7 Tips You Should Know Prior to Implementing Cisco SD-WAN cEdges
Written by Rio Zavarce, Principal Consulting Engineer, Aspire Technology Partners
Introduction
If you are a seasoned Cisco engineer with knowledge of and experience with Dynamic Multipoint VPNs and/or iWAN, and you want to get started with Cisco SD-WAN with cEdges (IOS-based SD-WAN routers), this paper may be for you.
In this post, I will summarize 7 items that I consider important and think you will need to know if you have not had exposure to Cisco SD-WAN.
Let’s dive right in.
Problem Statement
Many of us have been Cisco engineers for many years and have worked on the command line every time we touched an IOS device. But things are changing.
If you are trying something new to discover new trends and technologies or maybe because you are an implementation engineer and a Cisco SD-WAN project landed on your desk, you may want to know a few things before your project kicks off.
This article provides a few insights that I think you should know if you are a post-sales engineer who is new to Cisco SD-WAN.
Background
Experienced Cisco routing engineers have worked with Cisco IOS for many years. All IOS-based routers offer a command line interface (CLI) through which engineers interact with the device: configuration commands tell the device what to do, and show commands verify its state and protocol status.
With Cisco SD-WAN, these command line devices can be configured and managed from a management server called the vManage located at the customer’s premises or on the Cisco cloud. The vManage offers a Graphical User Interface (GUI) in which configuration, policies, verification, and troubleshooting tasks can be executed.
Cisco SD-WAN comes with a few changes that I’m going to cover in the following section.
Tip #1: The Commit Command
IOS versions prior to 17 were split into two separate trains: IOS-XE and IOS-XE SD-WAN. The traditional IOS-XE code uses configure terminal to enter configuration mode, which you should be familiar with; the IOS-XE SD-WAN train, however, uses config-transaction instead of configure terminal.
Starting with version 17, the traditional IOS-XE and SD-WAN XE trains are combined, and as a result the config-transaction command replaces the old configure terminal.
Instead of saving your configuration with write mem, you need to use the commit command to save your changes before leaving configuration mode.
Tip #2: Transport, Service, and Management VPNs
In Cisco SD-WAN, a VPN is equivalent to a VRF (virtual routing and forwarding).
The transport VPN is always VPN 0. The interfaces that belong to this VPN are the ones connected to the Internet, over which tunnels are built to the controllers and to the other routers. The tunnels to the controllers are "control connections" built with TLS or DTLS; the tunnels to other routers are IPsec tunnels that carry user data.
Service VPNs range from 1 through 511 and are where your user data comes from. The interfaces that belong to a service VPN connect to a firewall, your internal switch, and so on.
Lastly, the management VPN is always VPN 512. This VPN allows for out-of-band management.
Tip #3: Controller vs IOS Versions
It is recommended that your controllers (vManage, vSmart, and vBond) run the same version. Your router needs to run an IOS version supported by your vManage version. Why? Because the configuration templates on vManage generate CLI commands, and those commands must be supported by the IOS version on your cEdges. Check the compatibility matrix in the release notes for SD-WAN IOS XE.
Tip #4: Upgrading Controller Software
To upgrade the controllers' software, you need to follow this path to find the images. Do not confuse these with the .ova or .qcow2 files; those are for on-premises installations.
There is one image for vManage and another image for the vSmart and vBond controllers. Update the vManage first, then the vBonds, and, lastly, the vSmarts, in that order.
With SD-WAN, "installing" a software version means uploading and expanding that version on the device, leaving it ready for "activation." When you "activate" it, the server reboots and loads the newly installed version. When it comes back after about 15 minutes (there is no progress bar), you should then make the newly installed version the "default" so that it loads after every reboot. Three steps.
The same concepts of install, activate, and set-default apply to the cEdges.
Tip #5: cEdge Factory Default
There is no write erase! To bring your cEdge router back to factory default, enter the following command:
request platform software sdwan software reset
Tip #6: TLOCs
TLOCs are Transport Locators composed of three values: system IP, transport color, and encapsulation.
Each router has a system IP. This IP does not need to be routable. It is just for identification purposes.
The color is a designation given to a transport interface in VPN 0 that indicates whether the interface is directly connected to the Internet or whether there is the potential for NAT translation. For instance, the colors mpls, metro-ethernet, and private1 through private6 are private colors. They are intended for private networks, or for places where the transport IP endpoints will not be NAT-translated.
The remaining colors (3g, biz-internet, blue, bronze, custom1 through custom3, default, gold, green, lte, public-internet, red, and silver) are public colors. They are intended for public networks, or for places where the transport IP endpoints will use public IP addressing, either natively or through NAT. For instance, if you have two ISPs, one ISP could be assigned gold and the other silver.
The encapsulation type matters when data plane connectivity is advertised. The choices are IPsec or GRE, and, for obvious reasons, a GRE TLOC will not establish a data plane tunnel with an IPsec one.
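As an added illustration of Tips #2 and #6 (this is example code written for this article, not Cisco's or the author's), the following Python models the VPN numbering and the TLOC tuple described above. The VPN ranges and the private/public color lists come from the text; the function names, the Tloc class, and the sample TLOC values are assumptions made for the example. The tunnel check applies only the rule the text states (both ends must use the same encapsulation), so it is a planning aid, not a model of every SD-WAN tunnel-formation rule.

```python
# Added example (not from the original article): a small model of the
# Cisco SD-WAN identifiers described in Tips #2 and #6. The VPN ranges and
# the private/public color lists are taken from the article; the function
# names and the sample TLOCs are this example's own assumptions.
from dataclasses import dataclass
from itertools import combinations


# Tip #2: VPN numbering. VPN 0 is transport, 1-511 are service VPNs,
# 512 is the out-of-band management VPN.
def vpn_role(vpn_id: int) -> str:
    if vpn_id == 0:
        return "transport"
    if 1 <= vpn_id <= 511:
        return "service"
    if vpn_id == 512:
        return "management"
    raise ValueError(f"VPN {vpn_id} is outside the ranges the article describes")


# Tip #6: color classification exactly as listed in the article.
PRIVATE_COLORS = {"mpls", "metro-ethernet"} | {f"private{i}" for i in range(1, 7)}
PUBLIC_COLORS = (
    {"3g", "biz-internet", "blue", "bronze", "default", "gold", "green",
     "lte", "public-internet", "red", "silver"}
    | {f"custom{i}" for i in range(1, 4)}
)


def color_scope(color: str) -> str:
    """Return 'private' or 'public' for a transport color; raise for an unknown name."""
    if color in PRIVATE_COLORS:
        return "private"
    if color in PUBLIC_COLORS:
        return "public"
    raise ValueError(f"unknown transport color {color!r}")


@dataclass(frozen=True)
class Tloc:
    system_ip: str   # identifier only; the article notes it need not be routable
    color: str
    encap: str       # "ipsec" or "gre"

    def __post_init__(self):
        color_scope(self.color)  # reject a misspelled or unknown color early
        if self.encap not in ("ipsec", "gre"):
            raise ValueError(f"unsupported encapsulation {self.encap!r}")


def can_form_data_tunnel(a: Tloc, b: Tloc) -> bool:
    """Both ends must use the same encapsulation (Tip #6) and belong to
    different routers; a router does not build a data tunnel to itself."""
    return a.system_ip != b.system_ip and a.encap == b.encap


def candidate_tunnels(tlocs):
    """All TLOC pairs that could build a data-plane tunnel, as (system_ip, color) pairs."""
    pairs = []
    for a, b in combinations(tlocs, 2):
        if can_form_data_tunnel(a, b):
            pairs.append(((a.system_ip, a.color), (b.system_ip, b.color)))
    return pairs


# Constructed sample: two branches, each with an ISP color and an MPLS
# transport, plus a third router whose TLOC was configured for GRE.
SAMPLE_TLOCS = [
    Tloc("10.255.0.1", "gold", "ipsec"),
    Tloc("10.255.0.1", "mpls", "ipsec"),
    Tloc("10.255.0.2", "silver", "ipsec"),
    Tloc("10.255.0.2", "mpls", "ipsec"),
    Tloc("10.255.0.3", "biz-internet", "gre"),
]

if __name__ == "__main__":
    for vpn in (0, 10, 512):
        print(f"VPN {vpn}: {vpn_role(vpn)}")
    for t in SAMPLE_TLOCS:
        print(t, color_scope(t.color))
    for a, b in candidate_tunnels(SAMPLE_TLOCS):
        print("tunnel candidate:", a, "<->", b)
```

Running the block shows that the GRE router (10.255.0.3) ends up with no tunnel candidates at all, which is the mismatch the text warns about, while the two IPsec branches pair up across all four of their transports.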
Tip #7: Useful Verification Commands
Control Plane verification commands:
show sdwan control connections
show sdwan control local-properties
show sdwan control connection-history
show sdwan certificate installed
show sdwan certificate serial
show sdwan omp routes
show sdwan omp tlocs
show sdwan omp services
Data Plane verification commands:
show sdwan bfd sessions
show sdwan ipsec inbound-connections
show sdwan ipsec outbound-connections
Running configuration commands:
show running
show sdwan running
Conclusion
Working with Cisco SD-WAN is a little different from what you may be used to if you have worked with DMVPN and iWAN with Performance Routing (PfR). Getting familiar with these tips will make it easier for you to understand the online documentation.
It is recommended, however, that you take the following two classes for a better understanding of Cisco SD-WAN.
- Cisco SD-WAN Operation and Deployment (ENSDW)
- Implementing Cisco SD-WAN Solutions (ENSDWI)
For any questions on your SD-WAN Implementation, contact us at info@aspiretransforms.com
About the Author
Rio Zavarce, Principal Consulting Engineer, Aspire Technology Partners
Alirio (Rio) Zavarce possesses over 24 years of technical network consulting experience in LAN, WAN, datacenter, and security technologies. His broad range of experience in architecting and implementing advanced technology solutions includes working with clients across multiple verticals including manufacturing, financial services, real estate, higher education, and healthcare. Rio holds numerous industry certifications including Cisco Certified Internetwork Expert (CCIE) Routing and Switching.