Professional Documents
Culture Documents
Private WAN connections like MPLS are reliable but also expensive. WAN connections are
usually a big chunk of the IT budget, so it’s understandable that organizations are interested in
replacing their private WAN connections with regular Internet connections to reduce costs.
To understand SD-WAN, we first have to talk about some “problems” with traditional WAN
connections. We can choose between private WAN connections or public Internet connections.
Let’s compare these two options:
• Cost: private WAN connections like MPLS are way more expensive than regular Internet
connections.
• Time to deploy: it takes longer to deploy a private WAN connection than a regular
Internet connection.
• SLA: Service providers offer SLAs for private WAN connections that we don’t have for
regular Internet connections. There are providers who offer SLAs for “business” class
Internet connections, but these are usually way more expensive than regular (consumer)
Internet connections.
• Packet loss: Internet connections have a higher packet loss rate compared to private
WAN connections like MPLS.
• QoS: Internet connections don’t offer any QoS. You can prioritize your outgoing traffic
but that’s it, the Internet itself is like the wild west. Private WAN connections often
support end-to-end QoS.
The way we use our WAN has also changed throughout the years. Most organizations had an
HQ, remote users, and perhaps some branch offices. Branch offices were connected to the HQ
with private WAN or VPNs over the Internet. Remote users used remote VPN over the Internet
to connect.
Nowadays, organizations also run their own applications in the cloud instead of on-premises, and
they use applications like Office 365 or Gsuite. Our traffic patterns look different now:
What about network management? Each router has its own control plane, and we use the CLI
to manually create our router configurations “box-by-box”. This is time-consuming and prone to
errors. We can use network automation tools to make our lives easier, but the control plane
remains decentralized.
SD-WAN promises to save money by using a combination of Internet and private WAN
connections and make network management much easier.
One problem with SD-WAN is that each vendor has a different idea about what SD-WAN is. I’ll
give you a basic overview of what SD-WAN is about. An SD-WAN solution has parts of the
control plane centralized and is built with network automation and orchestration in mind.
We create network policies globally and push them to all routers from a central location. You
could create a QoS policy and push it to all your 500 branch routers with a single mouse click.
We don’t use the CLI anymore. Instead, we have a GUI and use APIs to configure and manage
our WAN connections. Some vendors still support a CLI if you want to do some troubleshooting.
We use multiple WAN connections and active/active per-application load-balancing. Let’s say
we have a site with a fiber, cable, 4G, and DSL connection. SD-WAN monitors all these WAN
connections and keeps track of performance metrics like the throughput and delay. It selects the
WAN connection with the lowest latency and highest throughput.
When a certain link fails then it can fail over to the next best option. It can also do this on a per-
application level. You could use the fiber connection for traffic to the public cloud and the cable
connection for low-priority FTP traffic. It protectson traffic over public Internet connections with
IPSec.
SD-WAN could be an alternative to an expensive private WAN link with an SLA that promises
“five nines” of uptime (99.999%). The idea behind it is that multiple WAN connections are
always more reliable than a single WAN connection.
•
o Intelligent WAN (IWAN)
o Meraki SD-WAN
o Cisco SD-WAN (Viptela)
IWAN is Cisco’s first SD-WAN solution for the ISR platform and intended for hybrid WAN
(MPLS and Internet) or Internet-only connections.
Meraki SD-WAN is for existing Meraki customers that are interested in the advantages of SD-
WAN. Here are some features that it offers:
• Apply bandwidth, routing, and security policies from a central location to all WAN
connections (MPLS, Internet, 4G, etc.)
• Centralized network visibility and control.
• QoS and bandwidth management with Meraki traffic shaping
• Dynamic policy and performance-based path selection with automatic load balancing.
• Secure connectivity with cloud applications, remote offices, or datacenters.
Components
This solution consists of four main components and one optional analytics component:
• vManage (management)
• vSmart (controller)
• vEdge (routers)
• vBond (orchestrator)
• vAnalytics (analytics)
Let me explain these components.
vManage
vManage is the Network Management System (NMS) to configure and manage the entire SD-
WAN solution. You can use a GUI or REST API to access it. This is where you create device
configurations and network policies. vManage also alerts you when there are events or outages.
vSmart
vSmart is the control plane of the architecture. vSmart controllers advertise routes, security, and
policy information. Cisco SD-WAN uses the proprietary Overlay Management Protocol (OMP)
for this. vSmart implements the policies that you configure through vManage.
For example, imagine you create a policy through vManage where real-time voice traffic
requires a latency of less than 100 ms. The vSmart controller downloads the policy, converts it
into a format suitable for the vEdge routers and then implements it on all vEdge routers.
All vEdge routers peer with a vSmart controller, it’s a hub and spoke topology. It’s similar to a
BGP route reflector or a DMVPN NHRP server. The vSmart controller only lives in the control
plane and is never in the data plane.
vBond
vBond is the orchestrator. It authenticates vSmart controllers and vEdge routers and coordinates
connectivity between them. It tells vEdge routers where and how to connect to vManage and
vSmart controllers. vBond requires a public IP address so that all devices can connect to it. When
a vEdge router joins the SD-WAN, the first thing it talks to is the vBond orchestrator.
vAnalytics
vAnalytics is an optional analytics service. It gives you visibility of applications and your
infrastructure in the entire SD-WAN. You can use it for forecasting, and it gives you
recommendations about your traffic and WAN connections. This can be useful to figure out
whether you need to upgrade or downgrade certain WAN connections.
Cloud or on-premises
You can implement Cisco SD-WAN with a combination of cloud and on-premises options:
• The vEdge routers and vBond orchestrator are available as hardware or VMs.
• vManage and vSmart controllers are only available as VMs.
You can run the VMs on-premises on ESXi or KVM, or host them at cloud providers like
Amazon AWS or Microsoft Azure.
vEdge
vEdge is the software or hardware routers at your sites and responsible for the data plane. vEdge
routers connect to a vSmart controller through a Datagram Transport Layer Security (DTLS)
connection. If you want to use hardware, you have the following options:
If you want to use software, you have two options for VMs:
• vEdge Cloud
• Cisco Cloud Services Router (CSR)
Cloud onRamp
In the traditional model, you find all on-premises infrastructure and applications in a central HQ
site or data center. We connect our branch offices in a hub and spoke topology and route all
traffic from the branch offices to the HQ or datacenter.
Organizations nowadays often use cloud SaaS applications like Office 365, Gmail, or Salesforce.
Instead of running everything on-premises, we also use IaaS services in the public cloud.
The traditional hub and spoke model where we connect and route all branch traffic to the main
site or datacenter doesn’t work anymore. Cisco SD-WAN connects sites directly to these SaaS
applications or IaaS services using one or more WAN connections.
Cloud onRamp SaaS monitors the performance of all WAN connections from a branch office to
a SaaS application. Each path gets a “quality of experience” performance score from 0-10, 10
being the highest score. It makes real-time decisions to choose the best performing path between
the end users at the branch office and the SaaS application in the cloud. You can monitor this in
the vManage GUI.
Cloud onRamp IaaS extends the SD-WAN network into the public cloud. Through vManage,
you can automatically create vEdge cloud routers in the public cloud provider infrastructure.
This allows you to connect directly from your on-premises vEdge routers to the vEdge cloud
routers at the public cloud provider.
Cisco SD-WAN Lab Options
If you want to learn Cisco SD-WAN, you need to get some hands-on experience. In this lesson,
I’ll give you an overview of the different options.
Online
DevNet
Cisco calls DevNet their single resource for everything “developer”. You can find labs, tutorials,
sandboxes, and code examples here. DevNet also includes a couple of Cisco SD-WAN
sandboxes.
There is a sandbox you can access without making a reservation which is great if you want to
quickly look at a couple of things. You can also reserve a sandbox so you can work on it alone.
The only thing you need to access DevNet is a CCO account.
I think DevNet is great if you are already somewhat familiar with the basics of Cisco SD-WAN.
It’s great for testing things like templates or policies without having to worry about building a
lab. It’s also a great option if you want to play around with the Cisco SD-WAN API.
dCloud
Like DevNet, Cisco’s dCloud also offers labs, sandboxes, and demos. You only need a CCO
account to get access.
There used to be some Cisco SD-WAN sandboxes here but the last time I checked, they were all
gone except for the “SASE – Viptela Secure Edge v1” guided demo. It might be worth it to
check though.
en
You only need to run the vManage, vBond, and vSmart controllers once but those require 6
vCPUs and 19GB of RAM. You’ll need multiple vEdge routers. Also, you will need some other
devices like regular Cisco IOS routers, switches, and perhaps an ASA.
What do we use to run the images? Cisco offers three image types:
VMWare ESX
The first time I messed around with Cisco SD-WAN I tried the OVA images in VMWare ESX.
This works, but I think it’s too much of a hassle:
• You need to manually add a serial port if you want to telnet into a console.
• You need to create port-groups if you want to create “segments” between devices.
• If you want to change the port-group of a vNIC, you have to shut the VM first.
EVE-NG
EVE-NG is a good choice to build your own Cisco SD-WAN lab. They offer a how-to solution
where they explain how to add the KVM images. It doesn’t take much work and once you add
the images, you can quickly build a topology. I do recommend getting the professional version.
Otherwise, you can’t add links between devices that are already running. Here is our lesson on
how to build your own EVE-NG SD-WAN lab.
GNS3
I believe GNS3 would be a good option. I haven’t tried it, but there are examples out there of
how you can add Cisco SD-WAN KVM images to GNS3. Once that’s done, you should be able
to quickly build a topology.
Conclusion
Here’s what I would do:
• If you are new to Cisco SD-WAN, I would recommend building your own lab in EVE-
NG:
o Building things from scratch is a great way to learn how it works.
o It’s always available to you.
• If you are already familiar with Cisco SD-WAN and you just want to test some things,
DevNet is a great option.
Cisco SD-WAN EVE-NG Lab Installation
There are a number of options to build your own Cisco SD-WAN lab. I believe EVE-NG is your
best option at the moment. In this lesson, I’ll show you everything you need to do to install
EVE-NG and build your own Cisco SD-WAN lab. This includes:
Installation
You can run EVE-NG on physical hardware, or on a KVM or VMWare hypervisor. Details are
on the EVE-NG requirements page. I’m going to install it on VMWare ESXi 7.
Images
To get started, we need to download the Cisco SD-WAN and EVE-NG images.
Cisco
To download the Cisco SD-WAN images, you need a CCO account with a contract. You can
find the images at Cisco’s Software Download.
You can run Cisco SD-WAN on multiple platforms, including VMWare ESXi, KVM, or
Microsoft Azure. We need the KVM images for EVE-NG.
EVE-NG
You can download EVE-NG from the download page. There are two options:
The professional version requires a license but it’s definitely worth the money. Copy the ISO
image to the datastore of your VMware ESXi server.
VMWare ESXi
Port Groups
Before we create the virtual machine, we need to create some additional port groups. Take a look
at the following picture:
I’m creating four port groups. The first port group (LAB) connects to the eth0 interface of the
EVE-NG virtual machine. We use this so we can access the EVE-NG GUI or access it with
SSH.
