SD-WAN – Control Components deployment (on-premise) and configuration

Introduction

Cisco SD-WAN has been rebranded to Cisco Catalyst SD-WAN. As part of this rebranding, the vManage name has been changed to SD-WAN Manager, the vSmart name has been changed to SD-WAN Controller, and the vBond name has been changed to SD-WAN Validator. Together, the vManage, vSmart, and vBond will be referred to as the SD-WAN control components or the SD-WAN control complex.

This article describes how to deploy and configure Cisco SD-WAN control components in a virtual environment.

Components Used

Below are the components I used for this lab scenario.

  • Cisco UCS-C
  • VMware ESXi 7.0
  • VMware vCenter 7.0
  • viptela-edge-20.9.4 (Validator)
  • viptela-vmanage-20.9.4.1 (Manager)
  • viptela-smart-20.9.4 (Controller)

Network Diagram

Below is the logical network topology for this scenario. All control components are virtual form factor. We use ESXi port groups to connect the components to each other.

Figure 1 Control components deployment placement
Figure 2 Control components logical topology

Configurations

This section covers the configuration for this scenario. Basic and common configuration steps may be skipped, except where a step needs adjustments or tuning you should pay attention to.

Virtual machine deployment for control components

  1. Navigate to your vSphere Client, right-click the ESXi host and select “Deploy OVF Template”, then click the “Local File” radio button and select the OVA file from your local machine. Click “NEXT” when you are done.

    Figure 3 Control components VM deployment – Part-1
  2. Enter a name for your SD-WAN Manager instance and select a location for the virtual machine. Click “NEXT”.

    Figure 4 Control components VM deployment – Part-2
  3. Select your compute resource and click “NEXT”.

    Figure 5 Control components VM deployment – Part-3
  4. Review the template details for this VM deployment and click “NEXT”.

    Figure 6 Control components VM deployment – Part-4
  5. Select the virtual disk format and storage location. Click “NEXT”.

    Figure 7 Control components VM deployment – Part-5
  6. Select the virtual network for the SD-WAN Manager VM and click “NEXT”.

    Figure 8 Control components VM deployment – Part-6
  7. Review your deployment configuration and click “FINISH”.

    Figure 9 Control components VM deployment – Part-7
  8. Before you power on the VM, you need to increase the existing HDD storage space and add an additional HDD to the VM. Go to Edit Settings > ADD NEW DEVICE > HARD DISK and click “NEXT”.

    Figure 10 Control components VM deployment – Part-8

    Figure 11 Control components VM deployment – Part-9
  9. Repeat steps 1-7 for the VALIDATOR and CONTROLLER virtual machines.

Control Components Initial Configuration

  1. Power on all VMs and access the virtual machine console for all control components.

    Figure 12 Control components VM deployment – Part-10
  2. On the SD-WAN-MANAGER VM console, log in using “admin/admin” and change the default password, then enter the configuration related to the SD-WAN-MANAGER. Since we only have one SD-WAN MANAGER, we select both the COMPUTE and DATA persona for it.

    Figure 13 Control components VM deployment – Part-11

    Figure 14 Control components VM deployment – Part-12
    Once it finishes, it will reboot. Log in with the new password you created.
  3. Do step 2 for the VALIDATOR and CONTROLLER, but only to change the default password.
  4. Provide the initial configuration for all control component VMs as shown below.

    Figure 15 Control components VM deployment – Part-13
  5. Log in to the SD-WAN MANAGER using the management IP at the following URL: https://100.10.2.1

    Figure 16 SD-WAN Manager GUI
  6. Click the three horizontal bars in the upper-left corner and go to Monitor > Devices. You will see one SD-WAN MANAGER (vManage) in the device list.

    Figure 17 SD-WAN Device Monitor-1

    Figure 18 SD-WAN Device Monitor-2

Add VALIDATOR and CONTROLLER to MANAGER

Now we need to add the validator and the controller to the control components device list. Go to Configuration > Devices and select the Controllers section in the middle of the pane.


Figure 19 SD-WAN Manager add other controller components – Part-1

Figure 20 SD-WAN Manager add other controller components – Part-2
Click the Add Controller drop-down and select each control component you want to add.

Figure 21 SD-WAN Manager add other controller components – Part-3
Fill in the information about the control component you want to add.

Figure 22 SD-WAN Manager add other controller components – Part-4
Repeat the same procedure for the other component until all devices are listed in the Controllers device list.

Figure 23 SD-WAN Manager add other controller components – Part-5

Controller Certificate Installation

  1. If you notice, both the controller (vSmart) and validator (vBond) config parameters are not populated yet. This is because we haven’t installed a certificate on those control components yet. Click the three bars in the upper-left corner and go to Configuration > Certificates, then select Controllers.

    Figure 24 SD-WAN certificate installation  – Part-1
    Before we generate CSRs for those devices, we should check some settings regarding the Organization Name and Controller Certificate Authorization. Go to Administration > Settings. Make sure the Organization Name you entered during the initial config shows up in the GUI; if not, enter the value manually.

    Figure 25 SD-WAN certificate installation  – Part-2
    The next thing is the mechanism used to sign your certificates. I chose the manual process for this lab.

    Figure 26 SD-WAN certificate installation  – Part-3
  2. Now it is time to start the certificate installation process. Click the three bars in the upper-left corner and go to Configuration > Certificates, then select Controllers. Click the three dots on the right side of each component and select Generate CSR.

    Figure 27 SD-WAN certificate installation  – Part-4
  3. Copy the CSR information or download it to your local computer, then click “Close”.

    Figure 28 SD-WAN certificate installation  – Part-5
  4. Go to software.cisco.com; make sure you have a Smart Account before you proceed with the next activity. Select Manage devices in the Network Plug and Play section.

    Figure 29 SD-WAN certificate installation  – Part-6
  5. Select the Certificate tab and click the Generate Certificate button.

    Figure 30 SD-WAN certificate installation  – Part-7
  6. Fill in the information required in Step 1, including the CSR info from the previous step. Click “Next”.

    Figure 31 SD-WAN certificate installation  – Part-8
  7. In Step 2, review the information and click “Submit”.

    Figure 32 SD-WAN certificate installation  – Part-9
  8. Click “Done”; it will take you to the certificate section.

    Figure 33 SD-WAN certificate installation  – Part-10
  9. Now the MANAGER certificate is listed in the certificate section of the Plug and Play Connect page. Click the download button at the far right of the certificate list and open the file with any text editor.

    Figure 33 SD-WAN certificate installation  – Part-11
  10. Click the three bars in the upper-left corner and go to Configuration > Certificates, then click the Controllers section. Click Install Certificate.

    Figure 34 SD-WAN certificate installation  – Part-12
  11. In the Install Certificate box, paste the signed certificate and click “Install”.

    Figure 35 SD-WAN certificate installation  – Part-13
  12. Wait for the installation process to finish with the “Success” status.

    Figure 36 SD-WAN certificate installation  – Part-15

    Figure 37 SD-WAN certificate installation  – Part-16
  13. Click the three bars in the upper-left corner and go to Configuration > Certificates > Controllers. You will see that the Manager (vManage) now shows its certificate expiration date.

    Figure 38 SD-WAN certificate installation  – Part-17
  14. Do steps 2-13 for the VALIDATOR and CONTROLLER; ours is shown below once completed.

    Figure 39 SD-WAN certificate installation  – Part-18
  15. Click the three bars in the upper-left corner and go to Monitor > Devices > Devices. You can see the device health and reachability status as well as the Site ID and System IP of the control components.

    Figure 39 SD-WAN certificate installation  – Part-18

Verification

Control Plane Theory

This section shows verification output from the control components we deployed previously. Before we go to the actual output, we take a short tour of how it works from a theoretical perspective, based on the Cisco Catalyst SD-WAN design guide.

The Cisco Catalyst SD-WAN Manager and Controllers initially contact and authenticate to the SD-WAN Validator, forming persistent DTLS connections, and then subsequently establish and maintain persistent DTLS/TLS connections with each other.

The following diagram illustrates this:

Figure 39 SD-WAN control connections

Control connections to the SD-WAN Validator are always DTLS. By default, connections to the SD-WAN Manager and Controller are DTLS as well, but this can be changed on any device by configuring TLS for the security control protocol. If one device is configured for TLS and another device is configured for DTLS, TLS is chosen for the control connection between the two devices.

Each core (up to a maximum of 8) on the SD-WAN Manager and Controller initiates and maintains a control connection to each SD-WAN Validator (which has a single core), while a single connection is maintained between the SD-WAN Manager and each SD-WAN Controller. If an SD-WAN Controller has 2 vCPUs (which translates into 2 cores), for example, there will be 2 total control connections maintained from the SD-WAN Controller to each Validator, one from each core. If an SD-WAN Manager has 4 vCPUs (which translates to 4 cores), there will be 4 total control connections maintained from the SD-WAN Manager to each Validator, one from each core. Only one control connection is formed between Controllers, and only one connection is formed between SD-WAN Managers. No control connections are formed between redundant SD-WAN Validators.
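The connection rules in the design-guide passage above translate into a countable baseline. The following Python is an added example, not from the article or from Cisco: it encodes those rules for any number of Managers, Controllers and Validators (the article’s lab has one of each) and reports which device shows a connection count different from what the topology should produce, so the output of “show control connections” and “show orchestrator connections” checked in the next section has a known value to compare against. Device names and vCPU counts are constructed.

```python
from collections import Counter
from itertools import combinations

MAX_CORES = 8  # each core, up to a maximum of 8, opens its own connection to each Validator

def expected_connections(managers, controllers, validators):
    """Expected control connections keyed by (device, peer), following the rules above.
    managers / controllers: dict name -> vCPU count (one core per vCPU);
    validators: list of names (a Validator has a single core)."""
    conns = Counter()
    # Every core on a Manager or Controller maintains a connection to every Validator.
    for name, vcpus in {**managers, **controllers}.items():
        for v in validators:
            conns[(name, v)] += min(vcpus, MAX_CORES)
    # A single connection between each Manager and each Controller.
    for m in managers:
        for c in controllers:
            conns[(m, c)] += 1
    # Only one connection between Controllers, and only one between Managers.
    for group in (controllers, managers):
        for a, b in combinations(sorted(group), 2):
            conns[(a, b)] += 1
    # No control connections between redundant Validators, so nothing is added for them.
    return conns

def per_device_totals(conns):
    """Total connections each device should list (a connection counts at both ends)."""
    totals = Counter()
    for (a, b), n in conns.items():
        totals[a] += n
        totals[b] += n
    return totals

def compare(expected, observed):
    """Devices whose observed count differs from the baseline: name -> (expected, observed)."""
    return {n: (expected[n], observed.get(n, 0))
            for n in sorted(set(expected) | set(observed))
            if expected[n] != observed.get(n, 0)}

# Lab topology from the article: one Manager, one Controller, one Validator.
# The vCPU counts are constructed for illustration; the article does not state them.
LAB_MANAGERS, LAB_CONTROLLERS, LAB_VALIDATORS = {"manager": 4}, {"controller": 2}, ["validator"]

if __name__ == "__main__":
    baseline = per_device_totals(expected_connections(LAB_MANAGERS, LAB_CONTROLLERS, LAB_VALIDATORS))
    # Constructed "observed" counts in which one Manager core never connected to the Validator.
    observed = {"manager": 4, "controller": 3, "validator": 5}
    print(dict(baseline))               # {'manager': 5, 'validator': 6, 'controller': 3}
    print(compare(baseline, observed))  # {'manager': (5, 4), 'validator': (6, 5)}
```

A Manager with fewer connections to the Validator than it has cores, as in the constructed mismatch, is the kind of gap the per-core rule makes visible before any edge is onboarded.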

Control component connections

Now let’s jump to the SD-WAN control components to verify their control connections.

From the Manager we can execute the command “show control connections” to display information about active control plane connections (on vSmart controllers and vEdge routers only).

Figure 41 SD-WAN Manager control connections

Run the same command from the controller to see its output.

Figure 42 SD-WAN Controller control connections

From the validator you need a different command, “show orchestrator connections”, which lists the Cisco SD-WAN devices that have active DTLS connections to the vBond orchestrator (on vBond orchestrators only).

Figure 43 SD-WAN Validator orchestration connections

You can use the command “show control local-properties” to display the basic configuration parameters and local properties related to the control plane (on vEdge routers, vManage NMSs, and vSmart controllers only).

Figure 44 SD-WAN control local-properties

Happy labbing!!!