© 2019 NIL, Security Tag: PUBLIC
nil.com
Aleš Travnikar, Systems Engineer / Instructor
Cisco SD-WAN: From Words to Action
Agenda
• What do you need?
• Step 1 – Deploying Controllers
• Step 2 – Bringing Up Secure Control Plane
• Step 3 – Bringing Up Secure Data Plane
• Additional Tools
What do you need?
Architecture
(Diagram: sites such as Data Center, CoLo, Campus, Branch and Cloud are connected by WAN Edge routers over 4G, MPLS and Internet transports; vManage, the vSmart controllers and vBond sit above the fabric.)
Management Plane – vManage
• Single pane of glass
• Centralized provisioning
• Policies and Templates
Control Plane – vSmart Controllers
• Facilitates fabric discovery
• Disseminates control plane information
• Implements and distributes policies
Orchestrator – vBond
• Orchestrates control and management plane
• First point of authentication
• Facilitates NAT traversal
Data Plane – WAN Edge
• Physical or Virtual
• Zero Touch Provisioning
Step 1 – Deploying Controllers
Deployment options for vManage, vSmart and vBond:
• Enterprise IT deploys the controllers in a private cloud.
• MSP Ops Team deploys the controllers in the MSP cloud.
• Cisco Cloud Ops deploys the controllers in the Cisco cloud.
On-Premises Deployment
• Hypervisors: ESXi, KVM
• Controllers deployed in the private cloud: vManage, vSmart, vBond
On-Premises Deployment – ESXi: Installation Overview
1. Obtain documentation and software, and verify system requirements.
2. Import OVA.
3. Perform installation and initial configuration:
   • Connectivity (IP, GW, DNS)
   • System-IP
   • Site-ID
   • Organization-Name
   • vBond address
   • NTP
4. If using an Enterprise CA server, install the enterprise root CA chain.
Initial Configuration Settings
• System-IP – Unique identifier of an SD-WAN component
  • 32-bit dotted-decimal notation (an IPv4 address)
  • Logically a VPN 0 loopback interface, referred to as “system”
• Site-ID – Identifies the logical location of an individual node
  • Configured on every WAN Edge
  • When not unique, the same location is assumed
• Organization-Name – SD-WAN overlay identifier
  • Must match on all components
  • Example: "Cisco Connect – 2019"
Certificate Authority Options
(Diagram: vManage, vBond and vSmart each hold a certificate signed either by the DigiCert root CA or by an Enterprise CA root.)
• DigiCert certificates are the default option.
• Enterprise certificates can be used for on-prem deployment.
• Need to install the root CA chain.
Deploying vManage on VMware ESXi
Verifying vManage System Requirements
• SSD required for normal vManage performance.
• Private lab setup for learning purposes will work with fewer resources.
• *vManage Cluster requires a dedicated interface for the message bus.
Devices | vCPUs | RAM | OS Volume | Database Volume | Bandwidth | vNICs
1-250 | 16 | 32 GB | 16 GB | 500 GB, 1500 IOPS | 25 Mbps | 2
251-1000 | 32 | 64 GB | 16 GB | 1 TB, 3072 IOPS | 100 Mbps | 2
1001 or more | 32 | 64 GB | 16 GB | 1 TB, 3072 IOPS | 150 Mbps | 3*
vManage Interface Properties
• By default, vManage OVA is configured with a single interface (eth0).
• Adding an additional interface remaps eth0 to vNIC 2.
(Diagram, ESXi, KVM, AWS, MS Azure: vNIC 1 is the management interface in VPN 512; vNIC 2 is the control interface in VPN 0.)
vNIC | Interface | Default VPN | DHCP enabled | State
2 | eth0 | 0 | Yes | Enabled
1 | eth1 | Not set | No | Disabled
Deploying vManage OVA on VMware ESXi
• Primary disk for OS consumes 19 GB.
Deploying vManage OVA on VMware ESXi (Cont.)
• A single interface is present by default.
• Do not power on the VM before adding the additional disk for the DB installation.
Adding Additional Resources to the vManage VM
• The additional hard disk will host the vManage database.
Specifying Capacity and Device Type
• For a lab environment, a 100 GB disk will be sufficient. For PoC/PoV or production environments, follow the official requirements.
• The SCSI interface is not supported; make sure you select the IDE type.
Adding an Additional Interface to the vManage VM
• Add an additional interface for convenient OOB management.
Performing vManage Database Installation
• Default credentials: admin / admin
Configuring vManage Interface Settings
(Screenshot: OOB management interface and transport interface configuration.)
Configuring vManage System Parameters
vmanage(config)# system
vmanage(config-system)# system-ip 10.255.255.21
vmanage(config-system)# site-id 1
vmanage(config-system)# organization-name "Cisco Connect - 2019"
vmanage(config-system)# vbond 10.0.0.22
vmanage(config-system)# ntp server 203.0.113.1
vmanage(config-system)# commit
Commit complete.
• Organization-Name is case sensitive; always use quotes.
• The vBond server can be specified as a domain name.
• System-IP must be unique on every component in the SD-WAN fabric.
Finalize vManage Initial System Configuration
Installing Enterprise Root Certificate
• Paste the CA certificate in PEM format.
Deploying vBond on VMware ESXi
Verifying vBond System Requirements
• Only SSD-based volumes are officially supported.
• vBond is installed using the vEdgeCloud OVA.
• The OVA is preconfigured with four vCPUs.
Devices | vCPUs | RAM | OS Volume | Bandwidth | vNICs
1-50 | 2 | 4 GB | 8 GB | 1 Mbps | 2
51-250 | 2 | 4 GB | 8 GB | 2 Mbps | 2
251-1000 | 2 | 4 GB | 8 GB | 5 Mbps | 2
1001+ | 4 | 8 GB | 8 GB | 10 Mbps | 2
Configuring vBond System Parameters
• The keyword local in the vbond command defines the vBond role.
vedge(config)# system
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 10.255.255.22
vedge(config-system)# site-id 1
vedge(config-system)# organization-name "Cisco Connect - 2019"
vedge(config-system)# vbond 10.0.0.22 local
vedge(config-system)# commit
Commit complete.
vBond Interface Properties
• The OVA is preconfigured with four vNICs; only two interfaces are supported.
(Diagram, ESXi, KVM, AWS, MS Azure: vNIC 1 is the management interface in VPN 512; vNIC 2 is the control interface in VPN 0.)
vNIC | Interface | Default VPN | DHCP enabled | State
1 | eth0 | 512 | Yes | Enabled
2 | ge0/0 | 0 | Yes | Enabled
3 | ge0/1 |  | No | Disabled
4 | ge0/2 |  | No | Disabled
Configuring vBond Interface Settings
• The VPN0 interface is preconfigured for WAN.
• The tunnel-interface configuration settings lock down the interface and also prevent incoming NETCONF connections.
• When vBond is integrated with vManage, vManage establishes the NETCONF connection.
• Recommendation: disable the tunnel-interface configuration while performing controller integration.
• Alternative: temporarily allow the netconf service.
Configuring vBond Interface Settings (Cont.)
(Screenshot: OOB management interface and transport interface configuration.)
Installing Local Root CA Chain
• Transfer the root certificate chain and perform import:
Deploying vSmart on VMware ESXi
Verifying vSmart System Requirements
• Only SSD-based volumes are officially supported.
Devices | vCPUs | RAM | OS Volume | Bandwidth | vNICs
1-50 | 2 | 4 GB | 16 GB | 2 Mbps | 2
51-250 | 4 | 6 GB | 16 GB | 5 Mbps | 2
251-1000 | 4 | 16 GB | 16 GB | 7 Mbps | 2
1001+ | 8 | 16 GB | 16 GB | 10 Mbps | 2
vSmart Interface Settings
• By default, the vSmart OVA is configured with a single interface.
• Adding an additional interface remaps eth0 to vNIC 2.
(Diagram, ESXi, KVM, AWS, MS Azure: vNIC 1 is the management interface in VPN 512; vNIC 2 is the control interface in VPN 0.)
vNIC | Interface | Default VPN | DHCP enabled | State
2 | eth0 | 0 | Yes | Enabled
1 | eth1 | Not set | No | Disabled
Configuring vSmart Interface Settings
(Screenshot: OOB management interface and transport interface configuration.)
Configuring vSmart System Settings
vsmart(config)# system
vsmart(config-system)# system-ip 10.255.255.23
vsmart(config-system)# site-id 1
vsmart(config-system)# organization-name "Cisco Connect - 2019"
vsmart(config-system)# vbond 10.0.0.22
vsmart(config-system)# ntp server 203.0.113.1
vsmart(config-system)# commit
Commit complete.
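As an added example (not part of this deck or of any Cisco tool), the Python script below checks the rules stated under Initial Configuration Settings and the vManage, vBond and vSmart system parameter slides: every system-ip is a unique IPv4 address, organization-name matches exactly (case-sensitive) on all components, all components point at the same vBond, and exactly one component carries the local keyword. The three system blocks from the deck are embedded as sample input, together with a constructed fourth controller that breaks two of the rules; the parsing approach is this script's own assumption.

```python
"""Added example: consistency check for SD-WAN controller `system` settings.
Rules from the deck: unique IPv4 system-ip, case-sensitive organization-name match,
one vBond address on all components, and exactly one `vbond ... local`."""
import ipaddress
import shlex

# Constructed sample input: the vManage, vBond and vSmart blocks shown in the deck.
CONFIGS = {
    "vmanage": 'system-ip 10.255.255.21\nsite-id 1\norganization-name "Cisco Connect - 2019"\nvbond 10.0.0.22',
    "vbond": 'host-name vBond\nsystem-ip 10.255.255.22\nsite-id 1\norganization-name "Cisco Connect - 2019"\nvbond 10.0.0.22 local',
    "vsmart": 'system-ip 10.255.255.23\nsite-id 1\norganization-name "Cisco Connect - 2019"\nvbond 10.0.0.22',
}
# Constructed second vSmart with two mistakes: reused system-ip and lower-case org name.
BAD_CONFIGS = dict(CONFIGS, vsmart2='system-ip 10.255.255.23\nsite-id 2\norganization-name "cisco connect - 2019"\nvbond 10.0.0.22')


def parse_system(text):
    """Map each keyword of a `system` block to its value tokens."""
    settings = {}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps "Cisco Connect - 2019" as one token
        if tokens:
            settings[tokens[0]] = tokens[1:]
    return settings


def first(settings, key):
    values = settings.get(key, [])  # "" when the keyword is absent or has no value
    return values[0] if values else ""


def check_fabric(configs):
    """Return a list of findings; an empty list means the settings are consistent."""
    parsed = {name: parse_system(text) for name, text in configs.items()}
    findings, seen_ips = [], {}
    for name, s in parsed.items():
        ip = first(s, "system-ip")
        try:
            ipaddress.IPv4Address(ip)  # System-IP is 32-bit dotted-decimal
        except ValueError:
            findings.append(f"{name}: system-ip {ip!r} is not an IPv4 address")
        if ip in seen_ips:
            findings.append(f"{name}: system-ip {ip} duplicates {seen_ips[ip]}")
        seen_ips.setdefault(ip, name)
    orgs = {name: first(s, "organization-name") for name, s in parsed.items()}
    if len(set(orgs.values())) > 1:  # exact, case-sensitive comparison
        findings.append("organization-name differs: " + ", ".join(f"{n}={o!r}" for n, o in orgs.items()))
    if len({first(s, "vbond") for s in parsed.values()}) > 1:
        findings.append("components point at different vbond addresses")
    local = [n for n, s in parsed.items() if "local" in s.get("vbond", [])]
    if len(local) != 1:
        findings.append(f"expected exactly one 'vbond ... local', found {local}")
    return findings
```

Run check_fabric(CONFIGS) to confirm the deck's three controllers pass, and check_fabric(BAD_CONFIGS) to see the duplicate system-ip and the case mismatch reported.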
Installing Local Root CA Chain
• Transfer the root certificate chain and perform import:
Step 2 – Bringing Up Secure Control Plane
Integrating Controllers
1. Add vBond and vSmart controllers into the vManage.
2. Generate CSRs.
3. Sign CSRs and upload certificates.
4. Configure tunnel interfaces and establish control connections.
5. Install the license file.
Adding Controllers to vManage
• vSmart is added using the same procedure.
• Specify the controller's IP address that is reachable from the vManage VPN 0 interface via the NETCONF protocol (TCP 830).
Generating the CSR
Viewing and Transferring the CSR
Installing Signed Certificate
Configuring Interfaces for Control Connections
• Enable the tunnel-interface configuration on the VPN 0 interface on all controllers.
• On vBond, also specify the tunnel-interface encapsulation type.
Verifying Control Connections
Troubleshooting Control Connections
• # show control connections-history
Step 3 – Bringing Up Secure Data Plane
Plug and Play Connect (PnP) Portal
https://software.cisco.com
• A Smart Account is required.
(Screenshot: Smart Account and Virtual Account selection.)
PnP – Adding Controller Profile
PnP - Adding Controller Profile Settings
PnP - Adding WAN Edge Devices
PnP - Providing Device Details
PnP – Downloading vManage License File
Importing WAN Edge List
• If devices are not validated when importing the license file, you need to manually enable each device under Configuration > Licensing.
Deploying vEdge Cloud Routers
Overview of Installation Steps: vEdge Cloud
1. Obtain software and verify system requirements.
2. Deploy the OVA template.
3. Perform initial configuration (connectivity, system-ip, site-id, org-name, vbond address).
4. If using an enterprise CA, install the local root CA chain.
5. Activate vEdgeCloud by enrolling it into vManage.
Deploying vEdgeCloud on VMware ESXi
• Up to 8 vNICs are supported.
vNIC | Interface | Default VPN | DHCP enabled | State
1 | eth0 | 512 | Yes | Enabled
2 | ge0/0 | 0 | Yes | Enabled
3 | ge0/1 |  | No | Disabled
4 | ge0/2 |  | No | Disabled
Generating Chassis UUID and OTP Token
• Generate the bootstrap configuration to extract the chassis UUID and OTP token for the vEdgeCloud activation.
Activating vEdgeCloud
Activating vEdgeCloud (Cont.)
• Verification
Additional Lab Tools
Useful Link and Traffic Manipulators
• WANem – WAN Emulator
  • Transparent bridge with an easy-to-use GUI.
  • Can introduce delay, loss, corruption, reordering and limited bandwidth.
  • Ideal tool for a virtual environment when testing Application Aware Routing policies.
  • wanem.sourceforge.net, released under the GNU GPL license.
• TRex – Realistic Traffic Generator
  • Generates realistic traffic with stateful flow support.
  • trex-tgn.cisco.com, developed by Cisco, released under the Apache 2.0 license.
Next Steps
• Documentation:
  https://sdwan-docs.cisco.com
• SD-WAN Guides (CVDs):
  https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Design-2018OCT.pdf
  https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
nil.com
ENABLING IT FOR BUSINESS