Skip to main content
Cisco SD-WAN
Product Documentation
Viptela Documentation

The Virtual IP Fabric

The complexity in legacy enterprise networks stems from three main sources:

  • There is no clear separation between entities that exchange data traffic and the transport network that binds these entities together. That is, there is no clear separation between hosts, devices, and servers on the service side of the network and the interconnects between routers on the transport side of the network.
  • Policy and control decisions are embedded at every hop across the enterprise network.
  • Security is a time-intensive, manual process, and security management must be implemented either at every node in the network or by using centralized security servers to manage group keys.

The Viptela Secure Extensible Network (SEN) uses time-tested and proven elements of networking in innovative ways to build the secure, virtual IP fabric. These networking elements include:

  • Using routing and routing advertisements to establish and maintain the flow of traffic throughout the network.
  • Layer 3 segmentation, sometimes called virtual routing and forwarding (VRF), to isolate different flows of traffic. This is useful to separate traffic from different customers or different business organizations within an enterprise.
  • Peer-to-peer concepts to set up and maintain bidirectional connections between pairs of protocol entities
  • Authentication and encryptions.
  • Policies for routing and data traffic.

With five simple steps, the Viptela virtual IP fabric transforms a complex legacy network into an easy-to-manage, scalable network:

  • Step 1: Separate transport from the service side of the network.
  • Step 2: Centralize routing intelligence and enable segmentation.
  • Step 3: Secure the network automatically.
  • Step 4: Influence reachability through centralized policy.
  • Step 5: Simplify orchestration and provisioning.

Step 1: Separate Transport from the Service Side of the Network


The job of the transport network is to carry packets from one transport router to another. The transport network need only know about the routes to follow to reach the next-hop or destination router. It need not know about the prefixes for non-transport routers, the routers that sit behind the transport routers in their local service networks.

Separating network transport from the service side of the network allows the network administrator to influence router-to-router communication independently of the communication between users or between hosts.

This approach has many benefits:

  • The network administrator can choose transport circuits based on SLA and cost.
  • The routing system can assign attributes to transport links for optimal routing, load balancing, and policy-based routing.​

Step 2: Centralize Routing Intelligence and Enable Segmentation

Every router at the edge of a network has two sides for routing: one to the transport network and one to the service side of the network. To have any-to-any communication among all routers, all routers need to learn all prefixes. Traditionally, routers learn these prefixes using full-mesh IGP/BGP or by enabling routing on an overlay tunnel (for example, BGP or IGP over MPLS or GRE). Various techniques allow the scaling issues associated with full-mesh routing adjacencies to be mitigated or eliminated, such as employing a route reflector for BGP.


The Viptela fabric builds on the route reflector model by centralizing routing intelligence. Essentially, all prefixes learned from the service side on a router are advertised to a centralized controller, which then reflects the information to other routers over the network's control plane. The controllers do not handle any of the data traffic; they are involved only in control plane communication.

This approach has many benefits:

  • The centralized controller can use inexpensive or commodity servers for control plane processing.
  • The routers can use off-the-shelf silicon, allowing cost benefits from economies of scale.
  • Scale challenges associated with full-mesh routing on the transport side of the network are eliminated.
  • The network administrator can create multiple segments without the need for complex signaling protocols. For example, in the figure here, all Px prefixes can be part of one VPN, while all Sx prefixes can be part of a different VPN.

Note: The centralized controller only “influences” routing on the routers. The controller does not participate in every flow going through the network, nor does it participate in routing on the service side. This design allows the routers to have local intelligence—enough intelligence to make local site decisions quickly.

Step 3: Secure the Network and Links Automatically

The Viptela fabric identifies transport side links and automatically encrypts traffic between sites. The associated encryption keys are exchanged over a secure session with the centralized controller. Secure sessions with the controller are set up automatically using RSA and certificate infrastructure.

This approach has many benefits:

  • The Viptela fabric itself authenticates all devices participating in the network, which is an important step to secure the infrastructure.
  • The fabric automatically exchanges encryption keys associated with the transport links, eliminating the hassle of configuring thousands of pair-wise keys.
  • The fabric ensures that the network is not prone to attacks from the transport side.​

Step 4: Influence Reachability through Centralized Policy

s00010.pngPolicy configured on a centralized controller strongly influences how prefixes are advertised among the routers. For example, if all traffic between routers P3 and P4 in the figure here has to make a U-turn at router vEdge-1, the network administrator can apply a simple route policy on the centralized controller. The controller then passes the policy to the affected edge routers. The network administrator does not need to provision the policy on each individual router.

This approach has many benefits:

  • The controller centrally influences access control, that is, which prefixes are allowed to talk to each other inside a VPN.
  • The controller optimizes user experience by influencing transport link choice based on SLA or other attributes. The network administrator can color transport links (such as gold and bronze), and allow applications to map the colors to appropriate transport links.
  • The network administrator can map business logic from a single centralized point.
  • The network can react faster to planned and unexpected situations, such as routing all traffic from high-risk countries through an intermediate point.
  • The network can centralize services such as firewalls, IDPs, and IDSs. Instead of distributing these services throughout the network at every branch and campus, the network administrator can centralize these functions, achieving efficiencies of scale and minimizing the number of touch points for provisioning.

Step 5: Simplify Provisioning and Management

Legacy network devices are provisioned and monitored manually through a CLI. Network administrators must type configurations line by line, and enter operational commands one at a time on individual devices in order to retrieve and read status information. This method is error prone and time consuming when provisioning and troubleshooting a network, and it can present serious difficulties when devices are in remote locations or when management ports are inaccessible.


The Viptela SEN centralizes and significantly simplifies provisioning and management through the vManage Network Management System (NMS). The vManage NMS provides an easy-to-use, graphical dashboard from which you can monitor, configure, and maintain all Viptela devices and links in the overlay network. For example, the dashboard's GUI provides a templated view of various configurations to ease provisioning a service, so all common elements, such as AAA and company-specific servers, can be pushed to multiple devices with a single click, from a single point.

This approach has many benefits:

  • The network administrator provisions and manages the network as a whole, efficiently and easily, as opposed to a piece-meal approach that deals with individual devices one at a time.
  • The network administrator has improved network visibility (for example, viewing network-wide VPN statistics) from a single point.
  • Troubleshooting tasks are simplified and presented visually, instead of requiring network administrators to read lengthy configurations and output from individual devices.
  • Was this article helpful?