The other three port groups connect to different “cloud” networks that we can use within EVE-
NG. We can use these to bridge virtual devices to our physical network. Each of the port
groups uses a different VLAN. These cloud icons are useful for SD-WAN because we are going
to use them to simulate different WAN connections.
Make sure you change the security options to Accept on all port groups:
• Promiscuous mode
• MAC address changes
• Forged transmits
We need this because the EVE-NG virtual machine creates different MAC addresses for the
virtual devices. It’s also nice that we can use Wireshark if we ever want to look at our traffic.
Here’s what the end result looks like:
Virtual Machine
Now we can create the virtual machine. Go to Virtual Machines in the Navigator:
Click Create / Register VM and select Create a new virtual machine:
Now we need to configure some parameters:
Set the Guest OS family to Linux and the Guest OS version to Ubuntu Linux (64-bit). Choose a
data storage:
Now we have to customize our virtual machine hardware. Don’t be shy with resources, you’ll
need them. You need at least 19 GB of RAM and 6 vCPUs to run the Cisco SD-WAN
controllers. You need more than that because we need to run vEdge routers and some “regular”
IOS devices.
The vManage controller requires a 100 GB hard disk so make sure your EVE-NG virtual
machine has plenty of storage. You can set the hard disk as “thin provisioned” because it
probably won’t really use 100 GB of storage. Don’t forget to add network cards that map to your
port groups. Also, map the CD/DVD drive to the EVE-NG ISO image you uploaded to the
datastore:
Click on Next and Finish, then power on the virtual machine.
EVE-NG installation
All right, it’s time to install EVE-NG. The next few steps are probably familiar to you’ve if you
installed Ubuntu before. Most of the steps are self-explanatory but let’s go through them anyway.
Let’s select a language:
And select your location:
Now we need to select our network interface. This is what we’ll use to connect SSH into EVE-
NG or access the GUI. Make sure you select the eth0 interface:
We have to set a hostname:
Set the time zone:
Hit Enter if you don’t use a proxy:
Optionally, you can install security updates automatically. If you plan to use this virtual machine
for a long time then it might be a good idea to do so:
The installation will take a few minutes to complete.
Setup
Once the installation is complete, the virtual machine reboots and you see the following screen:
Log in and you are greeted with a setup screen. You need to set the hostname again:
And (optionally) a DNS domain name:
We can use DHCP or a static IP address. I’ll use a static IP address:
Enter the IP address you want to use:
With the subnet mask:
And a default gateway:
Enter the primary DNS server:
And the secondary DNS server:
If you have an NTP server, enter the address here:
If you have a proxy server, configure it here:
Once the setup completes, you’ll see the IP address on the CLI:
You can now access EVE-NG through the GUI or with SSH.
Add Images
With EVE-NG up and running, we can add the Cisco SD-WAN images.
Open a web browser and type in the IP address of your EVE-NG virtual machine. You’ll see this
screen:
If you use the HTML5 console, you can access the CLI of your virtual devices through the web
browser. I prefer the Native Console because it allows you to use your own applications like
Putty or SecureCRT.
Once you are logged in, click on the Add new lab button:
When we add new images, they will automatically show up here. This is how you can check
whether EVE-NG detected your installed images.
EVE-NG has an excellent tutorial that explains how to add the Cisco SD-WAN images. I’m
using these three images:
• viptela-vmanage-19.3.0-genericx86-64.qcow2
• viptela-smart-19.3.0-genericx86-64.qcow2
• viptela-edge-19.3.0-genericx86-64.qcow2
We need to copy these files and add them to the following folder:
/opt/unetlab/addons/qemu/
# mkdir /opt/unetlab/addons/qemu/vtbond-19.3.0
# mkdir /opt/unetlab/addons/qemu/vtedge-19.3.0
# mkdir /opt/unetlab/addons/qemu/vtsmart-19.3.0
# mkdir /opt/unetlab/addons/qemu/vtmgmt-19.3.0
The name before the dash (-) has to match. You can add the version number behind the dash.
Use an application like SecureCRT, WinSCP, or Filezilla to copy the image files to the above
folders. The vEdge image is also used for the vBond controller. Your folders and files should
look like this now:
# ls -lR /opt/unetlab/addons/qemu
/opt/unetlab/addons/qemu:
total 16
drwxr-xr-x 2 root root 4096 Jul 15 16:47 vtbond-19.3.0
drwxr-xr-x 2 root root 4096 Jul 15 16:46 vtedge-19.3.0
drwxr-xr-x 2 root root 4096 Jul 15 16:47 vtmgmt-19.3.0
drwxr-xr-x 2 root root 4096 Jul 15 16:47 vtsmart-19.3.0
/opt/unetlab/addons/qemu/vtbond-19.3.0:
total 241284
-rw-r--r-- 1 root root 247070720 Feb 20 2020 viptela-edge-19.3.0-genericx86-
64.qcow2
/opt/unetlab/addons/qemu/vtedge-19.3.0:
total 241284
-rw-r--r-- 1 root root 247070720 Feb 20 2020 viptela-edge-19.3.0-genericx86-
64.qcow2
/opt/unetlab/addons/qemu/vtmgmt-19.3.0:
total 1084676
-rw-r--r-- 1 root root 1110704128 Feb 20 2020 viptela-vmanage-19.3.0-
genericx86-64.qcow2
/opt/unetlab/addons/qemu/vtsmart-19.3.0:
total 241280
-rw-r--r-- 1 root root 247070720 Feb 20 2020 viptela-smart-19.3.0-
genericx86-64.qcow2
We have to rename the image file names to virtioa.qcow2. Let’s use the mv command for this.
Here’s the vBond image:
# cd /opt/unetlab/addons/qemu/vtbond-19.3.0/
# mv viptela-edge-19.3.0-genericx86-64.qcow2 virtioa.qcow2
# cd /opt/unetlab/addons/qemu/vtedge-19.3.0/
# mv viptela-edge-19.3.0-genericx86-64.qcow2 virtioa.qcow2
vSmart image:
# cd /opt/unetlab/addons/qemu/vtsmart-19.3.0/
# mv viptela-smart-19.3.0-genericx86-64.qcow2 virtioa.qcow2
# cd /opt/unetlab/addons/qemu/vtmgmt-19.3.0/
# mv viptela-vmanage-19.3.0-genericx86-64.qcow2 virtioa.qcow2
For the vManage image we have to do one more thing. This image requires a 100 GB hard disk.
You can create it with the following command:
# cd
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Let’s take another look at our folders so we can see the end result:
# ls -lR /opt/unetlab/addons/qemu
/opt/unetlab/addons/qemu:
total 16
drwxr-xr-x 2 root root 4096 Jul 15 16:49 vtbond-19.3.0
drwxr-xr-x 2 root root 4096 Jul 15 16:50 vtedge-19.3.0
drwxr-xr-x 2 root root 4096 Jul 15 16:52 vtmgmt-19.3.0
drwxr-xr-x 2 root root 4096 Jul 15 16:50 vtsmart-19.3.0
/opt/unetlab/addons/qemu/vtbond-19.3.0:
total 241284
-rw-r--r-- 1 root root 247070720 Feb 20 2020 virtioa.qcow2
/opt/unetlab/addons/qemu/vtedge-19.3.0:
total 241284
-rw-r--r-- 1 root root 247070720 Feb 20 2020 virtioa.qcow2
/opt/unetlab/addons/qemu/vtmgmt-19.3.0:
total 1084872
-rw-r--r-- 1 root root 1110704128 Feb 20 2020 virtioa.qcow2
-rw-r--r-- 1 root root 198656 Jul 15 16:52 virtiob.qcow2
/opt/unetlab/addons/qemu/vtsmart-19.3.0:
total 241280
-rw-r--r-- 1 root root 247070720 Feb 20 2020 virtioa.qcow2
In the output above, you can see the 100 GB hard disk (virtiob.qcow2) that we created. It’s
only using 198656 bytes at the moment.
That’s all we have to do on the CLI. When you go back to the GUI and try to add a new node,
you should see more options:
You can now add one of the Cisco SD-WAN nodes. For example:
The default settings should be OK. Click on Save and add the node to your topology.
IOS Images
Before we wrap up this lesson, we should add some more images. It can be useful to have Cisco
IOS routers and switches if you want to build a large topology.
I grabbed the following two vIOS images from my Cisco CML installation:
• vios_l2-adventerprisek9-m.ssa.high_iron_20190423.qcow2 virtioa.qcow2
• vios-adventerprisek9-m.spa.159-3.m2.qcow2
The first image is for a switch, the second one is a router. These images come with the “refplat”
ISO that you can download if you purchase Cisco CML. I have therefplat_p-20201110-
fcs.iso image.
Like the Cisco SD-WAN images, we have to add some folders in the
/opt/unetlab/addons/qemu folder. Let’s create those:
# mkdir /opt/unetlab/addons/qemu/vios-159-3
# mkdir /opt/unetlab/addons/qemu/viosl2-2019
Now I can copy the files with SCP into these folders and rename them:
# cd /opt/unetlab/addons/qemu/vios-159-3
# mv vios-adventerprisek9-m.spa.159-3.m2.qcow2 virtioa.qcow2
# cd /opt/unetlab/addons/qemu/viosl2-2019/
# mv vios_l2-adventerprisek9-m.ssa.high_iron_20190423.qcow2 virtioa.qcow2
That takes care of it. The images should now be in the node list:
That’s it! We are now ready to build a Cisco SD-WAN lab.
Conclusion
You have now learned:
The sandboxes are great if you want to jump right into testing things like policies, templates, or
the REST API. You don’t have to worry about building a topology and setting everything up.
However, if you are new to SD-WAN then building everything from scratch is a good idea.
You’ll learn how everything works right from the beginning and once it’s up and running, it’s
always available to you. You will also be able to connect devices to your lab that the sandboxes
don’t provide. In this lesson, we’ll configure the required controllers:
•
o vManage
o vBond
o vSmart
You can learn more about what these controllers do in our introduction to SD-WAN lesson.
Once you finish this lesson, the controllers are up and running and you are ready to onboard
vEdge routers.
Configuration
Let me give you an overview of what we are going to do. When you boot the vManage, vBond,
or vSmart controllers for the first time, you will only have access to the CLI. On each controller,
we have to configure two items:
With a basic configuration, the controllers will have network reachability and can talk to each
other. The other thing we have to take care of are certificates. Cisco SD-WAN requires
certificates on each and every device. To create certificates, we’ll set up a new root CA and
sign certificates ourselves for all controllers (and vEdge routers once we finish the installation of
the controllers).
Setting everything up is not too difficult once you understand the steps but it is time-consuming.
• Site 1:
o This is where we add our controllers:
▪ vManage
▪ vBond
▪ vSmart
o System IPs:
▪ The addresses in purple are not IP addresses but system IPs.
▪ Each Cisco SD-WAN requires a unique system IP that is similar to a router ID like
you use in OSPF or BGP.
▪ You can’t use this address anywhere else, not even on a physical interface.
o DC1:
▪ This is an IOS switch I use to connect the controllers to the same VLAN (10).
▪ The switch connects to two different “clouds” to simulate two different ISPs.
• Internet connectivity:
o Clouds:
▪ biz-internet: This cloud simulates a “business class” Internet connection. In
reality, it connects to a VLAN on my office network which provides Internet
access.
