
© 2019 NIL, Security Tag: PUBLIC


Aleš Travnikar, Systems Engineer / Instructor

Cisco SD-WAN: From Words to Action


Agenda

• What do you need?

• Step 1 – Deploying Controllers

• Step 2 – Bringing Up Secure Control Plane

• Step 3 – Bringing Up Secure Data Plane

• Additional Tools

What do you need?


Architecture

Figure: SD-WAN architecture. WAN Edge routers at the Data Center, CoLo, Campus, Branch and Cloud sites connect over the transports (4G, MPLS, INET); vManage, vSmart and vBond sit above the fabric.

vManage – Management Plane

• Single pane of glass

• Centralized provisioning

• Policies and Templates

vSmart Controllers – Control Plane

• Facilitates fabric discovery

• Disseminates control plane information

• Implements and distributes policies

vBond – Orchestrator

• Orchestrates control and management plane

• First point of authentication

• Facilitates NAT traversal

WAN Edge – Data Plane

• Physical or Virtual

• Zero Touch Provisioning

Step 1 – Deploying Controllers

Figure: three deployment options for the controllers (vManage, vSmart and vBond):

• Enterprise IT deploys the controllers in a Private Cloud.

• MSP Ops Team deploys the controllers in the MSP Cloud.

• Cisco Cloud Ops deploys the controllers in the Cisco Cloud.

On-Premises Deployment

Figure: vManage, vSmart and vBond deployed on ESXi or KVM in the Private Cloud.

On-Premises Deployment - ESXi

Installation Overview

1. Obtain documentation, software and verify system requirements.

2. Import OVA.

3. Perform installation and initial configuration:

   • Connectivity (IP, GW, DNS)

   • System-IP

   • Site-ID

   • Organization-Name

   • vBond address

   • NTP

4. If using Enterprise CA server, install the enterprise root CA chain.

Initial Configuration Settings

• System-IP – Unique identifier of a SD-WAN component

   • 32-Bit dot decimal notation (an IPv4 Address)

   • Logically a VPN 0 Loopback Interface, referred to as “system”

• Site-ID – Identifies logical location of individual node

   • Configured on every WAN Edge

   • When not unique, same location is assumed

• Organization-Name – SD-WAN overlay identifier

   • Must match on all components

   • Example: "Cisco Connect – 2019"

Certificate Authority Options

Figure: two certificate hierarchies for vManage, vBond and vSmart: the default one, where the DigiCert root signs each controller certificate, and the Enterprise one, where the enterprise root CA signs them.

• DigiCert certificates are the default option.

• Enterprise certificates can be used for On-Prem. deployment.

• Need to install root CA chain.

Deploying vManage on VMware ESXi


Verifying vManage System Requirements

• SSD required for normal vManage performance.

• Private lab setup for learning purposes will work with less resources.

• *vManage Cluster requires dedicated interface for message bus.

Devices       vCPUs  RAM    OS Volume  Database Volume    Bandwidth  vNICs
1-250         16     32 GB  16 GB      500 GB, 1500 IOPS  25 Mbps    2
251-1000      32     64 GB  16 GB      1 TB, 3072 IOPS    100 Mbps   2
1001 or more  32     64 GB  16 GB      1 TB, 3072 IOPS    150 Mbps   3*

vManage Interface Properties

• By default, vManage OVA is configured with a single interface (eth0).

• Adding additional interface remaps eth0 to vNIC 2.

Figure: on ESXi, KVM, AWS and MS Azure, vNIC 2 is the Control Interface (VPN 0) and vNIC 1 is the Management Interface (VPN 512).

vNIC  Interface  Default VPN  DHCP enabled  State
2     eth0       0            Yes           Enabled
1     eth1       Not set      No            Disabled

Deploying vManage OVA on VMware ESXi

• Primary disk for OS consumes 19 GB.


Deploying vManage OVA on VMware ESXi (Cont.)

Single interface present by default.

Do not power on VM before adding additional disk for a DB installation.

Adding Additional Resources to the vManage VM

Additional Hard Disk will host vManage database.

Specifying Capacity and Specifying Device Type

For Lab environment, a 100 GB disk size will be sufficient. For PoC/PoV or production environments, follow official requirements.

SCSI interface is not supported; make sure you select the IDE type.

Adding Additional Interface to vManage VM

Add additional interface for convenient OOB management.


Performing vManage Database Installation

• Default credentials: admin / admin


Configuring vManage Interface Settings

OOB management interface

Transport interface


Configuring vManage System Parameters

vmanage(config)# system
vmanage(config-system)# system-ip 10.255.255.21
vmanage(config-system)# site-id 1
vmanage(config-system)# organization-name "Cisco Connect - 2019"
vmanage(config-system)# vbond 10.0.0.22
vmanage(config-system)# ntp server 203.0.113.1
vmanage(config-system)# commit
Commit complete.

• Organization-Name is case sensitive, always use quotes.

• vBond server can be specified as a domain name.

• System-IP must be unique on every component in the SD-WAN fabric.

Finalize vManage Initial System Configuration


Installing Enterprise Root Certificate

Paste CA certificate in PEM format.


Deploying vBond on VMware ESXi


Verifying vBond System Requirements

• Only SSD-based volumes are officially supported.

• vBond is installed using vEdgeCloud OVA.

• OVA is preconfigured with four vCPUs.

Devices   vCPUs  RAM   OS Volume  Bandwidth  vNICs
1-50      2      4 GB  8 GB       1 Mbps     2
51-250    2      4 GB  8 GB       2 Mbps     2
251-1000  2      4 GB  8 GB       5 Mbps     2
1001+     4      8 GB  8 GB       10 Mbps    2

Configuring vBond System Parameters

• Keyword local in the vbond command defines the vBond role.

vedge(config)# system
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 10.255.255.22
vedge(config-system)# site-id 1
vedge(config-system)# organization-name "Cisco Connect - 2019"
vedge(config-system)# vbond 10.0.0.22 local
vedge(config-system)# commit
Commit complete.

vBond Interface Properties

• OVA is preconfigured with four vNICs, only two interfaces are supported.

Figure: on ESXi, KVM, AWS and MS Azure, vNIC 2 is the Control Interface (VPN 0) and vNIC 1 is the Management Interface (VPN 512).

vNIC  Interface  Default VPN  DHCP enabled  State
1     eth0       512          Yes           Enabled
2     ge0/0      0            Yes           Enabled
3     ge0/1      -            No            Disabled
4     ge0/2      -            No            Disabled

Configuring vBond Interface Settings

• The VPN0 interface is preconfigured for WAN.

• The tunnel-interface configuration settings lock down the interface and also prevent incoming NETCONF connections.

• When vBond is integrated with vManage, vManage establishes the NETCONF connection.

• Recommendation: disable the tunnel-interface configuration while performing controller integration.

• Alternative: temporarily allow the netconf service.


Configuring vBond Interface Settings (Cont.)

OOB management interface

Transport interface


Installing Local Root CA Chain

• Transfer the root certificate chain and perform import:


Deploying vSmart on VMware ESXi


Verifying vSmart System Requirements

• Only SSD-based volumes are officially supported.

Devices   vCPUs  RAM    OS Volume  Bandwidth  vNICs
1-50      2      4 GB   16 GB      2 Mbps     2
51-250    4      6 GB   16 GB      5 Mbps     2
251-1000  4      16 GB  16 GB      7 Mbps     2
1001+     8      16 GB  16 GB      10 Mbps    2

vSmart Interface Settings

• By default, vSmart OVA is configured with a single interface.

• Adding an additional interface remaps eth0 to vNIC 2.

Figure: on ESXi, KVM, AWS and MS Azure, vNIC 2 is the Control Interface (VPN 0) and vNIC 1 is the Management Interface (VPN 512).

vNIC  Interface  Default VPN  DHCP enabled  State
2     Eth0       0            Yes           Enabled
1     Eth1       Not set      No            Disabled

Configuring vSmart Interface Settings


OOB management interface

Transport interface


Configuring vSmart System Settings

vsmart(config)# system
vsmart(config-system)# system-ip 10.255.255.23
vsmart(config-system)# site-id 1
vsmart(config-system)# organization-name "Cisco Connect - 2019"
vsmart(config-system)# vbond 10.0.0.22
vsmart(config-system)# ntp server 203.0.113.1
vsmart(config-system)# commit
Commit complete.
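The system-parameter sessions for vManage, vBond and vSmart above have to agree with each other before the controllers can be integrated, and the slides state the rules: System-IP unique on every component, Organization-Name matching exactly (it is case sensitive), the same vBond address everywhere, and the local keyword only on the vBond itself. The Python script below is an added example, not part of these slides and not a Cisco tool: it parses pasted CLI sessions in the form shown on the slides and reports violations of those rules. The three controller sessions are copied from the slides; the Branch1 WAN Edge session, with its lowercase organization name and a system-ip that collides with the vSmart, is constructed to show what the check catches.

```python
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches a controller CLI prompt, e.g. "vmanage(config-system)# site-id 1".
PROMPT = re.compile(r"^(?P<host>[\w.-]+)\(config(?:-system)?\)#\s*(?P<cmd>.*)$")


@dataclass
class SystemConfig:
    host: str
    system_ip: Optional[str] = None
    site_id: Optional[int] = None
    organization_name: Optional[str] = None
    vbond: Optional[str] = None
    vbond_local: bool = False


def parse_session(transcript: str) -> SystemConfig:
    """Pull the 'system' settings out of a pasted CLI session."""
    cfg: Optional[SystemConfig] = None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # output such as "Commit complete." is not a command
        if cfg is None:
            cfg = SystemConfig(host=m.group("host"))
        words = shlex.split(m.group("cmd"))  # a quoted org name stays one word, case intact
        key, args = (words[0], words[1:]) if words else ("", [])
        if key == "host-name" and args:
            cfg.host = args[0]
        elif key == "system-ip" and args:
            cfg.system_ip = args[0]
        elif key == "site-id" and args:
            cfg.site_id = int(args[0])
        elif key == "organization-name" and args:
            cfg.organization_name = args[0]
        elif key == "vbond" and args:
            cfg.vbond, cfg.vbond_local = args[0], "local" in args[1:]
    if cfg is None:
        raise ValueError("no configuration prompt found in transcript")
    return cfg


def check_fabric(configs: List[SystemConfig]) -> List[str]:
    """Return the inconsistencies found; an empty list means the components agree."""
    problems: List[str] = []
    owner: Dict[str, str] = {}  # system-ip -> host that claimed it first
    for c in configs:
        if c.system_ip is None:
            problems.append(f"{c.host}: system-ip not set")
            continue
        try:
            ipaddress.IPv4Address(c.system_ip)
        except ValueError:
            problems.append(f"{c.host}: system-ip {c.system_ip!r} is not an IPv4 address")
            continue
        if c.system_ip in owner:
            problems.append(f"{c.host}: system-ip {c.system_ip} duplicates {owner[c.system_ip]}")
        owner.setdefault(c.system_ip, c.host)
    names = {c.organization_name for c in configs}
    if len(names) > 1:  # must match exactly; the slides stress it is case sensitive
        hint = " (values differ only in letter case)" if len({str(n).casefold() for n in names}) == 1 else ""
        problems.append("organization-name differs across components: "
                        + ", ".join(repr(n) for n in sorted(names, key=str)) + hint)
    vbonds = {c.vbond for c in configs}
    if len(vbonds) > 1:  # IP address or domain name, but the same one everywhere
        problems.append("vbond address differs across components: "
                        + ", ".join(repr(v) for v in sorted(vbonds, key=str)))
    local_hosts = [c.host for c in configs if c.vbond_local]
    if len(local_hosts) != 1:  # 'local' marks the vBond itself and belongs on it only
        problems.append(f"expected exactly one 'vbond ... local', found: {local_hosts or 'none'}")
    return problems


# CLI sessions copied from the slides (vManage, vBond, vSmart) plus one constructed
# WAN Edge session with two deliberate mistakes: a lowercase organization-name and
# a system-ip that collides with the vSmart.
VMANAGE_CLI = """
vmanage(config)# system
vmanage(config-system)# system-ip 10.255.255.21
vmanage(config-system)# site-id 1
vmanage(config-system)# organization-name "Cisco Connect - 2019"
vmanage(config-system)# vbond 10.0.0.22
vmanage(config-system)# commit
Commit complete.
"""
VBOND_CLI = """
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 10.255.255.22
vedge(config-system)# site-id 1
vedge(config-system)# organization-name "Cisco Connect - 2019"
vedge(config-system)# vbond 10.0.0.22 local
"""
VSMART_CLI = """
vsmart(config-system)# system-ip 10.255.255.23
vsmart(config-system)# site-id 1
vsmart(config-system)# organization-name "Cisco Connect - 2019"
vsmart(config-system)# vbond 10.0.0.22
"""
BAD_VEDGE_CLI = """
vedge(config-system)# host-name Branch1
vedge(config-system)# system-ip 10.255.255.23
vedge(config-system)# site-id 10
vedge(config-system)# organization-name "cisco connect - 2019"
vedge(config-system)# vbond 10.0.0.22
"""

CONTROLLERS = [parse_session(t) for t in (VMANAGE_CLI, VBOND_CLI, VSMART_CLI)]

if __name__ == "__main__":
    fabric = CONTROLLERS + [parse_session(BAD_VEDGE_CLI)]
    for problem in check_fabric(fabric) or ["no inconsistencies found"]:
        print(problem)
```

The org-name comparison deliberately does not normalise case: a name that differs only in capitalisation is reported as a mismatch with a hint, because the controllers treat it as a different overlay. The vBond address is compared as a string so that a domain name, which the slides allow, is handled the same way as an IP address.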

Installing Local Root CA Chain

• Transfer the root certificate chain and perform import:

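Installing the enterprise root CA chain on vManage, vBond and vSmart (the three slides above) is a paste of PEM text, and a bad paste, such as a CSR or private-key block mixed into the chain, a line lost while copying, or truncated base64, is only noticed later when the control connections that rely on these certificates fail to come up. The Python check below is an added example, not from the slides and not a Cisco tool: it validates the chain text with the standard library only (PEM labels, base64, DER framing) and returns a SHA-256 fingerprint per certificate for comparison with the value the CA administrator publishes. The sample inputs are hand-built DER SEQUENCEs, not real X.509 certificates; they are labelled constructed in the code and serve only to exercise the checks.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----", re.S)


def der_length(buf: bytes, offset: int) -> Tuple[int, int]:
    """Decode a DER length at offset; return (length, offset of the first content byte)."""
    first = buf[offset]
    if first < 0x80:  # short form
        return first, offset + 1
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or offset + 1 + n > len(buf):
        raise ValueError("invalid DER length encoding")
    return int.from_bytes(buf[offset + 1:offset + 1 + n], "big"), offset + 1 + n


def check_pem_chain(pem: str) -> List[Dict[str, object]]:
    """Validate chain text; raise ValueError on the first defect, else return one record per certificate."""
    blocks = list(PEM_BLOCK.finditer(pem))
    if not blocks:
        raise ValueError("no complete PEM block found (expected BEGIN/END CERTIFICATE markers)")
    records: List[Dict[str, object]] = []
    for m in blocks:
        n = len(records) + 1
        label = m.group("label")
        if label != "CERTIFICATE":  # CSRs and private keys never belong in a CA chain
            raise ValueError(f"block {n} is a {label}, only CERTIFICATE blocks belong in a CA chain")
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except ValueError as e:  # binascii.Error is a subclass of ValueError
            raise ValueError(f"block {n}: body is not valid base64") from e
        if len(der) < 2 or der[0] != 0x30:
            raise ValueError(f"block {n}: DER does not start with a SEQUENCE tag")
        length, start = der_length(der, 1)
        if start + length != len(der):
            raise ValueError(f"block {n}: DER length {length} does not match {len(der) - start} content bytes")
        records.append({"index": n, "der_bytes": len(der), "sha256": hashlib.sha256(der).hexdigest()})
    return records


def chain_problem(pem: str) -> str:
    """Return '' when the chain passes, otherwise the first problem found."""
    try:
        check_pem_chain(pem)
        return ""
    except ValueError as e:
        return str(e)


def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    body = base64.encodebytes(der).decode()  # wrapped at 76 characters, ends with a newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed samples: minimal DER SEQUENCEs built by hand (not real certificates)
# that exercise the framing checks. Replace them with the real chain text.
GOOD_CHAIN = to_pem(bytes.fromhex("3003020101")) + to_pem(bytes.fromhex("30050201010500"))
KEY_PASTED = GOOD_CHAIN + to_pem(bytes.fromhex("3003020101"), "RSA PRIVATE KEY")
BAD_LENGTH = to_pem(bytes.fromhex("3004020101"))  # declares 4 content bytes, carries 3
TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for rec in check_pem_chain(GOOD_CHAIN):
        print(f"certificate {rec['index']}: {rec['der_bytes']} bytes, sha256 {rec['sha256']}")
    for name, sample in (("KEY_PASTED", KEY_PASTED), ("BAD_LENGTH", BAD_LENGTH), ("TRUNCATED", TRUNCATED)):
        print(f"{name}: {chain_problem(sample)}")
```

The check stops at the first defect so the message points at one block; it does not verify issuer/subject chaining or signatures, which the controllers do themselves once the chain is installed. Comparing the printed fingerprints with the values published by the CA team is the cheap way to confirm that the right root was pasted on every controller.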

Step 2 – Bringing Up Secure Control Plane


Integrating Controllers

1. Add vBond and vSmart controllers into the vManage.

2. Generate CSRs.

3. Sign CSRs and upload certificates.

4. Configure tunnel interfaces and establish control connections.

5. Install the license file.


Adding Controllers to vManage

• vSmart is added using the same procedure.

Specify controller's IP address that is reachable from vManage VPN0 interface via NETCONF protocol (TCP 830).

Generating the CSR


Viewing and Transferring the CSR


Installing Signed Certificate


Configuring Interfaces for Control Connections

• Enable the tunnel-interface configuration on the VPN 0 interface on all controllers.

• On vBond, also specify the tunnel-interface encapsulation type.


Verifying Control Connections


Troubleshooting Control Connections

• # show control connections-history


Step 3 – Bringing Up Secure Data Plane


Plug and Play Connect (PnP) Portal

https://software.cisco.com

Smart Account is required.

Figure: PnP Connect portal screenshot showing the Smart Account and Virtual Account fields.

PnP – Adding Controller Profile


PnP - Adding Controller Profile Settings


PnP - Adding WAN Edge Devices


PnP - Providing Device Details


PnP – Downloading vManage License File


Importing WAN Edge List

• If devices are not validated when importing the license file, you need to manually enable each device under Configuration > Licensing.


Deploying vEdge Cloud Routers


Overview of Installation Steps: vEdge Cloud

1. Obtain software and verify system requirements.

2. Deploy OVA Template.

3. Perform initial configuration (connectivity, system-ip, site-id, org-name, vbond address).

4. If using enterprise CA, install local root CA chain.

5. Activate vEdgeCloud by enrolling it into vManage.


Deploying vEdgeCloud on VMware ESXi

vNIC  Interface  Default VPN  DHCP enabled  State
1     eth0       512          Yes           Enabled
2     ge0/0      0            Yes           Enabled
3     ge0/1      -            No            Disabled
4     ge0/2      -            No            Disabled

• Up to 8 vNICs are supported.

Generating Chassis UUID and OTP Token

• Generate bootstrap configuration to extract the UUID number and OTP token for the vEdgeCloud activation.


Activating vEdgeCloud


Activating vEdgeCloud (Cont.)

• Verification


Additional Lab Tools


Useful Link and Traffic Manipulators

• WANem – WAN Emulator

   • Transparent bridge with easy to use GUI.

   • Can introduce delay, loss, corruption, reordering, limited bandwidth.

   • Ideal tool for a virtual environment when testing Application Aware Routing policies.

   • wanem.sourceforge.net, released under the GNU GPL license.

• TRex – Realistic Traffic Generator

   • Generates realistic traffic with stateful flow support.

   • trex-tgn.cisco.com, developed by Cisco, released under the Apache 2.0 license.

Next Steps

• Documentation:

https://sdwan-docs.cisco.com

• SD-WAN Guides (CVDs):

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Design-2018OCT.pdf

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
