Inter-Controller Comms - Conflicting Cisco Docs

Steytler
Level 1

I have 1 Cisco doc stating the inter-controller communication protocol is DTLS and my ENSDWI digital learning course stating OMP.

I can't assume OMP because DTLS is just an underlay protocol to transport other protocols. Where do I get an official answer?

From digital learning.

The exchange of control plane information over OMP peering sessions is a key piece in the Cisco SD-WAN high availability solution:

1.  Cisco vSmart controllers quickly and automatically learn when a Cisco vBond orchestrator or a router joins or leaves the network. They can then rapidly make the necessary modifications in the route information that they send to the routers.

2.  Cisco vBond orchestrators quickly and automatically learn when a device joins the network and when a Cisco vSmart controller leaves the network. They can then rapidly make the necessary changes to the list of the Cisco vSmart controller IP addresses that they send to routers joining the network.

OR

Cisco SD-WAN vManage and vSmart controllers initially contact and authenticate to the vBond controller, forming persistent DTLS connections, and then subsequently establish and maintain persistent DTLS/TLS connections with each other. WAN Edge devices onboard in a similar manner, but drop the transient vBond connection and maintain DTLS/TLS connections with the vManage and vSmart controllers.

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

Many thanks!


Hi,

Please note that controller-to-controller communication and edge-router-to-controller communication (like you said, the underlay) is DTLS or TLS (vBond always uses DTLS).

After the controllers authenticate each other, they are assumed to be in the overlay. Then routers come into the overlay after being authenticated by vBond/vManage/vSmart.

TLS/DTLS are just transport protocols, used to encrypt traffic for other SD-WAN operations (push policy, push configuration, exchange routing and control information). These operations are done using other protocols/operations, such as:

In the SD-WAN overlay, OMP is used between vSmarts, and between vSmarts and edge routers, to exchange control plane information.

OMP itself is not encrypted traffic; it is just a control plane protocol used for exchanging routing information, key distribution, and pushing centralized policies from vSmart to edge routers (like BGP), but it runs over DTLS/TLS. Thus, in reality OMP is encrypted by DTLS/TLS (the transport protocols).

Like OMP, NETCONF can also be seen in SD-WAN. It also runs over DTLS/TLS sessions (so it is encrypted by them) and is used to push configuration/policy from vManage to other controllers and to edge routers.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
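The layering described in this answer (OMP and NETCONF carried inside DTLS records, so only record headers and opaque fragments are visible on the underlay) can be checked on a UDP payload with a small record-layer parser. This is an added example, not code from the thread or from Cisco; the datagram is constructed, the edge-router-to-vBond roles are assumed, and the header layout follows RFC 6347.

```python
import struct

# DTLS record header (RFC 6347 s.4.1): content type (1 byte), protocol
# version (2), epoch (2), 48-bit sequence number (6), fragment length (2).
DTLS_HDR = struct.Struct("!BHH6sH")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

def parse_dtls_records(datagram):
    """Split one UDP payload into DTLS records without decrypting: an
    application_data fragment (where OMP/NETCONF sits) comes back as opaque bytes."""
    records, off = [], 0
    while off < len(datagram):
        if len(datagram) - off < DTLS_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, epoch, seq, length = DTLS_HDR.unpack_from(datagram, off)
        if ctype not in CONTENT_TYPES or version not in VERSIONS:
            raise ValueError("not a DTLS record at offset %d" % off)
        start = off + DTLS_HDR.size
        fragment = datagram[start:start + length]
        if len(fragment) != length:
            raise ValueError("record at offset %d shorter than its length" % off)
        records.append({"type": CONTENT_TYPES[ctype], "version": VERSIONS[version],
                        "epoch": epoch, "seq": int.from_bytes(seq, "big"), "fragment": fragment})
        off = start + length
    return records

def unprotected_app_data(records):
    """application_data in epoch 0 (before the first ChangeCipherSpec) would
    carry the inner protocol in the clear; a correct session never emits it."""
    return [r for r in records if r["type"] == "application_data" and r["epoch"] == 0]

def is_well_formed_dtls(datagram):
    try:
        parse_dtls_records(datagram)
        return True
    except ValueError:
        return False

def dtls_record(ctype, epoch, seq, fragment):
    """Build one DTLS 1.2 record; used here only to construct the sample."""
    return DTLS_HDR.pack(ctype, 0xFEFD, epoch, seq.to_bytes(6, "big"),
                         len(fragment)) + fragment

# Constructed datagram (not a capture): a minimal ClientHello stand-in from an edge
# router to vBond in epoch 0, then an epoch-1 application_data record (ciphertext).
CLIENT_HELLO = b"\x01" + b"\x00" * 11 + b"\xfe\xfd"
SAMPLE_DATAGRAM = (dtls_record(22, 0, 0, CLIENT_HELLO)
                   + dtls_record(23, 1, 0, bytes.fromhex("9c1142e07d335a08")))
```

Run `parse_dtls_records(SAMPLE_DATAGRAM)` and note that the second record's fragment is returned untouched: the parser can name the transport and its state, but nothing about OMP inside it.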

Epic - thanks.  

svemulap@cisco.com
Cisco Employee
In addition to what has been covered, take a look at the allow-service section at
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/command/sdwan-cr-book/config-cmd.html?dtid=osscdc000283#wp3800317946
which goes into detail on which services are allowed (by default and via configuration).

The design guide at https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#AdditionalPortsfortheVPN0Transport has additional information.

HTH