▪ public-internet: This cloud simulates a “normal” Internet connection. In reality,
it connects to another VLAN on my office network which provides Internet
access.
• vEdges: the vEdge routers connect through one of the two Internet connections to reach our
controllers.
I’m using the Cisco SD-WAN Release 19.3.x images for this lab. Under the hood, I am using
Eve-NG.
vManage
Let’s start with vManage. This is our NMS (Network Management System) where we control
and monitor our SD-WAN network once everything is up and running.
Startup Configuration
The first time you log in you get a message that you have to select a storage device. I use the
100GB drive that I created when I built the entire topology in Eve-NG:
13:44:26.454 §Thu Jul 8 13:36:31 UTC 2021: The system is going down for
reboot NOW!
Once it’s done formatting the drive, the vManage controller reboots. This can take a few
minutes. Once you see the following message you can log in again:
System Ready
If you don’t see this message then you will be able to log in but it throws an authentication
failure:
viptela 19.3.0
Authentication failure
Once you are logged in you see the # symbol. This tells us we are in the CLI mode:
vmanage#
vmanage(config)# system
vmanage(config-system)# host-name vManage1
vmanage(config-system)# system-ip 172.16.1.101
vmanage(config-system)# site-id 1
vmanage(config-system)# organization-name nwl-lab-sdwan
vmanage(config-system)# vbond 10.1.0.2
vmanage(config-system)# exit
vmanage(config)# vpn 0
vmanage(config-interface-eth0)# ip route 0.0.0.0/0 10.1.0.254
vmanage(config-vpn-0)# interface eth0
vmanage(config-interface-eth0)# ip address 10.1.0.1/24
vmanage(config-interface-eth0)# no shutdown
vmanage(config-interface-eth0)# tunnel-interface
vmanage(config-tunnel-interface)# allow-service all
vmanage(config-tunnel-interface)# exit
vmanage(config-interface-eth0)# exit
vmanage(config-vpn-0)# exit
vmanage(config)#
vmanage(config)# commit
Commit complete.
Certificates
As I explained at the beginning of this lesson, Cisco SD-WAN requires certificates on all
devices. When you generate your own certificates you have different options. For example, some
different options are:
All Cisco SD-WAN controllers run Linux and come with some useful commands, including
OpenSSL. I’m going to use the openssl command on the vManage controller to generate every
certificate we need.
You can use the vshell command to access the Linux commands. For a detailed explanation of
how to build your own CA, you can always check the openssl ca server lesson.
Root CA Certificate
First, we need to create a root CA and the first step is to generate a private key. Let’s open
vshell:
vManage1# vshell
vManage1:~$
vManage1:~$ pwd
/home/admin
Use the following one-liner to create a root CA certificate using the private key we just created:
vManage1:~$ openssl req -x509 -new -nodes -key ROOT-CA.key -sha256 -days 3652
\
-subj "/C=NL/ST=NL/O=nwl-lab-sdwan/CN=vmanage1.lab.nwl.ai" \
-out ROOT-CA.pem
This root certificate is valid for 10 years. You can set the subject if you want. In the output above
I showed how you can do that but it’s not a requirement.
Let’s take a look at our certificate with the cat command:
Now it’s time to open the vManage GUI. This is where we need to install the certificate.
Open a web browser and enter the URL https://10.1.0.1:8443/. You’ll see the following screen:
Log in with username and password “admin” and you’ll end up at the main dashboard. Go to
Administration > Settings:
While we are here, we need to change two settings that don’t have anything to do with the root
CA certificate but that we do have to change. Look for the organization name:
Set the Organization name and click on Save. Now open the vBond settings:
Enter the IP address of the vBond orchestrator and click on Save. Now look for Controller
Certificate Authorization:
The default setting is Cisco Automated. If you use Cisco SD-WAN in a production network you
can have all your certificates signed automatically. We are not so lucky for our home lab so
change it to Enterprise Root Certificate and paste the contents of the ROOT-CA.pem file here:
Click Import & Save.
vManage Certificate
Now it’s time for the vManage certificate. Head over to Configuration > Certificates >
Controllers > vManage > Generate CSR:
You’ll see a pop-up which shows the CSR:
You don’t have to download or copy and paste to your clipboard because it’s saved locally
automatically. Let me show you. We’ll open vshell on our vManage controller:
vManage1# vshell
vManage1:~$ ls -lh
total 16K
-rw-r--r-- 1 admin admin 1.7K Jul 8 13:50 ROOT-CA.key
-rw-r--r-- 1 admin admin 1.3K Jul 8 13:51 ROOT-CA.pem
-rw-r--r-- 1 admin admin 394 Jul 8 13:40 archive_id_rsa.pub
-rw-r--r-- 1 root root 1.2K Jul 8 14:14 vmanage_csr
Let’s sign a certificate. You can use the following openssl command:
In the output above, you can see it uses a default subject because I didn’t specify one. That’s no
problem at all. We only care about a valid certificate.
Go back to the vManage GUI and click on Install Certificate. Paste the contents of the
vmanage1.crt file here:
Click on Install. It might take a few seconds to install the certificate but once it does, you’ll see
the Success message:
This completes the configuration of the vManage controller. Let me summarize what we just did:
One down, two to go. We have the vBond and vSmart controllers left!
vBond
Startup Configuration
viptela 19.3.0
vedge(config)# system
vedge(config-system)# host-name vBond1
vedge(config-system)# system-ip 172.16.1.102
vedge(config-system)# site-id 1
vedge(config-system)# organization-name nwl-lab-sdwan
vedge(config-system)# vbond 10.1.0.2 local
vedge(config-system)# exit
The configuration above is similar to the vManage controller configuration except for the vbond
command. We have to add the local parameter. This tells vBond that the local device is the
vBond orchestrator.
vedge(config)# vpn 0
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.1.0.254
vedge(config-vpn-0)# interface ge0/0
vedge(config-interface-ge0/0)# ip address 10.1.0.2/24
vedge(config-interface-ge0/0)# tunnel-interface
vedge(config-tunnel-interface)# encapsulation ipsec
vedge(config-tunnel-interface)# allow-service all
vedge(config-tunnel-interface)# no shutdown
vedge(config-tunnel-interface)# exit
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# exit
vedge(config)# commit
Commit complete.
The VPN0 configuration is similar to the one on the vManage controller. One difference is that
we have to specify the encapsulation type (GRE or IPSec) with the encapsulation command.
With the above configuration, the vBond orchestrator should be able to reach the vManage
controller. Open the vManage GUI and go to Configuration > Devices > Controllers > Add
controller > Add vBond:
Enter the IP address, username, and password. Keep the “Generate CSR” checkbox marked:
Click on Add. The vManage controller will now add the vBond orchestrator.
Certificate
The vBond orchestrator has been added in vManage and the CSR is created. We still have to do
some “certificate work”:
Let’s do it.
We can download the root certificate from the vManage controller using the request command.
Here’s what it looks like:
admin@10.1.0.1's password:
ROOT-CA.pem 100% 1257 41.1KB/s 00:00
/usr/bin/download: line 33: /proc/sys/kernel/hung_task_timeout_secs:
Permission denied
It throws an error but it does work. With another request command we can install the root CA
certificate:
Our vBond orchestrator now trusts the certificates that our root CA signs.
When we added the vBond orchestrator a CSR was generated. This is stored in the home folder.
You can see it here:
vBond1# vshell
vBond1:~$ ls -lh
total 40K
-rw-r--r-- 1 admin admin 1.3K Jul 8 14:46 ROOT-CA.pem
-rw-r--r-- 1 admin admin 392 Jul 8 13:22 archive_id_rsa.pub
-rw-r--r-- 1 admin admin 24K Jul 8 14:44 master_root.crt
-rw-r--r-- 1 admin admin 43 Jul 8 14:44 root_ca_uuid_list
-rw-r--r-- 1 root root 1.2K Jul 8 14:45 vbond_csr
We need this CSR on the vManage controller so we can sign it there. You could use cat and
copy/paste it but copying is easier. From vshell, use the scp command like this:
vManage1# vshell
vManage1:~$ scp admin@10.1.0.2:/home/admin/vbond_csr .
The authenticity of host '10.1.0.2 (10.1.0.2)' can't be established.
ECDSA key fingerprint is SHA256:w5eOq3Q6ZVdXvnTLq9k3lO8aU2x2uUu6bJIhuGsfngo.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.0.2' (ECDSA) to the list of known hosts.
viptela 19.3.0
admin@10.1.0.2's password:
vbond_csr 100% 1220 40.5KB/s 00:00
Verification
The vBond and vManage controllers are now connected. You can verify this through the GUI or
the CLI.
Using the GUI, go to Monitor > Network > WAN – Edge and click on vBond1. You’ll see this
screen:
In the output above, we see the connection between the two controllers. You can also verify this
from the CLI with the show control connections command on the vManage controller:
Or you can use the show orchestrator connections command on the vBond orchestrator:
PEER PEER
PEER PEER PEER SITE DOMAIN PEER
PRIVATE PEER PUBLIC
ORGANIZATION
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE
IP PORT PUBLIC IP PORT REMOTE COLOR STATE
NAME UPTIME
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-------------------------------------
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12346 10.1.0.1 12346 default up nwl-sdwan-
lab 0:00:06:38
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12446 10.1.0.1 12446 default up nwl-sdwan-
lab 0:00:06:38
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12546 10.1.0.1 12546 default up nwl-sdwan-
lab 0:00:06:57
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12646 10.1.0.1 12646 default up nwl-sdwan-
lab 0:00:06:57
vSmart
The vSmart controller authenticates vEdge routers and pushes policies to vEdge routers. We take
the same steps as we did on the vBond orchestrator.
Startup Configuration
viptela 19.3.0
vsmart(config)# system
vsmart(config-system)# host-name vSmart1
vsmart(config-system)# system-ip 172.16.1.103
vsmart(config-system)# site-id 1
vsmart(config-system)# organization-name nwl-lab-sdwan
vsmart(config-system)# vbond 10.1.0.2
vsmart(config-system)# exit
The configuration above is similar to what we did with the vManage controller. Let’s configure
the VPN0 interface:
vsmart(config)# vpn 0
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.0.254
vsmart(config-vpn-0)# interface eth0
vsmart(config-interface-eth0)# ip address 10.1.0.3/24
vsmart(config-interface-eth0)# tunnel-interface
vsmart(config-tunnel-interface)# allow-service all
vsmart(config-tunnel-interface)# no shutdown
vsmart(config-vpn-0)# commit
Commit complete.
Open the vManage GUI and go to Configuration > Devices > Controllers > Add Controller >
vSmart:
Certificate
Let’s fix our certificates. First, we copy the root CA certificate from the vManage controller:
admin@10.1.0.1's password:
ROOT-CA.pem 100% 1257 29.3KB/s 00:00
/usr/bin/download: line 33: /proc/sys/kernel/hung_task_timeout_secs:
Permission denied
Let’s sign a certificate for the vSmart controller. The CSR is in the home folder:
vSmart1# vshell
vSmart1:~$ ls -lh
total 36K
-rw-r--r-- 1 admin admin 1.3K Jul 8 15:21 ROOT-CA.pem
-rw-r--r-- 1 admin admin 393 Jul 8 13:21 archive_id_rsa.pub
-rw-r--r-- 1 admin admin 24K Jul 8 15:20 master_root.crt
-rw-r--r-- 1 root root 1.2K Jul 8 15:20 vsmart_csr
vManage1# vshell
vManage1:~$ scp admin@10.1.0.3:/home/admin/vsmart_csr .
