Cisco SD-WAN: Basic Configuration Lab
Table of Contents
This post walks you through how to get a Cisco SD-WAN lab operational with a minimal number of steps. Sometimes the most difficult part of learning a new technology is reaching the point of basic operation where you can then really begin to explore how things work and compare it to what you already know. Some background information, tips and caveats are also briefly explored, but the intention is to get you forwarding user traffic with minimum hassle while learning about the fundamental architecture of the Cisco SD-WAN solution.
This post is also available on LinkedIn and Medium.
This is the topology we’ll be using for this lab:
There are a few excellent resources available on how to stand up the controller infrastructure. I highly recommend reading these posts by Alin Iorguta and Brad Searle. My friend Tim McConnaughy also has an incredible series of posts on understanding Cisco’s SD-WAN architecture and its components that you should read and bookmark. For a lab environment, standing up the controller infrastructure is not especially difficult, so I decided to include this lab’s setup as an appendix at the end. Please refer to it if you are starting from zero.
Planning sites and system IDs
Whether you are deploying Cisco SD-WAN in a lab or in production, you should take some time to carefully plan out the values you’ll use for sites and system IDs. Sites are a 32-bit number (4.3 billion possibilities). System IDs are also a 32-bit number, but follow the dotted decimal format and must be within the valid unicast IP address range.
The system IDs are only referenced within the SD-WAN fabric, so they can be any valid unicast IP address, even if it’s a public address that you don’t own. This allows you to potentially get more creative with the numbering scheme. The system ID is similar in concept to a loopback address or a routing protocol router ID, but the chosen address cannot be assigned to any interfaces on the SD-WAN device, and must be unique across the entire fabric.
One common practice if you have spare IP addresses (and what is used in this
lab) is to have a system ID value that is on the same IP subnet that the
SD-WAN device participates in. For example, in this lab topology, the cEdge
S100-CE1
will have an interface IP address of 10.100.10.1
, so I set the
system ID to 10.100.10.2
. Throughout the lab topology, I made the system ID
of all the SD-WAN devices one higher than one of the device IP addresses.
Planning VPNs
Within the Cisco SD-WAN fabric, VPNs are very similar in concept to VRFs in traditional routing and maintain strict separation across the fabric by default. Just like with VRFs, any particular interface (or subinterface) can belong only to a single VPN. Devices attached to an interface in one VPN cannot communicate with devices in another VPN unless policy is put in place to allow it.
By default, devices within a single VPN can reach any other device within the same VPN, and the topology across the SD-WAN fabric is full-mesh (any-to-any). This can be adjusted per-VPN via policy. In other words, within the same SD-WAN fabric, you can have one VPN with a full-mesh topology, another with hub-and-spoke, and another with limited reachability only between selected sites (partial-mesh).
Planning and implementing templates
When you initially set up the SD-WAN environment (as was done in the
appendix), only default templates exist and no custom VPNs are
defined. With no customization, all SD-WAN devices have interfaces in VPN 0
(the transport VPN) and can reach each other in a full-mesh. In order to start
passing user traffic across the SD-WAN fabric, you must define a Service VPN
(any VPN other than 0
or 512
).
VPN and device configurations are done through “feature” templates. Feature templates are then combined into a “device” template and attached to individual devices. Templates are the preferred method of manually configuring all aspects of edge devices as opposed to using the CLI. You can create device-oriented CLI templates containing variables, but this is considered legacy and you should work to familiarize yourself with configuring everything with feature templates instead.
Most templates contain variables of some kind whose values are defined when the templates are attached to devices. This requires some careful planning (and practice!) to implement efficiently. You will have much less work to do in the future if you take the time to plan, standardize, and avoid exceptions wherever possible. More exceptions means more individual templates to manage, which leads to template sprawl.
VPN 0 templates
This lab environment was instantiated with manual ‘skinny’ (or bootstrap) configurations in order to get the SD-WAN devices to communicate with each other. This means VPN 0 was initially configured manually. However, in order to start configuring devices via templates, we need to first create a feature template for VPN 0 so that we do not lose connectivity when we start applying subsequent templates. For this post, I am keeping as many defaults and changing as few settings as possible to build a foundation for more advanced topics in the future. The goal here is to start passing user traffic with minimal configuration.
When creating templates, as you select multiple devices, the list of available
sub-templates is reduced to those that are supported across all the selected
devices. For example, if you click CSR1000v
and vEdge Cloud
individually,
you will see that there are different feature templates each of them support
individually, in addition to the overlapping templates.
In vManage, navigate to Configuration > Templates > Feature > Add Template
.
Then select CSR1000v
and vEdge Cloud
, and click the VPN
template.
Add a name and a description to the template. This is another piece that
requires some careful consideration and planning within a production
environment. Well-named templates are easier to reference, understand, and
manage. This is something you will get better at with experience. For this lab,
we are creating two templates for VPN0
. One template will be attached to
devices with a single uplink, and the other for devices with two uplinks.
