Question about deploying a remote WAN edge into a SD-WAN fabric already in production

Hi,

I am a newbie on SD-WAN...

I don't have an SD-WAN deployment in production, but I have read several documents and have been doing some tests in my own lab.

I have a question. Let's say I have a production SD-WAN fabric working, with all controllers on-premise at my HQ with public IP addresses, and 5 WAN Edges already working in hub-and-spoke. If I need to add one more WAN Edge to the fabric using manual provisioning, this site will have a static public IP, so that will be configured on the interface for VPN 0 transport (enabling the tunnel interface) of the new WAN Edge, and then I will have to execute the command: "request vedge-cloud activate chassis-number XXXXXXXXXX token XXXXXXXXXXX"

Then I will need to download the CA root cert.

Is the only way to download it using VPN 512? Can I use a service VPN? (Suppose VPN 512 has a public IP address; if not, I could use NAT on the transport VPN.) I understand that I can't use VPN 0 because the IPsec encapsulation is enabled and the WAN Edge is not on the fabric yet. I am a little confused here...

Please help,

Best regards,

 

Juan Pablo


1 Reply

Octavian Szolga
Level 4

Hi Juan,

You can copy any file from a server to any WAN Edge router as long as you haven't applied the tunnel-interface command on the WAN interface, because that will actually harden the interface, i.e. allow only a specific set of protocols like DTLS, ICMP, DNS and others (FTP/SCP/TFTP are not on the list and cannot be allowed).

Long story short, if I remember correctly, you need the "request vedge-cloud activate chassis-number XXXXXXXXXX token XXXXXXXXXXX" command only if you're using virtual devices (ISRv, CSR1000v, Cloud vEdge) or the ASR1002-X, which don't have SUDI/TPM certs.

 

As an alternative, you can always copy the root CA over a USB stick and install it afterwards.

Another option would be to generate the bootstrap file from vManage. The bootstrap file will contain the root CA as well.

 

BR,
Octavian
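The provisioning order the reply describes (fetch and install the root CA chain while the transport interface is still unhardened or via VPN 512, activate only if the device has no SUDI/TPM certificate, and apply tunnel-interface last) written out as a vEdge CLI walk-through. This is an added example, not configuration posted in the thread. Every address, hostname, site-id, organization name, the SCP file server and the `vpn 512` option on `request root-cert-chain install` are assumptions; confirm the exact syntax with `?` on your software release. Lines starting with `!` are comments.

```text
! --- 1. Management addressing on VPN 512 (assumed values) ---
! VPN 512 is never covered by tunnel-interface hardening, so it is the
! cleanest path for pulling the CA file; VPN 0 works too as long as
! tunnel-interface has NOT been configured yet.
vpn 512
 interface eth0
  ip address 192.0.2.10/24
  no shutdown
 !
 ip route 0.0.0.0/0 192.0.2.1
!
! --- 2. Transport addressing on VPN 0, deliberately without tunnel-interface ---
vpn 0
 interface ge0/0
  ip address 203.0.113.10/24
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.1
!
system
 host-name edge6
 system-ip 10.255.0.6
 site-id 6
 organization-name "ExampleOrg"
 vbond 198.51.100.5
!
! --- 3. Install the root CA chain (exec mode, not config mode) ---
! Fetched from an assumed management-network file server over VPN 512.
request root-cert-chain install scp://admin@192.0.2.50:/home/admin/root-ca-chain.crt vpn 512
!
! --- 4. Only for devices without a SUDI/TPM certificate (virtual vEdge,
!        ISRv/CSR1000v, ASR1002-X): bind the chassis number and OTP token
!        generated in vManage. Hardware vEdges skip this step.
request vedge-cloud activate chassis-number XXXXXXXXXX token XXXXXXXXXXX
!
! --- 5. Now harden the transport: enable the tunnel with a minimal allow list ---
! Once this is applied, only the listed services (plus DTLS/TLS control
! and IPsec/BFD data plane) are accepted on ge0/0; SSH and NETCONF are
! explicitly left off the transport interface.
vpn 0
 interface ge0/0
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service ntp
   no allow-service sshd
   no allow-service netconf
  !
 !
!
! --- 6. Verify ---
show control local-properties    ! root-ca-chain-status should read Installed
show orchestrator connections    ! vBond reachable via ge0/0
show control connections         ! then vManage and vSmart sessions come up
```

One check worth doing before step 3: whatever transport carries the CA file (SCP, FTP, TFTP or a USB stick), compare the file's fingerprint against the one shown on the controller side before installing it. The root chain is the trust anchor for every control connection the edge will ever build, and FTP/TFTP provide no integrity protection at all.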