
SD-WAN integration

Hi team,

Does DNA Center support SD-WAN integration, and can SD-WAN routers be Border/Control nodes for remote branch sites for SDA? I have seen and read about the integration option in DNA Center, but it is called "vedge provisioning". But I am not sure whether we can use that vEdge (let it be IOS XE, because it is less probable that Viptela OS will support SDA) as border/control or not. In Cisco Live sessions I have seen the integration option on the roadmap, but I didn't get whether it can be done now or not.

Thanks in advance,

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.


Accepted Solutions

Scott Hodgdon
Cisco Employee

Kanan,

At this point in time there is no support for a device that can be both an SD-Access Border / Control Plane and SD-WAN Edge. We do have plans for that to happen, and it will most likely be a requirement that the device be an ISR 4331 and higher or an ASR 1K (what we call cEdge devices for SD-WAN). There are other devices that can be cEdges (such as ISR 1K), but those will not support the dual role of SD-Access B/CP and SD-WAN Edge. You may hear this called a One Box Solution as it has one physical device undertaking roles in both SD-Access and SD-WAN domains.

We also have the ability with the latest IOS-XE 17.3.1 to propagate SGTs into the SD-WAN header on most cEdge devices. This header would be taken from the Ethernet frame received by the SD-WAN cEdge from the SD-Access B/CP. In this case, most ISR 1K, all ISR4K and ASR 1K can be cEdge. You may hear this called a Two Box Solution as there will be different devices undertaking the B/CP and cEdge roles in SD-Access and SD-WAN domains, respectively.

There is a good Cisco Live session on SDA-SDWAN integration available in the On-Demand Library at ciscolive.com: Build a Software Defined Enterprise with Cisco SD-WAN and Cisco SD-Access - DGTL-BRKCRS-2818 (https://www.ciscolive.com/global/on-demand-library.html?search=2818#/session/1573153543176001JDsB).

Cheers,

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group


Thanks Scott for commenting here!

Yes, exactly... I have heard about both types of implementation. But the information regarding which platforms will support the first option (where the cEdge is also B&C) is new information for me. Thank you very much. It is really valuable information: if we want to order devices for customers, we should consider this point. Looks like ISR4221 is not in this group.

So, in short: the one-box solution (where the SD-WAN router is also SDA B&C) is not possible, but it will be supported in the future, right?

Regards,
HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Kanan,

As of the writing of this message, we do not yet support the one-box solution as I described it. I do not have a committed timeframe to communicate for general availability, either.

My recommendation is to look at the two-box solution if you want some integration of SDA and SDWAN as we have just shipped the first version of code to support this. I expect there to be some further documentation on this in various places such as https://community.cisco.com/t5/networking-documents/sd-access-resources/ta-p/3812030#Design as soon as possible.

Cheers,

Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking Group

Scott,

Thank you very much for your replies!

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hello Scott,

Thanks for the interesting information. Can you specify how the 2-Box Solution works? So what do I need to configure on the cEdge and C/B to propagate the SGTs end-to-end?

Or is this automated in DNAC and vManage? (don't think so)

Regards

Tim

Hi Tim,

The two-box solution is manual and there is no workflow as such on DNAC or vManage. Refer to the link below for configuration details.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/cisco-trustsec-integration.html

Regards

Mahesh

Tim,

Note: The two-box solution is still in the testing phase and the target is sometime end of year.