Hello Andres,
The vEdge Cloud is based on Viptela OS, while the CSR1000v and Catalyst 8000v are running IOS-XE.
Actually, the Catalyst 8000v is an evolution of the CSR1000v and starting from release 17.4, only the Catalyst 8000v will be available.
How to choose between them? If your current architecture is built on vEdge devices, the vEdge Cloud is probably the best option.
In case of green field deployment, the Catalyst 8000v could offer more services.

The Catalyst 8000v is available on AWS, Azure and Google Cloud Platform.
The vEdge Cloud can be found in Azure and AWS marketplace.

Below the link to the Catalyst 8000v Configuration Guides where you can see some deployment examples:
https://www.cisco.com/c/en/us/support/routers/catalyst-8000v-edge-software/products-installation-and-configuration-guides-list.html

Hello Jackson, how are you?

First, keep in mind what are the business goals with this solution, what are the reasons you are deploying it, what you are trying to accomplish.

Second, take your time Planning before diving into configuration. Plan ahead your System IPs, create a structured Site ID scheme, define what TLOC Colors you're going to use, design your security policy regarding VPN Segmentation and Topologies and so on. This way, you will bring up most of the details involved in the configuration and it will save you quite some time later when you're creating your Configuration Templates.

Once you're done planning, then it's time to set up the control plane. At this point you will configure basic connectivity and deploy certificates on the vManage, vBond and vSmart controllers. Once your control plane is up and running, with control connections established, you're ready to start creating your Configuration Templates and provisioning your WAN Edges.

Hope this helps and, please, hit us up if you have any further questions.

Regards.

G.

Hello Adolfo,

First, the control plane uses digital certificates with 2048-bit RSA keys to authenticate the edge routers in the network.
The Control Plane is encrypted either by DTLS or TLS. Which means that all the edge devices will establish secure connections with the orchestration components.

We keep the control plane integrity by using the combination of two security elements: AES-GCM message digests, and public and private keys.

As our control plane is now secure and trusted, we are building IPsec tunnels for data traffic (data plane).

This is a simplified answer but let me point you out to the following documentation, you will find here all the details about the security inside the SD-WAN Fabric:
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge-20-x/security-book/security-overview.html

Hello, thank you so much for participating in the forum, all questions are welcome.

1. Can Viptela and Cisco's ISR and ASR series coexist in an SD-WAN network?  Absolutely, XE and Viptela OS can completely interoperate in one single SD-WAN Fabric.
2. Viptela equipment seems outdated nowadays. What are the advantages of upgrading ISR, ASR and other equipment to SD-WAN mirroring, compared to Viptela? From 17.x versions in XE we have a universal image that allows you run in Autonomous mode (traditional XE) or Controller mode (SDWAN), only thing required is a single command. XE offers a more rich set of functionalities compared to Viptela OS, while having embedded SD-WAN capabilities that Viptela OS brought to Cisco SD-WAN. Just to mention some features XE can offer and Viptela OS cannot, is URL-F and IPS, which are functions hosted on containers inside XE architecture. Remember Cisco has launched new routers, Catalyst 8000 Edges which can help as well. Check more details on https://www.cisco.com/c/es_mx/solutions/enterprise-networks/sd-wan/index.html#~case-studies
3. vManage, vBond, vSmart, vEdge, what are their main roles in the SD-WAN network, and how many of them can exist in the SD-WAN network at least & at most?

vManage is the single pane of glass from where you can operate, configure, troubleshoot, monitor your SD-WAN network. vBond acts as an orchestrator and leverages trustworthy systems from Cisco as well as acts as STUN server to deal with private/public addressing for fabric elements. vSmart is the brain of the operation and deals with encryption keys and all intelligence -meaning routing information- propagation to data plane -routers-. Last but not less important, WAN Edges execute what controllers dictate, while maintaining their intelligence and horse powers to develop tasks like QoS, ACLs, etc.