The authenticity of host '10.1.0.3 (10.1.0.3)' can't be established.
ECDSA key fingerprint is SHA256:gv8oQ54VKEW4Kvivxf2btphPiRidY1kF+LncAJO3Ioc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.0.3' (ECDSA) to the list of known hosts.
viptela 19.3.0
admin@10.1.0.3's password:
vsmart_csr 100% 1220 208.8KB/s 00:00
Verification
Let’s verify our work. In the vManage GUI, go to Monitor > Network > WAN – Edge and
click on vSmart1. You’ll see this screen:
Above, you see the connection with the vSmart controller. You can also verify this from the CLI:
PEER PEER
PEER PEER PEER SITE DOMAIN PEER
PRIVATE PEER PUBLIC
ORGANIZATION
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE
IP PORT PUBLIC IP PORT REMOTE COLOR STATE
NAME UPTIME
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-------------------------------------
0 vsmart dtls 172.16.1.103 1 1 10.1.0.3
12346 10.1.0.3 12346 default up nwl-sdwan-
lab 0:00:16:15
0 vsmart dtls 172.16.1.103 1 1 10.1.0.3
12446 10.1.0.3 12446 default up nwl-sdwan-
lab 0:00:16:15
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12346 10.1.0.1 12346 default up nwl-sdwan-
lab 0:00:11:30
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12446 10.1.0.1 12446 default up nwl-sdwan-
lab 0:00:11:30
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12546 10.1.0.1 12546 default up nwl-sdwan-
lab 0:00:11:35
0 vmanage dtls 172.16.1.101 1 0 10.1.0.1
12646 10.1.0.1 12646 default up nwl-sdwan-
lab 0:00:11:33
system
host-name vManage1
system-ip 172.16.1.101
site-id 1
organization-name nwl-sdwan-lab
vbond 10.1.0.2
!
vpn 0
interface eth0
ip address 10.1.0.1/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.0.254
system
host-name vBond1
system-ip 172.16.1.102
site-id 1
organization-name nwl-sdwan-lab
vbond 10.1.0.2 local
!
vpn 0
interface ge0/0
ip address 10.1.0.2/24
tunnel-interface
encapsulation ipsec
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.0.254
system
host-name vSmart1
system-ip 172.16.1.103
site-id 1
organization-name nwl-sdwan-lab
vbond 10.1.0.2
!
vpn 0
interface eth0
ip address 10.1.0.3/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.0.254
hostname DC1
!
ip cef
!
interface GigabitEthernet0/0
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0
no switchport
ip address 10.65.91.100 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.65.91.254
!
end
Conclusion
We did some important work. Our controllers are now up and running. If you go to
Configuration > Devices you’ll see the following overview:
We see that all controllers have a certificate and they are in sync. The mode is “CLI”. This is
because we did the original configuration through the CLI. This is something we’ll change in
another lesson when we look at our templates.
• Create a basic system and VPN0 configuration for the vManage, vBond, and vSmart
controllers.
• Create a root CA so you can create your own certificates.
• Sign certificates for each controller and import them into vManage.
• Verify the controller connections.
Cisco SD-WAN Plug and Play Connect
Device Licenses
If you want to add vEdge or cEdge licenses to your Cisco SD-WAN network, you’ll need some
device “licenses”. In Cisco SD-WAN versions before 20.x, it was possible to skip this as I did in
the vEdge onboarding lesson. In version 20.x and later, you need to create these licenses on the
Cisco.com website and import them on your vManage controller.
In this lesson, I’ll show you how to generate these device licenses and download the license file.
Virtual Account
If you want to separate your lab licenses from your other licenses, you should create a virtual
account. Let me show you how to do this. Under Download and manage, and Manage Smart
Account, click on Manage account:
Add a name, set the access level to “private“, and click on Next:
We don’t have to add extra users so click on Next:
Controller
We need to add our vBond controller that the device licenses will belong to. Head back to Cisco
Software Central and under Smart Licensing, look for Network Plug and Play, and click on
Manage devices:
Under settings, add a Profile Name, the Organization Name that you use in your lab, and the
IPv4 address of your vBond orchestrator:
Review the configuration and click on Submit:
Click on Done:
We’ll start with the vEdge devices. Enter VEDGE-CLOUD-DNA as the Base PID. I want 10
device licenses and the Controller Profile is the one we just created. Click on Save to continue:
You should be able to create 25 device licenses in total.
While we are at it, let’s add some licenses for the CSR1000V router as well. This can be useful if
you want to test the cEdge routers. Click on Add Software Device one more time to add licenses
for the CSR1000V router:
In the overview, you’ll see the device licenses that we want to create:
Click on Submit:
And you will see a message that a request has been recorded. Click on Done:
A short while later, you should receive an email that looks like this:
And the devices should show up as Provisioned in the overview:
Serial File
We can now download the file with the licenses. Go to Controller Profiles and click on
Provisioning File:
You can now add this file to the vManage controller and onboard a vEdge (or cEdge) router.
This is explained in the vEdge onboarding lesson.
Conclusion
You have now learned how to create device licenses for your vEdge or cEdge routers.
Cisco SD-WAN vEdge Onboarding
In the previous lesson, we configured site 1 with the vManage, vBond, and vSmart controllers.
This means we are now ready to onboard vEdge routers. That’s what we are going to do in this
lesson.
Configuration
Here is the topology we’ll use:
• On the left side, we have site 1 with the controllers we configured previously.
• On the right side, we have site 2 with two vEdge routers.
• These routers are connected to the “biz-internet” and “public-internet” clouds:
o I use these clouds to simulate two ISPs.
o In reality, these are two VLANs on my local network with Internet access.
We are going to use the “biz-internet” connection to onboard the vEdge1 router with the
controllers. We will prepare the configuration of the “public-internet” connection so that we can
use it in later lessons.
I’ll also only explain how to onboard the vEdge1 router. If you can onboard one router, you
can onboard as many as you like. If you want to follow along with me, see if you can onboard
the vEdge2 router. Later, we’ll build upon this topology and add even more devices to create a
larger SD-WAN network.
Let’s get started and open the console of the vEdge1 router:
viptela 19.3.0
The first time you log in, you have to set a password. I’m using “admin” everywhere in my lab.
Basic Configuration
Before the vEdge router can join the controllers, we have to create a basic configuration. This is
similar to what we configured on the controllers.
System
vedge(config)# system
vedge(config-system)# host-name vEdge1
vedge(config-system)# system-ip 172.16.1.1
vedge(config-system)# site-id 2
vedge(config-system)# organization-name nwl-lab-sdwan
vedge(config-system)# vbond 10.1.0.2
vedge(config-system)# exit
The VPN0 configuration is slightly different. The main reason is that we have two physical
interfaces to configure:
The first part is the same as what we have seen before. There is a new command that we have to
add under the tunnel-interface though:
vedge(config-tunnel-interface)# color ?
Description: Set color for TLOC
Possible completions:
<3g biz-internet blue bronze custom1 custom2 custom3 default gold gre en
lte metro-ethernet mpls public-internet red silver private1 private2 pri
vate3 private4 private5 private6>[default]
The color command sets the “color” for the TLOC. This is required to differentiate the two
WAN connections.
The word “color” and the options like “bronze”, “silver”, or “gold” might imply that this has something
to do with QoS (Quality of Service). Color however is nothing more but something to differentiate the
two WAN connections. It doesn’t have anything to do with QoS.
The ge0/0 interface connects to my “biz-internet” ISP so let’s set the color:
The only difference is that the ge0/1 interface is connected to the “public-internet” ISP. Let’s
commit our configuration:
vedge(config-vpn-0)# commit
Commit complete.
This process is almost the same as what we did with the controllers except for the CSR. Let me
show you.
We’ll start with the root CA certificate. First, we download it from the vManage controller to our
vEdge router:
I’m not sure why it shows these errors. The file is copied anyway. Let’s install it:
vEdge Certificate
Time for our vEdge certificate. We create a CSR on the vEdge router:
vManage1# vshell
vManage1:~$ scp admin@10.65.91.1:/home/admin/vedge1_csr .
viptela 19.3.0
admin@10.65.91.1's password:
vedge1_csr 100% 1220 9.9KB/s 00:00
admin@10.1.0.1's password:
vedge1.crt 100% 1306 27.9KB/s 00:00
/usr/bin/download: line 33: /proc/sys/kernel/hung_task_timeout_secs:
Permission denied
We can now add the vEdge router to the vManage controller. There are two different ways to do
this. I’ll show you how to do this for Cisco SD-WAN versions below and higher than 20.x.
Before 20.x
The vEdge certificate is on the vEdge router but we need to import some of its details into the
vManage and vBond controllers. We need to grab the chassis number and serial number:
vEdge1# show certificate serial
Chassis number: 82ac8968-dd99-4ee7-a14c-d1c39dc49d56 serial number:
85B3AB796BC025AE
Copy these two values and paste them into the following command which we apply on the
vManage and vBond controllers:
You won’t see any output when you paste this command. Open the vManage GUI and log in:
Open Configuration > Certificates > WAN Edge List and click on Send to Controllers:
This pushes the list with serial numbers of our vEdge router(s) to the controllers. You can
see the progress below:
This only takes a few seconds. When it’s ready you’ll see “Success” under the Status column:
That’s all that we have to configure.
After 20.x
You can’t just add a vEdge router with the request vedge add command anymore. You need
to create device “licenses” on cisco.com and add a WAN edge list to the vManage controller.
To create the licenses, check out the Cisco SD-WAN Plug and Play Connect Device Licenses
lesson. Once you have done that, you can continue here.
You should see a message that the file is uploaded successfully. Click on OK:
Instead of uploading the WAN Edge List manually, you can also use the Sync Smart Account button to
automatically synchronize your licenses. I prefer doing this manually so you don’t have to enter your
Cisco.com credentials in a lab environment. Another reason is that your vManage lab controller might
not have Internet access.
You should now see a nice WAN Edge List with 10 vEdge Cloud licenses and 10 CSR1000v
licenses:
Go to Configuration > Certificates and make sure the licenses show up as Valid:
If you forgot to synchronize the WAN edge list with the controllers when you uploaded the file,
you can click on the Send to Controllers button here. The vBond orchestrator now has a list of
licenses that we can use. You can see it here:
Now we can add a vEdge router. Go to Configuration > Devices > WAN Edge List. Copy the
Chassis Number and Serial No./Token for one of the vEdge licenses:
Go to your vEdge router and use the following command where you specify the two values:
After a short while, you should see the state change in the WAN Edge List overview:
Verification
To verify whether the vEdge router has been onboarded successfully, we can check the
connections:
PEER PEER
CONTROLLER
PEER PEER PEER SITE DOMAIN PEER
PRIV PEER PUB
GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP
PORT PUBLIC IP PORT LOCAL COLOR PROXY
STATE UPTIME ID
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
------------------------------
vsmart dtls 172.16.1.103 1 1 10.1.0.3
12446 10.1.0.3 12446 biz-internet No up
0:00:13:11 0
vbond dtls 0.0.0.0 0 0 10.1.0.2
12346 10.1.0.2 12346 biz-internet - up
0:00:13:11 0
vbond dtls 0.0.0.0 0 0 10.1.0.2
12346 10.1.0.2 12346 public-internet -
connect 0
vmanage dtls 172.16.1.101 1 0 10.1.0.1
12446 10.1.0.1 12446 biz-internet No up
0:00:13:11 0
The output above shows that we have a connection with all controllers.
