Cisco SD-WAN POC Process BRKRST-2559

3 Steps to Deploy Cisco
SD-WAN On-Prem
Andraz Piletic, Consulting Engineer / Instructor
Prashant Tripathi, Technical Marketing Engineer
BRKRST-2559
#CLUS
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKRST-2559

by the speaker until June 16, 2019.
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
#CLUS BRKRST-2559 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• SD-WAN deployment options
• Deploying controllers On-Prem
• On-Prem ZTP
• Design specifics for On-Prem deployment
• Useful lab tools
Architecture Orchestrator
Management Plane
• Orchestrates control and
• Single pane of glass vManage management plane
vBond
• Centralized provisioning • First point of authentication
• Policies and Templates • Facilitates NAT traversal
Control Plane
• Facilitates fabric discovery
• Disseminates control plane
information vSmart Controllers
• Implements and distributes policies
MPLS 4G Data Plane

INET • Physical or Virtual
WAN Edge • Zero Touch Provisioning
Cloud Data Center CoLo Campus Branch
Controllers Deployment Options
Cisco Cloud Ops MSP Ops Team Enterprise IT
Deploy Deploy Deploy
vManage vManage vManage
vSmart vBond vSmart vBond vSmart vBond

Cisco MSP Private
Cloud Cloud Cloud
Step 1 – Deploying Controllers
Installation Overview
1. Obtain documentation, software and verify system requirements.
2. Import OVA.
3. Perform installation and initial configuration:

• Connectivity (IP, GW, DNS) • Organization-Name
• System-IP • vBond address
• Site-ID • NTP
4. If using Enterprise CA server, install the enterprise root CA chain.
Initial Configuration Settings
• System-IP – Unique identifier of a SD-WAN component
• 32-Bit dot decimal notation (an IPv4 Address)
• Logically a VPN 0 Loopback Interface, referred to as “system”
• Organization-Name – SD-WAN overlay identifier

• Must match on all components
• Example: "CLUS 2019 BRKRST – 2559"
• Site-ID – Identifies logical location of individual node

• Configured on every WAN Edge
• When not unique, same location is assumed
Certificate Authority Options
• DigiCert certificates can be used also in on-prem deployment.
• Need to contact CloudOps for approval.
• Root certificate is preinstalled in the software.
• Enterprise certificates can be used for

on-prem controllers deployment.
• Need to install root certificate chain and sign
all CSRs manually.
• Cisco PKI can be used for on-prem controllers deployment.

• CSRs can be automatically signed using configured Smart
account and internet connectivity from vManage.
• Manual signing is supported via PnP portal.
Deploying vManage
on VMware ESXi
Verifying vManage System Requirements
Devices vCPUs RAM OS Volume Database Bandwidth vNICs
Volume
1-250 16 32 GB 16 GB 500 GB, 25 Mbps 2
1500 IOPS
251-1000 32 64 GB 16 GB 1 TB, 100 Mbps 2
3072 IOPS
1000+ 32 64 GB 16 GB 1 TB, 150 Mbps 3*
3072 IOPS
• SSD required for normal vManage performance.

• Private lab setup for learning purposes will work with less resources.
• * vManage Cluster requires dedicated interface for message bus.
vManage Interface Properties
vNIC 2 vNIC 1
vNIC Interface Default VPN DHCP State

enabled
2 eth0 0 Yes Enabled
VPN0 VPN512
1 eth1 Not set No Disabled
• By default, vManage OVA is configured

Control Management
Interface Interface with a single interface (eth0).
• Adding additional interface remaps eth0
to vNIC 2.
ESXi, KVM, AWS, MS Azure
Deploying vManage OVA on VMware ESXi
• Primary disk for OS consumes 19 GB.
Deploying vManage OVA on VMware ESXi (Cont.)
Singe Interface present by default.
Do not power on VM before adding additional disk for a DB installation.
Adding Additional Resources to the vManage VM
Additional Hard Disk will host vManage database.
Specifying Capacity and Specifying Device Type
SCSI interface is not supported, make

For Lab environment, a 100 GB disk size will sure you select the IDE type.
be sufficient. For PoC/PoV or production
environments, follow official requirements.
Adding Additional Interface to vManage VM
Add additional interface for convenient OOB management.
Performing vManage Database Installation
• Default credentials: admin / admin

Configuring vManage Interface Settings
OOB management interface
Transport interface
Configuring vManage System Parameters
• Organizational-Name is case sensitive, always use quotes.

