SD-WAN Lab Guide
Workbook
By Mr. Abhijit Bakale
Cisco SD-WAN components are divided into 4 planes, with dedicated components
assigned to them. Let's discuss them:
1. vManage
2. vBond
3. vSmart
Edge devices in Cisco SD-WAN are known as WAN Edges.
Cisco ISR 4K / ASR 1K can be deployed as WAN Edge devices along with native
Viptela hardware.
The controller cluster is formed from 3 controllers: vManage, vSmart and vBond,
each of which has its own role. Let's talk about them:
1. vManage: This is the main component for SD-WAN management. It provides the
GUI for managing the complete SD-WAN solution; all the other components are
integrated with it and are managed only through it.
2. vSmart: This is the main component for the complete control plane operations
of SD-WAN. It is responsible for making decisions for the control plane and
policy plane of SD-WAN. All WAN Edges form OMP tunnels with vSmart, which are
used to exchange routing updates between the WAN Edges as well as policies
between them.
3. vBond: This plays a role in the SD-WAN orchestration plane, which is
responsible for automation features like PnP (Plug n Play) or ZTP (Zero Touch
Provisioning). vBond is also responsible for device onboarding.
All these controllers integrate with each other over a secure DTLS/SSL channel.
SD-WAN Lab setup:
After this, the ROOT-CA is ready to sign and grant SSL certificates. All WAN
Edges and controllers now need to install the root certificate and get their
device certificates (local certificates) signed by the ROOT-CA.
Step-1: Initializing HDD for vManage: vManage being the single pane of glass
requires dedicated storage for installing its GUI Software and hence asks for the
drive to be chosen for installing software at the first boot.
4. Site-ID: This is used to define the site domain and it should be same on all the
components of the same site.
VPNs in SD-WAN components are another name for VRFs; unlike VRFs, they cannot
be configured with a name.
VPN 0 is reserved for all control connections as well as management traffic,
while VPN 512 is responsible only for handling management traffic.
Here we are using VPN 0 for both management and control connection traffic.
Management ports are kept separate and belong to a separate VPN, which is
internally maintained as VPN 512.
VPN 0 is the transport VPN. It carries control traffic over secure DTLS or TLS
connections between vSmart controllers and vEdge routers, and between vSmart
controllers and vBond orchestrators. Initially, VPN 0 contains all a device's
interfaces except for the management interface, and all the interfaces are
In this step, we are configuring two interfaces of vManage. Eth0 will be a
member of VPN 0, the transport VPN, which is dedicated to all WAN-facing
interfaces. Eth1 will be a member of VPN 512, which is dedicated to management
and is referred to as the OOB management VPN.
Here we will be downloading the ROOT Certificate from ROOT-CA Server that we
configured above via TFTP and install the root certificate.
After configuring your vManage interface, you can open your web browser and
log in to the vManage GUI by using the VPN 512 interface Eth1 IP address in the
browser at https://10.255.1.110.
A login prompt will pop up and you can log in to the GUI using the vManage
credentials admin/admin.
After logging in, you will have to configure basic administration settings to let
the vManage GUI know about the organization name, vBond IP address and ROOT
Certificate details.
Dashboard > Administration > Settings > Controller Certificate Authorization >
Select Enterprise Root Certificate (In Lab Environment):
Note: You need to paste the root certificate here in the box which you can copy by
running the following command on your ROOT-CA Router:
Dashboard > Administration > Settings > Controller Certificate Authorization >
Set CSR Properties:
Dashboard > Configuration > Certificates > Options > Generate CSR >
Step 7: Copy the Certificate Key and Submit the CSR for signing on Root CA:
Dashboard > Configuration > Certificates > Select vManage > Install Certificate
(Right Upper Corner) > Paste the Granted Certificate Copied from the terminal of
Root-CA > Install
Step-1: vBond System Configuration: Log in to the vBond and vSmart using the
same default credentials: admin/admin and configure the system and interface
parameters given below.
Note: When we configure the vBond IP address on vBond itself, we need to use its
local address and specify the local keyword there.
As you can see here, we are using ge0/0 instead of eth0. This is because vBond
is the same image as vEdge; the only difference is that we enable vBond features
in it. Along with changing the interface type, we are also allowing all the
services here so that we can communicate with all other components without any
service limitations:
Step 8: After downloading, we need to do the certificate signing just like we did
for vManage.
You should get the granted certificate in the CLI of root-ca. Copy that certificate
and paste it in the vManage GUI for installing that certificate like we did for
vManage:
Dashboard > Configuration > Certificates > Controllers > Install Certificates
(Right Upper Corner with vBond highlighted) > Paste > Install
Status should come as Success.
Step 3: Copy the certificate prompted and paste it in the terminal of Root-CA by
executing following command:
After this, the controllers vManage, vSmart and vBond are up and running.
You can use the following verification commands to check the control connections
on the controllers:
vManage: show control connections
vBond: show orchestrator connections
vSmart: show control connections
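
An added example, not part of the original guide: a Python check over a saved device configuration for the settings described above (VPN 0 and VPN 512, the local keyword on the vBond's own address, the expected site ID, and allow-service all on the transport tunnel, which is worth flagging before a lab configuration is reused elsewhere). The sample configuration, its addresses and the function name audit are constructed for illustration.

```python
import re

# Constructed sample in Viptela CLI syntax (not the lab's configuration);
# every address and name below is a placeholder.
SAMPLE_VBOND = """\
system
 host-name vBond
 system-ip 192.0.2.2
 site-id 1
 vbond 198.51.100.2 local
!
vpn 0
 interface ge0/0
  ip address 198.51.100.2/24
  tunnel-interface
   encapsulation ipsec
   allow-service all
  !
  no shutdown
 !
!
vpn 512
 interface eth0
  ip address 203.0.113.2/24
  no shutdown
 !
!
"""


def audit(config, is_vbond=False, expected_site_id=None):
    """Return findings for one device's configuration text."""
    findings, vpn = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # unindented line: a new top-level section
            m = re.fullmatch(r"vpn (\d+)", line)
            vpn = int(m.group(1)) if m else None
        if vpn == 0 and line == "allow-service all":
            findings.append("vpn 0: tunnel-interface allows all services")
        m = re.fullmatch(r"vbond (\S+)( local)?", line)
        if m and is_vbond and not m.group(2):
            findings.append("vbond address lacks the 'local' keyword")
        m = re.fullmatch(r"site-id (\d+)", line)
        if m and expected_site_id not in (None, int(m.group(1))):
            findings.append(f"site-id {m.group(1)} is not {expected_site_id}")
    if not re.search(r"^vpn 512$", config, re.M):
        findings.append("no vpn 512 management VPN configured")
    return findings
```

Calling audit(SAMPLE_VBOND, is_vbond=True, expected_site_id=1) reports only the allow-service all finding; listing individual services on the tunnel interface instead clears it.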