In the output above, you can see that the state for the “public-internet” interface is “connect”. This is
because right now, we use the “biz-internet” connection to reach the controllers. Cisco SD-WAN will
attempt to reach the controller(s) using all WAN connections. This is something we’ll look into in
another lesson.
system
host-name vManage1
system-ip 172.16.1.101
site-id 1
organization-name nwl-sdwan-lab
vbond 10.1.0.2
!
vpn 0
interface eth0
ip address 10.1.0.1/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.0.254
system
host-name vBond1
system-ip 172.16.1.102
site-id 1
organization-name nwl-sdwan-lab
vbond 10.1.0.2 local
!
vpn 0
interface ge0/0
ip address 10.1.0.2/24
tunnel-interface
encapsulation ipsec
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.0.254
system
host-name vSmart1
system-ip 172.16.1.103
site-id 1
organization-name nwl-sdwan-lab
vbond 10.1.0.2
!
vpn 0
interface eth0
ip address 10.1.0.3/24
tunnel-interface
allow-service all
!
no shutdown
!
ip route 0.0.0.0/0 10.1.0.254
hostname DC1
!
ip cef
!
interface GigabitEthernet0/0
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0
no switchport
ip address 10.65.91.100 255.255.255.0
!
interface GigabitEthernet1/0
no switchport
ip address 10.65.92.100 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.65.91.254
!
end
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
Conclusion
You have now learned how to onboard a vEdge router with the controllers:
A scalable alternate is templates. Everything that you can configure through the CLI, you
can also configure with templates. We create templates beforehand, and then you can apply
them to one or as many devices as you like. When you start with templates, there is a learning
curve, and it is time-consuming. However, once everything is set up, you will save time and
reduce the chance of configuration errors.
The controllers and vEdge routers which we configured are currently in CLI mode. We are
going to change this so that we can manage them with templates. When we create templates, we
have to convert the existing CLI configurations to templates. If you don’t do this, some
items in the configuration will be overwritten with default values.
Once the devices are managed through templates, you can’t configure them through the CLI
anymore. However, you can still use show commands.
In this lesson, I’ll show you how to create and attach templates to our vEdge routers.
CLI Mode
Go to Configuration > Devices and look at the WAN Edge List and Controllers tabs. You’ll
see that all devices are in CLI mode:
I’ll explain how to change the vEdge routers from CLI mode to vManage mode. When we finish
this lesson, you’ll have to manage them through templates from then on and you can’t make
any changes through the CLI anymore. But, of course, you can always detach templates from
a device and switch back to CLI mode.
Templates
There are two template types:
• Device template: For each device “type”, we create a device template. This is the template that
we attach to a device.
• Feature template: We create a feature template for each “feature” that you want to configure.
Some examples are the system configuration, VPN, VPN interface, OSPF, EIGRP, BGP, AAA, etc.
There is a “parent-child” relation between the device and feature templates. First, we create
feature templates and attach them to a device template. We then attach the device template
to a device, like a vEdge Cloud router.
Feature Templates
Let’s start with the feature templates. Below is the configuration of the vEdge routers which we
created in the vEdge onboarding lesson.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
We’ll convert the above configuration into multiple feature templates. Open Configuration >
Templates > Feature and click on Add Template.
On the left side, choose the device type. I’m using vEdge Cloud:
On the right side, choose System:
System
We can configure almost all the parameters that you find in the “system” part of the vEdge router
configuration in the next screen. But, first, we give the template a name:
Below, there is a bunch of items we can configure, divided into four main sections:
• Basic Configuration
• GPS
• Tracker
• Advanced
Device Specific
We can use a feature template for multiple devices but some configuration items are specific to
the device. For example:
• We want to use site ID 2 on two vEdge routers and site ID 3 on another vEdge router.
• The system IP is unique on every device.
• [system_site_id]
• [system_system_ip]
These two are variables but are called “keys” in the template. Later, when we apply the
template, you’ll see that we have to manually fill these fields. If you want, you can change the
variable name:
Default
The default setting has some fields filled with default values. For example, the overlay ID or
Timezone. Other fields are empty by default.
Global
The global values apply to all devices that you use this feature template for. One example is
the Console Baud Rate:
If I use a global value for the Console Baud Rate, all devices using this feature template will
have their baud rate set to 115200.
Let’s save this system feature template as it is. The default settings look good to me.
VPN0
Let’s configure the VPN0 interface. Create another feature template and select VPN:
There are not many items that we have to configure here. I set the template name to “template-
vedge-vpn0” and the default VPN is already set to 0:
I do need to add a static route. The default is global, which is fine because all my vEdge routes
need this static route:
Click on + Add Next Hop and then once more on Add Next Hop:
The next hop is also a global value. That’s fine by me because the next hop is also the same for
all my vEdge routers. Click on Add to continue. You’ll see this overview:
Click one Add one more time, and the static route shows up like this:
I don’t have to configure anything else here for VPN0. Click on Save to save this feature
template.
Interfaces
We created the VPN0 template, but we also need the feature templates for the ge0/0 and ge0/1
interfaces.
Ge0/0 Interface
Most of the configuration items are the same for all my vEdge routers. However, the IPv4
address is device-specific. I’ll use the “vpn_if_ge_0_0_ipv4_address” key here. Here’s the
tunnel configuration:
I enable the tunnel-interface option and set the correct color (biz-internet). I also allow all
services. Click on Save to store the template.
Ge0/1 Interface
The Ge0/1 interface is almost the same as the Ge0/0 interface. So, instead of creating this feature
template from scratch, I’ll copy our Ge0/0 template. Click on the three dots next to the template
we just created:
And click on Copy:
Give the template a new name:
And click on the Copy button. Now click on the three dots next to the new template and click on
Edit. Under the basic configuration, I change these items:
We need to change the interface name to ge0/1, and I use another key for the IPv4 address. Then,
under the tunnel settings, I change the color to “public-internet”:
VPN 512
We are almost ready. The only thing left is a template for VPN 512. I’m not using this
management VPN, but if you don’t create a feature template for it, you will get an error when
you attach the device template to one of your devices. Because there is no configuration for VPN
512, the deployment tries to remove the eth0 interface from the vEdge router, which is not
permitted. If you want to see this for yourself, feel free to skip this part so you can see the error
when you attempt to attach the device template.
Eth0 Interface
Create another feature template. This time it’s for the eth0 interface:
This is the only thing we configure here:
Click Save and store the template.
Banner MOTD
Let’s do one more thing. Thus far I’ve only recreated the system configuration and the VPNs.
Let’s add something new, perhaps a MOTD banner. Create another template and select Banner:
Device Template
All right, it’s time to pull everything together. Go to Configuration > Templates > Device >
Create Template > From Feature Template.
There is also the “CLI Template” option. This lets you paste CLI commands and use that as the device
template. You can even replace things like an IP address with variables.
Under Transport & Management VPN, add the VPN and VPN interface templates we created.
Make sure it looks like this:
You can click on the VPN Interface link on the right side to add the extra ge0/1 interface for
VPN0 and the eth0 interface for VPN 512.
In the templates overview, click on the three dots next to the device template and choose Attach
Devices:
In the Attach Devices screen, I suggest starting with a single vEdge router. If you mess
something up, you don’t have to fix all your vEdge routers. Select vEdge1, so it shows up on the
right side:
The vBond controller uses the vEdge cloud image, which is why it shows up in this list.
Click on Attach. In the next screen, you have to enter the variables that we created in the
feature templates:
Click Next to continue. In the next screen, we can see the actual configuration that our device
template generates:
Click on the device you want to see (vEdge1 in my example). Then, under Config Preview, we
see the new configuration. You can also see the difference between this configuration and the
running configuration under Config Diff. Here’s an example:
Excellent. We now have a vEdge router which we manage through vManage. If you go to
Configuration > Devices > WAN Edge List, you can see this:
The output above shows that vEdge1 is now managed by vManage and the assigned template is
“template-vedge”. This is how you create and attach templates.
Conclusion
You have now learned how to manage your devices with device and feature templates.
If you haven’t seen centralized policies before, you can skip this lesson if you want to. I’ll add a
link from the centralized policy lesson to this lesson in case you need it. If you want to see what
a CLI template looks like, please continue.
Go to Configuration > Policies > Centralized Policy and try to Activate any of your policies:
This happens because the vSmart controller is in CLI mode. It has to be in vManage mode.
Let’s fix this.
Configuration
Go to Configuration > Devices > Controllers, and you can see the current Mode:
The best option is to create a device template with the required feature templates because this is a
scalable solution. However, in a lab, with only a single vSmart controller, the quickest way is to
use the CLI mode. I haven’t shown the CLI mode yet in any of our lessons, so this will be a good
exercise.
Click on Configuration > Templates > Create Template > CLI Template. Select vSmart as
the Device Model, give the template a name, and paste in the configuration of your vSmart
controller:
Click on Add to continue.
In the Template screen, select the device template, click on the three dots, and select Attach
Devices:
Select the vSmart controller and click on Attach:
Verification
Go to Configuration > Devices > Controllers, and you’ll see that the vSmart controller is now
in vManage mode:
Go back to Configuration > Policies > Centralized Policy and try to activate one of your
policies again:
This time, you don’t get an error, and you can click on the Activate button.
Conclusion
You have now learned how to create a CLI template to move your vSmart controller from CLI
mode to vManage mode. This solves the “vSmarts are not in vManage mode” error.
Cisco SD-WAN Service VPN
We have installed Cisco SD-WAN controllers, onboarded vEdge routers, and learned how to use
templates.
It’s about time we send traffic between sites. That’s what we can do with a service VPN. We can
configure service VPNs from the CLI or with templates. I’ll show you both options in this
lesson.
Configuration
This is the topology we have:
I have two vEdge devices, each on its own site. Behind each vEdge router is a switch. I’ll use
these switches to ping from one site to another.
system
host-name vEdge2
system-ip 172.16.1.2
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.2/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
system
host-name vEdge3
system-ip 172.16.1.3
site-id 3
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.3/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.3/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
hostname SW2
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.0.102 255.255.255.0
!
ip default-gateway 10.2.0.254
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
CLI
Create a new VPN, assign the ge0/3 interface to it and configure an IP address:
vEdge2(config)# vpn 10
vEdge2(config-vpn-10)# interface ge0/3
vEdge2(config-interface-ge0/3)# ip address 10.2.0.254/24
vEdge2(config-interface-ge0/3)# no shutdown
vEdge2(config-interface-ge0/3)# commit
vEdge3(config)# vpn 10
vEdge3(config-vpn-10)# interface ge0/3
vEdge3(config-interface-ge0/3)# ip address 10.3.0.254/24
vEdge3(config-interface-ge0/3)# no shutdown
vEdge3(config-interface-ge0/3)# commit
That’s all you have to configure. There aren’t any commands that you haven’t seen before. You
can pick any VPN number except 0 or 512.