• vBond server can be specified as a domain name.
• System-IP must be unique on every component in the SD-WAN fabric.
Finalize vManage Initial System Configuration
Configure Organizational Name and vBond

address in Administration > Settings
Installing Enterprise Root Certificate
Paste CA certificate in PEM format.
vManage automatically distributes root

certificate also to other controllers.
Utilizing Cisco PKI
vManage reaches out via VPN0 to the PnP portal to

submit CSRs and retrieve signed certificates.
You need to populate Smart Account Credentials

before generating CSRs.
Deploying vBond
on VMware ESXi
Verifying vBond System Requirements
Devices vCPUs RAM OS Volume Bandwidth vNICs
1-50 2 4 GB 8 GB 1 Mbps 2
51-250 2 4 GB 8 GB 2 Mbps 2
251-1000 2 4 GB 8 GB 5 Mbps 2
1001+ 4 8 GB 8 GB 10 Mbps 2
• Only SSD-based volumes are officially supported.

• vBond is installed using vEdgeCloud OVA.
• OVA is preconfigured with four vCPUs.
Configuring vBond System Parameters
• Keyword local in the vbond command defines the vBond role.
vBond Interface Properties
vNIC 2 vNIC 1

enabled
VPN0 VPN512
2 ge0/0 0 Yes Enabled
3 ge0/1 No Disabled
4 ge0/2 No Disabled
Control Management
Interface Interface
• OVA is preconfigured with four vNICs,
only two interfaces are supported.
Configuring vBond Interface Settings
• The VPN0 interface is preconfigured for WAN.
• The tunnel-interface configuration settings lock
down the interface and also prevent incoming
NETCONF and SCP/SSH connections.
• When vBond is integrated with vManage, vManage
establishes the NETCONF and SCP connection.
• Recommendation: disable the tunnel-interface
configuration while performing controller
integration.
• Alternative: temporarily allow the netconf and sshd
service.
Configuring vBond Interface Settings (Cont.)
Transport interface
Deploying vSmart
on VMware ESXi
Verifying vSmart System Requirements
Devices vCPUs RAM OS Volume Bandwidth vNICs
1-50 2 4 GB 16 GB 2 Mbps 2
51-250 4 6 GB 16 GB 5 Mbps 2
251-1000 4 16 GB 16 GB 7 Mbps 2
1001+ 8 16 GB 16 GB 10 Mbps 2
• Only SSD-based volumes are officially supported
vSmart Interface Settings
vNIC 2 vNIC 1

enabled
2 Eth0 0 Yes Enabled
VPN0 VPN512
1 Eth1 Not set No Disabled
• By default, vSmart OVA is configured

Control Management
Interface Interface with a single interface.
• Adding an additional interface remaps
eth0 to vNIC 2.
Configuring vSmart Interface Settings
Transport interface
Configuring vSmart System Settings
Step 2 – Bringing
Up Secure Control
Plane
Integrating Controllers
1. Add vBond and vSmart controllers into the vManage.
2. Generate CSRs.
3. Sign CSRs and upload certificates.
4. Configure tunnel interfaces and establish control connections.
5. Install license file.