I am naming the first template VPN0_1_uplink
.
After naming the template and adding a description, the only other thing we
need to do here is define the static default route for this lab. Click the
New IPv4 Route
button. Set the Prefix
variable to global 0.0.0.0/0
.
Then click the Add Next Hop
link, and set the address to a Device Specific
variable. Variable names must be unique, and I chose default_next_hop
for
this template. The variable value will be defined when you attach the template
to a device. Click the Add
button to complete the next hop setting, then
click the Add
button again to add the default route to the template. Click
the Save
button at the bottom.
Now we get to see part of the usefulness of using templates. From the feature
templates screen, click the three dots on the right side of the
VPN0_1_uplink
template, and then click Copy
. You are presented with a
dialog box to update the template name and description. I’ll bet you guessed
that I used VPN0_2_uplinks
, and you are correct. Click the three dots on the
right side of the row for the new template, then click Edit
.
Now we only need to change what is different for this template, which in this case is just adding a second next-hop for the default route for the devices with dual uplinks. Each VPN template can only have a single definition for any particular route (but of course the template can contain definitions for multiple routes). With the traditional Cisco IOS CLI, you would define two static default routes with different next-hops. With the VPN template, we define the single static default route, but with two different next-hops.
Click the pencil icon under the Action
section of the default route.
Then click 1 Next Hop
.
Since variable names must be unique, change the current name. Remember you will
need to refer to this variable when attaching the template to a device, so make
sure the variable name is meaningful. I am using default_next_hop_1
.
Click Add Next Hop
and define another variable, default_next_hop_2
.
Click Save Changes
twice, then click Update
.
VPN Interface templates
The VPN template defines the VPN itself, but we need interfaces to attach. The VPN Interface templates describe the configuration of the physical or logical interfaces themselves. This is another area where planning and consideration for your environment is important. Most of your templates should cover the widest and most generic (e.g. most-deployed) options available.
There is a tradeoff between the number of templates and the amount of information that must be entered through variables. To help guide that decision, look at what is common and what is different in what you are trying to do. In this topology, all of the links are common in that they are full-duplex gigabit Ethernet with static IP addressing. Differences include interface names, whether or not they will carry 802.1Q-tagged traffic, and whether they will belong to the transport VPN or a service VPN.
When the interface templates are assigned to a device template, they can only be used once per VPN. This means for devices with dual uplinks, you will need two individual interface templates. To reduce the number of templates, determine what is common across the largest number of your sites. For example, if most of your branch sites are set up so that the first WAN interface always connects to an MPLS L3VPN while the second interface always connects to a public Internet service, you could create a template for each transport type, which is what we will do for this lab.
Add a new feature template, and select CSR1000v
and vEdge Cloud
device
types. Then click the VPN Interface Ethernet
template type. I am naming
this one VPN0_private1
. Set the Shutdown
to global no
, and the
Interface Name
to the device-specific variable vpn0_int_private1
. Also
set the IPv4 Address
to the device-specific variable vpn0_ip_private1
.
Set the Tunnel Interface
to global on
, and the Color
to global
private1
. Click the Save
button at the bottom to finalize the template.
From the Feature Template section, copy the previous template and name it
VPN0_public-internet
. Modify all the variables to change from private1
to public-internet
.
Device templates
To get an idea where we are going with this and to start seeing the templates in action, we are going to create and apply device templates for our three SD-WAN edges. Device templates are a collection of feature templates. You can also create device templates based on the CLI, which may be useful for transitioning to SD-WAN from a legacy skill set, but it is considered the less-preferred way of configuring devices in this environment.
Device templates are created per device-type so that only features pertaining to that particular device can be configured. However, you can have multiple templates for the same type of device. We are going to create two device templates, one for the vEdge and one for the cEdges in the lab topology.
With this lab topology, we only need these two device templates for now because both of our cEdge sites have dual uplinks. If one site had a single uplink while the other had dual uplinks, we would need two separate device templates to account for this, even though they are the same kind of device. This is another area where careful planning and standardization is to your advantage when rolling out Cisco SD-WAN.
From Configuration > Templates > Device
, click the Create Template
button, and select From Feature Template
. Choose the vEdge Cloud
for
the device model. I am naming this vEdge_single_uplink
. For now, the only
settings we need to modify are to change the VPN 0
template to
VPN0_1_uplink
and the associated VPN Interface
to VPN0_private1
. Even
though we won’t be using a VPN 512 interface right now, it still needs to be
specified in the template for a vEdge, so select the factory default, a VPN
interface, and add the default template. Then click the Create
button at the
bottom.
Create another device template, and choose CSR1000v
. I named this one
CSR1Kv_dual_uplink
. With this version of vManage code, the cEdge templates
specify AAA
and Cisco-AAA
templates, which cannot be used together.