Templates
Now let’s see how we can configure a service VPN with templates.
Feature Templates
This takes some more work. Go to Configuration > Templates > Feature and click on Add
Template.
VPN10
Ge0/3 Interface
We need another feature template for the interface that connects to the switch. Click on Add
Template and select VPN Interface Ethernet:
• Shutdown: No
• Interface Name: ge0/3
• IPv4 Address: we use the variable “vpn_if_ge_0_3_ipv4_address”
Device Template
We can now attach a device template with these new feature templates to our vEdge routers. We
have two options:
• Add these feature templates to the device template I already created in the templates lesson.
• Copy my existing device templates and edit the new device template.
Both will get the job done, but we have to think about our template design for a minute. If I add
these feature templates to my existing device template, then every device that uses this device
template will have service VPN 10. It might be better to copy the device template and attach the
new device template only to devices that require service VPN 10. Let’s do that. Click on the
three dots next to the template and select Copy:
Give the template a name:
Edit this template and scroll down to the Service VPN section. Add the VPN and VPN Interface
feature templates here:
Click on Update. Now click on the three dots next to our new template and select Attach
Devices:
Select the vEdge2 and vEdge3 routers and click on Attach. In the next screen, you have to fill in
the variables:
Click on Next, and you can look at the configuration preview or difference:
Click on Configure Devices if everything looks OK to you. You’ll see a warning that this will
affect two devices:
Mark the checkbox and click on OK. The templates are now pushed to the vEdges:
This takes a short while. When it’s ready, you’ll see the status “Success”.
Verification
Whether you used the CLI or templates to configure the service VPN, verification is the same.
Let’s take a closer look. Here’s our configuration:
When I configured the service VPN through the CLI, I didn’t specify the advertise connected
command under omp. This is a default setting. We did have to include this in our feature
template. This setting advertises the directly connected routes through OMP. We can see it here:
In the output above, you can see that vEdge2 learned prefix 10.3.0.0/24 through OMP. We see a
similar output on the vEdge3 router:
vEdge3 learned 10.2.0.0/24 through OMP. We can also verify this from the vSmart controller:
vSmart1# show omp peers
R -> routes received
I -> routes installed
S -> routes sent
Above, you see that both vEdge2 (172.16.1.2) and vEdge3 (172.16.1.3) have received and sent a
route. Another useful command is show ipsec. You can use this to look at inbound and
outbound IPSec connections:
In the two outputs above, you can see that there is an IPSec connection between vEdge2 and
vEdge3. Last but not least, let’s try to ping from SW2 to SW3:
SW2#ping 10.3.0.103
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/71 ms
system
host-name vEdge2
system-ip 172.16.1.2
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.2/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.2.0.254/24
no shutdown
!
omp
advertise connected
!
vpn 512
interface eth0
shutdown
system
host-name vEdge3
system-ip 172.16.1.3
site-id 3
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.3/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.3/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.3.0.254/24
no shutdown
!
omp
advertise connected
!
vpn 512
interface eth0
shutdown
hostname SW2
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.0.102 255.255.255.0
!
ip default-gateway 10.2.0.254
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
Conclusion
You have now learned how to configure and verify a service VPN using the CLI or with
templates.
Cisco SD-WAN OSPF Configuration
Cisco SD-WAN uses OMP in the overlay network for routing information, but within a site, it’s
possible that you need OSPF (or BGP) to advertise routes with non-SD-WAN devices. In this
lesson, I’ll explain how to configure OSPF on a vEdge router.
Configuration
This is the topology:
The two switches and the vEdge router are within a single site. SW1 and SW2 are Cisco IOS
switches. I preconfigured these two with OSPF. Next, we’ll configure the vEdge1 router using
device and feature templates. I’m using Cisco SD-WAN version 19.3.0.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.2.1.1/24
no shutdown
!
interface ge0/4
ip address 10.2.2.1/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
hostname SW1
!
ip cef
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.1.101 255.255.255.0
!
router ospf 1
network 10.2.1.0 0.0.0.255 area 0
network 11.11.11.11 0.0.0.0 area 0
!
end
hostname SW2
!
ip cef
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
no switchport
ip address 10.2.2.102 255.255.255.0
!
router ospf 1
network 10.2.2.0 0.0.0.255 area 1
network 22.22.22.22 0.0.0.0 area 1
!
end
Go to Configuration > Templates > Feature > Add Template and select OSPF:
I’ll make a couple of changes here. First, we make the router ID device-specific:
Next, we’ll configure the areas. Click on New Area:
We’ll start with area 0. Set the number and click on Add Interface:
For this example, I could have picked a global value. When you are doing labs, it’s tempting to create
new templates all the time and only use global values. This gets the job done, but if you think about
using device-specific variables, you’ll have a valuable exercise of how you can use templates in a
production network.
Click on Add to continue. In the Area overview, you see that we now have one interface
attached to area 0. Click on Add:
Click again on New Area to create area 1. Specify the area number and click on Add Interface:
Once again, click on Add Interface:
Good. We now have two areas, each with an interface. That’s all we’ll configure for now. Click
on Save to store the template.
Device Template
We can now attach the OSPF feature template to a device template. Go to Configuration >
Templates > Device and edit the device template, which is attached to vEdge1:
Scroll down to Service VPN and select OSPF under Additional VPN Templates:
In the next screen, we can check the Config Diff to see what OSPF commands will be added:
Click on Configure Devices and push the template to the vEdge1 router. This completes the
configuration.
Verification
Let’s verify our work. The CLI commands for OSPF are similar to what you know from Cisco
IOS. First, let’s check the neighbor adjacency:
And there is a command that gives an overview of the entire OSPF process:
As you can see, there are plenty of show commands to verify OSPF.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
admin-tech-on-failure
no route-consistency-check
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
router
ospf
router-id 1.1.1.1
timers spf 200 1000 10000
area 0
interface ge0/3
exit
exit
area 1
interface ge0/4
exit
exit
!
interface ge0/3
ip address 10.2.1.1/24
no shutdown
!
interface ge0/4
ip address 10.2.2.1/24
no shutdown
!
omp
advertise connected
!
vpn 512
interface eth0
shutdown
hostname SW1
!
ip cef
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.1.101 255.255.255.0
!
router ospf 1
network 10.2.1.0 0.0.0.255 area 0
network 11.11.11.11 0.0.0.0 area 0
!
end
hostname SW2
!
ip cef
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
no switchport
ip address 10.2.2.102 255.255.255.0
!
router ospf 1
network 10.2.2.0 0.0.0.255 area 1
network 22.22.22.22 0.0.0.0 area 1
!
end
Conclusion
You have now learned how to configure OSPF on a Cisco SD-WAN vEdge router.
Cisco SD-WAN BGP Configuration
Cisco SD-WAN routers use OMP for routing information on the overlay network. Within a site,
sometimes you need an IGP like OSPF or perhaps BGP.
This lesson will explain how to configure BGP between a Cisco IOS device and a Cisco SD-
WAN vEdge router. We’ll use feature and device templates to accomplish this.
Configuration
Here is the topology we’ll use:
Nothing fancy. We only have our vEdge1 router and SW1. I pre-configured SW1 with BGP. I’m
using Cisco SD-WAN version 19.3.0.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.2.1.1/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
hostname SW1
!
ip cef
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.1.101 255.255.255.0
!
router bgp 1
bgp log-neighbor-changes
network 11.11.11.11 mask 255.255.255.255
neighbor 10.2.1.1 remote-as 1
!
end
hostname SW2
!
ip cef
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
no switchport
ip address 10.2.2.102 255.255.255.0
!
router ospf 1
network 10.2.2.0 0.0.0.255 area 1
network 22.22.22.22 0.0.0.0 area 1
!
end
Specify a name:
Scroll down to NEIGHBOR and click on New Neighbor:
All the other settings are OK. Scroll down and click on Save.
Device Template
Go to Configuration > Templates > Device and edit the device template, which is attached to
vEdge1:
Scroll down to Service VPN and select BGP under the Additional VPN Templates:
Click on Update to continue. In the next screen, we have to fill in the variables about the AS
numbers:
Click on Next, and we can check Config Preview or Config Diff. Below you can see what
configuration will be added to vEdge1:
Click on Configure Devices to push the device template to the router.
Verification
We can use a couple of show commands to check whether or not BGP is up and running. Let’s
check the neighbor adjacency:
Above, we see that we have a neighbor adjacency. If you want to take a closer look, use this
command:
vEdge1# show bgp neighbor
bgp bgp-neighbor vpn 10 10.2.1.101
as 1
msg-rcvd 11
msg-sent 10
outQ 0
uptime 0:00:07:13
state established
last-uptime "Fri Jul 30 12:48:52 2021"
address-family 0
afi ipv4-unicast
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
router
bgp 1
neighbor 10.2.1.101
no shutdown
remote-as 1
!
interface ge0/3
ip address 10.2.1.1/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
hostname SW1
!
ip cef
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.1.101 255.255.255.0
!
router bgp 1
bgp log-neighbor-changes
network 11.11.11.11 mask 255.255.255.255
neighbor 10.2.1.1 remote-as 1
!
end
hostname SW2
!
ip cef
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
no switchport
ip address 10.2.2.102 255.255.255.0
!
router ospf 1
network 10.2.2.0 0.0.0.255 area 1
network 22.22.22.22 0.0.0.0 area 1
!
end
Conclusion
That’s it. You have now learned how to configure and verify BGP on Cisco SD-WAN using
templates and the CLI.
Cisco SD-WAN Localized Data Policy Policer
Cisco SD-WAN offers a centralized policy (network-wide scope) and the localized policy
(single-device scope). There are two localized policy types:
The localized control policy affects the control plane. The vEdge routers have an overlay
network and use OMP to advertise routes, but you can also use “regular” routing protocols like
OSPF or BGP. With the localized control policy, you can affect routing.
The localized data policy controls the flow and data going in and out of interfaces and
interface queues. You can set DSCP or CoS values, and do things like policing, shaping, and
queueing.
In this lesson, I’ll explain how to configure policing with a localized data policy. We are going to
configure this in vManage with templates.
If you are familiar with configuring policing in Cisco IOS and new to Cisco SD-WAN policies,
this will be confusing. I’ll make sure to keep it as easy as possible. In Cisco IOS, we configure a
simple policer like this:
In a nutshell, here’s how it works:
In Cisco SD-WAN, it’s different. The confusing part is that there is new terminology, and some
terminology has a different meaning than what you know from Cisco IOS. The
configuration is also different. Here is a visualization to help you through this:
This requires a lot of explanation. I explained the device and feature templates in this lesson, so
make sure you are familiar with those.
• Groups of Interest are things we can use in our policy. For example:
o Data Prefix-lists
o Policers
o Port mirrors
o And some other items.