Numbers can vary for Edges on an overlay, it depends on customer, but that number will directly matter in terms of how many vManage, vBond and vSmart instances we will have in the overlay. Common deployments have 1 vManage, 2 vBonds and 2 vSmarts. But you can have up to 6 vBonds, 20 vSmarts and 6 vManages. In order to design according to best practices make sure you check https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/hardware-and-software-installation.html , Cisco Team is always happy to help you design with best practices according to your customer requirements.

4. vEdge has both cloud and hardware products, while vManage / vBond / vSmart only have cloud products, am I right?  Do they need to be installed in a virtual environment? Correct, vEdge has physical appliances and VNF or virtual instance (vEdge cloud). Same happens with cEdge (XE OS), there are CSR1000V and C8KV available in public cloud providers marketplaces when IaaS is required. In case on premise deployment is required they can be instantiated according to the following links:

ESX: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/b_CSR1000v_Configuration_Guide/b_CSR1000v_Configuration_Guide_chapter_011.html

KVM: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/b_CSR1000v_Configuration_Guide/b_CSR1000v_Configuration_Guide_chapter_0101.html

HyperV: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/b_CSR1000v_Configuration_Guide/b_CSR1000v_Configuration_Guide_chapter_0110.html

To  see more specific information please one of the previous questions where this has been addressed.

5. Could vEdge go online without manual intervention? It can be zero contact? What is the detailed process of launching vEdge ? Absolutely, Cisco SD-WAN offers true Zero Touch Provisioning (ZTP), you can get details here:

https://blogs.cisco.com/networking/cisco-sd-wan-delivers-true-zero-touch-provisioning-oid-psten019112

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-wan-edge-onboarding-deploy-guide-2020nov.pdf

Basically, PnP Service from Cisco maps devices you have licensed for your organization, once you connect your device and it gets an IP via DHCP as well as DNS, there is call home (to retrieve validation from PnP) and authentication from vBond, to be on boarded to SD-WAN fabric, configuration template is lately downloaded, this is one pre requisite, have one configuration template assigned to your device Serial number.

[..]

5. Could vEdge go online without manual intervention? It can be zero contact? What is the detailed process of launching vEdge ? Absolutely, Cisco SD-WAN offers true Zero Touch Provisioning (ZTP), you can get details here:

https://blogs.cisco.com/networking/cisco-sd-wan-delivers-true-zero-touch-provisioning-oid-psten019112

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-wan-edge-onboarding-deploy-guide-2020nov.pdf

6. What is the strategic framework of SD-WAN? Cisco SD-WAN offers you the most granular and customizable routing framework achieved with its different policies, this is the more strategic part of the solution, you can see detailed information here: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/policy-framework.html

7. What troubleshooting tools are commonly used in SD-WAN networks?  Under Network > Troubleshooting for each device you can check Device Bringup stage, Control Connections, use Ping or TraceRoute with specific, these two are commonly used by all network engineers. While you need to see how an application is behaving  you can use App Route visualization or simulate flows. Packet Capture is also a good tool to know the truth.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/vManage_How-Tos/vmanage-howto-book/m-troubleshooting.html

8. What kind of backup does SD-WAN backup refer to, and how should we operate the backup involved in the topic? In terms of how to back up and/or restore your device templates, feature templates, policies or lists, you can use programmatic ways as this is native part from Cisco SD-WAN, recommended to see https://github.com/CiscoDevNet/sastre and take a look at https://developer.cisco.com .

Hope these answers help, regards.

Hi Yanli,

Cisco SD-WAN includes all the management components (vManage, vBond and vSmart)  in the cloud and supports the following platforms at the edge:

•     Cisco ASR 1000 Series Aggregation Services Routers
•     Cisco 1000 Series ISRs
•     Cisco 4000 Series ISRs
•     Catalyst 8000
•     Cisco 5400 ENCS with the ISRv
•     Cisco UCS with the ISRv
•     CSR 1000v

Having said that, if you are using the cloud deployment model and you are using Catalyst 8000,  ASRs or ISRs as an edge device, there are no specific server requirements since no servers are used.