Change the AAA
template to None
. Set VPN 0
to VPN0_2_uplinks
, and
VPN Interface
to VPN0_private1
. Under Additional VPN 0 Templates
, add
a new VPN Interface and set it to VPN0_public-internet
. Then click the
Create
button at the bottom.
Now we attach the templates to devices. Click the three dots on the right-side
of the vEdge_single_uplink
row, and select Attach Devices
. Choose
DC1-VE1
from the list and click Attach
. At this stage, you have the
option of configuring the variables individually, or exporting and importing
a CSV file. We will configure the devices individually, but you can see how
much quicker it would be to configure your devices using CSV files if you
have more than a handful of edges.
Click the three dots, and select Edit Device Template
. Now you are
presented with the variables you created within the feature templates. You
should be able to immediately see how creating good, meaningful variable
names is very important. The variables and values for DC1-VE1 are:
I made a mistake in provisioning where I named the edge DC-VE1
when it
was onboarded instead of DC1-VE1
. This is where you can set or correct that
value. Even though the hostname, system IP and site ID have already been set,
these values can be changed, which is why you must re-enter them when you
attach the device template for the first time. Also note that when configuring
interfaces, you must use the full interface name as the device sees it (e.g.
ge0/0
for a vEdge or GigabitEthernet0/0
for a cEdge). Click Update
,
and then click Next
.
Now you are presented with a ‘pre-provisioning’ screen. You don’t have to do
anything here, and can just click Configure Devices
to proceed if you wish.
However, you can also click on any device in the list to view what
configuration will be applied, how it compares to the current configuration,
and set a rollback timer in case the new configuration permanently breaks
communications with the controller. The config diff feature, in particular, is
very nice. After you click Configure Devices
, the template is pushed to the
device(s). You can view the progress, and if any errors occur, the
configuration is rolled back and you should be informed as to why the
configuration failed.
Go back to the device templates section and attach the two cEdges to the CSR1Kv template. These are the values I used for this lab:
S100-CE1:
S200-CE1:
Once the values are entered and the configuration is applied, hopefully everything goes well and all of your devices stay online. At this point, we have essentially replicated what was done during the initial edge device onboarding (refer to the appendix), but with templates. We are now ready to start bringing user traffic into the SD-WAN fabric.
Service VPN
As you have seen, it takes a decent amount of prerequisite work before you can
start passing user traffic across the SD-WAN. Luckily, the basic process of
adding a service VPN is very similar to what we’ve already covered. Service
VPNs carry user traffic, and are any VPN with an ID other than 0
or 512
.
As of v19.2, you can have a total of 64 VPNs in a single fabric.
From the template configuration section in vManage, create a new feature
template and select the CSR1000V
and vEdge Cloud
devices. Choose the
VPN
template. For this template, I am naming it VPN10_basic
. Set the VPN
to global value 10
. Under the Advertise OMP
section, set Static
and
Connected
to global on
, and then click the Save
button at the bottom.
Next we need to create VPN interface templates for this service VPN. Once again, you need to consider that for each device, you can use a VPN interface template only once per VPN, so if you have multiple interfaces participating in the same VPN on the same device, you need a different interface template for each of them. For this lab, all of our SD-WAN edges have three LAN-facing subinterfaces, so we need three VPN interface templates.
Create a new feature temple, selecting the CSR1000V
and vEdge Cloud
devices. Choose the VPN Interface Ethernet
template. I named this one
VPN10_int_vlan10
. Set the Shutdown
value to global on
, and the
Interface Name
to device-specific variable vpn10_int_vlan10
. We are
still using static addresses, so set the IPv4 Address
to device-specific
variable vpn10_ip_vlan10
.
The last settings we will change for this template for now are under the
Advanced
section. We need to change the IP MTU
to global 1400
and the
TCP MSS
to global 1360
. This is sort of a ‘catch-all’ value and is just
fine for the lab, but is something else that needs serious consideration in a
production network. With DMVPN tunnels, these settings were very common. The
standard MTU is 1500, and the edge device must perform packet fragmentation if
the MTU is set lower and the devices attached to the subnet are not modified
accordingly.
In practice, for normal user traffic, this might not be a big deal, especially
for smaller branch offices with low volumes of traffic. Another consideration
with the Cisco SD-WAN architecture is if you are going to use 802.1Q-tagged
subinterfaces (which we will in this lab). When using tagged subinterfaces,
you must either set the parent interface to have an MTU that is at least 4
bytes higher (e.g. 1504
), or set all of your subinterfaces to be at least 4
bytes lower. When you set the MTU to 1400
and ensure your attached devices
are also configured accordingly, you account for the overhead of the different
encapsulations (802.1Q, IPsec, etc.).
Copy the template two more times, and change the values for VLANs 20
and
30
, respectively.
When using subinterfaces, the parent interface also needs its own template,
and it must belong to VPN 0
. You will receive an error when you push out
the template if you have subinterfaces without the parent interface belonging
to VPN 0. Though it is in VPN 0, it will not be sourcing any tunnels and will
not have an IP address assigned. This essentially acts as a placeholder.