• The access control list is not an access-list, as you know it. This is more like a route-map or
policy-map with sequence numbers where you configure:
o Match statements:
▪ DSCP value
▪ Packet length
▪ PLP
▪ Protocol
▪ Source or destination Data Prefix
▪ Source or destination port numbers
▪ TCP SYN
▪ Class (this is a queue)
o Action statements:
▪ Counter
▪ DSCP (change value)
▪ Log
▪ Next Hop (change the next-hop like we do with policy-based routing).
▪ Mirror List
▪ Class
▪ Policer
• The localized policy is where we configure items like:
o QoS Maps (queues)
o Access Control Lists
o Route Policy
o And some other items.
We have to attach the items we created above to each other. This is what it looks like:
Don’t worry, I will show you how to configure all of this step by step. The visualization might
help to understand the steps when we go through all of this. Let’s do this!
Configuration
Here is the topology we’ll use:
This is the exact same topology I used in the service VPN lesson and the templates lesson. I’m
using the same device and feature templates I created before. Service VPN 10 is configured on
the Gi0/3 interfaces of vEdge2 and vEdge3 so that I can send traffic between SW2 and SW3.
Our goal is to configure an inbound policer on the ge0/3 interface of vEdge2. Make sure you
understand how device and feature templates work before you continue with this lesson. We
build upon the knowledge from our previous lessons.
system
host-name vEdge2
system-ip 172.16.1.2
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.2/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.2.0.254/24
no shutdown
!
omp
advertise connected
!
vpn 512
interface eth0
shutdown
system
host-name vEdge3
system-ip 172.16.1.3
site-id 3
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.3/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.3/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.3.0.254/24
no shutdown
!
omp
advertise connected
!
vpn 512
interface eth0
shutdown
hostname SW2
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.0.102 255.255.255.0
!
ip default-gateway 10.2.0.254
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
Go to Configuration > Policies > Localized Policy and click on Add Policy:
Groups of Interest
On the left side, you find the groups of interest. This is where you configure the items that you
can call in other items of the policy, like the access control lists.
Policer
Let’s create a policer. Select Policer and click on New Policer List:
We choose a name and configure the settings for our policer. It doesn’t matter too much what
you pick for a lab:
Click on Add, and you will see the new policer in the overview:
Data Prefix List
Let’s make sure that the policer only works for traffic sourced from 10.2.0.0/24 (site 2). We need
the Data Prefix group of interest for this:
Enter a name and add the correct prefix. Click on Add, and the prefix-list shows up in the
overview:
We now have all the required groups of interest. Click on Next to continue so we can create the
actual policy.
Access Control List
Click on Add Access Control List Policy and select Add IPv4 ACL Policy:
On the left side, we have two options:
By default, there are no sequences, so all traffic matches the default action. The default action
is set to drop. Let’s make some changes here. Click on Add ACL Sequence on the left side,
then click on Sequence Rule on the right.
Select Source Data Prefix and select the data prefix-list we just created:
Now click on Action and select our policer:
I also like to add a counter which should make it easier to see whether we get matches on this
policy. Add the counter, give it a name, and click on Save Match and Actions:
Click on Save Access Control List Policy to continue. The access control list policy shows up
in the overview:
Click Next to continue. We don’t need a Route Policy, so click Next one more time:
In the final screen, give your policy a name. I also like to check the Netflow and Application
checkboxes:
Netflow gives cflowd visibility, and Application allows the vEdge router to monitor the
applications. This doesn’t affect our policer and can be interesting to look at.
The localized policy is ready, and I’d like to attach the access control list to an interface. Before I
can do that, the vEdge router requires the policy in its configuration.
I currently have a device template that is attached to vEdge2 and vEdge3. I could add the policy
here, but that means that vEdge3 also receives the policy. I only want to use my policer policy on
vEdge2. I’ll copy our current device template so that we can use a new template for vEdge2.
Go to Configuration > Templates, click on the three dots and click on Copy:
Give the new template a name and click on Copy:
Click on the three dots and select Edit. Scroll down to Additional Templates and select our
policy:
Click on Update to save the device template. Let’s attach this template to vEdge2. Click on the
three dots next to our template and click on Attach Devices:
The Config Preview and Config Diff screens are interesting. This shows the actual CLI
configuration:
Click on Configure Devices and wait until the configuration is pushed to vEdge2.
We now have the localized policy on vEdge2. It’s there, but not doing anything at the moment.
The policy has been added to vEdge2. We can now add the access control list to an interface.
Head over to Configuration > Templates > Feature Templates.
I have a template for the ge0/3 interface in VPN 10, but it’s attached to multiple vEdge routers. I
only want to attach the policer policy to vEdge2, so we’ll copy the feature template. Click on
Copy:
Give the new template a name and click on Copy:
Click on the three dots next to the new template and select Edit:
Scroll down to ACL/QoS, enable the Ingress ACL, and set the access-list name:
Click on Update. Now we can attach the updated feature template to the device template.
Update Feature Template in Device Template
Go to Configuration > Templates > Device and edit our template-vedge2-vpn10 template once
more:
Scroll down to Service VPN and change the VPN Interface to use our new feature template:
Click on Update to continue. In the next screen where we can change variables, click Next as
well.
In Config Preview or Config Diff, we can see our access-list which will be attached to the ge0/3
interface under VPN 10:
Click on Configure Devices to continue. Wait for a few seconds until the template is pushed to
the vEdge2 router.
Verification
Great, our policer is in place. Let’s find out whether or not it works. A quick way to test the
policer is to send some packets from SW2 to SW3:
Some packets make it, others don’t. This is a good indicator that our policer works.
Let’s check the configuration of vEdge2. To be honest, I had some issues with the commands to
verify everything. Maybe this is related to the version I am using. Let’s take a look. We can see
the access-list is attached to the ge0/3 interface:
Above, we see the policer and counter. Here is the policer configuration:
We can see the association between the policy, access-list, and interface here:
INTERFACE INTERFACE
NAME NAME DIRECTION
-----------------------------------------
SITE2-POLICER ge0/3 in
Or in the interface:
Maybe this is a bug in version 19.3.0. If you do see something here, let me know. I didn’t try
version 18.x or 20.x in my lab. Anyway, this is how you configure a localized control policy.
system
host-name vEdge2
system-ip 172.16.1.2
site-id 2
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
banner
motd "Welcome to the vEdge router!"
!
vpn 0
interface ge0/0
ip address 10.65.91.2/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
interface ge0/1
ip address 10.65.92.2/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.2.0.254/24
no shutdown
access-list SITE2-POLICER in
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
!
policy
app-visibility
flow-visibility
log-frequency 60
policer POLICER
rate 15000
burst 15000
exceed drop
!
lists
data-prefix-list SITE2-PREFIX
ip-prefix 10.2.0.0/24
!
access-list SITE2-POLICER
sequence 1
match
source-data-prefix-list SITE2-PREFIX
!
action accept
count COUNTER1
policer POLICER
!
!
default-action accept
!
!
system
host-name vEdge3
system-ip 172.16.1.3
site-id 3
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
vpn 0
interface ge0/0
ip address 10.65.91.3/24
ipv6 dhcp-client
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.3/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
interface ge0/3
ip address 10.3.0.254/24
no shutdown
!
omp
advertise connected
!
vpn 512
interface eth0
shutdown
hostname SW2
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.0.102 255.255.255.0
!
ip default-gateway 10.2.0.254
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
Conclusion
You have now learned how to configure a localized control policy using vManage and templates.
Cisco SD-WAN Localized Control Policy
BGP
Cisco SD-WAN offers a centralized policy (network-wide scope) and a localized policy (single-
device scope). There are two localized policy types:
The localized data policy affects the data plane. You can influence the flow and data going in
and out of an interface (queues).
The localized control plane affects the control plane. Therefore, you can manipulate routing
decisions. In this lesson, I’ll explain how to configure a localized control policy so you can
influence the BGP local preference.
Configuration
This is the topology we’ll use:
This is the exact same topology that I used in the Cisco SD-WAN BGP configuration lesson. We
are going to create a localized control policy to change the local preference for a prefix we
receive from SW1. I use Cisco SD-WAN version 19.3.0.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
router
bgp 1
neighbor 10.2.1.101
no shutdown
remote-as 1
!
interface ge0/3
ip address 10.2.1.1/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
hostname SW1
!
ip cef
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.1.101 255.255.255.0
!
router bgp 1
bgp log-neighbor-changes
network 11.11.11.11 mask 255.255.255.255
neighbor 10.2.1.1 remote-as 1
!
end
hostname SW2
!
ip cef
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
no switchport
ip address 10.2.2.102 255.255.255.0
!
router ospf 1
network 10.2.2.0 0.0.0.255 area 1
network 22.22.22.22 0.0.0.0 area 1
!
end
Let’s start with the policy. Go to Configuration > Policies > Localized Policy and click on Add
Policy.
Prefix List
This prefix list matches the loopback0 interface of SW1. Click on Add, and it will show up in the
overview:
Route Policy
Click Next until you reach the Route Policy overview. Click on Add Route Policy and then
Create New:
The route policy screen looks similar to the access control list. Enter a name and description,
then click on + Sequence Type and + Sequence Rule:
Click on Match, select Address, and select the prefix list we created:
Now click on Actions, Local Preference, set a value (it doesn’t matter what you pick in this
example), and click on Save Match And Actions:
Make sure the overview looks OK to you, then click on Save Route Policy:
Before we can use the route policy in BGP, we have to push the localized policy to the router.
We’ll do this with the device template. Go to Configuration > Templates > Device and Edit the
device template:
Scroll down to Additional Templates and select the localized policy we just created:
Click on Update to continue. Click Next in the next screen:
In the Config Preview, we can see the actual configuration for the policy:
Once the device template with the policy is pushed to the router, we can edit our BGP feature
template to include the route policy. Go to Configuration > Templates > Feature and Edit the
BGP feature template:
Click on Update, so vManage will push the updated feature template to the router. We don’t
need to edit any variables, so click on Next:
In the Config Diff screen, we can see that two lines are added to the configuration:
Click on Configure Devices so that the configuration is pushed to the router. This completes the
configuration.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
sp-organization-name nwl-lab-sdwan
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
!
vpn 10
router
bgp 1
neighbor 10.2.1.101
no shutdown
remote-as 1
address-family ipv4-unicast
route-policy BGP-LOCAL-PREFERENCE in
!
interface ge0/3
ip address 10.2.1.1/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
policy
!
lists
prefix-list SW1-L0-PREFIX
ip-prefix 11.11.11.11/32
!
route-policy BGP-LOCAL-PREFERENCE
sequence 1
match
address SW1-L0-PREFIX
!
action accept
set
local-preference 111
!
default-action reject
hostname SW1
!
ip cef
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.1.101 255.255.255.0
!
router bgp 1
bgp log-neighbor-changes
network 11.11.11.11 mask 255.255.255.255
neighbor 10.2.1.1 remote-as 1
!
end
hostname SW2
!
ip cef
!
interface Loopback0
ip address 22.22.22.22 255.255.255.255
!
interface GigabitEthernet0/1
no switchport
ip address 10.2.2.102 255.255.255.0
!
router ospf 1
network 10.2.2.0 0.0.0.255 area 1
network 22.22.22.22 0.0.0.0 area 1
!
end
Verification
The simplest way to verify whether this works is to check the BGP routes in the CLI:
vEdge1# show bgp routes
bgp routes-table vpn 10 11.11.11.11/32
info 0
nexthop 10.2.1.101
metric 0
local-pref 111
weight 0
origin igp
as-path Local
path-status valid,best,internal
tag 0
As you can see above, the local preference is set to 111. This is the value we specified in the
route policy.
