SD-WAN Lab Guide


SDWAN Lab Guide & Workbook
By Mr. Abhijit Bakale

Telegram Channel for Jobs - https://t.me/nwopenings


Telegram Group for Discussions - https://t.me/pynetlabs
LinkedIn for Latest Updates - https://www.linkedin.com/company/pynetlabs
Control Plane Bring up:

Here we are building a lab on Cisco (formerly Viptela) SD-WAN.

Cisco SD-WAN components are divided into four planes, each with its own dedicated components. Let's discuss them:

Cisco SD-WAN solutions have the following controllers:

1. vManage

2. vBond

3. vSmart
Edge devices in Cisco SD-WAN are known as WAN Edges.

Cisco ISR 4K / ASR 1K routers can be deployed as WAN Edge devices along with native Viptela hardware.

The controller cluster is formed by three controllers, vManage, vSmart and vBond, each with its own role. Let's talk about them:

1. vManage: This is the main component for SD-WAN management. It provides the GUI for managing the complete SD-WAN solution; all the other components are integrated into it and are managed only through it.

2. vSmart: This is the main component for all control plane operations of SD-WAN. It is responsible for taking the decisions for the control plane and the policy plane. All WAN Edges form OMP tunnels with vSmart, which are used to exchange routing updates between the WAN Edges as well as the policies applied to them.

3. vBond: This plays its role in the SD-WAN orchestration plane, which is responsible for automation features such as PnP (Plug and Play) and ZTP (Zero Touch Provisioning). vBond is also responsible for device onboarding.

All these controllers integrate with each other using a secure DTLS/SSL channel.

SD-WAN Lab setup:

ROOT-CA Setup

The following activity configures the ROOT-CA server, which will provide a common root certificate to all the devices that are to become part of the SD-WAN fabric. All devices and controllers must have this common root certificate installed in order to join the fabric.

Step 1: Configure RSA keys with the label PKI to enable SSH

Step 2: Configure the PKI server parameters and enable the interface on which certificate requests will be received

Step 3: Export the certificate to flash: and enable the tftp-server for the same location

After this, the ROOT-CA is ready to sign and grant all SSL certificate requests. All WAN Edges and controllers now need to install the root certificate and get their device certificates (local certificates) signed by the ROOT-CA.

vManage Bring Up

Step-1: Initializing the HDD for vManage: vManage, being the single pane of glass, requires dedicated storage for its GUI software and therefore asks at first boot which drive the software should be installed on.

As your vManage boots up, use the following credentials to log in: admin/admin

Step-2: vManage System level configuration

We need to configure the system-level configuration on all the SD-WAN components, which consists of the following:

1. Host-Name: host name of the controller.

2. Organisation Name: must be the same on all controllers.

3. System-IP: a kind of loopback address, which must be configured uniquely on each device.

4. Site-ID: This defines the site domain and should be the same on all components of the same site.

5. vBond: IP address of vBond. A WAN Edge first communicates with the vBond address, so this address must be reachable.

A VPN in SD-WAN components is another name for a VRF; unlike a VRF, it cannot be configured with a name.

VPN 0 is reserved for all control connections as well as management traffic, whereas VPN 512 is responsible only for management traffic.

Here we are using VPN 0 for both management and control connection traffic.

To enforce the inherent separation between services (such as prefixes that belong to the enterprise) and transport (the network that connects the vEdge routers), all the transport interfaces (that is, all the TLOCs) are kept in the transport VPN, which is internally maintained as VPN 0. This ensures that the transport network cannot reach the service network by default. Multiple transport interfaces can belong to the same transport VPN, and packets can be forwarded to and from transport interfaces.

Management ports are kept separate as well and maintain a separate VPN, which is internally maintained as VPN 512.

VPN 0 is the transport VPN. It carries control traffic over secure DTLS or TLS connections between vSmart controllers and vEdge routers, and between vSmart controllers and vBond orchestrators. Initially, VPN 0 contains all a device's interfaces except for the management interface, and all the interfaces are disabled. For the control plane to establish itself so that the overlay network can function, you must configure WAN transport interfaces in VPN 0.

VPN 512 is the management VPN. It carries out-of-band network management traffic among the Viptela devices in the overlay network. By default, VPN 512 is configured and enabled. You can modify this configuration if desired.

On vEdge routers, the interfaces in VPN 0 connect to some type of transport network or cloud, such as the Internet, MPLS, or Metro Ethernet. For each interface in VPN 0, you must set an IP address, and you create a tunnel connection that sets the color and encapsulation for the WAN transport connection.

Step-3: vManage Interface Configuration:

In this step, we configure two interfaces of vManage. Eth0 will be a member of VPN 0, which is dedicated to all WAN-facing interfaces and is called the transport VPN, and Eth1 will be a member of VPN 512, which is dedicated to management and is referred to as the OOB management VPN.

Step 4: vManage Certificate Download from Root-CA using tftp:

Here we download the root certificate via TFTP from the ROOT-CA server configured above and install it.

vManage GUI Initialization & Component Integration:

After configuring the vManage interfaces, open your web browser and log in to the vManage GUI using the VPN 512 interface (Eth1) IP address: https://10.255.1.110.
A login prompt will appear; log in to the GUI with the vManage credentials admin/admin.

After logging in, you will have to configure basic administration settings so that the vManage GUI knows the organisation name, the vBond IP address and the root certificate details.

Step-1: Login to vManage using https://10.255.1.110

Step-2: Dashboard Screen

Step-3: Configure Organisation Name and vBond IP in vManage:

Dashboard > Administration > Settings:

Step-4: Configure Controller Certificate Authorization:

Dashboard > Administration > Settings > Controller Certificate Authorization > Select Enterprise Root Certificate (in the lab environment):

Note: You need to paste the root certificate into the box here; you can copy it by running the following command on your ROOT-CA router:

ROOT-CA(config)#crypto pki export PKI pem terminal

Step-5: Configure CSR Properties:

Dashboard > Administration > Settings > Controller Certificate Authorization >
Set CSR Properties:

Step-6: Generate Certificate Signing Request CSR:

Dashboard > Configuration > Certificates > Options > Generate CSR >

Step 7: Copy the Certificate Key and Submit the CSR for signing on Root CA:

You need to copy the certificate signing request (CSR) highlighted in blue above and get it signed by the ROOT-CA router. Use the command below and paste the CSR when prompted. In return, the ROOT-CA will give you a granted certificate, which you need to copy and install on the respective vEdge/controller.

ROOT-CA#crypto pki server PKI request pkcs10 terminal
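As an added example that is not part of the original guide, the same ROOT-CA setup, CSR and signing flow reproduced with OpenSSL in a shell script, so that a granted certificate can be checked offline before it is pasted into vManage. The organisation name pynetlabs-lab and the temporary working directory are constructed for the example; the three checks (chains to the distributed root, public key matches our CSR, subject O= matches the organisation name) are the ones worth running on every granted certificate.

```shell
#!/bin/sh
# Added example, not from the lab guide: the ROOT-CA -> CSR -> granted
# certificate flow done with OpenSSL so it can be checked offline.
set -eu
WORK="$(mktemp -d)"
ORG="pynetlabs-lab"   # constructed organisation name; must match on all controllers

# Root CA, the role the IOS 'crypto pki server PKI' plays in the lab.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=ROOT-CA/O=$ORG" >/dev/null 2>&1
}

# Controller side: key pair plus CSR, what vManage does under 'Generate CSR'.
make_csr() {   # $1 = controller name
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "/CN=$1/O=$ORG" >/dev/null 2>&1
}

# CA side: the equivalent of 'crypto pki server PKI request pkcs10 terminal'.
grant_csr() {  # $1 = controller name, $2 = signing CA name (default: root)
  ca="${2:-root}"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$ca.pem" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Checks to run on a granted certificate before installing it in vManage:
#  1. it chains to the root certificate that was distributed over TFTP,
#  2. its public key is the one from our CSR (it was really issued for us),
#  3. its subject O= matches the organisation name configured on the controllers.
verify_granted() {  # $1 = controller name; returns 0 only if all checks pass
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1 || return 1
  csr_key="$(openssl req -in "$WORK/$1.csr" -pubkey -noout)"
  crt_key="$(openssl x509 -in "$WORK/$1.pem" -pubkey -noout)"
  [ "$csr_key" = "$crt_key" ] || return 1
  openssl x509 -in "$WORK/$1.pem" -subject -noout | grep -q "O *= *$ORG" || return 1
}

# Walk through the flow for vManage, as in the guide.
make_root_ca
make_csr vmanage
grant_csr vmanage
if verify_granted vmanage; then
  echo "vmanage: granted certificate passes all checks"
else
  echo "vmanage: REJECT the granted certificate"
fi
```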

Paste the Certificate > Enter

Copy the granted certificate from the terminal of the Root-CA.

Step 8: Install the Granted Certificate in the vManage GUI:

Dashboard > Configuration > Certificates > Select vManage > Install Certificate (right upper corner) > Paste the granted certificate copied from the terminal of the Root-CA > Install

Status should come as Success:

After this, your device certificate installation is complete and vManage is onboarded.

Verify this using the following command on the vManage CLI:

vManage#show control local-properties

vBond & vSmart Bring Up

Step-1: vBond System Configuration: Log in to vBond and vSmart using the same default credentials, admin/admin, and configure the system and interface parameters given below.

Note: When we configure the vBond IP address on vBond itself, we need to use its local address and specify the local keyword.

Step-2: vBond Interface Configuration:

As you can see here, we use ge0/0 instead of eth0; this is because vBond runs the same image as vEdge, the only difference being that the vBond features are enabled in it.

The vBond interface is configured as a tunnel-interface by default, just like on all the WAN Edges, so that it can accept all types of traffic and terminate and initiate IPsec as well as control connections on it.

Step 3: vSmart System Configuration

Step-4: vSmart Interface Configuration:

Main Dashboard View:

Step 5: Adding vBond and vSmart Controllers:

Once vManage is configured, we have to configure the IP addressing on the CLI of vBond and vSmart and change the interface type of the controllers to tunnel mode so that they can terminate/initiate control connections with each other.

Along with changing the interface type, we also allow all services here so that we can communicate with all other components without any service limitations:

Step 6: Add vBond Controller in vManage:

Configuration > Devices > Controller > Add Controller > vBond

Step 7: After adding vBond as a controller, download PKI.ca from the ROOT-CA and install the root certificate chain on vBond:

Step 8: After downloading, we need to do the certificate signing just as we did for vManage.

Go to the Certificates tab from the dashboard:

Dashboard > Certificates > Controllers > vBond > Options > View CSR

Copy the CSR shown and paste it into the terminal of the Root-CA after executing the following command, as you did for vManage:

Root-CA#crypto pki server PKI request pkcs10 terminal

You should get the granted certificate in the CLI of the Root-CA. Copy that certificate and paste it into the vManage GUI to install it, as we did for vManage:

Dashboard > Configuration > Certificates > Controllers > Install Certificates (right upper corner, with vBond highlighted) > Paste > Install
Status should come as Success.

vSmart Bring Up

After adding vBond, proceed to add vSmart.

Step 1: Configuration > Devices > Controller > Add Controller > vSmart

Step 2: After adding vSmart as a controller, download PKI.ca from the ROOT-CA and install the root certificate chain on vSmart:

Step 3: Copy the CSR shown and paste it into the terminal of the Root-CA after executing the following command:

Root-CA#crypto pki server PKI request pkcs10 terminal

You should get the granted certificate in the CLI of the Root-CA. Copy that certificate and paste it into the vManage GUI to install it, as we did for vBond.

After this, the controllers vManage, vSmart and vBond are up and running.
You can use the following verification commands to check the control connections on the controllers:
vManage: show control connections
vBond: show orchestrator connections
vSmart: show control connections
