Cisco’s software-defined wide area network (SD-WAN) solution, powered by Viptela, allows users to quickly and seamlessly establish an overlay fabric to connect an enterprise’s data centers, branch and campus locations, as well as colocation facilities in order to improve the network’s speed, security, and efficiency.
This upgrade guide is designed to be used as a detailed example of onboarding a remote device and adding it to your existing SD-WAN fabric. This guide should be used in conjunction with the complete “SD-WAN End-to-End Deployment Guide.”
This configuration guide assumes that an SD-WAN fabric consisting of at least one vManage, one vSmart, and one vBond instance has already been set up and that at least one SD-WAN compatible platform (see Supported Platforms below) has been physically connected, is powered on, and is reachable from a remote workstation. The guide also assumes that the remote routing device being added to the fabric has a version of the SD-WAN image installed that is compatible with the hardware platform, as well as with the version of vManage installed on the vManage controller.
This guide will cover the process for adding a remote vEdge or cEdge router to an existing SD-WAN fabric. Router configurations beyond those necessary for connectivity to the SD-WAN controllers are not covered by this guide. Router software upgrades are also not covered by this guide.
The IOS XE SD-WAN software can be installed on the following hardware platforms:
The following interface modules are supported for the ISR 4000 series routers:
The following crypto modules are required for the ASR 1000 series routers:
Before a remote router can be added to an SD-WAN fabric, the router needs to be running the Cisco IOS-XE SD-WAN image that is compatible with it. The router’s software image version can be checked by issuing the “show version” command on the router’s CLI.
If your remote router is not running an appropriate version of IOS-XE SD-WAN, the software can be downloaded and installed using the guide located at this page, and following the sections “Download the XE SD-WAN Software” and “Install the XE SD-WAN Software.”
After ensuring that the remote router is running the correct XE SD-WAN software version, and that the device is physically powered on and remotely reachable, follow one of the available options for onboarding the device into your SD-WAN fabric.
The first option for onboarding a remote device into an SD-WAN fabric is to use Zero-Touch Provisioning (ZTP). This approach requires the least hands-on configuration from a user. However, it relies on the GigabitEthernet0/0 interface on the remote router being configured for DHCP and physically connected to an internet gateway, so that the router can receive an IP address and locate its vBond IP address to begin the authentication process with the controllers.
Assuming that the remote router is physically connected and configured to receive its IP address from a DHCP server, these simple steps can be followed to check the code version for the remote router and ensure ZTP is enabled for your SD-WAN fabric.
The second option for onboarding a remote device into an SD-WAN fabric is to use the “Plug and Play Device Portal” or “PnP Portal,” for short. The PnP Portal is accessible through software.cisco.com using a Cisco Smart Account.
Similarly to onboarding using ZTP, onboarding through the PnP Portal requires the remote router to already be physically connected, using interface GigabitEthernet0/0, to a DHCP server and configured to receive an IP address from that server.
Once the remote router has received an IP address, following these steps will ensure that the PnP server is ready to receive onboarding requests for your device(s) and redirect the remote devices to vBond for authentication.
Lastly, a remote router can be onboarded and brought into the rest of the SD-WAN fabric by logging into the router via SSH or Telnet and configuring the vBond IP address, as well as a few other configurations specific to the SD-WAN fabric. This will enable the remote router to communicate with vBond and, subsequently, the other SD-WAN controllers. The following steps assume that the remote router is physically connected to an internet gateway using interface GigabitEthernet 0/0.
To begin, connect to the router’s console via SSH or Telnet using an admin account, then enter configuration mode by entering “config-t” and enter the following configuration/commands to establish basic connectivity to vBond:
ip domain lookup
ip name-server <DNS Server IP Address>
ip route 0.0.0.0 0.0.0.0 <Gateway IP Address>
interface GigabitEthernet1
 ip address <IPv4 Address being assigned to this Device/Interface> <Subnet Mask>
 no shutdown
commit
An example of a complete configuration following these steps would look like:
ip domain lookup
ip name-server 220.127.116.11
ip route 0.0.0.0 0.0.0.0 18.104.22.168
interface GigabitEthernet1
 ip address 22.214.171.124 255.255.255.240
 no shutdown
commit
end
Once basic connectivity to vBond has been established, the following configuration/commands will need to be entered in order to establish control connections with the SD-WAN controllers:
hostname <Desired Hostname of this Remote Router>
system
 system-ip <Private IPv4 Address to be Used as a Router ID for this Device>
 site-id <Site ID Number for the Site this Remote Router will be in>
 organization-name <Organization Name as Defined in vManage Admin Settings>
 vbond <IP Address of vBond Instance>
interface Tunnel 0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode sdwan
sdwan
 interface GigabitEthernet1
  tunnel-interface
   color <Tunnel Color>
   encapsulation <Encapsulation type> (gre | ipsec)
commit
An example of a complete configuration following these steps would look like:
config-t
system
 host-name Site-Edge-1
 system-ip 126.96.36.199
 site-id 102
 organization-name "Enterprise Network - 102"
 vbond 188.8.131.52
interface Tunnel 0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode sdwan
sdwan
 interface GigabitEthernet1
  tunnel-interface
   color biz-internet
   encapsulation ipsec
commit
end
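A pre-commit check for the configuration above, as an added example that is not part of Cisco's guide or tooling: it catches the paste errors that most often stop control connections from forming, such as a template placeholder left in place, typographic quotes around the organization name, or an organization name that differs from the one set in vManage. The helper name `lint_onboarding_config` and its `expected_org` parameter are hypothetical, and the IPv4 check assumes `system-ip` and `vbond` are given as addresses, as in the guide's template.

```python
import ipaddress
import re

SAMPLE_CONFIG = """\
system
 host-name Site-Edge-1
 system-ip 126.96.36.199
 site-id 102
 organization-name "Enterprise Network - 102"
 vbond 188.8.131.52
interface Tunnel 0
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode sdwan
sdwan
 interface GigabitEthernet1
  tunnel-interface
   color biz-internet
   encapsulation ipsec
"""  # constructed sample: the guide's example values, one command per line
REQUIRED = ("system-ip", "site-id", "organization-name", "vbond", "color", "encapsulation")


def lint_onboarding_config(text, expected_org):
    """Hypothetical helper: list problems in a pasted onboarding config."""
    values, placeholders, problems = {}, set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        key, _, rest = line.partition(" ")
        if re.search(r"<[^>]+>", line):  # template text such as <Gateway IP Address>
            problems.append(f"unfilled placeholder: {line}")
            placeholders.add(key)
        elif key in REQUIRED:
            values[key] = rest.strip()
    problems += [f"missing {k}" for k in REQUIRED if not values.get(k) and k not in placeholders]
    for key in ("system-ip", "vbond"):  # assumption: both are IPv4 addresses, as in the template
        if values.get(key):
            try:
                ipaddress.IPv4Address(values[key])
            except ValueError:
                problems.append(f"{key} is not an IPv4 address: {values[key]}")
    org = values.get("organization-name", "")
    if re.search("[\u201c\u201d]", org):  # curly quotes picked up from a document paste
        problems.append("organization-name contains typographic quotes")
    elif org and org.strip('"') != expected_org:
        problems.append(f"organization-name does not match vManage: {org}")
    if values.get("encapsulation", "ipsec") not in ("gre", "ipsec"):
        problems.append(f"unknown encapsulation: {values['encapsulation']}")
    if "tunnel mode sdwan" not in text:
        problems.append("missing tunnel mode sdwan")
    return problems
```

An empty list means the pasted text passed every check; run it against the text you intend to paste, before entering `commit` on the router.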
After entering these commands and establishing basic connectivity to the SD-WAN controllers, ensure that the root certificate file (which is already installed on the controllers) has been copied from one of the controllers to the bootflash of the router that is being configured/onboarded. Then, issue the command "request platform software sdwan root-cert-chain install bootflash: <Root Certificate Filename e.g. root.crt>" to install the root certificate on the edge router.
In order for the edge router to appear in the devices list on the vManage web GUI, a valid WAN edge device list (in .csv format) will need to be signed and uploaded to vManage. By issuing the command "show sdwan certificate serial" the serial number and device PID for this edge router will be displayed in the following format. Copy the serial number and PID generated by this command to make the WAN edge serial file.
This information is necessary for generating the valid WAN edge device list file. However, this file can only be used with vManage version 16.9.x or older. On vManage 17.x and newer, the WAN edge serial file is a signed, binary file that can only be obtained through Cisco, and only for the edge devices for which a license has been purchased. For vManage 17.x and newer, these WAN edge serial files can be downloaded from the Network Plug and Play Connect portal, using a valid Cisco Smart Account. For vManage 16.9.x and older, the WAN edge serial file can be generated using the output copied from the "show sdwan certificate serial" command. On a local PC, create a new file titled "vedges.csv" and paste the output copied from the previous command. This file can contain the serial numbers and PIDs for more than one edge router being onboarded, with each device beginning on a new line, as such:
ab1cde23-4567-8f89-01fd-gh2i3j44k5l6,F1AB23CD4E5678F9,
mn7opq89-0123-4r45-67st-uv8w9x01y2z3,F1AB23CD4E5678F9,
ab4cde56-7890-1f23-45gh-ij6k7l89m0n1,F1AB23CD4E5678F9
After this file is generated, navigate to the vManage web GUI, then go to the Configuration tab and select "Devices" to go to the devices page. Click on "Upload WAN Edge List" to upload the .csv file.
After these steps are completed, the remote router should have established connectivity to the SD-WAN controllers, allowing further device upgrades and configurations to be pushed to the remote device through vManage.
Control connections can be verified by entering the commands “show sdwan control summary” and “show sdwan control connections” on the remote device, through the CLI.
Additionally, information about overall fabric health and connectivity, as well as individual device connectivity can be found on the vManage web console:
In order to view the onboarded devices in vManage, either a Cisco Smart Account must be synced with the vManage instance, or a list of corresponding, authorized WAN edge serial numbers in .csv format must be uploaded to vManage. These options can both be accessed by going to the Configuration tab on the left, then selecting "Devices".