Conclusion
You have now learned how to configure a localized control policy to influence the BGP local
preference on a vEdge router. I hope you enjoyed this lesson.
Cisco SD-WAN Hub and Spoke Topology
In a Cisco SD-WAN network, vEdge routers build a full-mesh topology with vEdge routers in
other sites. This is the default behavior, and it means that all devices within a service VPN can
communicate with each other. However, a full mesh topology is not always required, and with
many vEdge routers, it can even become a scalability issue.
This lesson will explain how you can use a centralized policy to configure a hub and spoke
topology. The hub site will be able to communicate with all spoke sites. However, spoke sites
can only communicate with the hub and not with other spoke sites.
We have three sites, and I assigned the Gi0/3 interfaces of all vEdge routers to service VPN 10.
We’ll do a “before and after” scenario so you can see the difference between the default (full
mesh) and a hub and spoke topology. I am using Cisco SD-WAN version 19.3.0.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
banner
motd "Welcome to the vEdge router!"
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
interface ge0/3
ip address 10.2.0.254/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
!
system
host-name vEdge3
system-ip 172.16.1.3
site-id 3
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
banner
motd "Welcome to the vEdge router!"
!
vpn 0
interface ge0/0
ip address 10.65.91.3/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.3/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
interface ge0/3
ip address 10.3.0.254/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
!
system
host-name vEdge4
system-ip 172.16.1.4
site-id 4
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
banner
motd "Welcome to the vEdge router!"
!
vpn 0
interface ge0/0
ip address 10.65.91.4/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.4/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
interface ge0/3
ip address 10.4.0.254/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
!
hostname SW1
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.0.101 255.255.255.0
!
ip default-gateway 10.2.0.254
!
end
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
!
end
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.4.0.104 255.255.255.0
!
ip default-gateway 10.4.0.254
!
end
SW3#ping 10.2.0.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 51/63/79 ms
SW3#ping 10.4.0.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/65/74 ms
SW4 can also ping SW1:
SW4#ping 10.2.0.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 55/63/72 ms
We have full connectivity because each vEdge router advertises its prefix through OMP to the
vSmart controller. The vSmart controller advertises all prefixes to the vEdge routers.
In the show ip routes omp and show ipsec outputs below, I removed non-relevant columns to
keep it readable.
In the output above, you can see that all prefixes are learned and installed. One for each WAN
connection.
This also means that all vEdge routers establish IPSec connections with each other. Between
TLOCs on one WAN interface and TLOCs of different WAN interfaces (if there is reachability
between the two WAN clouds). That is the case with two Internet connections like I have, but
not if you have a private WAN connection (like MPLS). You can see the IPSec connections
below:
Each vEdge router has 8 IPSec connections, and we only have three routers (with two WAN
interfaces). This can become a scalability issue with large topologies, especially if you have low-
end branch vEdge routers.
Configuration
Let’s change our topology from full mesh to a hub and spoke topology.
Centralized Policy
Go to Configuration > Policies > Centralized Policy and click on Add Policy:
Groups of Interest
• Site List: A list so we know which site will be the hub and which sites will be the spokes.
• VPN List: The VPN that we want to create a hub and spoke topology for.
Site List
• HUB: site 2.
• SPOKES: site 3 and 4.
Let’s create the VPN list. Under Groups of Interest, select VPN. Enter a name and the VPN
number (10) here:
Click on Add to continue. Then, under Topology, click on Add Topology and select Hub-and-
Spoke:
Give the policy a name, select the VPN List we created, and select the Hub and Spoke Sites.
Click on Save Hub-And-Spoke Policy to save the policy:
If you get an error that the vSmart controller is not in vManaged mode, take a look at this lesson.
Click on Activate:
Verification
Let’s verify our work. First, I’ll try to ping the spoke sites from the hub site:
SW1#ping 10.3.0.103
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.103, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/66/80 ms
SW1#ping 10.4.0.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 59/64/70 ms
We can ping from the hub site to both spoke sites. However, I can’t ping between the spoke sites
anymore:
SW3#ping 10.4.0.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.104, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
vEdge1 has entries for both spoke sites. Now take a look at the spoke routers:
Our spoke routers only know about the 10.2.0.0/24, which belongs to the hub site. The vSmart
controller doesn’t advertise the routes of spoke sites to spoke routers anymore.
Let’s check our IPSec connections again. Here is vEdge1:
vEdge1 still has every possible IPSec connection to the spoke routers. Here are the spoke routers:
Conclusion
You have now learned how to configure a Cisco SD-WAN hub and spoke topology:
What if the performance of the MPLS connection degrades? Temporarily switching over to the
Internet connection could offer a better end-user experience.
Another example is when you have multiple Internet connections. Perhaps through Fiber, Cable,
DSL, and 4G. It would be nice if you could always pick the best connection out of these options.
With Application-Aware Routing (AAR), we can decide which applications should use what
WAN connection, and we can failover based on criteria like packet loss, jitter, and delay.
AAR tracks network statistics from data plane tunnels between Cisco SD-WAN devices and uses
this information to calculate optimal traffic paths.
In this lesson, I’ll show you how to configure AAR and verify your traffic flows. This is the
topology we’ll use:
I have two sites with a single service VPN (10). The two sites are connected using two different
WAN links:
• biz-internet
• public-internet
We’ll take a look at how Cisco SD-WAN uses these two WAN connections if you don’t have
any policies.
Afterward, we’ll configure a centralized policy with Application-Aware Routing and two traffic
rules:
• Telnet traffic should use the “biz-internet” connection. When this traffic exceeds a certain
loss, latency, or delay, it should switch over to the public-internet link.
• An application list with multiple applications should use the “public-internet” link. When
this traffic exceeds a certain loss, latency, or delay, it should switch over to the biz-
internet link.
These two examples will help to understand AAR so you can create your own policies in the
future. I’m using Cisco SD-WAN version 19.3.0.
system
host-name vEdge1
system-ip 172.16.1.1
site-id 2
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
banner
motd "Welcome to the vEdge router!"
!
vpn 0
interface ge0/0
ip address 10.65.91.1/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.1/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
interface ge0/3
ip address 10.2.0.254/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
!
system
host-name vEdge3
system-ip 172.16.1.3
site-id 3
organization-name nwl-lab-sdwan
vbond 10.1.0.2
!
omp
no shutdown
graceful-restart
advertise connected
advertise static
!
banner
motd "Welcome to the vEdge router!"
!
vpn 0
interface ge0/0
ip address 10.65.91.3/24
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
!
no shutdown
!
interface ge0/1
ip address 10.65.92.3/24
tunnel-interface
encapsulation ipsec
color public-internet
allow-service all
!
no shutdown
!
ip route 10.1.0.0/24 10.65.91.100
ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
interface ge0/3
ip address 10.3.0.254/24
no shutdown
!
omp
advertise connected
!
!
vpn 512
interface eth0
shutdown
!
!
hostname SW1
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.2.0.101 255.255.255.0
!
ip default-gateway 10.2.0.254
!
end
hostname SW3
!
no ip routing
!
interface GigabitEthernet0/0
no switchport
ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
!
end
Simulate Flows
Before we configure anything, let’s look at the default behavior. Cisco vManage has a useful tool
to simulate flows and show traffic behavior.
Go to Monitor > Network > WAN – Edge and click on a vEdge router:
Scroll down to Troubleshooting and click on Simulate Flows on the right side:
We’ll try something simple to start with. I’ll specify a flow from source 10.2.0.101 with
destination 10.3.0.103. This is traffic from site 2 to site 3. The protocol number 6 is TCP, and the
destination port is 23 (telnet). Let’s fill in all fields and click on Simulate:
In the output above, you can see that the default behavior is to use both WAN links to send
traffic between the two sites. Once we have configured Application-Aware Routing, we’ll try
this again so you can see the difference.
Configuration
Let’s configure a centralized policy with Application-Aware Routing. Go to Configuration >
Policies > Centralized Policy and click on Add Policy:
Groups of Interest
• Application List
• Site List
• SLA Class
Application List
The application list contains one or more applications that we want to use in our policy. There
are two default application lists:
Each application list has a range of applications. We’ll create a new one so you can see what it
looks like. You probably have more applications than Microsoft or Google apps. Click on New
Application List, give it a name, and select some applications from the dropdown menu. Save
the list by clicking on the Add button:
Site List
Next up is the Site List. We’ll create a new list that defines our two sites (2 and 3). Select Site
and click on New Site List:
Give the Site List a name and add site numbers two and three:
The SLA Class List defines when the traffic has to switch over to another WAN connection. This
is where we define a threshold for packet loss, latency, and jitter. There are four default SLA
classes. Let’s create an SLA Class List. Click on New SLA Class List:
We’ll set some parameters. In a lab, it doesn’t matter what values you select:
Traffic Rules
We don’t need a Topology, or VPN Membership, so click on Next. Select Create New under
Configure Traffic Rules > Application-Aware Routing > Add Policy:
Telnet
Click on + Sequence Type, then select Protocol and Destination Port. Set the Protocol to 6
(TCP) and the destination port number to 23:
Click on the Actions tab and select SLA Class List. Choose the SLA Class that we just created
and set the Preferred Color to “biz-internet”:
Traffic that matches TCP destination port 23 will use WAN connection “biz-internet” by default.
When the traffic exceeds the values we configured in SLA class “SLA-TELNET”, the traffic
switches over to other WAN connections.
When you select the “strict” checkbox, the traffic will only use this WAN interface and won’t failover to
another interface.
Application List
We’ll also add a sequence rule for the application list we created.
Click on + Sequence Rule one more time. Select Match and Application/Application Family
List. Select the Application List we created:
Now go to the Actions tab and select SLA Class List and “public-internet” as the Preferred
Color:
We’ll use the default SLA class this time. Click on Save Match And Actions. We now have two
sequence rules. Click on Save Application-Aware Routing Policy:
We are done with the Traffic Rules, so click on Next:
Application-Aware Routing
Give the centralized policy a name and select the Site List and VPN List that you want to apply
this policy to:
Click on Save Policy, and we are ready:
In the Centralized Policy overview, click on the three dots and select Activate:
If you get an error that the vSmart controller is not in vManaged mode, take a look at this lesson.
Telnet
I’ll fill in the details that match TCP and destination port 23. Click on Simulate:
This shows us that telnet traffic will use the “biz-internet” WAN link. If this traffic exceeds the
values in our SLA class, it would switch over to the other WAN link.
Application List
Let’s try a test for the Microsoft applications. Select “ms-office-365” in the Application list and
click on Simulate:
This traffic now uses the “public-internet” WAN connection. When it exceeds the “default” SLA
class, it will switch over to the “biz-internet” WAN connection.
vSmart Controller
Let me also show you the CLI configuration of the policy on the vSmart controller:
Conclusion
You have now learned how to verify your traffic flows and how to configure a centralized policy
with Application-Aware Routing. I hope you enjoyed this lesson.