Secure and Redundant OAM Network
Contrail SD-WAN deployments include a secure OAM overlay network to provide end-to-end secure communications between on-premises devices and CSO. As shown in Figure 1, dedicated, IPsec-encrypted OAM tunnels enable on-premises devices to send management, routing, and logging traffic securely over the network to a provider hub. The hub then forwards that traffic to CSO.
The sites in both the hub-and-spoke and dynamic mesh deployment topologies must use at least one secure OAM tunnel. You accomplish this by setting one of the WAN links for use with OAM during the site onboarding process.
We recommend having at least two of your WAN links set for use as OAM as shown in Figure 1.
With the hub-and-spoke topology, each spoke site now has two sets of connections to the provider hub site: an overlay tunnel carrying data, and a separate, dedicated IPsec overlay tunnel carrying OAM traffic, as shown in Figure 2.
Since a normal dynamic mesh topology would not include a hub device for data traffic, one must be added for the secure OAM traffic. As shown in Figure 3, each spoke site has a new connection: a separate, dedicated IPsec overlay tunnel carrying OAM traffic to the provider hub.
OAM Provider Hub Design Options
There are two ways to implement the OAM hub, depending on design requirements. As shown in Figure 4, the options are as follows:
Data and OAM tunnels terminate on the same provider hub device—this is a good option for small deployments, where the single hub device can handle both the data and OAM traffic.
Data and OAM tunnels terminate on separate provider hub devices—this option can be useful for larger deployments where the main hub device’s resources are needed to service the overlay tunnels carrying data traffic; a second hub device can be used to terminate the OAM tunnels.
Figure 4: OAM Tunnels - Provider Hub Design Options
Usage Notes on Provider Hub Design Options:
An OAM provider hub can support multiple tenants, or can be dedicated to a single tenant.
Connectivity from the provider hub(s) to CSO should be private and secured, as it is not covered by the OAM tunnels.
We recommend that you implement multiple OAM provider hubs for redundancy and to ensure no loss of management or monitoring of the on-premises devices.
When a spoke site is multi-homed to multiple hub devices, one OAM tunnel should terminate on each hub. There is no configuration needed in CSO other than configuring multi-homing and specifying the two hubs. CSO automatically terminates one OAM tunnel on each hub device.
On-premises devices behind NAT are supported for hub-and-spoke and dynamic mesh deployments.
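As an added example (not part of this documentation and not code from CSO), a small Python inventory check that applies the OAM design rules above to a site and hub inventory: every site needs at least one OAM-designated WAN link (two recommended), hub-to-CSO connectivity must be private because the OAM tunnels do not cover it, and multiple OAM provider hubs are recommended for redundancy. The inventory model (WanLink, Site, Hub) and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class WanLink:
    name: str
    oam: bool = False        # designated for OAM during site onboarding

@dataclass
class Site:
    name: str
    hubs: List[str]          # provider hub(s) this spoke is homed to
    links: List[WanLink]

@dataclass
class Hub:
    name: str
    cso_link_private: bool   # hub-to-CSO path is private/secured

Finding = Tuple[str, str, str]   # (severity, object, message)

def validate_oam_design(sites: List[Site], hubs: List[Hub]) -> List[Finding]:
    """Apply the OAM design rules to an inventory and return findings."""
    findings: List[Finding] = []
    hub_names = {h.name for h in hubs}
    # Redundancy: multiple OAM provider hubs are recommended.
    if len(hubs) < 2:
        findings.append(("WARN", "deployment", "single OAM provider hub; multiple recommended for redundancy"))
    for hub in hubs:
        # Hub-to-CSO connectivity is outside the OAM tunnels and must be secured separately.
        if not hub.cso_link_private:
            findings.append(("ERROR", hub.name, "hub-to-CSO connectivity is not private/secured"))
    for site in sites:
        oam_links = [l for l in site.links if l.oam]
        if not oam_links:
            findings.append(("ERROR", site.name, "no WAN link designated for OAM"))
        elif len(oam_links) == 1:
            findings.append(("WARN", site.name, "only one OAM WAN link; two recommended"))
        for h in site.hubs:
            if h not in hub_names:
                findings.append(("ERROR", site.name, f"homed to unknown hub {h}"))
    return findings

def example_inventory():
    """Constructed sample inventory (hypothetical names, not a real deployment)."""
    sites = [Site("branch-a", ["hub-1", "hub-2"], [WanLink("mpls", True), WanLink("inet", True)]),
             Site("branch-b", ["hub-1"], [WanLink("mpls", True), WanLink("inet")]),
             Site("branch-c", ["hub-1"], [WanLink("inet")])]
    hubs = [Hub("hub-1", True), Hub("hub-2", False)]
    return sites, hubs

if __name__ == "__main__":
    for sev, obj, msg in validate_oam_design(*example_inventory()):
        print(f"{sev:5} {obj}: {msg}")
```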