Adding Controllers to vManage
Specify controller‘s IP
address that is reachable
from vManage VPN0
interface via NETCONF
and SCP/SSH.
• vSmart controllers are added using the same procedure.
Generating the CSR
Viewing and Transferring the CSR
Installing Signed Certificate
Configuring Interfaces for Control Connections
• Enable the tunnel-
interface configuration
on the VPN 0 interface
on all controllers.
• On vBond, also specify

the tunnel-interface
encapsulation type.
Verifying Control Connections
Troubleshooting Control Connections
• # show control connections-history
Importing WAN Edge List
• If devices are not validated when importing the license file, you need to
manually enable each device under Configuration > Licensing.
Utilizing Cisco PKI
Utilizing Cisco PKI – Manual Method
• For environments where vManage cannot connect to the PnP servers
Utilizing Cisco PKI - Manually Submitting CSR
Utilizing Cisco PKI - Downloading Signed Cert
Local CA Server
Local Certificate Authority Server Options
• Customer‘s existing CA infrastructure:
• Microsoft CA is commonly used within enterprise environments.
• Convenient CA setups for lab testing and PoCs:

• XCA
• TinyCA
• OpenSSL
• The OpenSSL library is part of most Linux distributions by default.
• Can be used for simple certificate generation, signing CSRs, etc.
• If using subordinate servers, make sure you export/import the full root-ca
chain.
Generating Self-Signed Certificate Using OpenSSL
• ca.crt is the
new local root
certificate.
• You need to
import the
root
certificate on
all controllers
and WAN
Edge devices.
Setting up Local CA for CSR Signing
• Create a custom OpenSSL configuration file.
• Specify paths for new certs, db, serial

numbers, etc.
• Describe the path to private key and

certificate.
• Specify validity (in days).
• Specify policy.
Defining Local CA Folder Structure
• newcerts folder stores the
issued certificate.
• index.txt acts as the

database tracking the
issued certificate statuses
and their properties.
• serial file contains the next

available serial number in
hex.
Signing CSR Using OpenSSL Local CA
Step 3 – Bringing
Up Secure Data
Plane
Overview of Installation Steps - vEdgeCloud
1. Obtain software and verify system requirements.
2. Deploy OVA Template.
3. Perform initial configuration

(connectivity, system-ip, site-id, org-name, vbond address).
4. If using enterprise CA, install local root CA chain.
5. Activate vEdgeCloud by enrolling it into vManage.

Deploying vEdgeCloud on VMware ESXi
enabled
2 ge0/0 0 Yes Enabled
3 ge0/1 No Disabled
4 ge0/2 No Disabled
• Up to 8 vNICs are supported.
Generating Chassis UUID and OTP Token
• Generate bootstrap configuration to extract the UUID number and OTP

token for the vEdgeCloud activation.
Activating vEdgeCloud
Activating vEdgeCloud (Cont.)
• Verification
Zero Touch
Provisioning
Zero Touch Provisioning – WAN Edge Appliance
Controllers
Connection
• The PnP Connection Manager
Manager can redirect to cloud-hosted
or On-Prem controllers.
1 2
3 4 5
• New devices are linked to

organization using the Smart
Account when placing order.
Full Registration • Additional devices can be

IOS-XE SD-WAN and Configuration associated with the customer
using the PnP Connect portal
Requirements: on https://software.cisco.com.
 DHCP on WAN interface
 DNS to resolve devicehelper.cisco.com
ZTP – WAN Edge – Static IP Support
#cloud-boothook • Upon bootup, the router
system
personality vedge searches bootflash: or usbflash:
device-model vedge-ISR-4321
host-name WanEdge for filename ciscosd-wan.cfg.
system-ip 10.255.255.121
site-id 21
organization-name ""CLUS 2019 BRKRST - 2559""
console-baud-rate 9600
vbond 10.0.0.23 port 12346
! • The config file with basic
!
!
interface configuration, Root
interface GigabitEthernet0/0/0
no shutdown
CA, Organization Name, vBond
ip address 192.168.10.10 255.255.255.0
exit
information, is fed into the PnP
! process.
ip route 0.0.0.0 0.0.0.0 192.168.10.1
• Supported only on SD-WAN

