I am sure many who have labbed with Catalyst SD-WAN are familiar with Templates, and Cisco has recently added a new feature called Configuration Groups too!
Now I have learnt there is another way of creating Templates: Network Design!
Network Design lets you build your topology in SD-WAN Manager and then configure parameters such as WAN, LAN and Management.
In a nutshell, you can create and modify Templates under Network Design as well as under Templates.
All posts by jaychou_uk
Catalyst SD-WAN Bootstrap!
In air-gapped environments, or wherever the WAN Edge cannot reach the SD-WAN Controllers to download its configuration and establish DTLS tunnels, you can use the Bootstrap option!
With the Bootstrap method you generate the pre-configuration on SD-WAN Manager and save it to a USB drive. When the WAN Edge is powered on it looks for the bootstrap file (ciscosdwan.cfg) and uses the initial config in it to begin onboarding! Bear in mind that this file carries the device's one-time onboarding token and the root CA certificate, so treat the USB drive as a credential: keep it locked away and remove it once the device has joined the overlay.
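A small check you can run on the bootstrap file before it goes onto the USB stick, as an added example that is not part of the original post and not Cisco tooling. It assumes the file follows the cloud-init style layout that SD-WAN Manager generates (a vinitparam list carrying otp, vbond, uuid and org, plus an embedded CA certificate); the key names and the sample file below are assumptions constructed for the example. It confirms the fields an onboarding needs are present and produces a copy with the OTP masked, which is what you should paste into a ticket rather than the raw file.

```python
"""Added example: sanity-check and redact a cEdge bootstrap (ciscosdwan.cfg).

Assumption: the file is cloud-init style with a 'vinitparam:' list holding
otp / vbond / uuid / org.  Key names are assumed, not taken from Cisco docs.
"""
import re

# Constructed sample, not a real bootstrap file; every value is made up.
SAMPLE_BOOTSTRAP = """#cloud-config
vinitparam:
 - otp : 0123456789abcdef0123456789abcdef
 - vbond : 198.51.100.10
 - uuid : C8K-0000AAAA-BBBB-CCCC-DDDD-EEEEFFFF0000
 - org : Example-Org
 - rcc : true
ca-certs:
  remove-defaults: false
  trusted:
  - |
    -----BEGIN CERTIFICATE-----
    MIIB...constructed-placeholder...
    -----END CERTIFICATE-----
"""

# One "- key : value" entry of the vinitparam list.
PARAM_RE = re.compile(r"^\s*-\s*(\w+)\s*:\s*(\S+)\s*$")

# Fields a device needs to find and authenticate to the Validator.
REQUIRED = ("otp", "vbond", "uuid", "org")


def parse_vinitparam(text: str) -> dict:
    """Return the key/value pairs listed under 'vinitparam:' as a dict."""
    params = {}
    in_block = False
    for line in text.splitlines():
        if line.strip() == "vinitparam:":
            in_block = True
            continue
        if in_block:
            m = PARAM_RE.match(line)
            if not m:
                in_block = False  # first non-list line ends the block
                continue
            params[m.group(1)] = m.group(2)
    return params


def check_bootstrap(text: str) -> list:
    """Return a list of problems; an empty list means the file looks complete."""
    params = parse_vinitparam(text)
    problems = [f"missing {key}" for key in REQUIRED if key not in params]
    if "BEGIN CERTIFICATE" not in text:
        problems.append("no root CA certificate embedded")
    return problems


def redact(text: str) -> str:
    """Copy of the file that is safe to share: the one-time token is masked."""
    return re.sub(r"(-\s*otp\s*:\s*)\S+", r"\1<redacted>", text)


if __name__ == "__main__":
    print("problems:", check_bootstrap(SAMPLE_BOOTSTRAP))
    print(redact(SAMPLE_BOOTSTRAP))
```

The OTP is consumed on the device's first successful connection to the Validator, so a file that has leaked before the device comes up is the one to worry about; regenerate the bootstrap from Manager in that case rather than reusing it.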
SD-WAN Manager Database Security
Warning: The configuration database administrator username and password is default and less secure.
Familiar with this banner when you log in to Cisco Catalyst SD-WAN Manager?
You can get rid of it by changing the configuration database (Neo4j) username and password:
1 – request nms application-server stop
Stop the application server on every SD-WAN Manager node (all cluster members) before touching the database.
2 – request nms configuration-db update-admin-user
The default username and password are neo4j and password.
3 – Enter your new username and password.
4 – request nms application-server start
Bring the application server back up on each node once the credentials have been changed.
Checking Chassis Number and Token ID
When I onboard any vEdge or cEdge device with Cisco Catalyst SD-WAN, I would go to Manager > Devices and copy the Chassis Number as well as the Token ID. This can get time consuming with all the clicking back and forth.
I have recently found that you can view the Chassis Number and Token ID just by logging into the Validator and running:
show orchestrator valid-vedges | tab
The Token ID is the one-time password the device presents to the Validator on its first connection, so treat that output as a list of credentials rather than an inventory.
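If you are scripting onboarding, the tabular output above is easier to consume as a chassis-to-token map. The following is an added example (not the blog's own tooling, not Cisco code) that parses it. It assumes the "| tab" output has a header row whose columns are separated by two or more spaces, a dashed rule under it, and one row per device with a CHASSIS NUMBER, SERIAL NUMBER, VALIDITY and ORG column; those column names and the sample rows are assumptions constructed for the example, so check them against your own Validator's output first.

```python
"""Added example: parse 'show orchestrator valid-vedges | tab' into a
chassis -> token map, keeping only devices the Validator considers valid.

Assumption: columns are separated by two or more spaces and are named
CHASSIS NUMBER, SERIAL NUMBER, VALIDITY and ORG.  Assumed, not from Cisco docs.
"""
import re

# Constructed sample output; chassis numbers and tokens are made up.
SAMPLE_OUTPUT = """\
CHASSIS NUMBER                                SERIAL NUMBER                        VALIDITY    ORG
--------------------------------------------------------------------------------------------------------
C8K-AAAA1111-2222-3333-4444-555566667777      0123456789ABCDEF0123456789ABCDEF     valid       Example Org
C8K-BBBB1111-2222-3333-4444-555566667777      FEDCBA9876543210FEDCBA9876543210     invalid     Example Org
"""

# Column boundary: a run of two or more spaces (single spaces stay inside a value).
SPLIT = re.compile(r"\s{2,}")


def parse_valid_vedges(text: str) -> list:
    """Return one dict per device row, keyed by the lower-cased header names."""
    rows = []
    header = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or the dashed rule under the header
        fields = SPLIT.split(stripped)
        if header is None:
            header = [f.lower().replace(" ", "_") for f in fields]
            continue
        if len(fields) != len(header):
            raise ValueError(f"row does not match header: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def onboarding_tokens(text: str, require_valid: bool = True) -> dict:
    """Map chassis number -> token (SERIAL NUMBER column), valid devices only by default."""
    return {
        row["chassis_number"]: row["serial_number"]
        for row in parse_valid_vedges(text)
        if not require_valid or row["validity"] == "valid"
    }


if __name__ == "__main__":
    for chassis, token in onboarding_tokens(SAMPLE_OUTPUT).items():
        # Mask the token when printing; it is a one-time credential.
        print(chassis, token[:4] + "..." + token[-4:])
```

Filtering on VALIDITY matters: a device marked invalid has been rejected or decommissioned in Manager, and handing its token to an installer just produces a failed join.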
PLATFORM ERROR C8000V
If you keep seeing error logs on the CLI along the lines of:
%SMART_LIC-2-PLATFORM_ERROR: Smart Licensing has encountered an internal software error.
SOLUTION:
Turn off the Smart Licensing transport. Only do this where the device is not expected to report licence usage to CSSM over the network (for example an air-gapped deployment), because it stops that reporting:
config-transaction
license smart transport off
commit
Or suppress the message with a logging discriminator in a CLI Add-On Template. Note this only hides the message on the console; it does not change the licensing state, so you lose the symptom rather than the cause:
!
logging discriminator ERROR mnemonic drops PLATFORM_ERROR
!
logging console discriminator ERROR
!
ZTP/PnP Process
ZTP Process Overview – pure-play Viptela operating system
A vEdge uses ZTP, and the steps are:
- The router reaches out to ztp.viptela.com.
- The public ZTP Validator redirects it to the customer's own Validator.
- The Validator runs the whitelist/blacklist (allow/deny list) check before the device receives its configuration from Manager.
- The full configuration and registration are then completed.
Cisco Plug-and-Play Process Overview
- The customer or partner creates an order on Cisco Commerce Workspace (CCW), and the order is associated with their Smart Account.
- The Cisco team defines the org name and deploys the SD-WAN Controllers in the public cloud. By default you receive one Manager, one Controller and one Validator, with a second Validator and Controller in a secondary region.
- The Smart Account and overlay information is synchronised to the PnP Connect service and to the ZTP servers, even though ZTP applies to vEdge only.
- PnP applies to cEdge only.
- WAN Edges, whether cEdge or vEdge, learn the IP address of the Validator this way.
- Manager synchronises the Smart Account information directly from the PnP Connect service, which in turn downloads the WAN Edge allowed list.
- The WAN Edge connects to the Validator and begins the onboarding process.
Perform a Database Installation
I used to do this all the time and never really understood what it was for. Well, I do now!
- Compute and Data – includes all the services Manager requires: application, statistics, configuration, messaging and coordination. Use this persona for a standalone node and for the first node in a vManage cluster.
- Compute – includes the application, configuration, messaging and coordination services but not the statistics services. A node with this persona cannot operate standalone and must be part of a vManage cluster.
- Data – includes only the application and statistics services. A node with this persona cannot operate standalone and must be part of a vManage cluster.
- Statistics Database – stores statistics from all the Cisco Catalyst SD-WAN devices in the network.
- Configuration Database – stores all the device and feature templates and the configurations for all the Cisco Catalyst SD-WAN devices in the network.
- Messaging Server – distributes messages and shares state among all the Cisco SD-WAN Manager cluster members.
SD-WAN MSP Deployment
Tenancy Models
- Per-Overlay Tenancy – the controllers are shared, but the WAN Edges are dedicated per customer.
- Per-VPN Tenancy – the controllers and the WAN Edges are shared, but the VPN segments are dedicated per customer.
SD-WAN Multitenancy vSmart Resilience
When a tenant shares the Controllers, Manager picks the two least-loaded Controllers and assigns them to the tenant. From 20.9.1 you can choose which Controllers a tenant uses. The pair runs active-active, a tenant is only ever assigned two Controllers, and each pair of Controllers can serve 24 tenants.
SD-WAN Cloud Deployment
Follow these steps to deploy the SD-WAN controllers in a cloud:
- First, the customer and overlay network information is created in Cisco Commerce so that Cisco Plug and Play (PnP) is integrated into the solution.
- To bring the network up automatically, complete the setup on Cisco PnP. Certificates are issued from the DigiCert CA infrastructure, so customers do not have to maintain a CA. Certain IP prefixes must be explicitly allowed in order to reach the setup; this information is also needed in the overlay setup, and the final bring-up of the overlay requires some networking configuration.
- The controllers check whether a connecting WAN Edge belongs to the network. To allow this, the customer supplies a list of the WAN Edge routers in the .viptela file format, which includes their serial numbers; the WAN Edges cannot join the overlay until this list has been uploaded.
Elastic IPs mean the IP addresses belong to the customer only and stay with the customer.
Cisco DNA Software for SD-WAN and Routing
I'm writing this blog as a reminder for myself, as I get asked a lot of questions that are not technical but more product specific. So instead of clicking through different links to understand the differences, I decided to put them all in one place with brief descriptions to help me remember!
First and foremost, a common question is about DNA licensing. DNA licensing is like a minefield, and I think I have just about understood it enough to get my head around it. In the role I do, with SD-WAN as my stronger subject, I need to know this information.
So let's start by understanding how Cisco DNA licensing works for routing and SD-WAN. The part code in the diagram below breaks down as follows:
- Green – the type of DNA license, whether it is on-prem or managed in the cloud.
- Orange – the tiered license, so you know which bandwidth you need to purchase. This is important: as you can see, the aggregate doubles. This is to account for symmetrical upload and download.
- Grey – the type of license in terms of package: Essentials, Advantage, etc. The difference is essentially the capabilities you want. I will explain a little more on that later.
- Blue – how long you want the license to last.
Understanding the Cisco DNA for SD-WAN and Routing and Cisco IOS Product Part Codes
(Image of the SD-WAN part-code breakdown; not captured here.)
Bandwidth Entitlement
There are two ways to work out the bandwidth. The first is to add all the upload and download figures together, which gives the total aggregate bandwidth, and then choose the tier using that aggregate number.
Alternatively, add up the total aggregate bandwidth, divide it by 2, and based on that number choose the tier labelled "up to XX Mbps".
One thing I have learnt when creating a BoM is that some of the tiered licenses will not show up if the router cannot push that much throughput. For example, when building a BoM for a Cat8200 you cannot choose the T3 license (up to 10 Gbps, 20 Gbps aggregate) because the router is not capable of it.
DNA License: What is the difference?
Earlier I mentioned there are different types of DNA license available, so what are the main differences?
In the SD-WAN world we have the following:
- DNA Essentials
- DNA Advantage
- DNA Premier
DNA Essentials
DNA Essentials is the basic DNA license for SD-WAN. I will not list every feature, but one thing to be aware of is that you only get up to 5 VPNs/VRFs in the SD-WAN overlay: 4 service VPNs of your choice plus one for management.
DNA Advantage
With DNA Advantage there is no restriction on the number of VPNs other than the platform maximum: service VPNs 1–511 and 513–65530 for service-side data traffic on Cisco IOS XE Catalyst SD-WAN devices (VPN 0 is reserved for transport and VPN 512 for management).
You get everything in Essentials plus the Advantage features, which are listed below:
DNA Premier
This includes Essentials and Advantage; the main difference is that if you want to move into the SASE world with Umbrella capabilities, this is the license to go for. I have only added what Premier offers; remember it includes Essentials and Advantage plus the items below in green.
DNA for Non-SD-WAN
With SD-WAN licensing out of the way, there is a subtle difference with non-SD-WAN, which I will call autonomous mode, as the Cisco image now lets you run the router in SD-WAN mode (controller-mode enable) or autonomous mode (normal routing).
When you purchase a router that will operate in autonomous mode you HAVE to buy a DNA license, so you need either DNA Essentials or DNA Advantage depending on the capabilities and features you need. If you need to run PIM (multicast) straight out of the box, for instance, that means Advantage straight away. Once the license term is over you can move to the DNA Routing Perpetual license, which costs nothing afterwards.
Another thing worth mentioning is the bandwidth tier: you only need the lowest tier if you are not running IPsec or any other encryption. So for pure routing with no encryption you can choose the lowest tier, which is T0. If you do use encryption, however, you need to choose the appropriate bandwidth tier alongside your DNA Essentials or Advantage license.
https://www.cisco.com/c/m/en_us/products/software/sd-wan-routing-matrix.html