You can copy one of the previous templates and change the name to
VPN0_int_parent1
. Change the Interface Name
to vpn0_int_parent1
and
set the IPv4 Address
to default. Also set the IP MTU
and TCP MSS
values
to default
.
Now we can attach the templates to the devices. From the device templates
configuration section, edit the vEdge template
. Under VPN 0, add a new VPN
Interface and reference the VPN0_int_parent1
template. Then click the plus
sign next to Service VPN
, and select VPN10_basic
in the dropdown. Click
VPN Interface
three times, and select the three VLAN interface templates.
Now click the Update
button to save the device template changes.
You’ll then see the list of devices that require values to be filled for the
variables. Click the three dots on the right-side of the device and select
Edit Device Template
. The values for this lab are as follows:
Perform the same set of steps for the cEdge device template
. Add the VPN 0
parent interface, the VPN 10 service VPN, and the three subinterfaces.
S100-CE1:
S200-CE1:
Success! Forwarding user traffic
At this point, you should be able to ping any of the .1
or .254
addresses
from both the edge routers and attached switches inside VPN 10.
You can see it takes a little more time than you might expect to reach that
IP for the first time. There are many factors that go into this, not the least
of which is the fact that this entire lab is running inside a single EVE-NG
virtual machine. The traceroute shows S200-CE1
as the first hop, then the
underlying transport is completely invisible until it reaches DC1-VE1
(just like an MPLS L3VPN with TTL propagation disabled). In fact, this goes
even deeper than a traditional SP-owned L3VPN because the edge resides behind
a couple of hops within the data center behind the SP-connected edge firewall.
From a cEdge, you can view the VPN routing table as you would like a traditional VRF:
You can get even more details from the command line with various
show sdwan omp
commands. But, of course, that’s old-school. You can get to
the same information (and a lot more) through vManage by going to
Monitor > Network > Device > Real Time
and select your desired information,
such as OMP Received Routes
.
Final thoughts
Like many Cisco products, there is a huge amount of functionality within Cisco’s SD-WAN. Before you can explore that functionality, you have to get over the hurdle of creating a baseline configuration. It was my hope that this post was able to bring you to that point where you now have a working environment and enough initial introduction to the platform to comfortably explore further in your lab. I recommend looking through the official configuration guides, as well as bookmarking the Cisco SD-WAN Community Resources page.
What was covered in this long post is not even the tip of the iceberg. There are so many functional components to the architecture and you really must invest a lot of time to become an expert with this solution. However, there is something in Cisco SD-WAN for everyone from entry-level support to seasoned experts and architects.
As with most all-encompassing technologies, Cisco SD-WAN requires extensive and careful planning and tweaking for a successful deployment. Very large-scale environments have several design and operational implications. For example, I demonstrate adding three interfaces to a VPN. What if you needed to add hundreds of them? Instead of clicking through the web interface, you would be better served by automating this process by utilizing the vManage API (thanks Tim!). Do you need to connect thousands of sites together? How is that going to impact the tunnel capacity of your edge devices? How will you ensure your support staff is able to transition from your legacy environment to operating SD-WAN? These are all questions that your team needs to carefully evaluate before rolling out this technology.
Appendix: Initial Lab Setup
Please refer to the topology image at the top of this post.
If you’re completely new to Cisco SD-WAN or would like to follow along with this post in your own lab, this appendix goes over standing up the controllers and performing initial device onboarding. I decided to put this at the end so that those who are more familiar with the architecture could dive in faster and skip this initial setup, if desired. I thought about breaking this up into a separate post, but I personally like things consolidated whenever possible, and a small Twitter poll agreed with me (very scientific, I know).
In order to run your own self-hosted lab, your Cisco CCO account must have the privileges to generate or access a PnP vBond controller profile, assign devices to your account for licensing, and download the provisioning file (aka serial number file), in addition to being able to download the appropriate software images. If you do not have the appropriate relationship with Cisco (customer, partner, internal employee, etc.) then you won’t have access to these required components to host your own lab. However, you can still learn this Cisco SD-WAN solution and apply the concepts of this article by reserving a DevNet Sandbox. Note: please do not contact me about getting these required resources for your own lab, I am unable to help with that.
Alin Iorguta has a great post on his site poc::v:lab on how to create licenses for your devices, set up the PnP vBond controller profile, and obtain the provisioning file necessary to complete this lab.
The official documentation says that the vBond IP address must be publicly reachable. For the purpose of setting up your own self-hosted lab, this does not have to be true. You just need the IP address of the controller specified in the PnP vBond profile to match what you will set up in the lab environment. In a self-hosted production deployment, the vBond is typically placed on a DMZ and NAT may be used to reach it. For this lab topology, I used static routing at the SP1 and SP2 devices to eliminate NAT in order to keep things simple for now.
