN deployment:

The QoS feature on the Edge routers works by examining packets entering at the edge of the network. The localized data policy can be used to:

• Provision QoS
• Classify incoming data packets into multiple forwarding classes based on their importance level
• Spread the classes across different interface queues
• Schedule the transmission rate level for each queue.

A class map can be configured for each output queue to specify the bandwidth, buffer size, and packet loss priority (PLP) of the output queues. This allows the Edge to determine how to prioritize data packets for transmission to the destination. Depending on the priority of the traffic and configuration, the Edge router assigns packets higher or lower bandwidth, buffer levels, and drop profiles.

In Banking Network Solutions following Four Class QoS model will be deployed. Banking Network Solutions Critical/Non-Critical applications are differentiated based on the IP details for classification.

 

Class	Class-1	Class-2	Class-3	Class-4
Traffic type	Control/Priority Traffic	Critical Subnet Traffic	Non-Critical Subnet Traffic	Best Effort/Default
BW Allocation	10%	40%	20%	30%
Typical Expected Business Traffic	Control/Priority Traffic	Interactive Video, Mission critical applications, Financial transactions	E-mail, Client Server transactions, Intranet applications, Streaming Audio/Video	Web browsing, FTP, LAN-to-LAN data transfer

  Application Identification:

• Utilize deep packet inspection (DPI) and application recognition capabilities to accurately identify and classify financial applications, such as trading platforms, banking portals, and transaction processing systems.
• Create application-aware policies based on application signatures, protocols, or port numbers to prioritize and differentiate traffic flows based on their importance to business operations.

Traffic Prioritization:

• Define QoS policies to prioritize traffic based on application criticality, latency sensitivity, and user requirements.
• Allocate dedicated bandwidth, priority queues, and buffer resources to high-priority applications to ensure timely delivery and low latency for critical transactions and real-time data feeds.

Traffic Shaping and Policing:

• Implement traffic shaping and policing mechanisms to regulate bandwidth utilization and enforce QoS policies across the SD-WAN fabric.
• Shape outbound traffic to smooth bursty traffic patterns and prevent congestion, while policing inbound traffic to enforce rate limits and prevent bandwidth abuse.

Class-Based QoS :

• Organize traffic into different classes or traffic profiles based on their characteristics, such as delay-sensitive, mission-critical, or best-effort traffic.
• Apply differentiated QoS policies to each traffic class, specifying parameters such as bandwidth guarantees, latency thresholds, and packet drop probabilities to meet service level objectives (SLOs).

Dynamic Path Selection :

• Leverage dynamic path selection algorithms to intelligently route traffic over the most suitable path based on application requirements and network conditions.
• Consider factors such as link quality, latency, jitter, and available bandwidth when selecting optimal paths for different types of traffic, dynamically adjusting routing decisions as network conditions change.

Application Performance Monitoring :

• Monitor application performance metrics, such as response times, throughput, and packet loss rates, to assess the effectiveness of QoS policies and identify areas for optimization.
• Use performance monitoring tools and dashboards to visualize application performance across the SD-WAN fabric and troubleshoot performance issues proactively.

Continuous Optimization :

• Continuously review and optimize QoS policies based on evolving business requirements, application usage patterns, and network performance metrics.
• Collaborate with application owners, network engineers, and business stakeholders to refine QoS policies and ensure alignment with business priorities and performance objectives.

Per Tunnel QoS

This feature allows to apply a Quality of Service (QoS) policy on individual tunnels, ensuring that branch offices with smaller throughput are not overwhelmed by larger aggregation/hub sites. Per-tunnel QoS on a hub allows to shape tunnel traffic to individual spokes. It also differentiates individual data flows going through the tunnel or the spoke for policing.

Per-tunnel QoS for Cisco SD-WAN provides the following benefits -

• A QoS policy is configurable on the basis of session groups, thus providing the capability of regulating traffic from hub to spokes at a per-spoke level.
• The hub cannot send excessive traffic to a small spoke and overrun it.
• The maximum outbound bandwidth and QoS queue are set up automatically when each spoke registers with an Overlay Management Protocol (OMP) message.
• The amount of outbound hub bandwidth that a “greedy” spoke can consume can be limited; therefore, the traffic can’t monopolize a hub’s resources and starve other spokes.

Few restrictions of per-tunnel QoS feature to be noted as below -

• Only Cisco IOS XE SD-WAN devices can be configured as hubs but both Cisco IOS XE SD-WAN devices and Cisco vEdge device can be configured as spokes.
• Per-tunnel QoS can only be applied on hub-to-spoke network topologies.

Per-Tunnel QoS

In Banking Network Solutions, per-tunnel QoS will be deployed to take advantage of above-mentioned features as primarily Banking Network Solutions network topology is Hub and Spoke type.

By implementing these best practices for application prioritization and QoS in a Cisco SD-WAN deployment, Banking Network Solutions can ensure reliable and responsive delivery of critical Banking applications, improve user experience, and maintain business continuity even during periods of high network congestion or degraded performance.

VPN Segmentation:

Service VPN Segmentation in Banking Network Solutions' SD-WAN

Following their SD-WAN migration, Banking Network Solutions implemented network segmentation using up to four Service VPNs for enhanced security.  

Service VPN Descriptions:

• Service VPN 10 (Employee VPN) : Internal business applications for employees.

