Cisco SD WAN… · If using Enterprise CA server, install the enterprise root CA chain. • ...

© 2019 NIL (nil.com), Security Tag: PUBLIC


Cisco SD-WAN

From Words to Actions

Aleš Travnikar

Systems Engineer / Instructor


Agenda

• What do you need?

• Step 1 – Deploying Controllers

• Step 2 – Bringing Up Secure Control Plane

• Step 3 – Bringing Up Secure Data Plane

• Additional Tools


What do you need?


Architecture

Management Plane (vManage)

• Single pane of glass

• Centralized provisioning

• Policies and Templates

Control Plane (vSmart Controllers)

• Facilitates fabric discovery

• Disseminates control plane information

• Implements and distributes policies

Orchestrator (vBond)

• Orchestrates control and management plane

• First point of authentication

• Facilitates NAT traversal

Data Plane (WAN Edge)

• Physical or Virtual

• Zero Touch Provisioning

[Figure: WAN Edge devices at Data Center, CoLo, Campus, Branch and Cloud sites, connected over 4G, MPLS and INET transports]


Step 1 – Deploying Controllers

• Enterprise IT deploys vManage, vSmart and vBond in a Private Cloud.

• MSP Ops Team deploys vManage, vSmart and vBond in the MSP Cloud.

• Cisco Cloud Ops deploys vManage, vSmart and vBond in the Cisco Cloud.


On-Premises Deployment

• vManage, vSmart and vBond are deployed in a Private Cloud on ESXi or KVM.


On-Premises Deployment - ESXi

Installation Overview

1. Obtain documentation, software and verify system requirements.

2. Import OVA.

3. Perform installation and initial configuration:

  • Connectivity (IP, GW, DNS)

  • System-IP

  • Site-ID

  • Organization-Name

  • vBond address

  • NTP

4. If using Enterprise CA server, install the enterprise root CA chain.


Initial Configuration Settings

• System-IP – Unique identifier of an SD-WAN component

  • 32-bit dotted-decimal notation (an IPv4 address)

  • Logically a VPN 0 loopback interface, referred to as “system”

• Site-ID – Identifies the logical location of an individual node

  • Configured on every WAN Edge

  • When not unique, the same location is assumed

• Organization-Name – SD-WAN overlay identifier

  • Must match on all components

  • Example: "Cisco Connect – 2019"


Certificate Authority Options

[Figure: two CA options. In each, vManage, vBond and vSmart hold a root certificate and a signed certificate; in one option the certificates are labelled Enterprise.]

• DigiCert certificates are the default option.

• Enterprise certificates can be used for on-premises deployment.

  • The root CA chain needs to be installed.


Deploying vManage on VMware ESXi


Verifying vManage System Requirements

• SSD is required for normal vManage performance.

• A private lab setup for learning purposes will work with fewer resources.

• *A vManage cluster requires a dedicated interface for the message bus.

| Devices | vCPUs | RAM | OS Volume | Database Volume | Bandwidth | vNICs |
|---|---|---|---|---|---|---|
| 1-250 | 16 | 32 GB | 16 GB | 500 GB, 1500 IOPS | 25 Mbps | 2 |
| 251-1000 | 32 | 64 GB | 16 GB | 1 TB, 3072 IOPS | 100 Mbps | 2 |
| 1001 or more | 32 | 64 GB | 16 GB | 1 TB, 3072 IOPS | 150 Mbps | 3* |


vManage Interface Properties

• By default, the vManage OVA is configured with a single interface (eth0).

• Adding an additional interface remaps eth0 to vNIC 2.

[Figure: Control Interface on vNIC 2 (VPN0) and Management Interface on vNIC 1 (VPN512); ESXi, KVM, AWS, MS Azure]

| vNIC | Interface | Default VPN | DHCP enabled | State |
|---|---|---|---|---|
| 2 | eth0 | 0 | Yes | Enabled |
| 1 | eth1 | Not set | No | Disabled |


Deploying vManage OVA on VMware ESXi

• Primary disk for OS consumes 19 GB.


Deploying vManage OVA on VMware ESXi (Cont.)

A single interface is present by default.

Do not power on the VM before adding an additional disk for the DB installation.


Adding Additional Resources to the vManage VM

The additional hard disk will host the vManage database.


Specifying Capacity and Specifying Device Type

For a lab environment, a 100 GB disk will be sufficient. For PoC/PoV or production environments, follow the official requirements.

The SCSI interface is not supported; make sure you select the IDE type.


Adding Additional Interface to vManage VM

Add an additional interface for convenient OOB management.


Performing vManage Database Installation

• Default credentials: admin / admin


Configuring vManage Interface Settings

OOB management interface

Transport interface


Configuring vManage System Parameters

vmanage(config)# system
vmanage(config-system)# system-ip 10.255.255.21
vmanage(config-system)# site-id 1
vmanage(config-system)# organization-name "Cisco Connect - 2019"
vmanage(config-system)# vbond 10.0.0.22
vmanage(config-system)# ntp server 203.0.113.1
vmanage(config-system)# commit
Commit complete.

• Organization-Name is case sensitive; always use quotes.

• The vBond server can be specified as a domain name.

• System-IP must be unique on every component in the SD-WAN fabric.


Finalize vManage Initial System Configuration


Installing Enterprise Root Certificate

Paste CA certificate in PEM format.


Deploying vBond on VMware ESXi


Verifying vBond System Requirements

• Only SSD-based volumes are officially supported.

• vBond is installed using the vEdge Cloud OVA.

• The OVA is preconfigured with four vCPUs.

| Devices | vCPUs | RAM | OS Volume | Bandwidth | vNICs |
|---|---|---|---|---|---|
| 1-50 | 2 | 4 GB | 8 GB | 1 Mbps | 2 |
| 51-250 | 2 | 4 GB | 8 GB | 2 Mbps | 2 |
| 251-1000 | 2 | 4 GB | 8 GB | 5 Mbps | 2 |
| 1001+ | 4 | 8 GB | 8 GB | 10 Mbps | 2 |


Configuring vBond System Parameters

• Keyword local in the vbond command defines the vBond role.

vedge(config)# system
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 10.255.255.22
vedge(config-system)# site-id 1
vedge(config-system)# organization-name "Cisco Connect - 2019"
vedge(config-system)# vbond 10.0.0.22 local
vedge(config-system)# commit
Commit complete.


vBond Interface Properties

• The OVA is preconfigured with four vNICs; only two interfaces are supported.

[Figure: Control Interface on vNIC 2 (VPN0) and Management Interface on vNIC 1 (VPN512); ESXi, KVM, AWS, MS Azure]

| vNIC | Interface | Default VPN | DHCP enabled | State |
|---|---|---|---|---|
| 1 | eth0 | 512 | Yes | Enabled |
| 2 | ge0/0 | 0 | Yes | Enabled |
| 3 | ge0/1 | | No | Disabled |
| 4 | ge0/2 | | No | Disabled |


Configuring vBond Interface Settings

• The VPN0 interface is preconfigured for WAN.

• The tunnel-interface configuration settings lock down the interface and also prevent incoming NETCONF connections.

• When vBond is integrated with vManage, vManage establishes the NETCONF connection.

• Recommendation: disable the tunnel-interface configuration while performing controller integration.

• Alternative: temporarily allow the netconf service.


Configuring vBond Interface Settings (Cont.)

OOB management interface

Transport interface


Installing Local Root CA Chain

• Transfer the root certificate chain and perform import:


Deploying vSmart on VMware ESXi


Verifying vSmart System Requirements

• Only SSD-based volumes are officially supported.

| Devices | vCPUs | RAM | OS Volume | Bandwidth | vNICs |
|---|---|---|---|---|---|
| 1-50 | 2 | 4 GB | 16 GB | 2 Mbps | 2 |
| 51-250 | 4 | 6 GB | 16 GB | 5 Mbps | 2 |
| 251-1000 | 4 | 16 GB | 16 GB | 7 Mbps | 2 |
| 1001+ | 8 | 16 GB | 16 GB | 10 Mbps | 2 |


vSmart Interface Settings

[Figure: Control Interface on vNIC 2 (VPN0) and Management Interface on vNIC 1 (VPN512); ESXi, KVM, AWS, MS Azure]

| vNIC | Interface | Default VPN | DHCP enabled | State |
|---|---|---|---|---|
| 2 | eth0 | 0 | Yes | Enabled |
| 1 | eth1 | Not set | No | Disabled |

• By default, the vSmart OVA is configured with a single interface.

• Adding an additional interface remaps eth0 to vNIC 2.


Configuring vSmart Interface Settings


OOB management interface

Transport interface


Configuring vSmart System Settings

vsmart(config)# system
vsmart(config-system)# system-ip 10.255.255.23
vsmart(config-system)# site-id 1
vsmart(config-system)# organization-name "Cisco Connect - 2019"
vsmart(config-system)# vbond 10.0.0.22
vsmart(config-system)# ntp server 203.0.113.1
vsmart(config-system)# commit
Commit complete.
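
A pre-integration consistency check over the three controller system blocks shown on the slides, as an added example that is not part of the original deck: it verifies that Organization-Name matches exactly (case sensitive), that every System-IP is a unique IPv4 value, and that all components point at the same vBond. The function names and dictionary layout are assumptions, and the "exactly one `local`" rule assumes the single-vBond lab topology used here.

```python
import ipaddress
import shlex

# System parameters copied from the slides (CLI prompts stripped), per controller.
CONFIGS = {
    "vmanage": """
        system-ip 10.255.255.21
        site-id 1
        organization-name "Cisco Connect - 2019"
        vbond 10.0.0.22
        ntp server 203.0.113.1""",
    "vbond": """
        host-name vBond
        system-ip 10.255.255.22
        site-id 1
        organization-name "Cisco Connect - 2019"
        vbond 10.0.0.22 local""",
    "vsmart": """
        system-ip 10.255.255.23
        site-id 1
        organization-name "Cisco Connect - 2019"
        vbond 10.0.0.22
        ntp server 203.0.113.1""",
}
REQUIRED = ("system-ip", "site-id", "organization-name", "vbond")


def parse_system(text):
    """Return one controller's system parameters as a dict."""
    params = {"vbond_local": False}
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps the quoted organization-name whole
        if len(tokens) < 2:
            continue
        key, args = tokens[0], tokens[1:]
        if key in ("system-ip", "site-id", "organization-name"):
            params[key] = args[0]
        elif key == "vbond":
            params["vbond"] = args[0]  # may be an IP address or a domain name
            params["vbond_local"] = "local" in args[1:]
    return params


def check_fabric(configs):
    """Return a list of findings; an empty list means the blocks are consistent."""
    parsed = {name: parse_system(text) for name, text in configs.items()}
    findings, seen_ips = [], {}
    for name, p in parsed.items():
        for key in REQUIRED:
            if key not in p:
                findings.append(f"{name}: {key} is not configured")
        sip = p.get("system-ip")
        if sip is None:
            continue
        try:
            ipaddress.IPv4Address(sip)
        except ValueError:
            findings.append(f"{name}: system-ip {sip!r} is not a dotted-decimal IPv4 value")
        if sip in seen_ips:
            findings.append(f"{name}: system-ip {sip} already used by {seen_ips[sip]}")
        seen_ips.setdefault(sip, name)
    # Organization-Name and vBond address are compared byte for byte.
    for key in ("organization-name", "vbond"):
        values = sorted({p[key] for p in parsed.values() if key in p})
        if len(values) > 1:
            findings.append(f"{key} differs across components: {values}")
    local = [name for name, p in parsed.items() if p["vbond_local"]]
    if len(local) != 1:
        findings.append(f"expected one 'vbond <address> local', found {local}")
    return findings


if __name__ == "__main__":
    print(check_fabric(CONFIGS) or "controller system blocks are consistent")
```
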


Installing Local Root CA Chain

• Transfer the root certificate chain and perform import:


Step 2 – Bringing Up Secure Control Plane


Integrating Controllers

1. Add vBond and vSmart controllers into the vManage.

2. Generate CSRs.

3. Sign CSRs and upload certificates.

4. Configure tunnel interfaces and establish control connections.

5. Install the license file.


Adding Controllers to vManage

• vSmart is added using the same procedure.

Specify the controller's IP address that is reachable from the vManage VPN0 interface via the NETCONF protocol (TCP 830).


Generating the CSR


Viewing and Transferring the CSR


Installing Signed Certificate


Configuring Interfaces for Control Connections

• Enable the tunnel-interface configuration on the VPN 0 interface on all controllers.

• On vBond, also specify the tunnel-interface encapsulation type.


Verifying Control Connections


Troubleshooting Control Connections

• # show control connections-history


Step 3 – Bringing Up Secure Data Plane


Plug and Play Connect (PnP) Portal

https://software.cisco.com

Smart Account is required

Smart Account

Virtual Account


PnP – Adding Controller Profile


PnP - Adding Controller Profile Settings


PnP - Adding WAN Edge Devices


PnP - Providing Device Details


PnP – Downloading vManage License File


Importing WAN Edge List

• If devices are not validated when importing the license file, you need to manually enable each device under Configuration > Licensing.



Deploying vEdge Cloud Routers


Overview of Installation Steps: vEdge Cloud

1. Obtain software and verify system requirements.

2. Deploy OVA Template.

3. Perform initial configuration (connectivity, system-ip, site-id, org-name, vbond address).

4. If using enterprise CA, install local root CA chain.

5. Activate vEdge Cloud by enrolling it into vManage.


Deploying vEdge Cloud on VMware ESXi

| vNIC | Interface | Default VPN | DHCP enabled | State |
|---|---|---|---|---|
| 1 | eth0 | 512 | Yes | Enabled |
| 2 | ge0/0 | 0 | Yes | Enabled |
| 3 | ge0/1 | | No | Disabled |
| 4 | ge0/2 | | No | Disabled |

• Up to 8 vNICs are supported.


Generating Chassis UUID and OTP Token

• Generate a bootstrap configuration to extract the UUID number and OTP token for the vEdge Cloud activation.


Activating vEdge Cloud


Activating vEdge Cloud (Cont.)

• Verification


Additional Lab Tools


Useful Link and Traffic Manipulators

• WANem – WAN Emulator

  • Transparent bridge with an easy-to-use GUI.

  • Can introduce delay, loss, corruption, reordering and limited bandwidth.

  • Ideal tool for a virtual environment when testing Application Aware Routing policies.

  • wanem.sourceforge.net, released under the GNU GPL license.

• TRex – Realistic Traffic Generator

  • Generates realistic traffic with stateful flow support.

  • trex-tgn.cisco.com, developed by Cisco, released under the Apache 2.0 license.


Next Steps

• Documentation:

https://sdwan-docs.cisco.com

• SD-WAN Guides (CVDs):

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Design-2018OCT.pdf

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/CVD-SD-WAN-Deployment-2018OCT.pdf
