
BRKCRS-2112

Serviceability of SD-WAN

Chandrabalaji Rajaram & Ali Shaikh


Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCRS-2112

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco SD-WAN learning Journey at Cisco Live (Monday to Friday)

Related sessions:
• BRKCRS-2110: Delivering Cisco Next Generation SD-WAN with Viptela (architecture and solution)
• BRKCRS-2111: Migration to Next-Gen SD-WAN (migration and vQOE)
• TECCRS-20004: Cisco SD-WAN Technical Deep Dive
• BRKRST-2557: SD-WAN and NFV Orchestration for Managed Service Providers (SP orchestration)
• BRKCRS-2112: Serviceability for Next Generation SD-WAN (this session)
• BRKCRS-2113: Cloud-Ready WAN for IAAS and SAAS with Cisco Next-Gen SD-WAN
• BRKRST-2514: Next Gen SDWAN with application acceleration/optimization
Agenda

• SDWAN Components overview
• Day 0 – Deployment and troubleshooting
• Day N – Deployment and troubleshooting
• System Maintenance
• Tech Support
• Demo
SDWAN Components Overview
SDWAN Components overview

• vManage NMS
• vSmart Controller
• vBond Orchestrator
• vEdge Router
• vEdge Cloud Router
SDWAN Components overview
Orchestration Plane: Cisco vBond

• Orchestrates Connectivity
• First point of authentication (white-list model)
• Facilitates NAT traversal

[Architecture diagram: vManage (with APIs, 3rd party, vAnalytics and automation), vBond, vSmart controllers and vEdge routers over MPLS, 4G and INET transports, connecting cloud, data center, campus, branch and SOHO sites.]
SDWAN Components overview
Management Plane: Cisco vManage

• Single pane of glass
• Policies and Templates
• Troubleshooting and Monitoring
• Programmatic interfaces

[Same architecture diagram, with vManage highlighted.]
SDWAN Components overview
Control Plane: Cisco vSmart

• Handles all the Overlay-network routing
• Facilitates the DP encryption between vEdges
• Propagates the policies for handling DP traffic

[Same architecture diagram, with the vSmart controllers highlighted.]
SDWAN Components overview
Data Plane: Physical/Virtual vEdge and vEdge Cloud

• WAN edge router
• Provides secure data plane with remote vEdge routers
• Implements data plane and application aware routing policies

[Same architecture diagram, with the vEdge routers highlighted.]
Cisco SD-WAN Cloud-Delivered Architecture
Multitenant, Cloud-Operated and Cloud-Delivered

[Diagram: vManage (GUI, secure REST API, analytics) and the vSmart controllers run in a private, hosted or managed cloud; a secure control plane reaches the vEdge routers in the data center, campus, branch, small office and home office; the secure SD-WAN fabric runs over MPLS, 4G and INET transports.]
Fabric Operation Walk-Through

OMP Update (vSmart to vEdge over the DTLS/TLS tunnel):
• Reachability – IP Subnets, TLOCs
• Security – Encryption Keys
• Policy – Data/App-route Policies

[Diagram: vSmart exchanges OMP updates and policies with each vEdge over the DTLS/TLS tunnel; the two vEdges build IPsec tunnels with BFD between their TLOCs over Transport1 and Transport2; on the service side, VPN1 and VPN2 on each vEdge learn subnets A, B, C and D via BGP, OSPF, connected and static routes.]
Secure Segmentation

Segmentation by Interface or VLAN. Use cases:
• Security Zoning
• Compliance
• Guest WiFi
• Multi-Tenancy
• Extranet

Per-VPN Topology: Full-Mesh, Hub-and-Spoke, Partial Mesh, Point-to-Point
Day 0

Deployment and troubleshooting

Zero Touch Provisioning – vEdge Appliance

[Diagram: steps 1 to 5 between the vEdge, the Zero Touch Provisioning server and the control and policy elements, ending in full registration and configuration.]

Assumption:
• DHCP on Transport Side (WAN)
• DNS to resolve ztp.viptela.com*
• Delivered as-a-Service

* Factory default config
Zero Touch Provisioning – vEdge Cloud

[Diagram: step 1 applies the Cloud-Init configuration from the VM provisioning tool; steps 2 to 5 run between the vEdge Cloud, vManage and the control and policy elements, ending in full registration and configuration.]

Assumption:
• DHCP on Transport Side (WAN)

* Factory default config
Building basic overlay network

1) Perform initial bring-up and do basic configuration.
2) Enable host or service-side interfaces and routing.
3) Enable overlay routing over OMP.
4) Check the automatic setup of the IPsec data plane.
5) Enforce policies.
Checking Control connections

• Control Up: Total number of devices with the required number of operational control plane connections to a vSmart controller.
• Partial: Total number of devices with some, but not all, operational control plane connections to vSmart controllers.
• Control Down: Total number of devices with no control plane connection to a vSmart controller.
Checking Control connections for a single device

• If the device has multiple interfaces, vManage NMS displays a graphical topology of all control connections for each color.
• Click the arrow to the left to view the control connections for that TLOC color.
• Click the checkbox to the left to select and deselect control connections.
Checking Data connections

• Down: Non-operational connections with other vEdge routers in the network.
• Init: Connections that are reachable but not up yet.
• Up: Operational connections.
Checking OMP Summary
OMP Summary of the vEdge router

Field              Explanation
admin-state        Administrative state of the OMP session. It can be UP or DOWN.
omp-uptime         How long the OMP session has been up and operational.
oper-state         Operational status of the OMP session. It can be UP or DOWN.
routes-installed   Number of routes installed over the OMP session.
routes-received    Number of routes received over the OMP session.
tlocs-installed    Number of TLOCs installed that were learned over OMP sessions.
tlocs-received     Number of TLOCs received over OMP sessions.
tlocs-sent         Number of TLOCs advertised over OMP sessions.
Checking OMP Peers detail
OMP Peers of the vEdge router

Field              Explanation
Peer               IP address of the connected Edge device.
Type               Type of SDWAN device.
State              down—The connection is not functioning.
                   init—The connection is initializing.
                   up—The connection is operating.
Domain ID          Identifier of the domain that the device is a member of.
Site ID            Identifier of the administrative site where the connected Edge device is located.
R/I/S              Number of routes received, installed, and sent over the OMP session.
routes-installed   Number of routes installed over the OMP session.
Checking Device bring-up

[Legend for the bring-up status icons; the icons themselves are not reproduced.]
- Indicates control plane connections are successful
- Indicates ZTP is disabled. Seen during SW upgrade only
- Indicates control plane connection failure
- Indicates that the reason for device bring-up failure is unknown
Troubleshooting Control connections
Possible causes for control connection failure

Connectivity Issues
• DTLS Connection Failure
• TLOC Disabled
• Transient Conditions

Certificate Issues
• Serial number(s) not present
• Certificate revoked/invalidated
• Certificate Verification Failed
• Org. Name Mismatch
DTLS connection failure

Probable causes
• NH not reachable
• Def-GW not installed in RIB
• DTLS port not open in the vBond

Debugging steps:
• PING Def-GW
• Ping vBond if ICMP is allowed on the controllers
• Traceroute to vBond DNS Address
TLOC disabled

Probable causes
• Clearing of Control Connections
• Changing the color on TLOC
• Change in System IP
• Change in any of the configs mentioned in the system block or in the tunnel properties
Transient Conditions

Following are some transient conditions where the control connections flap:
• System-IP change on the vEdge
• Tear-down msg. to vBond [control connection to vBond is transient]

This can be verified using the “show control connections” output as shown below.

[Screenshots (not reproduced) of the “show control connections” output; the visible captions are “Disconnect vBond after register reply” and “System-IP Changed”.]
Serial Number(s) NOT present

• If the serial number is not present on the controllers for a given vEdge, the control connections will fail.
• Verify this by the “send to controllers” option from vManage and / or ‘show controllers [ valid-vsmarts | valid-vedges ]’.

[Screenshots (not reproduced) showing “Serial Number is NOT present”, “Challenge response rejected by peer” and “Peer Board ID Cert not verified” in the output.]
Certificate revoked/Invalidated

• The certificate is revoked when a controller or vEdge serial number is invalidated.

[Screenshot (not reproduced) showing “vSmart Certificate revoked” in the output.]
Certificate installation failed

• Certificate verification failure occurs when the certificate cannot be verified against the root certificate installed.

[Screenshot (not reproduced) showing “Fail to verify Peer Certificate” in the output.]
Organization-name Mismatch

• For a given overlay, the Org. Name has to match across all the controllers and vEdges so that control connections can come up.
• If not, you will see “Certificate Org. name mismatch” as seen below in the “show control connections” output.

[Screenshot (not reproduced) showing “Certificate Org name mismatch” in the output.]
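A triage helper that applies the Control Up / Partial / Control Down definitions from the dashboard section above and maps the failure-reason strings this section lists for “show control connections” to the deck's probable-cause families (connectivity, certificate, transient). This is an added example, not code from the deck or from Cisco; the record layout, device names and colors are constructed, and the required number of vSmart connections is a parameter you supply.

```python
"""Control-connection triage helper (added example, not code from the deck or from Cisco).
Records are a constructed, simplified form of `show control connections`, not the real CLI layout."""

# Failure-reason strings the deck shows in `show control connections`, mapped to the probable
# cause it names for each. Anything else is treated as a connectivity issue.
CERTIFICATE_ISSUES = {
    "Challenge response rejected by peer": "serial number not present on controllers",
    "Peer Board ID Cert not verified": "serial number not present on controllers",
    "vSmart Certificate revoked": "certificate revoked/invalidated",
    "Fail to verify Peer Certificate": "certificate verification failed against root cert",
    "Certificate Org name mismatch": "organization name mismatch",
}
TRANSIENT_CONDITIONS = {
    "System-IP Changed": "system-IP change on the vEdge (connections re-form)",
    "Disconnect vBond after register reply": "vBond tear-down after registration (expected)",
}

def classify_reason(reason):
    """Return (cause family, probable cause) for one failure-reason string."""
    if reason in CERTIFICATE_ISSUES:
        return "certificate", CERTIFICATE_ISSUES[reason]
    if reason in TRANSIENT_CONDITIONS:
        return "transient", TRANSIENT_CONDITIONS[reason]
    # No certificate string: DTLS failure or TLOC disabled, so start with reachability.
    return "connectivity", "check next hop, default gateway in RIB, DTLS port to vBond"

def control_status(connections, required):
    """'up', 'partial' or 'down' per the vManage dashboard definitions, counting only
    operational connections to vSmart controllers (the vBond connection is transient)."""
    up = sum(1 for c in connections if c["peer"] == "vsmart" and c["state"] == "up")
    if up == 0:
        return "down"
    return "up" if up >= required else "partial"

def triage(devices, required):
    """Per device: status plus (color, family, cause) for every connection not up."""
    report = {}
    for name, conns in devices.items():
        failures = [(c["color"],) + classify_reason(c["reason"])
                    for c in conns if c["state"] != "up"]
        report[name] = (control_status(conns, required), failures)
    return report

def dashboard_counts(report):
    """Totals as the vManage dashboard shows them: Control Up / Partial / Control Down."""
    counts = {"up": 0, "partial": 0, "down": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts

# Constructed sample: three vEdges, each expected to hold two vSmart connections.
SAMPLE = {
    "vedge-branch1": [{"peer": "vsmart", "color": "mpls", "state": "up", "reason": ""},
                      {"peer": "vsmart", "color": "biz-internet", "state": "up", "reason": ""}],
    "vedge-branch2": [{"peer": "vsmart", "color": "mpls", "state": "up", "reason": ""},
                      {"peer": "vsmart", "color": "biz-internet", "state": "down",
                       "reason": "Certificate Org name mismatch"}],
    "vedge-branch3": [{"peer": "vbond", "color": "mpls", "state": "down",
                       "reason": "Challenge response rejected by peer"}],
}
```

Run `triage(SAMPLE, 2)` to get the per-device verdicts and `dashboard_counts(...)` for the three dashboard totals.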
Day N

Monitoring and troubleshooting

Health Status Check on vEdge
Checking System Status

Checking the Circuit-Utilization

Checking Transport Quality
WAN > TLOC status

Checking Tunnel Quality
WAN > Tunnel status

Checking DPI stats

Checking App flows

Checking Events

Service-side to Service-side Troubleshooting

App route visualization

Simulate Flows

Debug Logs

System Maintenance
Configuration roll-back
Configuration roll-back using vManage

Software Upgrade
Software Upgrade
Upgrade software version of the vEdge router

NOTE: If the software upgrade is NOT successful and the device loses its connectivity after upgrade, it will automatically roll-back to the previous Software version.
Device Reboot
Device Reboot

Generic Alarms/Notifications
System Alarm - Types

Major Alarm - RED
• One or more hardware components on the router has failed.
• One or more hardware components on the router has exceeded the temperature threshold.

Minor Alarm - YELLOW
• Indicates a warning on the router that, if left unattended, might result in an interruption in router operation or degradation in router performance.
Checking Alarms

Tech-Support
Collecting Show Admin Tech

[Screenshot (not reproduced) of the vManage “Generate Show-admin Tech” option.]
Demo
Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

Thank you