Set up the CA
I am using EVE-NG Pro to host the lab environment. The Pro version features
built-in Docker containers, which I will be using to set up the root
Certificate Authority machine. The Cisco SD-WAN trust model is based on X.509
certificates. No device in the SD-WAN fabric can participate without having
valid certificates installed. While I am using a container for this purpose,
if you don’t have the Pro version of EVE-NG, you can use any virtual machine
with OpenSSL installed. You can even use the vManage VM (via the vshell
command) to generate the root certificate, but using a separate device makes
it easier to distribute the certificates later. Using a VM with a GUI (web
browser) also enables you to keep the lab 100% self-contained within the
hypervisor.
Since I am using the eve-gui-server
container, I set the startup
configuration to match my lab topology:
ip addr add 10.0.0.10/24 dev eth0 || true
ip route add default via 10.0.0.1 || true
grep -qxF 'PermitRootLogin yes' /etc/ssh/sshd_config || echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
/etc/init.d/ssh restart
The first two lines set the IP address and default gateway, while the last two lines enable logging into the container via SSH with the root account (which is root / eve by default in EVE-NG). The last lines check the SSH config file to see if root login is enabled, add the appropriate line if it’s not present, and restart the SSH server.
Next, generate the root key and certificate from a command prompt on the CA:
openssl genrsa -out SDWAN.key 2048
openssl req -new -x509 -days 2000 -key SDWAN.key -out SDWAN.pem -sha256 \
-subj "/C=$A/ST=$B/L=$C/O=$D/CN=$E"
The -subj
switch is entirely optional and the $
variables must be
replaced with actual values. $D
must match what you specified for the
Organization Name
when you created the PnP vBond controller profile. $E
can match $D
, but it doesn’t have to. If you don’t add the -subj
switch
and include values, you will be asked to enter the values individually, and
the Organization Name
must match. The -sha256
switch is also optional.
The OpenSSL documentation goes into more detail if you want to learn
more about the different possible combinations.
The SDWAN.pem
file is what will be distributed to and installed on all of
the devices that participate in the SD-WAN fabric, including the controllers
and edge devices (vEdge Cloud and CSR1000v for this lab).
Set up the vBond
Open a console to the vBond VM. The default login for all images in this lab is admin / admin, and starting with 19.2 / 16.12, you must create a new admin password upon first login. Enter an initial ‘skinny’ configuration to assign basic information, and then download and install the root certificate:
conf t
system
host-name vBond
system-ip 10.10.0.4
site-id 10000
organization-name YOUR-LAB
vbond 10.10.0.3 local vbond-only
!
vpn 0
interface ge0/0
ip address 10.10.0.3/24
no tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.10.0.1
!
commit and-quit
vshell
scp root@10.0.0.10:SDWAN.pem .
exit
request root-cert-chain install /home/admin/SDWAN.pem
The organization-name
setting must match what you used in the PnP vBond
profile and be the same across all SD-WAN devices in the fabric. All devices
in the fabric must also know how to reach a vBond. The vBond image is the
same as the vEdge Cloud, so the local vbond-only
configuration is how the
VM knows to function as a vBond for the fabric.
In Cisco SD-WAN terms, a VPN is very similar in concept to a VRF, and VPN0
is the transport
VPN used on all SD-WAN devices. The configured static route
applies only to VPN0. VPN0 is also what the IPsec and/or GRE tunnels will be
built over. With the ‘skinny’ configuration, we are temporarily disabling the
VPN0 tunnel interface until we configure the vSmart and vManage so that we
don’t run into a ‘chicken-and-the-egg’ problem with trusting certificates.
The vshell
command brings you into a bash shell where you can use SCP to
copy the root certificate from the CA machine. After the file is copied, exit
bash, and install the certificate. You can verify the root cert installation
with the show certificate root-ca-cert
command.
Set up the vSmart
The initial configuration for the vSmart is very similar to the vBond:
conf t
system
host-name vSmart
system-ip 10.0.0.201
site-id 10000
organization-name YOUR-LAB
vbond 10.10.0.3
!
vpn 0
interface eth0
ip address 10.0.0.200/24
no tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.1
!
commit and-quit
vshell
scp root@10.0.0.10:SDWAN.pem .
exit
request root-cert-chain install /home/admin/SDWAN.pem
Set up the vManage
When you first log into the console of the vManage VM, after setting the initial admin password, you are prompted with where you wish to store the data that vManage generates. After selecting the partition, you are asked to format it. When the initialization is complete, the vManage VM reboots. After the system is ready again, you can proceed with the skinny configuration.
conf t
system
host-name vManage
system-ip 10.0.0.101
site-id 10000
organization-name YOUR-LAB
vbond 10.10.0.3
!
vpn 0
interface eth0
ip address 10.0.0.100/24
no shutdown
ip route 0.0.0.0/0 10.0.0.1
!
commit and-quit
vshell
scp root@10.0.0.10:SDWAN.pem .
exit
request root-cert-chain install /home/admin/SDWAN.pem
Now use a web browser (from the CA in this lab topology and all further
examples) to log into the vManage web console at https://10.0.0.100:8443
.