IOS-XE (since 16.10).
Zero Touch Provisioning – vEdge HW Appliance
Public or On-Prem Controllers
ZTP vBond
• Public ZTP vBond can redirect
to cloud hosted or On-Prem
controllers.
1 2
3 4 5
• New devices are linked to

organization using the Smart
Account when placing order.
Full Registration
and Configuration • Additional devices can be
vEdge Router
associated with the customer
using the PnP Connect portal
Option1: Option2: on https://software.cisco.com.
 DHCP on WAN interface  Discover local addressing via ARP
 DNS to resolve ztp.viptela.com  Google DNS: resolve ztp.viptela.com
Configuring On-Prem ZTP vBond Server
Dedicated vBond server can act as a ZTP server. Required steps:
1. Activate the ZTP role.
2. Obtain a signed certificate by a trusted CA (Symantec / Digicert).
3. Define and upload the whitelist file.

4. Configure a local DNS server to resolve ztp.viptela.com with ZTP
vBond IP.
5. Define device templates.
Obtaining Signed Certificate by Trusted CA
• Generate and submit CSR to Symantec Certificate Enrollment portal
Obtaining Signed Certificate by Trusted CA (Cont.)
Uploading The ZTP Whitelist Chassis File
Define and verify chassis file
Apply chassis file
Validate ZTP entries
On-Prem Design
Specifics
Transport Colors
• TLOC Color used as static identifier for:
• TLOC Interface on WAN Edge device
• Underlay network attachment
• The specific color used is categorized as Private or Public

• Private Colors [mpls, private1-6, metro-ethernet]
• All other colors are public [default, red, blue,…, public-internet,…]
• Private vs Public color is highly significant

• Color setting applies to:
• WAN Edge to WAN Edge Communication
• WAN Edge to Controller Communication
Transport Colors and Control Connections
Local Color: Public Local Color: Private Local Color: Private
Controller Color: Public Controller Color: Public Remote Color: Private
Use: Public IP Use: Public IP Use: Private IP
INET MPLS MPLS

NAT NAT NAT NAT
Public IP Public Color

Private IP Private Color
On-Prem Controllers Hybrid Deployment
Controllers Communication
1 1 2 vSmart and vManage

point to the vBond public IP.
2 4
DMZ
Firewall 3 vBond learns interface IP
addresses of vSmart and
vManage.
3
4 vSmart and vManage use
vBond vSmart vManage public IP addresses for
communication.
Public IP address (post-NAT)
Public Color
2 WAN Edge
1 vBond/vSmart/vManage public IP
Data Center
Core Switch
1 addresses are advertised into MPLS.
MPLS
3 INET
2 WAN Edge points to the vBond public

IP address.
• vBond public IP address is reachable
DMZ
Firewall through MPLS and Internet transports.
3 WAN Edge communicates with vSmart

and vManage using public IP address.
vBond vSmart vManage
Public IP Public Color
Private IP Private Color
Controllers Communication 1 2 vSmart and vManage point
DMZ 1 DMZ 2 to the vBond NATed public IP.
1
2 3 vBond learns interface private
Firewall 1:1 1:1 1:1
NAT NAT NAT and NATed IP address of vSmart
4 and vManage.
4 vSmart and vManage use

3 private IPs for communication
• vSmart and vManage use private
vBond vSmart vManage color (non-default).
Public IP (post-NAT) Private Color
Private IP (pre-NAT)
1 WAN Edge 1 WAN Edge points to the vBond FQDN
MPLS that resolves both public and private IP.
2 Private IP Public IP
Data Center
Core Switch INET MPLS  
Internet  
1:1 1:1 1:1 2 WAN Edge communicates with
NAT NAT NAT
DMZ
Firewall
vSmart and vManage NATed public IP
over Internet and interface private IP over
MPLS
• Private color to private color uses private IP,
public color to public color uses public IP.
Public IP (post-NAT) Public Color Private Color
Private IP (pre-NAT)
Firewall Rules for On-Prem Controllers
UDP/12346-13046 UDP/12346 UDP/12346 UDP/12346-13046

UDP/12346 UDP/12346 TCP/ 23456 TCP/ Ephemeral
UDP/12346 UDP/12346-13046 UDP/12346-13046