In the event where you would like to have all the management components on-premise.  The ESX/KVM servers recommendations for the Cisco vBond Orchestrator server, Cisco vManage server, and Cisco vSmart Controller server are available at the following link: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/hardware-and-software-installation.html

The resources required to run each components Cisco vBond Orchestrator, Cisco vSmart Controller, and Cisco vManage server on the VMware vSphere ESXi or the Kernel-based Virtual Machine (KVM) server will vary depending on the number of devices you deploy in the overlay network.  Also pay attention that all the OS volume must be on a solid-state drive (SSD).

If your edge device is not a Catalyst 8000, ASRs or ISRs routers but rather an ISRv running on Cisco UCS servers and/or Cisco ENCS platforms:

The server must support at least the following:

• Intel ® Atom ® or Xeon ® CPU at 1.5 GHz or above
• AMD ® Embedded R-Series
• Gigabit Ethernet interfaces

The ISRv requires the following from the virtualized server hardware:

• CPU: 1 to 4 virtual CPUs (depending on the throughput and feature set)
• Memory: 4 GB to 16 GB (depending on the throughput and feature set)
• Disk space: 8 GB
• Network interfaces: Two or more vNICs, up to maximum allowed by hypervisor (26)

In regards to the CSR 1000v, the requirements are available here for:

ESX: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/b_CSR1000v_Configuration_Guide/b_CSR1000v_Configuration_Guide_chapter_011.html

KVM: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/b_CSR1000v_Configuration_Guide/b_CSR1000v_Configuration_Guide_chapter_0101.html

HyperV: https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/configuration/b_CSR1000v_Configuration_Guide/b_CSR1000v_Configuration_Guide_chapter_0110.html

Regards,

Danny

Hi Yanil,

DIA improves the user experience by allowing branch users to access Internet resources and SaaS applications directly from the branch.  Traditionally, branches have accessed SaaS applications through centralized data centers which results in increased application latency and unpredictable user experience. As SD-WAN has evolved, additional network paths to access SaaS applications are possible, including Direct Internet Access (DIA) and access through regional gateways or colocation sites. However, network administrators may have limited or no visibility into the performance of the SaaS applications from remote sites, so, choosing what network path to access the SaaS applications in order to optimize the end-user experience can be problematic. In addition, when changes to the network or impairment occurs, there may not be an easy way to move affected applications to an alternate path.

With Cisco SD-WAN this function is called Cloud onRamp. It allows you to easily configure access to SaaS applications, either direct from the Internet or through gateway locations. It continuously probes, measures, and monitors the performance of each path to each SaaS application and it chooses the best-performing path based on loss and delay. If impairment occurs, SaaS traffic is dynamically and intelligently moved to the updated optimal path.

Example of application that can leverage this functionality are: 

• Office 365
• Salesforce
• Google App
• Box
• Dropbox
• Concur
• Intuit
• AWS
• GoToMeeting
• Oracle
• SugarCRM
• Zendesk
• Zoho CRM

Cloud onRamp for SaaS – best performing path is chosen

A second example is DIA for IaaS.  IaaS delivers network, compute, and storage resources to end users on-demand, available in a public cloud (such as AWS, Azure or Google Cloud) over the Internet. Traditionally, for a branch to reach IaaS resources, there was no direct access to public cloud data centers, as they typically require access through a data center or colocation site. In addition, there was a dependency on MPLS to reach IaaS resources at private cloud data centers with no consistent segmentation or QoS policies from the branch to the public cloud. 

Cisco Cloud onRamp for IaaS is a feature that automates connectivity to workloads in the public cloud from the data center or branch. It automatically deploys WAN Edge router instances in the public cloud that become part of the SD-WAN overlay and establish data plane connectivity to the routers located in the data center or branch. It extends full SD-WAN capabilities into the cloud and extends a common policy framework across the SD-WAN fabric and cloud. Cisco Cloud onRamp for IaaS eliminates traffic from SD-WAN sites needing to traverse the data center, improving the performance of the applications hosted in the public cloud. It also provides high availability and path redundancy to applications hosted in the cloud, which is also very cost effective.

Regards,

Danny