
Implementing Cisco SD-WAN Bootcamp
Introduction
CCIEx4 #8593 & CCDE #2013::13
Class Logistics

+ Class schedule
+ Start at 8am PDT / 11am EDT daily
+ Class runs about 3 hours per day
+ Using the online classroom
+ Q&A session
+ Class is recorded
+ Post-processing time is about 2 weeks
SD-WAN Overview
What is Software Defined Wide Area Networking (SD-WAN)?

+ SD-WAN is the decoupling of WAN Edge Routers from their control plane and management plane
+ In Cisco’s Viptela solution, vManage, vSmart, and vBond run the control and
management planes, and vEdge/cEdge routers run the data plane
+ SD-WAN solutions are used to build programmable fabrics
+ In Cisco’s Viptela solution, an automated overlay network of IPsec tunnels
+ SD-WAN solutions lower Total Cost of Ownership (TCO)
+ Uses lower-cost and commercially available Internet access
+ Lowers a business’s reliance on private circuits, such as MPLS or Metro-E
Why use Cisco SD-WAN?

+ Secure Connectivity
+ Automatically uses IPsec for encryption between sites
+ Resilient
+ Automatic failover between WAN circuits
+ Cost Savings
+ Can use commodity Internet circuits for connectivity instead of MPLS/VPLS
+ Simple Provisioning
+ Onboarding new sites is quick and easy with Zero Touch Provisioning (ZTP)
+ Single Pane of Glass Management
+ vManage controller allows centralized configuration and management
+ Cloud Friendly
+ Simplifies IaaS deployments, and optimizes SaaS access to the cloud
How does Cisco’s SD-WAN Solution Work?

+ Cisco’s SD-WAN Solution can be broken down into two main components
+ Controllers
+ Edge Routers
+ Controllers consist of three devices, each performing a different function
+ vManage NMS – GUI for managing the SD-WAN Solution
+ vBond Orchestrator – Automation engine used for onboarding new routers
+ vSmart Controller – Controls Routing & Policy decisions
+ Edge Routers consist of two categories of devices
+ vEdge Routers running Viptela software
+ cEdge Routers running Cisco IOS XE software
Implementing Cisco SD-WAN

+ In this course, we will be implementing SD-WAN as follows
+ Gather necessary software
+ Build a virtual topology
+ Onboard the SD-WAN Controllers
+ Onboard the SD-WAN Edge Routers
+ Deploy vManage Templates
+ Deploy vManage Policies
Building an SD-WAN Topology
Building the SD-WAN Topology

+ Choose your Hypervisor
+ Download the Binaries
+ Import the software images into the hypervisor
+ Generate the Viptela licenses
+ Build the topology
Choosing a Hypervisor

+ GNS3
+ https://www.gns3.com/
+ Used in our examples
+ EVE-NG
+ https://www.eve-ng.net/
+ CML
+ http://virl.cisco.com
Downloading the Example Binaries

+ IOSv
+ vios-adventerprisek9-m.vmdk.SPA.156-2.T
+ CSR1000v (SD-WAN Image)
+ csr1000vng-ucmk9.16.11.1a-sdwan.qcow2
+ vManage
+ viptela-vmanage-19.2.4-genericx86-64.qcow2
+ vSmart
+ viptela-smart-19.2.4-genericx86-64.qcow2
+ vEdge/vBond
+ viptela-edge-18.4.4-genericx86-64.qcow2
+ vBond and vEdge use the same image
+ Check your MD5 hashes against cisco.com
Importing Software Images into the Hypervisor

+ Many templates are pre-created for you
+ You may have to modify them and update the MD5 hash and filenames
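Checking the downloaded images against the MD5 values from cisco.com, as an added shell example (not from the slides): it reads a manifest in md5sum format, one "hash  filename" line per image, and refuses any file that is missing or does not match. The image file names are the ones listed above; the sample files and the expected hashes in the demo are constructed placeholders, not Cisco's published checksums.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): verify downloaded image files against
# the MD5 values published on cisco.com before importing them into the
# hypervisor. Manifest format is "md5  filename", one per line, like a
# md5sum listing. Sample files and hashes in demo() are constructed.
set -eu

# MD5 of a file as lowercase hex (Linux md5sum, or macOS/BSD md5 as fallback).
file_md5() {  # $1 = path
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print tolower($1)}'
  else
    md5 -q "$1" | tr 'A-F' 'a-f'
  fi
}

# Check every entry in a manifest; prints one status line per image and
# returns 1 if any file is missing or does not match its published hash.
check_images() {  # $1 = manifest path, $2 = directory holding the downloads
  local manifest="$1" dir="$2" expected name actual rc=0
  while read -r expected name || [ -n "$expected" ]; do
    [ -n "$name" ] || continue
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING   $name"; rc=1; continue
    fi
    actual=$(file_md5 "$dir/$name")
    if [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
      echo "OK        $name"
    else
      echo "MISMATCH  $name (expected $expected, got $actual)"; rc=1
    fi
  done < "$manifest"
  return $rc
}

# Demo on constructed files: one good download, one corrupted, one missing.
demo() {
  local dir; dir=$(mktemp -d)
  printf 'pretend qcow2 image\n' > "$dir/viptela-vmanage-19.2.4-genericx86-64.qcow2"
  printf 'damaged download\n' > "$dir/viptela-smart-19.2.4-genericx86-64.qcow2"
  {
    printf '%s  %s\n' "$(file_md5 "$dir/viptela-vmanage-19.2.4-genericx86-64.qcow2")" \
      viptela-vmanage-19.2.4-genericx86-64.qcow2
    # constructed placeholder hashes, not Cisco's real values
    printf '%s  %s\n' 00000000000000000000000000000000 viptela-smart-19.2.4-genericx86-64.qcow2
    printf '%s  %s\n' 00000000000000000000000000000000 viptela-edge-18.4.4-genericx86-64.qcow2
  } > "$dir/manifest.md5"
  check_images "$dir/manifest.md5" "$dir" || echo "do not import: at least one image failed"
}

demo
```

Save the hashes from the cisco.com download page into the manifest and run check_images against the download directory; anything other than a full set of OK lines means the image should not be imported into the hypervisor.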
Generate the Viptela Licenses

+ https://software.cisco.com/
+ Network Plug and Play
+ https://software.cisco.com/#pnp-devices
+ Create a Controller Profile
+ Controller Type: VBOND
+ The Org name is important: it must match the Organization in the certificates later
+ Add Software Devices
+ Controller Profiles > Download Provisioning File
+ We will need to upload this to the vManage Controller during provisioning
Build the Topology

+ What does the topology consist of?
+ Underlay Transport Network
+ One or more routers to act as the underlay transport “Clouds”
+ One cloud could be “Business Internet” one cloud could be “MPLS”
+ IOSv is a good lightweight VM for this
+ SD-WAN Controllers
+ At least one each of vBond, vSmart, and vManage
+ 2 NICs, one for OOB MGMT and one for WAN connectivity
+ SD-WAN Edge Routers
+ One or more routers to act as the edges for your remote sites
+ Viptela image is called “vEdge”
+ CSR1000v image is called “cEdge”
Build the Topology (cont.)

+ What does the topology consist of?
+ Linux Virtual Machine
+ Acts as the Certificate Authority (CA)
+ Connects to the OOB MGMT network
+ Could be Windows Server if you prefer
+ Customer Internal Routers
+ Routers behind the vEdge/cEdge
+ Used to test routing protocols and connectivity
+ IOSv is good for this
Example Simple SD-WAN Topology

[Topology diagram: an OOB MGMT network connecting the CA, vBond-1, vSmart-1 and vManage-1; an Internet transport cloud; Host2 behind vEdge-Site2 and Host3 behind cEdge-Site3]
Onboarding Cisco SD-WAN Controllers
Onboarding the SD-WAN Controllers

+ Onboarding Controllers starts with minimum CLI options
+ Host-name
+ System-ip
+ Site-id
+ Organization-name
+ Must match the ORG in serialFile.viptela previously generated
+ vBond IP Address
+ VPN 0
+ Called the “Transport VPN”
+ Interface and IP address facing towards the WAN
+ VPN 512
+ The “Management VPN”
+ Connects to the Out-of-Band Management Network
+ Default CLI credentials are admin/admin
vBond Example Config

config
system
host-name vBond-1
system-ip 10.0.1.1
site-id 1
organization-name VIPTELA.local
vbond 100.0.1.1 local
vpn 0
interface ge0/0
ip address 100.0.1.1/24
no shutdown
no tunnel-interface
exit
ip route 0.0.0.0/0 100.0.1.254
vpn 512
interface eth0
ip dhcp-client
no shutdown
exit
commit and-quit
vSmart Example Config

config
system
host-name vSmart-1
system-ip 10.0.1.2
site-id 1
organization-name VIPTELA.local
vbond 100.0.1.1
vpn 0
interface eth1
ip address 100.0.1.2/24
no shutdown
no tunnel-interface
exit
ip route 0.0.0.0/0 100.0.1.254
vpn 512
interface eth0
ip dhcp-client
no shutdown
exit
commit and-quit
vManage Example Config

config
system
host-name vManage-1
system-ip 10.0.1.3
site-id 1
organization-name VIPTELA.local
vbond 100.0.1.1
vpn 0
interface eth1
ip address 100.0.1.3/24
no shutdown
no tunnel-interface
exit
ip route 0.0.0.0/0 100.0.1.254
vpn 512
interface eth0
ip dhcp-client
no shutdown
exit
commit and-quit
Using the Linux Certificate Authority Server

+ Any Linux distro that supports OpenSSL can be used
+ E.g. sudo apt-get install openssl
+ Generate the CA private key and a self-signed CA certificate
+ openssl genrsa -out MyCA.key 2048
+ openssl req -new -x509 -days 1000 -key MyCA.key -out MyCA.crt
+ Upload the CA Certificate to vBond, vSmart, and vManage
+ scp MyCA.crt admin@<vBond-management-IP>:
+ scp MyCA.crt admin@<vSmart-management-IP>:
+ scp MyCA.crt admin@<vManage-management-IP>:
Trusting the CA Certificate

+ Install the CA Certificate on vBond, vSmart, and vManage
+ request root-cert-chain install /home/admin/MyCA.crt
+ Sync the certificate on the vManage
+ https://<vManage-ip-address>/dataservice/system/device/sync/rootcertchain
Enable the Root CA on vManage

+ Administration > Settings
+ Set org to VIPTELA.local
+ Set vBond to 100.0.1.1
+ Set Controller Certificate Authorization to Enterprise Root Certificate
+ Copy and paste the CA certificate
Generate Certificate Signing Requests (CSRs) on vManage

+ Configuration > Devices > Controllers > Add Controller
+ Add vBond IP address, credentials, and generate CSR
+ Add vSmart IP address, credentials, and generate CSR
+ Configuration > Certificates > Controllers
+ vManage > Generate CSR > View CSR
+ Copy and paste the 3 CSRs to the Linux CA Server
+ E.g. nano vManage.csr
Sign the Certificates on the CA Server

openssl x509 -req -in vManage.csr -CA MyCA.crt -CAkey MyCA.key -CAcreateserial -out vManage.crt -days 2500 -sha256

openssl x509 -req -in vSmart.csr -CA MyCA.crt -CAkey MyCA.key -CAcreateserial -out vSmart.crt -days 2500 -sha256

openssl x509 -req -in vBond.csr -CA MyCA.crt -CAkey MyCA.key -CAcreateserial -out vBond.crt -days 2500 -sha256
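The CA steps on these slides (MyCA.key and MyCA.crt, then the three x509 signing commands), carried through end to end as an added shell example that is not part of the course material. It assumes OpenSSL on the CA host, works in a scratch directory (WORKDIR), and stands in for the CSRs vManage generates with locally created ones whose subjects are constructed here; the two checks at the end, chain verification against MyCA.crt and a test that the certificate's Organization equals the organization-name VIPTELA.local, are the added part, since the org must match for the controllers to accept the certificates.

```shell
#!/usr/bin/env bash
# Added example (not from the course slides): a throwaway enterprise CA that
# mirrors the lab steps, signs a controller CSR with the same x509 command the
# slides use, then verifies what an operator should check before installing
# the result on vManage. File names follow the slides; WORKDIR, the CSR
# subjects and the controller list are constructed here.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ORG="VIPTELA.local"            # must equal organization-name on the controllers
CONTROLLERS="vManage vSmart vBond"

# Step 1 from the slides: CA private key plus self-signed CA certificate.
make_ca() {
  openssl genrsa -out "$WORKDIR/MyCA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1000 -key "$WORKDIR/MyCA.key" \
    -subj "/CN=MyCA/O=$ORG" -out "$WORKDIR/MyCA.crt" 2>/dev/null
}

# Stand-in for the CSR vManage generates per controller (constructed so the
# script runs offline). In the lab the CSR text is pasted into <name>.csr.
make_csr() {  # $1 = controller name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/$1.key" \
    -subj "/CN=$1/O=$ORG" -out "$WORKDIR/$1.csr" 2>/dev/null
}

# The signing command from the slides, parameterised on the controller name.
sign_csr() {  # $1 = controller name
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/MyCA.crt" \
    -CAkey "$WORKDIR/MyCA.key" -CAcreateserial \
    -out "$WORKDIR/$1.crt" -days 2500 -sha256 2>/dev/null
}

# Check 1: the issued certificate chains to MyCA.crt, the root the
# controllers trust after "request root-cert-chain install".
verify_chain() {  # $1 = controller name
  openssl verify -CAfile "$WORKDIR/MyCA.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Check 2: the Organization in the certificate equals the configured
# organization-name; prints the O= value of the subject.
cert_org() {  # $1 = controller name
  openssl x509 -in "$WORKDIR/$1.crt" -noout -subject \
    -nameopt sep_multiline,utf8 | sed -n 's/^ *O=//p'
}

check_org() {  # $1 = controller name
  [ "$(cert_org "$1")" = "$ORG" ]
}

# Whole flow for the three controllers; non-zero if any certificate fails
# either check.
issue_all() {
  make_ca
  local name rc=0
  for name in $CONTROLLERS; do
    make_csr "$name"
    sign_csr "$name"
    if verify_chain "$name" && check_org "$name"; then
      echo "$name.crt: chain OK, O=$(cert_org "$name")"
    else
      echo "$name.crt: FAILED verification" >&2
      rc=1
    fi
  done
  return $rc
}

issue_all
```

In the lab, replace make_csr with the CSR text copied from vManage (Configuration > Certificates > Controllers) and keep the two checks; a certificate that fails check_org would be rejected by the controllers even though the signing command succeeded.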
Install the Signed Certificates on vManage

+ Configuration > Certificates > Controllers > Install Certificate
+ E.g. cat vManage.crt on the CA server and paste the output
+ Repeat for vManage, vSmart, and vBond Certificates
Configure VPN 0 on vManage, vBond, vSmart

vManage:
vpn 0
interface eth1
tunnel-interface
commit and-quit

vSmart:
vpn 0
interface eth1
tunnel-interface
commit and-quit

vBond:
vpn 0
interface ge0/0
tunnel-interface
encapsulation ipsec
commit and-quit
Onboarding Cisco SD-WAN vEdge Routers
Onboarding the vEdge Routers

+ Onboarding vEdge routers starts with minimum CLI options
+ Host-name
+ System-ip
+ Site-id
+ Organization-name
+ Must match the ORG in serialFile.viptela previously generated
+ vBond IP Address
+ VPN 0
+ Called the “Transport VPN”
+ Interface and IP address facing towards the WAN
+ Default CLI credentials are admin/admin
vEdge Example Config

config
system
host-name vEdge-Site2
system-ip 10.0.2.1
site-id 2
organization-name VIPTELA.local
vbond 100.0.1.1
vpn 0
interface ge0/0
ip address 100.0.2.1/30
no shutdown
no tunnel-interface
exit
ip route 0.0.0.0/0 100.0.2.2
commit and-quit
Install the Root CA Certificate on the vEdge

+ vEdge-Site2# vshell
+ vEdge-Site2:~$ vi MyCA.crt
+ “i” to insert in vi
+ Paste the CA Certificate
+ “<esc> :wq” to save and quit
+ vEdge-Site2# request root-cert-chain install /home/admin/MyCA.crt
Register the vEdge to vManage

+ This is where we need our serialFile.viptela license
+ In vManage, go to Configuration > Devices > Upload WAN Edge List and upload the .viptela file
+ Choose any vEdge Cloud from the device models, and “Generate Bootstrap Configuration” from the ellipses on the right
+ Select “Cloud-Init” and click OK
+ Copy the UUID and OTP fields to your text editor
+ Enter the following command on the vEdge:
+ request vedge-cloud activate chassis-number UUID token OTP, where UUID and OTP are your strings from the Bootstrap Configuration
Configuring the Tunnel Interface Parameters on the vEdge

vEdge-Site2# conf t
Entering configuration mode terminal
vEdge-Site2(config)# vpn 0
vEdge-Site2(config-vpn-0)# interface ge0/0
vEdge-Site2(config-interface-ge0/0)# tunnel-interface
vEdge-Site2(config-tunnel-interface)# color biz-internet
vEdge-Site2(config-tunnel-interface)# encapsulation ipsec
vEdge-Site2(config-tunnel-interface)# commit and-quit
Commit complete.
vEdge Onboarding Verifications

+ Was the Certificate granted from vManage?
+ show control local-properties
+ Token should show “Invalid”
+ If not, what error code was generated?
+ show control connections-history
+ Did the vEdge connect to vSmart/vManage/vBond?
+ show control connections
+ Have IPsec tunnels formed to the other sites?
+ show bfd sessions
vManage Verifications

+ vManage > Dashboard > Main Dashboard
vManage Verifications (cont.)

+ vManage > Monitor > Network > Real Time
+ Search with the Device Options field, e.g. BFD Sessions
Onboarding Cisco SD-WAN cEdge Routers
What is a cEdge Router?

+ cEdge is another name for the Cisco Cloud Services Router 1000v
(CSR1000v), running the special SD-WAN components
+ cEdge can be configured through the CLI or centrally through vManage
+ More on this later
+ cEdge CLI configuration uses config-transaction and commit to
make changes
Onboarding the cEdge Routers

+ Onboarding cEdge routers starts with minimum CLI options
+ Host-name
+ System-ip
+ Site-id
+ Organization-name
+ Must match the ORG in serialFile.viptela previously generated
+ vBond IP Address
+ IP Addressing
+ Routing
+ Default CLI credentials are admin/admin
Example cEdge Configuration

config-transaction
!
hostname cEdge-Site3
system
system-ip 10.0.3.1
site-id 3
organization-name VIPTELA.local
vbond 100.0.1.1
!
interface GigabitEthernet 1
no shut
ip address 100.0.3.1 255.255.255.252
!
interface GigabitEthernet 2
no shut
ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet 3
description TO OOB MGMT NETWORK
no shut
ip address dhcp
!
ip route 0.0.0.0 0.0.0.0 100.0.3.2
!
commit
Copy the Root CA Certificate to the cEdge Router

cEdge-Site3#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 100.0.3.1 YES other up up
GigabitEthernet2 192.168.3.254 YES other up up
GigabitEthernet3 192.168.223.236 YES DHCP up up
GigabitEthernet4 unassigned YES unset down down
Loopback65528 192.168.1.1 YES other up up
cEdge-Site3#

cEdge-Site3#copy tftp://192.168.223.127/MyCA.crt bootflash:
Destination filename [MyCA.crt]?
Accessing tftp://192.168.223.127/MyCA.crt...
Loading MyCA.crt from 192.168.223.127 (via GigabitEthernet3): !
[OK - 1245 bytes]

1245 bytes copied in 0.100 secs (12450 bytes/sec)
cEdge-Site3#
Install the Root CA Certificate on the cEdge

cEdge-Site3#request platform software sdwan root-cert-chain install bootflash:MyCA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /bootflash/MyCA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
cEdge-Site3#
Register the cEdge to vManage

+ Go to vManage, open the WAN Edge List and Generate Bootstrap Configuration for a CSR1000v using Cloud-Init
+ Copy the UUID and OTP fields to your text editor, and run the following command on the cEdge:
+ request platform software sdwan vedge_cloud activate chassis-number UUID token OTP, where UUID and OTP are the fields you copied from the bootstrap config
Configure the Tunnel Interface on the cEdge

cEdge:
config-transaction
interface Tunnel0
no shut
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel mode sdwan
sdwan
interface GigabitEthernet1
tunnel-interface
encapsulation ipsec
color biz-internet
commit
cEdge Onboarding Verifications

+ Was the Certificate granted from vManage?
+ show sdwan control local-properties
+ Should show certificate-status as “Installed”
+ If not, what error code was generated?
+ show sdwan control connection-history
+ Did the cEdge connect to vSmart/vManage/vBond?
+ show sdwan control connections
+ Have IPsec tunnels formed to the other sites?
+ show sdwan bfd sessions
Configuring Service VPNs
Cisco SD-WAN VPNs

+ vEdge Routers maintain two VPNs by default
+ VPN 0 – the “Transport VPN”
+ VPN 512 – the “Management VPN”
+ User defined VPNs are considered “Service VPNs”
+ I.e. any VPN number except 0 or 512
+ Service VPNs form a full-mesh of connectivity by default
+ VPN 1 can talk to other VPN 1 sites, but not VPN 2
+ VPN 2 can talk to other VPN 2 sites, but not VPN 1
Configuring a Service VPN via the vEdge/cEdge CLI

vEdge:
config
vpn 1
interface ge0/1
ip address 192.168.2.254/24
no shutdown
commit and-quit

cEdge:
config-transaction
vrf definition 1
rd 1:1
!
address-family ipv4
route-target export 1:1
route-target import 1:1
exit-address-family
!
!
interface GigabitEthernet2
vrf forwarding 1
ip address 192.168.3.254 255.255.255.0
commit
vEdge/cEdge CLI Verifications

+ Is the Transport VPN up to the other sites?
+ vEdge: show bfd sessions
+ cEdge: show sdwan bfd sessions
+ Are we learning OMP routes from vSmart?
+ vEdge: show ip route omp
+ cEdge: show ip route vrf 1 omp
+ vEdge: show omp route
+ cEdge: show sdwan omp route
+ Do we have IP connectivity to the other sites?
+ vEdge: ping vpn 1 1.2.3.4 / traceroute vpn 1 1.2.3.4
+ cEdge: ping vrf 1 1.2.3.4 / traceroute vrf 1 1.2.3.4
Configuring Device Templates
What are Device Templates?

+ Device Templates are the way you create and store device
configurations on the vManage NMS
+ Each device type gets its own template
+ I.e. vEdge and cEdge routers would use separate templates
+ Multiple devices can be attached to the same template
+ E.g. all vEdge routers with 1 WAN and 1 LAN interface
+ Device Templates are made up of Feature Templates
+ Feature templates are specific to device models
+ E.g. vEdge Cloud OSPF template has different syntax than CSR1000v
OSPF template
Configuring Device Templates

+ vManage > Configuration > Templates > Create Template
Defining Template Variables

+ Some values, e.g. WAN IP Address, will be different between devices
+ Device Specific variables can be defined in a template that will be filled in when the template is applied to the device
Attaching a Device Template

+ Next we attach the device to the template by clicking the 3 ellipsis on the
right > Attach Devices
Populating Template Variables

+ Next we populate the device template variables by clicking the 3 ellipsis on the right > Edit Device Template
Viewing the Template Resulting Configuration

+ Next screen shows Config Preview and Config Diff
Applying the Device Template

+ Click Configure Devices and the changes will be pushed to devices attached to the template
+ If the configuration fails, it will auto-rollback
+ If the configuration completes, but IP connectivity to vManage is lost, it will auto-rollback in 5 minutes
+ E.g. we configured the wrong default gateway IP address