• Service VPN 20 (ATM VPN): Financial applications accessed by ATMs and other devices. (Required at all branch sites)

• Service VPN 30 (Monitoring VPN): Logging information (syslog/SNMP traps) and in-band management. (Required at all branch sites)

Site ID – Planned/Utilised in DC WAN Edge Routers

• Site ID Definition: The site ID is a 32-bit unique integer used to identify locations within the SD-WAN network.
• Purpose: It identifies the source location of an advertised prefix within the network.
• Relevance for Controllers: While SD-WAN controllers do not directly utilize the site ID, it is still required to be set in the configuration.
• Centralized Control Policy: Establishing a Site ID List helps enforce structure within the network's centralized control policy.  
• Site Type Consideration: The policy is applied based on-site types, so defining the range of site IDs for each type is crucial.  
• Future Scaling: The site ID ranges are designed with future scaling in mind, ensuring that as the network grows, there is room for expansion without reconfiguration.

Traffic Engineering

Traffic engineering plays a crucial role in optimizing network performance and ensuring efficient utilization of resources in the financial sector. When deploying Cisco SD-WAN in this vertical, several key traffic engineering features should be leveraged:

Dynamic Path Selection:

• Utilize dynamic path selection algorithms to intelligently route traffic over the most optimal paths based on real-time network conditions, application requirements, and business priorities.
• Implement algorithms such as dynamic multipath optimization (DMPO) to dynamically distribute traffic across multiple paths and avoid congestion or performance degradation on any single link.

Application-Aware Routing:

• Implement application-aware routing policies to prioritize and steer traffic based on the specific requirements of financial applications.
• Define routing policies that consider application characteristics, such as latency sensitivity, bandwidth requirements, and quality of service (QoS) parameters, to ensure optimal performance and user experience.

By leveraging dynamic path selection, application-aware routing traffic engineering features in Cisco SD-WAN, financial institutions can optimize network performance, ensure reliable connectivity for critical transactions, and enhance user experience across the network infrastructure.

BFD Path Quality

BFD is used not only to detect blackout conditions but is also used to measure various path characteristics such as loss, latency, and jitter. These measurements are compared against the configured thresholds defined by the application-aware routing policy, and dynamic path decisions can be made based on the results in order to provide optimal quality for business-critical applications.

For measurements, the WAN Edge router collects packet loss, latency, and jitter information for every BFD hello packet. This information is collected over the poll-interval period, which is 10 minutes by default, and then the average of each statistic is calculated over this poll-interval time. A multiplier is then used to specify how many poll-interval averages should be reviewed against the SLA criteria. By default, the multiplier is 6, so 6 x 10-minute poll-interval averages for loss, latency, and jitter are reviewed and compared against the SLA thresholds before an out-of-threshold decision is made. The calculations are rolling, meaning, on the seventh poll interval, the earliest polling data is discarded to accommodate the latest information, and another comparison is made against the SLA criteria with the newest data.

Since statistical averages are used to compare against configured SLA criteria, how quickly convergence happens depends on how far out of threshold a parameter is. Using default settings, the best case is an out-of-threshold condition that occurs after 1 poll interval is completed (10 minutes) and in the worst case, it occurs after 6 poll intervals are completed (60 minutes).  When an out-of-threshold condition occurs, traffic is moved to a more optimal path.

The following figure shows an example when an out-of-threshold condition is recognized when latency suddenly increases. When latency jumps from 20 ms to 200 ms at the beginning of poll-interval 7, it takes 3 poll intervals of calculations before the latency average over 6 poll intervals crosses the configured SLA threshold of 100 ms.

You may want to adjust application route poll-interval values, but you need to exercise caution, since settings that are too low can result in false positives with loss, latency, and jitter values, and can result in traffic instability. It is important there is enough BFD hellos per poll interval for the average calculation, or large loss percentages may be incorrectly tabulated when one is lost. In addition, lowering these timers can affect overall scale and performance of the WAN Edge router.

For 1 second hellos, the lowest application route poll-interval that should be deployed is 120 seconds. With 6 intervals, this gives a 2-minute best case and 12-minute worst case before an out-of-threshold is declared and traffic is moved from the current path. Any further timer adjustments should be thoroughly tested and used cautiously.

Note: You may want to adjust application route poll-interval values, but you need to exercise caution, since settings that are too low can result in false positives with loss, latency, and jitter values, and can result in traffic instability.

Deployment

When deploying Cisco SD-WAN in the financial sector, it's essential to consider various deployment aspects to ensure a successful implementation. Here are key considerations for each phase of the deployment process:  

Implementation Prerequisites :

• Assess network infrastructure readiness, including existing hardware, software, and connectivity requirements.
• Define business and technical requirements for SD-WAN deployment, such as performance objectives, security policies, and regulatory compliance mandates.
• Ensure sufficient resources, including skilled personnel, budget allocation, and project timelines, to support the deployment effort effectively.

Deployment Considerations:

• Evaluate deployment options, such as phased rollout vs. full deployment, based on organizational priorities, risk tolerance, and resource availability.
• Plan for network migration and cutover strategies to minimize disruption to business operations during the transition to SD-WAN.
• Consider scalability, flexibility, and future growth requirements when designing the SD-WAN architecture to accommodate evolving business needs and technological advancements. Top of Form

Deployment by Branch Size:

Large, Medium & Small Branch Sites: Require 3 Service VPNs (Employee, ATM, Monitoring)

Optional: Service VPN 40 (Guest) if customer-facing representatives are present. Business decision to offer Service VPN 40 (Guest) in select small branches based on cost-effectiveness.

Future Considerations:

• Customer-facing web applications are currently on-premises but may move to the cloud.
• Guest Wi-Fi access in small branches allows for potential future customer service opportunities.

Key Takeaways:

• Banking Network Solutions prioritizes secure network segmentation using Service VPNs.
• They tailor Service VPN deployment based on branch size and function.
• Guest Wi-Fi access is a strategic decision for potential customer engagement.