If the VM has recently rebooted, it may take a few minutes before the web
interface is fully available. You’ll be prompted with a warning about using a
self-signed certificate, which you can ignore since this is just a lab
environment. Login as ‘admin’ with the password you set.
Navigate to Administration > Settings
and edit the Organization Name
to
match what you’ve been entering everywhere else. Then edit the vBond
setting and enter the vBond address. Finally, since this is a self-contained
lab using self-signed certificates, set the Controller Certificate Authorization
setting to Manual
. If you had your own PKI with a CA
hierarchy, you could use the Enterprise Root Certificate
setting.
Now, from the web browser, go to
https://10.0.0.100/dataservice/system/device/sync/rootcertchain
to
request a resync of the vManage database via API call. You may be asked for
the admin password again.
Prepare the controller certificates
Within vManage, navigate to Configuration > Devices > Controllers > Add Controller > vBond
. Enter the vBond IP address you’ve been configuring
everywhere else (10.10.0.3
in this topology), along with the admin username
and password. Uncheck Generate CSR
. Follow the same steps for adding the
vSmart controller (10.0.0.200
in this lab), leaving the Protocol
setting
at the default DTLS
and not generating a Certificate Signing Request yet.
Now navigate to Configuration > Certificates > Controllers
. For each
controller, click the three dots in the right column and select Generate CSR
.
The reason we do it here instead of the previous step is it allows you to save
the CSR as a file. As I download each file, I rename them to vManage.csr
,
vBond.csr
and vSmart.csr
respectively, and move them into the same folder
on the CA machine as the root key and certificate. After you have all three
CSR files, create and sign the device certificates:
openssl x509 -req -in vManage.csr -CA SDWAN.pem -CAkey SDWAN.key \
-CAcreateserial -out vManage.pem -days 2000 -sha256
openssl x509 -req -in vBond.csr -CA SDWAN.pem -CAkey SDWAN.key \
-CAcreateserial -out vBond.pem -days 2000 -sha256
openssl x509 -req -in vSmart.csr -CA SDWAN.pem -CAkey SDWAN.key \
-CAcreateserial -out vSmart.pem -days 2000 -sha256
After the certificates are generated and signed, go to Configuration > Certificates > Controllers
and click the Install Certificate
button in the
upper-right corner. Install the vManage.pem
, vBond.pem
and vSmart.pem
files. After successful installation, back on the controller certificate
configuration page, you’ll see certificate serial number listed for each
controller.
Connect the controllers
At this point, when you go to the vManage dashboard, you’ll see that vManage knows about itself, and nothing else.
The next step is to enable the VPN0
tunnel interfaces on the three SD-WAN
controllers. Log into the console on both vManage and vSmart and enter these
commands:
conf t
vpn 0
interface eth0
tunnel-interface
commit and-quit
Enter these commands on vBond:
conf t
vpn 0
interface ge0/0
tunnel-interface
encapsulation ipsec
commit and-quit
Shortly after, the dashboard updates to reflect the new connectivity:
This can be further verified from Monitor > Network
, where all three
controllers are shown as reachable:
Upload the WAN Edge List
The final step in preparing the initial controller infrastructure is to upload
the provisioning file you obtained from Cisco earlier. Note once again that
I am unable to assist you in obtaining this. Go to Configuration > Devices
and click Upload WAN Edge List
. Select your provisioning file. There is an
option Validate the uploaded vEdge List and send to controllers
. In a lab
setting, it is safe to check this box. If you don’t check the box, your
authorized SD-WAN edge devices are uploaded to vManage, but they are in the
invalid
state until you change them to staging
or valid
.
Keeping a device in the invalid
state until you are ready to bring it into
the SD-WAN fabric increases security in a production environment. The
controllers essentially ignore any devices in the invalid
state. The
staging
state allows you to bring the edge device into the fabric, but not
participate in routing. In other words, it will establish control connections
but not transit any user traffic. This is useful in production when you want
to bring a device online, but you’re not yet ready to use it, which might
happen in either a greenfield environment, or when the cutover from the old
WAN environment to the new one will occur remotely.
After uploading the WAN Edge List, you’ll see your devices in `Configuration
Devices`. For each device, you’ll see the chassis number and token value which we’ll use in the next steps. Physical devices have a serial number that does not change, but virtual devices have a token (aka OTP one-time password) that changes each time the WAN Edge List is imported. For example, if you delete a device from the list, then re-upload the provisioning file, that single device will be re-added to the list with the same chassis number, but a different token value.
If you did not check the Validate
box when you uploaded the serial file,
you will need to go to Configuration > Certificates > WAN Edge List
and
click either Staging
or Valid
for the edge device under the Validate
column.