TCP/23456-24156 TCP/23456-24156
Firewall DMZ
WAN Edge
Additional Lab
Tools
Useful Link and Traffic Manipulators
• WANem – WAN Emulator
• Transparent bridge with easy to use GUI.
• Can introduce delay, loss, corruption, reordering, limited bandwidth.
• Ideal tool for virtual environment, when testing Application Aware Routing policies.
• wanem.sourceforge.net, releases with GNU GPL license.
• TRex – Realistic Traffic Generator

• Generates realistic traffic with stateful flow support.
• trex-tgn.cisco.com, developed by Cisco, released under Apache 2.0 license.
• See DEVNET-1120 from CLUS 2018.
Next Steps
• Documentation: • SD-WAN Guides (CVDs)
https://sdwan-docs.cisco.com Design Guide, Deployment Guide
Cisco Documentation vManage Cluster White paper
• Webex Teams room
Questions
BRKRST-2559 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
Continue your education
Demos in the
Walk-in labs
Cisco campus
Meet the engineer

Related sessions
1:1 meetings
Thank you
#CLUS
#CLUS

Cisco SD-WAN POC Process BRKRST-2559

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Cisco SD-WAN POC Process BRKRST-2559

Încărcat de

Drepturi de autor:

Formate disponibile

3 Steps to Deploy Cisco

Webex Teams will be moderated cs.co/ciscolivebot#BRKRST-2559

• Deploying controllers On-Prem

• Design specifics for On-Prem deployment

• Useful lab tools

MPLS 4G Data Plane

Cloud Data Center CoLo Campus Branch

Deploy Deploy Deploy

vManage vManage vManage

vSmart vBond vSmart vBond vSmart vBond

1. Obtain documentation, software and verify system requirements.

3. Perform installation and initial configuration:

4. If using Enterprise CA server, install the enterprise root CA chain.

• Organization-Name – SD-WAN overlay identifier

• Site-ID – Identifies logical location of individual node

• Enterprise certificates can be used for

• Cisco PKI can be used for on-prem controllers deployment.

• SSD required for normal vManage performance.

vNIC Interface Default VPN DHCP State

• By default, vManage OVA is configured

• Primary disk for OS consumes 19 GB.

Singe Interface present by default.

Do not power on VM before adding additional disk for a DB installation.

Additional Hard Disk will host vManage database.

SCSI interface is not supported, make

Add additional interface for convenient OOB management.

• Default credentials: admin / admin

• Organizational-Name is case sensitive, always use quotes.

Configure Organizational Name and vBond

Paste CA certificate in PEM format.

vManage automatically distributes root

vManage reaches out via VPN0 to the PnP portal to

You need to populate Smart Account Credentials

• Only SSD-based volumes are officially supported.

• Keyword local in the vbond command defines the vBond role.

vNIC Interface Default VPN DHCP State

• Only SSD-based volumes are officially supported

vNIC Interface Default VPN DHCP State

• By default, vSmart OVA is configured

3. Sign CSRs and upload certificates.

4. Configure tunnel interfaces and establish control connections.

5. Install license file.

• vSmart controllers are added using the same procedure.

• On vBond, also specify

• For environments where vManage cannot connect to the PnP servers

• Convenient CA setups for lab testing and PoCs:

• Specify paths for new certs, db, serial

• Describe the path to private key and

• Specify validity (in days).

• index.txt acts as the

• serial file contains the next

2. Deploy OVA Template.

3. Perform initial configuration

4. If using enterprise CA, install local root CA chain.

5. Activate vEdgeCloud by enrolling it into vManage.

• Up to 8 vNICs are supported.

• Generate bootstrap configuration to extract the UUID number and OTP

• New devices are linked to

Full Registration • Additional devices can be

• Supported only on SD-WAN

• New devices are linked to

2. Obtain a signed certificate by a trusted CA (Symantec / Digicert).

3. Define and upload the whitelist file.

• Generate and submit CSR to Symantec Certificate Enrollment portal