Professional Documents
Culture Documents
Enterprise Tenancy: The orchestration and management planes are operating in multi-tenancy mode, but the control plane requires dedicated,
per-tenant appliances. Because the control plane is dedicated, it can be deployed as a container or nested virtual machine to decrease scalability
concerns.
Deploying Controller Certificate Options
• Certificate Signing Request (CSR) is generated for each controller and it is automatically sent to the Symantec/Digicert server.
• A Cisco Technical Assistance Center (TAC) case needs to be opened to complete the signing process.
• After the certificate is signed, vManage automatically retrieves each signed certificate and installs it on the respective controller.
• Note that the root certificate is installed by default on each controller.
Option 2: Manual certificate signing using Symantec/Digicert
• This option requires vManage version 19.1 at a minimum and is very similar to the automated Symantec/Digicert option except that the certificates are signed by
the Cisco PKI certificate server and a Cisco TAC case does not need to be opened to complete the signing process.
• A CSR is generated for each controller and is automatically sent to the Cisco PKI certificate server.
• After the signing is complete, the vManage automatically retrieves each signed certificate and installs it on the respective controller.
Note that the root certificate is installed by default on each controller.
Option 4: Manual Cisco PKI certificate signin
• This option requires vManage version 19.1 and is very similar to the manual Symantec/Digicert option except that the certificates are signed by the Cisco PKI
certificate server and a Cisco TAC case does not need to be opened to complete the signing process.
• A CSR is generated for each controller and is copied or downloaded locally.
• A separate certificate request for each controller is made manually through the Plug and Play Connect > Certificates portal at https://software.cisco.com, using
the CSR generated in the previous step.
• After the signing is complete, the certificates can be downloaded by the administrator and each certificate is then uploaded to vManage. vManage installs each
certificate on the respective controller.
Note that the root certificate is installed by default on each controller
Option 5: Manual certificate signing using Enterprise CA
Tip: For WAN Edge devices using enterprise root-ca certificates, the device is installed with the root certificates manually before it initiates a connection with the
vBond orchestrator. In the bootstrap onboarding method, the enterprise root-certificate is copied along with the configuration to the WAN Edge device and installed
to successfully onboard the device.
Cisco IOS-XE SD-WAN onboarding – Bootstrap process
WAN Edge onboarding – Manual process
WAN Edge firewall ports
PNP Portal
PnP Portal: Adding Controller Profile
PnP Portal: Adding Controller Profile Settings
PnP Portal: Adding WAN Edge Devices
PnP Portal: Providing Device Details
Syncing with Smart Account
PnP Portal: Downloading vManage License File
show sdwan certificate root-ca-cert.