Now we are ready to bring our edges onboard!
Edge onboarding
For this lab, I am using a vEdge Cloud v19.2.099
to represent a datacenter
headend router, and cEdge CSR1000v routers running IOS-XE 16.12.1e-SDWAN
code. The IOS-XE SDWAN image removes access to many of the features present
in the regular IOS-XE image. The commands may appear in the CLI, but you
can’t actually use them. Likewise, you’ll see right away that your usual
conf t
no longer works (which I think is kind of funny because it works
on the vEdge).
Now when entering configuration mode on a cEdge, you use config-transaction
or config-t
. This starts a new candidate configuration (hey, IOS finally
joins the 21st century!). For both vEdge and cEdge, we need to use a skinny
configuration to bring the device online just far enough to be able to
download the root certificate first.
A couple of notes on the cEdge routers. First, starting with IOS-XE 16.12, after you log into the console the first time, you must configure a user with a level 15 privilege otherwise you will lock yourself out of the router. For a physical IOS-XE device, this means doing the complete time-consuming password recovery procedure if you get locked out.
Second, it is important to get the root certificate installed before bringing up the tunnel interfaces. If the cEdge connects to the vManage without the proper root certificate, it gets stuck with a failed Certificate Signing Request and you will have to start over which includes wiping the lab router, and deleting and re-adding the edge from vManage. It’s best to just get it right the first time.
For the vEdge Cloud image that this lab uses, there is an issue with QEMU and
the virtio
vNIC where 802.1Q-tagged traffic does not get transmitted or
received. If you are using QEMU with a vEdge (such as with EVE-NG), set the
vNIC to E1000
to work around this issue.
cEdge
To bring the Site 100
cEdge device into the fabric, log into the console and
add the initial skinny configuration (also known as a bootstrap configuration,
though this specific term has a different meaning within the context of Cisco
SD-WAN, which is why I call it ‘skinny’).
config-transaction
!
hostname S100-CE1
username admin priv 15 secret admin
no ip domain lookup
!
system
system-ip 10.100.10.2
site-id 100
organization-name YOUR-LAB
vbond 10.10.0.3
exit
!
ip route 0.0.0.0 0.0.0.0 198.51.100.5
ip route 0.0.0.0 0.0.0.0 203.0.113.5
interface GigabitEthernet1
no shutdown
ip address 198.51.100.6 255.255.255.252
interface GigabitEthernet2
no shutdown
ip address 203.0.113.6 255.255.255.252
!
commit
end
Although the system
stanza is new, the remaining configuration items are
standard Cisco IOS. With this minimal configuration in place, you should now
be able to reach the CA machine to download and install the root certificate:
copy scp://root@10.0.0.10:/SDWAN.pem bootflash:
request platform software sdwan root-cert-chain install bootflash:SDWAN.pem
You can verify the certificate installation with the show sdwan cert root
command. You will see that many of the verification commands that you can
issue on a vEdge can be done on a cEdge by adding sdwan
to the front.
After the root certificate is installed, you can configure the tunnel interfaces:
config-transaction
!
interface Tunnel1
no shutdown
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel mode sdwan
exit
interface Tunnel2
no shutdown
ip unnumbered GigabitEthernet2
tunnel source GigabitEthernet2
tunnel mode sdwan
exit
sdwan
interface GigabitEthernet1
tunnel-interface
encapsulation ipsec
color private1
exit
interface GigabitEthernet2
tunnel-interface
encapsulation ipsec
color public-internet
exit
exit
!
commit
end
Now we need to activate the cEdge. From vManage, go to Configuration > Devices
and choose a CSR1000v
from your list. Click the three dots on the
right-side of the row, and select Generate Bootstrap Configuration
. Choose
the Cloud-Init
option. We will use the uuid
and otp
values in the next
cEdge CLI command:
request platform software sdwan vedge_cloud activate chassis-number UUID token OTP
Upon success, you’ll shortly see a message on the cEdge console about the
vmanage-admin
successfully authenticating. You’ll see a few more console
messages, and after approximately two minutes, you should see messages about
OMPD
connecting to vSmart. After the cEdge is fully connected, you’ll see it
in the vManage dashboard:
You can further verify from vManage by going to Monitor > Network
:
You can also verify from the cEdge with show sdwan control connections
:
Connections from the cEdge to the vSmart and vBond are established over both transport links (SP1 and SP2).
