With air-gapped environments, or where you’re unable to download the configuration for the WAN Edge device to establish DTLS tunnels back to the SD-WAN Controllers, you could use the Bootstrap option!
With the Bootstrap method, you build the pre-configuration on SD-WAN Manager and save it onto a USB drive. When the WAN Edge is powered on it will look for the Bootstrap file (ciscosdwan.cfg) containing the initial configs to begin onboarding!
Category Archives: SD-WAN
SD-WAN Manager Database Security
Warning: The configuration database administrator username and password is default and less secure.
Look familiar when you log in to Cisco Catalyst SD-WAN Manager?
You can clear this warning by changing the configuration database username and password.
1 – request nms application-server stop
Stop the application server on all Cisco SD-WAN Manager nodes.
2 – request nms configuration-db update-admin-user
The default username and password are neo4j and password.
3 – Enter your new username and password.
Checking Chassis Number and Token ID
When I onboard any vEdge or cEdge devices with Cisco Catalyst SD-WAN, I’d look under Manager > Devices and then copy the Chassis Number as well as the Token ID. This can sometimes be time consuming with all the clicking back and forth.
I’ve recently figured out how to view the Chassis Number and Token ID by just logging into the Validator and running:
show orchestrator valid-vedges | tab
PLATFORM ERROR C8000V
If you encounter error logs that constantly appear on the CLI along the lines of:
%SMART_LIC-2-PLATFORM_ERROR: Smart Licensing has encountered an internal software error.
SOLUTION:
config-transaction
license smart transport off
commit
Or, via a CLI Add-On Template:
!
logging discriminator ERROR mnemonic drops PLATFORM_ERROR
!
logging console discriminator ERROR
!
ZTP/PnP Process
ZTP Process Overview – Pure-play Viptela operating system
When using vEdge, the device uses ZTP; the steps are:
- Router reaches out to ztp.viptela.com.
- The public Validator then redirects the router to the appropriate Validator.
- The whitelist/blacklist approval process takes place before the device receives its config from Manager.
- Full configuration and registration are then completed.
Cisco Plug-and-Play Process Overview
- Customer or Partner creates an order on Cisco Commerce Workspace (CCW), and the order will belong to the Smart Account.
- Cisco defines the Org name and deploys the SD-WAN Controllers in the public cloud; by default you receive one Manager, one Controller and one Validator, with a further Validator and Controller in a secondary region.
- The Smart Account info and overlay info are synchronised to the PnP Connect service and the ZTP servers, even though ZTP applies to vEdge only.
- PnP applies to cEdge only.
- WAN Edges, whether cEdge or vEdge, will learn the IP address of the Validator.
- Manager synchronises Smart Account information directly from the PnP Connect service, which in turn downloads the WAN Edge allowed list.
- The WAN Edge connects to the Validator and begins the onboarding process.
Perform a Database Installation
I used to do this all the time and never really understood what it was for. Well, I do now!
- Compute and Data – Includes all services that are required for Manager: application, statistics, configuration, messaging and coordination. This persona should be used for a standalone node, and for the first node in a vManage cluster.
- Compute: Includes services that are used for the application, configuration, messaging, and coordination. This persona does not include services that are used for statistics. A node with this persona cannot operate as a standalone node and must be part of a vManage cluster.
- Data: Includes only services that are used for the application and statistics. A node with this persona cannot operate as a standalone node and must be part of a vManage cluster.
- Statistics Database: Stores statistics from all the Cisco Catalyst SD-WAN devices in the network.
- Configuration Database: Stores all the device and feature templates and configurations for all the Cisco Catalyst SD-WAN devices in the network.
- Messaging Server: Distributes messages and shares state among all the Cisco SD-WAN Manager cluster members.
SD-WAN MSP Deployment
Tenancy Models
- Per Overlay Tenancy – where the controllers are shared, except for the WAN Edge, which is dedicated per customer.
- Per VPN Tenancy – where controllers and WAN Edges are shared, but VPN segments are dedicated per customer.
SD-WAN Multitenancy vSmart Resilience
When a tenant shares the Controllers, Manager will choose the two least-loaded Controllers and assign them to the tenant. From v20.9.1 you can choose which Controllers the tenant is allowed to use. The pair operates active-active for the customer, with only 2 Controllers per tenant, and each pair of Controllers can serve 24 tenants.
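To make the placement rule above concrete, here is an added example (my own illustration, not Cisco’s implementation) of picking the two least-loaded Controllers for a new tenant, honouring the per-pair tenant limit and the v20.9.1 option of restricting a tenant to chosen Controllers. Controller names and tenant ids are constructed.

```python
"""Least-loaded Controller pair selection for a shared-Controller tenant.

Added illustration, not Cisco's code: Manager picks the two least-loaded
Controllers, runs them active-active for the tenant, and each Controller
serves at most MAX_TENANTS_PER_CONTROLLER tenants (24, per the page).
"""

MAX_TENANTS_PER_CONTROLLER = 24


class ControllerPool:
    def __init__(self, names):
        # controller name -> set of tenant ids currently assigned to it
        self.load = {n: set() for n in names}

    def assign(self, tenant, allowed=None):
        """Return the (ctrl_a, ctrl_b) pair chosen for `tenant`.

        `allowed` optionally restricts the candidate Controllers (the
        v20.9.1 'choose which Controllers the tenant can use' option).
        Raises RuntimeError when fewer than two Controllers have a free slot.
        """
        candidates = [n for n in (allowed or self.load)
                      if len(self.load[n]) < MAX_TENANTS_PER_CONTROLLER]
        if len(candidates) < 2:
            raise RuntimeError("fewer than two Controllers with free tenant slots")
        # least loaded first; the name is a tiebreaker for deterministic results
        candidates.sort(key=lambda n: (len(self.load[n]), n))
        pair = tuple(candidates[:2])
        for n in pair:
            self.load[n].add(tenant)
        return pair

    def tenants_on(self, name):
        return sorted(self.load[name])


def demo():
    # Constructed pool of four shared Controllers.
    pool = ControllerPool(["vsmart-1", "vsmart-2", "vsmart-3", "vsmart-4"])
    first = pool.assign("tenant-a")   # all empty -> vsmart-1, vsmart-2
    second = pool.assign("tenant-b")  # vsmart-3, vsmart-4 are now least loaded
    third = pool.assign("tenant-c", allowed=["vsmart-2", "vsmart-4"])
    return first, second, third


if __name__ == "__main__":
    print(demo())
```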
SD-WAN Cloud Deployment
Follow these steps to deploy the SD-WAN controllers in a cloud:
- First, create information about the customer and overlay network in Cisco Commerce to seamlessly integrate Cisco Plug and Play (PnP) into the solution.
- To establish the network automatically, complete the setup on Cisco PnP. Certificates use the DigiCert CA infrastructure, and customers are not required to maintain the CA. Certain IP prefixes in the setup must be allowed explicitly for permission to access the setup. Also, this information is required in the overlay setup. The final bring-up of the overlay requires some networking configuration.
- The controllers check whether a connecting WAN Edge device belongs to the network. To allow this operation, the customer supplies a list of WAN Edge routers in the viptela file format, which includes the serial numbers of the WAN Edge routers. The customer must supply this list to allow the WAN Edge routers to join the overlay.
Elastic IPs mean the IP address belongs to the customer only and stays with the customer.
Cisco DNA Software for SD-WAN and Routing
I’m writing this blog as a reminder for myself, as I get asked a lot of questions that are not technical but more product specific. So instead of clicking through different links to understand the differences, I decided to put them all in one place with a brief description to help me remember!
First and foremost, a common question is DNA licensing. DNA licensing is like a minefield, and I think I have just about understood it enough to get my head around it. In the role I do, especially with SD-WAN as my stronger subject, I need to know this information.
So let’s start by understanding how Cisco DNA licensing works for routing and SD-WAN:
- Green – illustrates the type of DNA license, whether it will be on prem or managed in the cloud.
- Orange – is the tiered license, so you know which bandwidth you need to purchase. This is important: as you can see, the aggregate doubles. This is to account for symmetrical upload and download.
- Grey – The type of license in terms of package: Essentials, Advantage, etc. The difference is essentially the capabilities you want to achieve. I will explain a little more on that later.
- Blue – is how long you want the license to last.
Understanding the Cisco DNA for SD-WAN and Routing and Cisco IOS Product Part Codes
Bandwidth Entitlement
There are two ways to work out the bandwidth. The first method is to add all the upload and download together, which gives the total aggregate bandwidth; based on that aggregate bandwidth number you then choose the correct tier.
Alternatively, you could add up the total aggregate bandwidth, then divide by 2, and based on that number choose the tiered bandwidth, which is the "up to XX Mbps" figure.
One thing I have learnt when creating a BoM is that some of the tiered licenses will not show up if the router is not able to push that amount of throughput. For example, when creating a BoM for a Cat8200 you cannot choose the T3 license, which pushes up to 10 Gbps / 20 Gbps aggregate, as the router cannot reach that.
DNA license, What is the difference?
Now, earlier I mentioned there are different types of DNA license available; what are the main differences?
To begin, in the SD-WAN world we have the following:
- DNA Essentials
- DNA Advantage
- DNA Premier
DNA Essentials
With DNA Essentials you have the basic DNA license for SD-WAN. I will not list all the features, but one thing to be aware of is that you only get up to 5 VPNs/VRF overlays in the SD-WAN world: 4 VPNs of your choice and one for MGMT.
DNA Advantage
With DNA Advantage, you don’t have any restrictions on VPNs/overlays other than the maximum supported: VPNs 1–511 and 513–65530 are service VPNs, for service-side data traffic on Cisco IOS XE Catalyst SD-WAN devices.
You also get everything in Essentials plus Advantage together; Advantage offers the following:
DNA Premier
This includes Essentials and Advantage; the main difference is that if you want to go into the world of SASE with Umbrella capabilities, then this is the license you would be better off with. I have only added what Premier offers; remember it includes Essentials and Advantage plus the items below in green.
DNA for Non-SD-WAN
Now with SD-WAN licensing out of the way, there is a subtle difference with non-SD-WAN, which I will call autonomous mode, as the Cisco image now allows you to configure the router in SD-WAN mode (controller-mode enable) or autonomous mode (normal routing).
When you purchase a router that will be operating in autonomous mode, you HAVE to buy a DNA license. So you either need to buy DNA Essentials or Advantage based on the capabilities and features you need; if you are required to run PIM (multicast) straight out of the box, then it will be Advantage straight away. Once the duration of the license is over, you can then move to the DNA Routing Perpetual license, which doesn’t cost any money afterwards.
Another thing I wanted to mention is the bandwidth tier: you only need to choose the lowest bandwidth tier IF you are not running IPsec or encryption. So for pure routing with no encryption you can choose the lowest tier, which is T0. However, if you do use encryption, then you need to choose the appropriate bandwidth tier along with the DNA Essentials or Advantage license.
https://www.cisco.com/c/m/en_us/products/software/sd-wan-routing-matrix.html
Cloud on Ramp
I may have previously touched on CoR in my previous blogs, but I would like to dedicate a blog post specifically to CoR.
So what is CoR actually?
SaaS – Uses real-time, granular analytics for each application to steer users onto the best-performing path for optimal application performance. In other words, the best path available to your cloud environment.
CoR for Multicloud – Cloud Hub – Extend the WAN to a public cloud with a single SD-WAN fabric. Apply consistent policy to cloud workloads.
Cloud Interconnect – Automate on-demand connectivity between multiple sites and to leading cloud provider networks, directly from your SD-WAN controller.
CoR SaaS
1 – All transports that are able to provide SaaS access will request DNS on their transport VPN 0.
2 – HTTP/S pings are sent to the SaaS provider to begin measurement.
3 – Scores are measured, with a best possible score of 10.
As you can see in the example of a CoR traffic flow, ISP 1 has the best score, therefore ISP 1 will be chosen.
An example of CoR for Microsoft 365: Dynamic URL Categories is where you can select multiple Microsoft service offerings such as Teams, Outlook, SharePoint, etc.
Informed Network Routing provides end-to-end telemetry for the services I mentioned above; this allows CoR to select the best path per SaaS application based on a score.
With CoR, you can also monitor Webex, where the Edge router sends HTTPS probes to Cisco Webex responders across Cisco’s global regions.
The Webex API enhances the classification of traffic that needs to go to the best-performing Webex region.
You can even configure and set up your own CoR for your own custom applications using NBAR or your own FQDN application. The same principle applies, with HTTPS probes.
Examples and use cases of CoR:
CoR Multicloud
In this model we spin up virtual routers (Cat 8000v) inside the cloud service provider to extend the SD-WAN fabric all the way to the application and networking of the CSP. This can be automated by developing workflows in SD-WAN Manager. Workflows is a new tool that helps you click and configure features without needing to define Groups of Interest like we used to. The workflow allows the user to configure without the expert knowledge required in the cloud world, so network operators can easily deploy the SD-WAN service in each of the cloud service providers. SD-WAN Manager can then deploy and bootstrap the Cat 8000v in the CSP. Within minutes your SD-WAN environment will have access to your key applications running in the CSP.
AWS
There are different use cases when you are spinning up within the AWS environment. Below are a few examples of how you can leverage SD-WAN and AWS.
The example above illustrates an AWS region with Cat 8kv deployed in HA, plus another region, for example in the USA. To connect the two regions you can spin up a Transit Gateway so the SD-WAN fabric can be extended.
AWS Cloud WAN is a managed wide-area networking (WAN) service that you can use to build, manage, and monitor a unified global network that connects resources running across your cloud and on-premises environments. It provides a central dashboard from which you can connect on-premises branch offices, data centers, and Amazon Virtual Private Clouds (VPCs) across the AWS global network. You can use simple network policies to centrally configure and automate network management and security tasks, and get a complete view of your global network.
https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html
Azure
Multicloud
With SD-WAN you can even connect one cloud provider with another as part of your SD-WAN fabric. The example below illustrates using AWS for one specific workload and Azure for another.
I’ve previously written a blog about MRF, but you can even implement Multicloud acting as your Region 0 (backbone) from a design perspective.
Multicloud Interconnect
Cisco has partnered with Equinix and Megaport as backbone providers. Essentially, if you wanted a private backbone in your core network, you could utilise either partner by spinning up a Cat 8kv.
So instead of relying on the Internet as your transport for a cloud-to-cloud SD-WAN fabric, you can utilise the high-speed backbone to connect back to your cloud provider. Most providers will usually build a private MPLS L3VPN network in order to connect to the cloud provider; using interconnect providers, you do not need to rely on your local ISPs to do this.