SD-WAN Controller hosted On-prem

samirshaikh52
Level 2

Hello

We have set up the lab with 3 controllers (vManage, vBond & vSmart) installed on a VMware ESXi host. The controllers are behind a firewall; therefore, what are the NAT requirements to allow communication between vEdge and the controllers? Do we need to NAT all three controllers?

Thanks

20 Replies

samirshaikh52
Level 2

Anyone please ?

RohitRaj03827
Spotlight

Hi samirshaikh52,

First of all I would like to know:

1. Are you using MPLS as a transport for your SD-WAN controllers to vEdges or cEdges communication?

Ans:- If you are using MPLS only as a transport for on-prem controllers to vEdges or cEdges communication, then in this case you don't have to use NAT; you can use private IPs for the controllers and vEdges/cEdges will communicate with the on-prem controllers.

==================================================================================

2. Are you using the Internet as a transport for your SD-WAN controllers to vEdges or cEdges communication?
Ans:- If you are using the Internet only as a transport for on-prem controllers to vEdges or cEdges communication, then in this case you will have to use one public IP address for each controller (vManage, vBond and vSmart) and you will have to configure NAT on your firewall. When remote site vEdge or cEdge routers communicate with the on-prem controllers, NAT will translate the public IP address of vManage, vBond and vSmart to the private IP address.

================================================================================

Note:- In case of hybrid deployment:-

Hybrid means you are using both MPLS and Internet as a transport; in this case, again you have to use NAT and one public IP address for each controller.

Below is the explanation for hybrid deployment:-

On-Prem Controllers Hybrid Deployment:-
For Controllers Communication:-
=> vSmart and vManage point to the vBond IP address - NATed public IP address

=> vBond learns interface private and NATed public IP address of vSmart and vManage - Private is pre-NAT, public is post-NAT

=> vSmart and vManage use interface private IP addresses for communication - vSmart and vManage use private color (non-default) - Private color to private color uses private IP address

------------------------------------------------------------------------------------
For vEdge or cEdge to Controller Communications:-

=> vEdge/cEdge points to the vBond FQDN that resolves to both public and private IP addresses
=> vEdge/cEdge communicates with vSmart and vManage NATed public IP addresses over Internet and interface private IP addresses over MPLS - Private color to private color uses private IP address, private color to public color uses public IP address

======================================================================================

 

Kindly let me know if you have further queries for SD-WAN deployment.

 

Thanks & Regards,

Rohit Raj

Hi RohitRaj,

Thanks for your reply.

I am using the Internet as transport for communication between vEdge and the controllers. So you said I need 1:1 NAT for each controller.

So basically I need to NAT the System-IP of the controllers?

Hi samirshaikh52,

Kindly read my previous post once again.

In SD-WAN, the system IP address provides a fixed location of the device in the overlay network and is a component of the device's TLOC address. It is used as the device's loopback address in the transport VPN (VPN 0). You cannot use this same address for another interface in VPN 0. So there is no point in NATing the System-IP of the controllers.

===================================================================================

If you are using the Internet as a transport, in this case:-

You will have to NAT the IP addresses that are used for the VPN 0 interface, and vSmart and vManage point to the vBond IP address, which is the NATed public IP address.

-> Once vBond learns the interface private and NATed public IP address of vSmart and vManage - Private is pre-NAT, public is post-NAT

-> Then vSmart and vManage use interface private IP addresses for communication - vSmart and vManage use private color (non-default) - Private color to private color uses private IP address.

========================================================================

For vEdge or cEdge to Controller Communications:-

=> vEdge/cEdge points to the vBond FQDN that resolves to both public and private IP addresses
=> vEdge/cEdge communicates with vSmart and vManage NATed public IP addresses over Internet and interface private IP addresses over MPLS - Private color to private color uses private IP address, private color to public color uses public IP address.

=================================================================================

I hope this will help.

Kindly let me know if you still have doubts about it. I will send you an IP schema including configurations and all.

Kindly hit the helpful button if you think that my post has helped you.

 

 

Thanks & Regards,

Rohit Raj.
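The address-selection rule Rohit states in the two replies above (private colour to private colour uses the pre-NAT private address; any pairing involving a public colour uses the NATed public address) together with the 1:1 NAT requirement, as an added example; this is not code from the thread or from Cisco. It assumes the set of private colours Cisco SD-WAN defines (mpls, metro-ethernet, private1 to private6); the controller TLOC table and the firewall NAT table are constructed sample values, and the rule is applied to every colour pairing, not only the two named in the post.

```python
"""Which controller address a peer should use under the colour rule from the thread (added example)."""

# Private colours defined by Cisco SD-WAN; every other colour (biz-internet, public-internet, ...) is public.
PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}

# Constructed sample TLOC table: what vBond learns from each controller's VPN 0 interface,
# the pre-NAT private address and the post-NAT public address seen through the firewall.
CONTROLLERS = {
    "vManage": {"color": "private1", "private": "10.0.0.2", "public": "203.0.113.2"},
    "vSmart":  {"color": "private1", "private": "10.0.0.3", "public": "203.0.113.3"},
    "vBond":   {"color": "private1", "private": "10.0.0.4", "public": "203.0.113.4"},
}

# Constructed 1:1 static NAT table on the firewall, public -> private.
NAT_TABLE = {"203.0.113.2": "10.0.0.2", "203.0.113.3": "10.0.0.3", "203.0.113.4": "10.0.0.4"}


def is_private_color(color):
    return color in PRIVATE_COLORS


def peer_address(local_color, peer):
    """Private colour to private colour uses the pre-NAT private address; any pairing that involves a
    public colour uses the NATed public address. None means the required address was never learned."""
    if is_private_color(local_color) and is_private_color(peer["color"]):
        return peer.get("private")
    return peer.get("public")


def control_targets(local_color, controllers=CONTROLLERS):
    """Address each controller is reached at from a TLOC of the given colour (an edge over Internet or MPLS)."""
    return {name: peer_address(local_color, tloc) for name, tloc in controllers.items()}


def missing_nat(controllers=CONTROLLERS, nat_table=NAT_TABLE):
    """Controllers whose advertised public address does not translate 1:1 back to their VPN 0 private address."""
    return [name for name, tloc in controllers.items()
            if nat_table.get(tloc.get("public")) != tloc["private"]]


if __name__ == "__main__":
    print("edge over Internet (biz-internet):", control_targets("biz-internet"))
    print("edge over MPLS (mpls):", control_targets("mpls"))
    print("controllers without a 1:1 NAT entry:", missing_nat())
```

A public-colour edge that gets `None` back for a controller has nothing reachable to connect to, and `missing_nat()` is the check to run against the firewall's static NAT table before blaming the controllers.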

Thanks Rohit for the clarification. It's crystal clear now.

I am facing another issue with certificates. I am deploying a certificate using Windows Server CA. The CSR generated by vManage is adding a number followed by a UUID, due to which I am unable to get the certificate. Any clue what could be the cause?

 

vmanage-d83277f8-ede4-43eb-89fd-e6c2675fdd0b-6.testlab.com

Hi samirshaikh52,

First I would like to know the vManage, vBond, vSmart and vEdge/cEdge versions.

For certificate authorization follow below steps:-

===========================================================

For SD-WAN Controllers:-

For vManage :-

If you are using an Enterprise CA, then install the ROOTCA in vManage; follow the steps below:-

Go to the vManage GUI, Go to Administration -> Settings ->

   Under this setting fill in all necessary basic details like:-

   => Organization Name, vBond, and in the Controller Authorization Certificate select Enterprise Root Certificate.

      Change the Controller Certificate Authorization to use Enterprise Root Certificate. Paste in the contents of the generated ROOTCA.pem and click on Import & Save.

 

=> Keep the WAN Edge Cloud Certificate Authorization method as Automated (vManage-signed Certificate). This way vManage will automatically sign the cloud edge certs when they connect to vManage.

 

=> Next we need to create a CSR for the vManage. Navigate to the certificates section.

  • Configuration -> Certificates -> Controllers -> vManage -> click on "..." -> Generate CSR.
  • A window will pop up with the CSR text; copy that CSR text and sign the vManage-generated CSR with the ROOTCA.key and ROOTCA.pem.
  • Copy and paste the signed CSR into the web interface in the next step.
  • Navigate to the certificates page and install the certificate by pasting the contents of the vmanage.crt (signed CSR) file and click Install.
  • Configuration -> Certificates -> Controllers -> vManage -> Install Certificate.
  • You should see a success message.

=> Navigate to the devices page to add the vBond to the vManage.

  • Go to Configuration -> Devices -> Controllers Tab -> Add Controller -> vBond
  • Enter the vBond details and click Add. (Select Generate CSR.)
  • Navigate to the certificates page to get the vBond CSR text:-
  • Configuration -> Certificates -> Controllers -> vBond -> Click on "..." -> View CSR
  • Copy the CSR text and go to the CA server to generate the certificate and sign the CSR with the Root CA certificate.
  • Copy and paste the contents of the signed CSR to the vManage in the next step.
  • Navigate to the certificates page and install the vBond certificate by pasting in the contents of the vbond.crt (signed CSR) file and click Install:-
  • Configuration -> Certificates -> Controllers -> vBond -> Install Certificate.
  • You will see a success message.
  • Finally activate the control plane tunnel on the ge0/0 interface on vBond:-

    config
    vpn 0
    interface ge0/0
    tunnel-interface
    encapsulation ipsec
    !
    commit and-quit
  • Confirm that control connections are active between the vBond and vManage:-
    show orchestrator connections (this command will show you the control connection status).

=> Navigate to the devices page to add the vSmart to the vManage.

  • Go to Configuration -> Devices -> Controllers Tab -> Add Controller -> vSmart
  • Enter the vSmart details and click Add. (Select Generate CSR.)
  • Navigate to the certificates page to get the vSmart CSR text:-
  • Configuration -> Certificates -> Controllers -> vSmart -> Click on "..." -> View CSR
  • Copy the CSR text and go to the CA server to generate the certificate and sign the CSR with the Root CA certificate.
  • Copy and paste the contents of the signed CSR to the vManage in the next step.
  • Navigate to the certificates page and install the vSmart certificate by pasting in the contents of the vsmart.crt (signed CSR) file and click Install:-
  • Configuration -> Certificates -> Controllers -> vSmart -> Install Certificate.
  • You will see a success message.
  • Finally activate the control plane tunnel on the eth1 interface on vSmart:-

    config
    vpn 0
    interface eth1
    tunnel-interface
    !
    commit and-quit
  • Confirm that control connections are active between the vSmart and vManage:-
    show control connections

================================================================================

This is for the controllers only. Let me know if you need the vEdge/cEdge certificate explanation; I will write it for you.

================================================================================

Kindly let me know if you have further questions. Hit the helpful button if my post helped you.

 

Thanks and Regards,

Rohit Raj
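The enterprise-CA signing step from the post above (generate a CSR, sign it with ROOTCA.key and ROOTCA.pem, install the resulting .crt) reproduced with the openssl command line, as an added example that is not the poster's or Cisco's code. It assumes the openssl binary is on PATH and uses constructed sample values: a throwaway root CA, the organization name from the posted vManage config, and the UUID-style host name samirshaikh52 quoted as the CSR common name. The CN length check against the 64-character ub-common-name bound from RFC 5280 is a pre-submission sanity check on the CSR, not a diagnosis of the Windows CA problem reported in the thread.

```python
"""Sign a controller CSR with a lab enterprise root CA via the openssl CLI (added example)."""
import subprocess
import tempfile
from pathlib import Path

# Constructed values: the host name is the one quoted in the thread, the org name is from the posted config.
SAMPLE_CN = "vmanage-d83277f8-ede4-43eb-89fd-e6c2675fdd0b-6.testlab.com"
SAMPLE_ORG = "SAM SDWANLAB"
UB_COMMON_NAME = 64  # RFC 5280 upper bound for the commonName attribute


def openssl(*args, cwd):
    """Run one openssl command in cwd and return its stdout; a non-zero exit raises CalledProcessError."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def make_root_ca(work):
    """Create ROOTCA.key / ROOTCA.pem, the self-signed root that vManage imports as the Enterprise Root Certificate."""
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "3650",
            "-subj", f"/CN=Lab Root CA/O={SAMPLE_ORG}",
            "-keyout", "ROOTCA.key", "-out", "ROOTCA.pem", cwd=work)
    return work / "ROOTCA.key", work / "ROOTCA.pem"


def make_csr(work, cn, org):
    """Stand-in for the CSR vManage produces under Configuration -> Certificates -> Generate CSR."""
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
            "-subj", f"/CN={cn}/O={org}", "-keyout", "vmanage.key", "-out", "vmanage.csr", cwd=work)
    return work / "vmanage.csr"


def sign_csr(work, csr, ca_key, ca_pem, days=365):
    """Sign the CSR with the root CA; vmanage.crt is what gets pasted into Install Certificate."""
    openssl("x509", "-req", "-in", csr.name, "-CA", ca_pem.name, "-CAkey", ca_key.name,
            "-CAcreateserial", "-days", str(days), "-out", "vmanage.crt", cwd=work)
    return work / "vmanage.crt"


def cert_subject(crt):
    """Subject of the issued certificate in RFC 2253 form, e.g. 'subject=O=...,CN=...'."""
    return openssl("x509", "-in", crt.name, "-noout", "-subject", "-nameopt", "RFC2253",
                   cwd=crt.parent).strip()


def chains_to_root(crt, ca_pem):
    """True when the issued certificate verifies against the root CA alone."""
    out = openssl("verify", "-CAfile", ca_pem.name, crt.name, cwd=crt.parent)
    return out.strip().endswith(": OK")


def cn_within_bound(cn):
    """RFC 5280 sanity check to run on a CSR subject before submitting it to any CA."""
    return len(cn) <= UB_COMMON_NAME


def run_demo(cn=SAMPLE_CN, org=SAMPLE_ORG):
    """Full round trip in a throwaway directory; returns what a practitioner would inspect afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        ca_key, ca_pem = make_root_ca(work)
        csr = make_csr(work, cn, org)
        crt = sign_csr(work, csr, ca_key, ca_pem)
        return {"subject": cert_subject(crt), "chains_to_root": chains_to_root(crt, ca_pem),
                "cn_length": len(cn), "cn_within_bound": cn_within_bound(cn)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `chains_to_root` check is the one worth keeping around: a controller certificate that does not verify against the same ROOTCA.pem pasted into Administration -> Settings will not bring up control connections, whatever the GUI's install message says.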

Hi Rohit

I had performed the same steps for the controllers but no luck.

Controllers version is 19.1.0

You are missing steps; kindly share the lab details.

 

Regards,
Rohit Raj

Hi

Here is the vManage configuration.

Also I have attached the diagram.

For the certificate I followed the steps as you mentioned, and also I used OpenSSL and XCA, but experienced the same issue.

 

The lab is running on the EVE-NG emulator.

 

system
 host-name vManage
 system-ip 10.255.255.1
 site-id 51
 organization-name "SAM SDWANLAB"
 vbond 1.1.1.3
!
vpn 0
 interface eth0
  ip address 10.0.0.2/24
  no shutdown
 !
 ip route 0.0.0.0/0
!
vpn 512
 interface eth1
  ip address 192.168.66.2/24
  no shutdown
 !
!
 
Domain controller/DNS/Cloud 512 is connected to VPN 512 Cloud

There must be something you are missing. I want to know what you are following for the certificate; also I can see the vBond IP address is wrong. If you want, I can help you remotely if you can share the screen.

 

Regards,
Rohit Raj

Thanks for the guide.

But in case 2 (Internet only), I configured 1:1 NAT for vManage, vBond, vSmart and got an issue:

1. cEdge connects to vBond and gets the private IP of vManage, vSmart >>> so it can't connect.

2. vManage and vSmart always resolve the domain name to the private IP of vBond (I used DNS 8.8.8.8 and tried on my laptop; domain name = public IP).

My topology: vManage, vBond, vSmart have 3 private IPs in the same subnet, and are NATed to 3 public IPs.

Hi boythanhdat_2012,

Kindly hit the helpful button and mark as solved if I have answered you.

Regards,

Rohit Raj

Done. So, do you have any idea for my issue?
Thanks!

Kindly share the configuration for the controllers and the cEdge device; I will let you know what the problem is.

Also you can connect with me on a remote session; I will resolve this issue.

Message me your time.

Regards,

Rohit Raj