Follow the same process for the second cEdge.
config-transaction
!
hostname S200-CE1
username admin priv 15 secret admin
no ip domain lookup
!
system
system-ip 10.200.10.2
site-id 200
organization-name YOUR-LAB
vbond 10.10.0.3
exit
!
ip route 0.0.0.0 0.0.0.0 198.51.100.9
ip route 0.0.0.0 0.0.0.0 203.0.113.9
interface GigabitEthernet1
no shutdown
ip address 198.51.100.10 255.255.255.252
interface GigabitEthernet2
no shutdown
ip address 203.0.113.10 255.255.255.252
!
commit
end
copy scp://root@10.0.0.10:/SDWAN.pem bootflash:
request platform software sdwan root-cert-chain install bootflash:SDWAN.pem
config-transaction
!
interface Tunnel1
no shutdown
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel mode sdwan
exit
interface Tunnel2
no shutdown
ip unnumbered GigabitEthernet2
tunnel source GigabitEthernet2
tunnel mode sdwan
exit
sdwan
interface GigabitEthernet1
tunnel-interface
encapsulation ipsec
color private1
exit
interface GigabitEthernet2
tunnel-interface
encapsulation ipsec
color public-internet
exit
exit
!
commit
end
request platform software sdwan vedge_cloud activate chassis-number UUID token OTP
Give it a couple of minutes, and you should see it online:
vEdge
Finally, we’ll onboard the datacenter vEdge for this simple topology. The process is very similar.
conf t
system
host-name DC1-VE1
system-ip 10.1.10.2
site-id 10000
organization-name YOUR-LAB
vbond 10.10.0.3
!
vpn 0
interface ge0/0
ip address 10.1.1.2/30
no tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.1.1.1
!
commit and-quit
vshell
scp root@10.0.0.10:SDWAN.pem .
exit
request root-cert-chain install /home/admin/SDWAN.pem
conf t
vpn 0
interface ge0/0
tunnel-interface
encapsulation ipsec
commit and-quit
request activate vedge_cloud chassis-number UUID token OTP
Monitor > Network
:
At this point, the controllers and edges are all communicating with each other and you are essentially at a clean slate. Now jump to the beginning of this post and configure some templates!
Miscellaneous information
Software versions:
- Viptela: v19.2.099
- IOS-XE: v16.12.1e-SDWAN
SD-WAN System IPs:
- vManage: 10.0.0.101
- vBond: 10.10.0.4
- vSmart: 10.0.0.201
- DC1-VE1: 10.1.10.2
- S100-CE1: 10.100.10.2
- S200-CE1: 10.200.10.2
Interface IPs:
- DC1-FW1:
- g0/0 > 10.1.0.1 /30
- g0/1 > 10.10.0.1 /24
- g0/2 > 198.51.100.2 /30
- g0/3 > 203.0.113.2 /30
- DC1-SW1:
- VLAN 1 > 10.0.0.1 /24
- VLAN 2 > 10.1.0.1 /30
- VLAN 10 > 10.1.1.1 /30
- DC1-SW2:
- VLAN 10 > 10.1.10.254 /24
- VLAN 20 > 10.1.20.254 /24
- VLAN 30 > 10.1.30.254 /24
- DC1-VE1:
- ge0/0 > 10.1.1.2 /30
- ge0/1.10 > 10.1.10.1 /24
- ge0/1.20 > 10.1.20.1 /24
- ge0/1.30 > 10.1.30.1 /24
- S100-CE1:
- g1 > 198.51.100.6 /30
- g2 > 203.0.113.6 /30
- g3.10 > 10.100.10.1 /24
- g3.20 > 10.100.20.1 /24
- g3.30 > 10.100.30.1 /24
- S100-SW1:
- VLAN 10 > 10.100.10.254 /24
- VLAN 20 > 10.100.20.254 /24
- VLAN 30 > 10.100.30.254 /24
- S200-CE1:
- g1 > 198.51.100.10 /30
- g2 > 203.0.113.10 /30
- g3.10 > 10.200.10.1 /24
- g3.20 > 10.200.20.1 /24
- g3.30 > 10.200.30.1 /24
- S200-SW1:
- VLAN 10 > 10.200.10.254 /24
- VLAN 20 > 10.200.20.254 /24
- VLAN 30 > 10.200.30.254 /24
- SP1:
- g0/0 > 198.51.100.1 /30
- g0/1 > 198.51.100.5 /30
- g0/2 > 198.51.100.9 /30
- g0/3 > 192.0.2.1 /30
- SP2:
- g0/0 > 203.0.113.1 /30
- g0/1 > 203.0.113.5 /30
- g0/2 > 203.0.113.9 /30
- g0/3 > 192.0.2.2 /30
Routing:
- SP1:
- 10 /8 > 198.51.100.2
- 203.0.113.0 /24 > 192.0.2.2
- SP2:
- 10 /8 > 203.0.113.2
- 198.51.100.0 /24 > 192.0.2.1
- DC1-FW1:
- 10 /8 > 10.1.0.1
- 0 /0 > 198.51.100.1
- 0 /0 > 203.0.113.1
- DC1-SW1:
- 0 /0 > 10.1.0.2
- S100-CE1:
- VPN0: 0 /0 > 198.51.100.5
- VPN0: 0 /0 > 203.0.113.5
- S200-CE1:
- VPN0: 0 /0 > 198.51.100.9
- VPN0: 0 /0 > 203.0.113.9
Thank you for reading!