Cisco Catalyst SD-WAN Lab Documentation
A Comprehensive Guide for CCIE Enterprise Infrastructure Preparation
Introduction to Cisco SD-WAN
Cisco Catalyst SD-WAN (formerly Viptela) is a software-defined wide area network solution that simplifies WAN management, enhances application performance, and improves security. It creates an overlay network over various transports (e.g., MPLS, Internet, LTE) using centralized management and policy enforcement.
Key components include:
- vManage: Centralized management for configuration, monitoring, and analytics.
- vBond: Orchestrator for device onboarding and controller discovery.
- vSmart: Control plane controller for routing and policy distribution via Overlay Management Protocol (OMP).
- WAN Edge Devices: Physical or virtual routers (e.g., vEdge, Cisco IOS XE SD-WAN) forming the data plane.
- OMP: Proprietary protocol for exchanging routes, TLOCs (Transport Locators), and policies.
- TLOC: Identifier combining system IP, color, and encapsulation (e.g., IPsec).
- Color: Label for transport types (e.g., MPLS, public-internet).
This lab deploys a functional SD-WAN environment, demonstrates certificate installation using Linux, and covers CCIE-relevant configurations.
Lab Objectives
- Deploy and configure SD-WAN controllers (vManage, vBond, vSmart).
- Onboard two WAN Edge routers (Edge1, Edge2) and establish the overlay network.
- Install certificates on controllers and WAN Edge devices using a Linux OS.
- Configure control and data plane policies.
- Verify connectivity and troubleshoot issues.
- Understand SD-WAN concepts and certificate management.
Lab Topology
Controllers:
- vManage: Management IP 192.168.1.1 (VPN 512), Transport IP 10.0.0.1 (VPN 0).
- vBond: Management IP 192.168.1.2, Transport IP 10.0.0.2.
- vSmart: Management IP 192.168.1.3, Transport IP 10.0.0.3.
WAN Edge Routers:
- Edge1: System IP 192.168.1.11, Site ID 100, Transport IP 10.0.1.11 (public-internet), LAN IP 172.16.100.1 (VPN 10).
- Edge2: System IP 192.168.1.12, Site ID 200, Transport IP 10.0.1.12 (mpls), LAN IP 172.16.200.1 (VPN 10).
Transport: Simulated public Internet and MPLS (VPN 0).
Service VPN: VPN 10 for LAN connectivity.
Linux System: Ubuntu 20.04 LTS, IP 192.168.1.100, for certificate management.
Assumptions: Virtualized environment (VMware ESXi/KVM), Cisco SD-WAN Release 20.12, DNS resolves vbond.example.com to 10.0.0.2, Symantec/DigiCert or enterprise CA certificates available.
SD-WAN Concepts Explained
Overlay Network: A virtual network over physical transports, using tunnels to connect sites securely. Example: Edge1 and Edge2 form IPsec tunnels over public-internet and MPLS.
Control Plane: vSmart uses OMP to advertise routes and policies. vBond facilitates initial device connections. OMP is lightweight, similar to BGP, but optimized for SD-WAN.
Data Plane: WAN Edge devices establish tunnels with BFD to monitor path quality (latency, loss, jitter). Policies influence traffic forwarding (e.g., preferring MPLS for critical apps).
Certificates: Certificates authenticate devices and secure DTLS/IPsec connections. Each device requires a root CA certificate and a signed device certificate. In this lab, a Linux system generates and signs certificates.
Control Policies: Modify OMP route attributes (e.g., prefer MPLS paths).
Data Policies: Control forwarding based on application or SLA requirements.
Localized Policies: Device-specific configurations (e.g., ACLs).
VPN 0: Transport for control/data plane traffic.
VPN 512: Out-of-band management.
Service VPNs (e.g., VPN 10): Isolate user traffic, akin to VRFs.
Lab Prerequisites
Hardware/Software:
- vManage: 16 vCPUs, 32 GB RAM, 100 GB disk.
- vBond: 2 vCPUs, 4 GB RAM, 20 GB disk.
- vSmart: 4 vCPUs, 8 GB RAM, 20 GB disk.
- WAN Edge: Cisco IOS XE SD-WAN routers (e.g., ISR 1100) or vEdge.
- Software: Cisco SD-WAN Release 20.12 (viptela-20.12.qcow2, isr1100-ucmk9.17.12.01a.bin).
- Linux: Ubuntu 20.04 LTS, IP 192.168.1.100, with OpenSSL installed.
Licensing: Cisco Smart Licensing account with DNA Advantage licenses.
Network: Simulated Internet/MPLS via lab switch/router. Open ports: DTLS (UDP 12346), IPsec (UDP 4500), HTTPS (TCP 443).
Tools: SSH client (e.g., PuTTY), browser for vManage GUI, Linux system with SCP and OpenSSL.
Step-by-Step Configuration
1.1 vManage Setup
Purpose: vManage provides centralized management for the SD-WAN fabric.
1. Deploy vManage VM: Download viptela-20.12.qcow2. Deploy on ESXi/KVM with two NICs (eth0: VPN 0, eth1: VPN 512). Boot and set persona:
Persona: vmanage
2. Configure vManage:
config
system
host-name vmanage
system-ip 192.168.1.1
site-id 1
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface eth0
ip address 10.0.0.1/24
tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.254
vpn 512
interface eth1
ip address 192.168.1.1/24
no shutdown
commit
Explanation: system-ip is a unique identifier. site-id groups devices by location. vbond points to vBond. vpn 0 is for transport, vpn 512 for management.
3. Access vManage GUI: Open https://192.168.1.1:8443, log in with admin/admin, and change the password.
1.2 vBond Setup
Purpose: vBond orchestrates device onboarding and controller discovery.
1. Deploy vBond VM: Use vBond image with 2 vCPUs, 4 GB RAM. One NIC for VPN 0.
2. Configure vBond:
config
system
host-name vbond
system-ip 192.168.1.2
site-id 1
organization-name "CCIE-Lab"
vbond 10.0.0.2 local
vpn 0
interface ge0/0
ip address 10.0.0.2/24
tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.254
commit
Explanation: vbond local designates this as the orchestrator. tunnel-interface enables DTLS.
1.3 vSmart Setup
Purpose: vSmart manages the control plane, distributing OMP routes and policies.
1. Deploy vSmart VM: Use vSmart image with 4 vCPUs, 8 GB RAM. One NIC for VPN 0.
2. Configure vSmart:
config
system
host-name vsmart
system-ip 192.168.1.3
site-id 1
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface ge0/0
ip address 10.0.0.3/24
tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.254
commit
Certificate Management Using Linux
Purpose: Certificates secure SD-WAN communications. Use Ubuntu 20.04 to generate a root CA, create CSRs, sign certificates, and install them.
2.1 Set Up Linux Environment
1. Install OpenSSL:
sudo apt update
sudo apt install openssl
2. Create Directory Structure:
mkdir -p ~/sdwan-certs/{ca,certs,csr}
cd ~/sdwan-certs
2.2 Create Root CA
1. Generate Root CA Private Key:
openssl genrsa -out ca/root-ca.key 4096
Explanation: Creates a 4096-bit private key.
2. Create Root CA Certificate:
openssl req -x509 -new -nodes -key ca/root-ca.key -sha256 -days 3650 -out ca/root-ca.crt -subj "/C=US/ST=CA/O=CCIE-Lab/CN=RootCA"
Explanation: Creates a self-signed certificate valid for 10 years.
2.3 Generate and Sign Certificates
Repeat for vManage, vBond, vSmart, Edge1, Edge2.
1. Generate Device Private Key (e.g., vManage):
openssl genrsa -out certs/vmanage.key 2048
2. Create CSR:
openssl req -new -key certs/vmanage.key -out csr/vmanage.csr -subj "/C=US/ST=CA/O=CCIE-Lab/CN=vmanage"
3. Sign CSR:
printf '[v3_ca]\nsubjectAltName=IP:10.0.0.1\n' > v3.ext
openssl x509 -req -in csr/vmanage.csr -CA ca/root-ca.crt -CAkey ca/root-ca.key -CAcreateserial -out certs/vmanage.crt -days 1825 -sha256 -extfile v3.ext -extensions v3_ca
Explanation: Adds the transport IP as a SAN and signs the certificate for 5 years. printf is used instead of echo -e because echo -e is not portable to Ubuntu's /bin/sh (dash). The -extensions v3_ca option selects the named section in v3.ext; without it, openssl x509 ignores the section and issues the certificate with no SAN.
4. Repeat: Use SAN IPs 10.0.0.2 (vBond), 10.0.0.3 (vSmart), 10.0.1.11 (Edge1), 10.0.1.12 (Edge2).
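The signing steps of 2.3 for all five devices, followed by the checks a controller effectively performs on a peer certificate (chain to the root CA, organization name, SAN equal to the transport IP), as an added shell script that is not part of this lab's own commands. It assumes a scratch directory (WORKDIR, a hypothetical variable) instead of ~/sdwan-certs and the same OpenSSL commands as the text, with the SAN section selected via -extensions v3_ca.

```shell
#!/bin/bash
# Added example, not part of the lab document: issue the lab's device
# certificates and verify each one before it is copied to a device.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch dir, not ~/sdwan-certs
ORG="CCIE-Lab"

make_root_ca() {                     # 4096-bit key, 10-year self-signed root CA
    mkdir -p "$WORKDIR/ca" "$WORKDIR/certs" "$WORKDIR/csr"
    openssl genrsa -out "$WORKDIR/ca/root-ca.key" 4096 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/ca/root-ca.key" -sha256 -days 3650 \
        -subj "/C=US/ST=CA/O=$ORG/CN=RootCA" -out "$WORKDIR/ca/root-ca.crt"
}

# issue_device_cert <name> <transport-ip>: key, CSR and a 5-year certificate
# carrying the transport IP as SAN. -extensions v3_ca is required: openssl x509
# ignores a named [v3_ca] section in -extfile unless it is selected explicitly.
issue_device_cert() {
    name="$1"; ip="$2"
    openssl genrsa -out "$WORKDIR/certs/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/certs/$name.key" -subj "/C=US/ST=CA/O=$ORG/CN=$name" \
        -out "$WORKDIR/csr/$name.csr"
    printf '[v3_ca]\nsubjectAltName=IP:%s\n' "$ip" > "$WORKDIR/csr/$name.ext"
    openssl x509 -req -in "$WORKDIR/csr/$name.csr" -CA "$WORKDIR/ca/root-ca.crt" \
        -CAkey "$WORKDIR/ca/root-ca.key" -CAcreateserial -days 1825 -sha256 \
        -extfile "$WORKDIR/csr/$name.ext" -extensions v3_ca \
        -out "$WORKDIR/certs/$name.crt" 2>/dev/null
}

# verify_device_cert <name> <transport-ip>: returns 1 on a broken chain,
# 2 on an organization-name mismatch, 3 when the SAN is not the expected IP.
verify_device_cert() {
    crt="$WORKDIR/certs/$1.crt"
    openssl verify -CAfile "$WORKDIR/ca/root-ca.crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -subject | grep -q "O *= *$ORG" || return 2
    openssl x509 -in "$crt" -noout -text | grep -qE "^[[:space:]]*IP Address:$2\$" || return 3
}

# The five lab devices with their transport IPs from the topology section.
make_root_ca
for dev in vmanage:10.0.0.1 vbond:10.0.0.2 vsmart:10.0.0.3 edge1:10.0.1.11 edge2:10.0.1.12; do
    issue_device_cert "${dev%%:*}" "${dev#*:}"
    verify_device_cert "${dev%%:*}" "${dev#*:}" || { echo "$dev: FAILED"; exit 1; }
    echo "$dev: chain, organization and SAN verified"
done
```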
2.4 Transfer Certificates
1. Enable SCP on Devices:
config
ip scp server enable
commit
2. Copy Files:
scp ca/root-ca.crt certs/vmanage.crt certs/vmanage.key admin@192.168.1.1:/home/admin
scp ca/root-ca.crt certs/vbond.crt certs/vbond.key admin@192.168.1.2:/home/admin
scp ca/root-ca.crt certs/vsmart.crt certs/vsmart.key admin@192.168.1.3:/home/admin
scp ca/root-ca.crt certs/edge1.crt certs/edge1.key admin@10.0.1.11:/home/admin
scp ca/root-ca.crt certs/edge2.crt certs/edge2.key admin@10.0.1.12:/home/admin
2.5 Install Certificates
1. Install Root CA:
request root-cert-chain install /home/admin/root-ca.crt
2. Install Device Certificate (vManage, vBond, vSmart), where <device> is a placeholder for the hostname, e.g., vmanage.crt:
request certificate install /home/admin/<device>.crt
(Edge1, Edge2):
request platform software sdwan certificate install /home/admin/<device>.crt
3. Verify:
show sdwan certificate status
2.6 Add Controllers to vManage
In vManage GUI (Configuration > Devices > Controllers):
- Add vBond (IP: 10.0.0.2, Type: vBond).
- Add vSmart (IP: 10.0.0.3, Type: vSmart).
- Verify certificates in Configuration > Certificates.
3.1 Prepare WAN Edge Devices
Use Cisco IOS XE SD-WAN routers (e.g., ISR 1100). Download isr1100-ucmk9.17.12.01a.bin.
3.2 Configure Edge1
1. Bootstrap Configuration:
config
system
host-name edge1
system-ip 192.168.1.11
site-id 100
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface ge0/0/0
ip address 10.0.1.11/24
tunnel-interface
encapsulation ipsec
color public-internet
no shutdown
ip route 0.0.0.0/0 10.0.1.254
vpn 10
interface ge0/0/1
ip address 172.16.100.1/24
no shutdown
commit
2. Install Software:
copy scp://admin@192.168.1.100/isr1100-ucmk9.17.12.01a.bin bootflash:
request platform software install bootflash:isr1100-ucmk9.17.12.01a.bin
reload
3.3 Configure Edge2
1. Bootstrap Configuration:
config
system
host-name edge2
system-ip 192.168.1.12
site-id 200
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface ge0/0/0
ip address 10.0.1.12/24
tunnel-interface
encapsulation ipsec
color mpls
no shutdown
ip route 0.0.0.0/0 10.0.1.254
vpn 10
interface ge0/0/1
ip address 172.16.200.1/24
no shutdown
commit
2. Install Software: Repeat steps from Edge1.
3. Onboard to vManage: In vManage (Configuration > Devices > Unclaimed WAN Edges), claim Edge1 and Edge2.
Device Templates
1. System Template:
System IP: {{system-ip}}
Site ID: {{site-id}}
Hostname: {{hostname}}
Organization Name: CCIE-Lab
vBond: 10.0.0.2
2. VPN 0 Template:
VPN 0
Interface: ge0/0/0
IP Address: {{ip-address}}/24
Tunnel-Interface
Encapsulation: ipsec
Color: {{color}}
Allow-Service: all
Default Gateway: {{gateway}}
3. VPN 10 Template:
VPN 10
Interface: ge0/0/1
IP Address: {{lan-ip}}/24
4. Attach Templates:
- Edge1: system-ip 192.168.1.11, site-id 100, ip-address 10.0.1.11, color public-internet, lan-ip 172.16.100.1, gateway 10.0.1.254.
- Edge2: system-ip 192.168.1.12, site-id 200, ip-address 10.0.1.12, color mpls, lan-ip 172.16.200.1, gateway 10.0.1.254.
Policy Configuration
1. Control Policy (MPLS Preference):
policy
control-policy MPLS-Preferred
sequence 10
match route
site-id 200
prefix-list LAN-Networks
action accept
set preference 100
default-action accept
lists
prefix-list LAN-Networks
ip-prefix 172.16.0.0/16
2. Data Policy (Application-Aware Routing):
policy
app-route-policy MS365-Priority
vpn-list VPN10
sequence 10
match
app-list MS365
action
sla-class Critical
preferred-color mpls
default-action sla-class Best-Effort
lists
vpn-list VPN10
vpn 10
app-list MS365
app teams
app outlook
sla-class Critical
latency 150
loss 2
jitter 30
3. Apply Policies: In vManage, activate the centralized policy. The app-route policy is scoped to the service VPN through its vpn-list, and the Best-Effort SLA class referenced by default-action must also be defined under lists before activation, or vManage rejects the policy.
Verification and Troubleshooting
1. Verify Control Connections:
show sdwan control connections
2. Verify Data Plane:
show sdwan bfd sessions
3. Verify Routing:
show sdwan omp routes vpn 10
4. Test Connectivity: Ping from 172.16.100.1 to 172.16.200.1.
5. Troubleshooting:
- Certificate Issues:
show sdwan certificate status
- Control Connection Failures:
show sdwan control connections-history
Additional Resources
- Cisco Catalyst SD-WAN Configuration Guide
- Cisco Press: “Cisco Software-Defined Wide Area Networks” by Jason Gooley
- Cisco DevNet: SD-WAN Sandbox
- OpenSSL Documentation
Lab Configuration Artifact
# vManage Configuration
config
system
host-name vmanage
system-ip 192.168.1.1
site-id 1
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface eth0
ip address 10.0.0.1/24
tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.254
vpn 512
interface eth1
ip address 192.168.1.1/24
no shutdown
commit
# vBond Configuration
config
system
host-name vbond
system-ip 192.168.1.2
site-id 1
organization-name "CCIE-Lab"
vbond 10.0.0.2 local
vpn 0
interface ge0/0
ip address 10.0.0.2/24
tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.254
commit
# vSmart Configuration
config
system
host-name vsmart
system-ip 192.168.1.3
site-id 1
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface ge0/0
ip address 10.0.0.3/24
tunnel-interface
no shutdown
ip route 0.0.0.0/0 10.0.0.254
commit
# Edge1 Configuration
config
system
host-name edge1
system-ip 192.168.1.11
site-id 100
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface ge0/0/0
ip address 10.0.1.11/24
tunnel-interface
encapsulation ipsec
color public-internet
no shutdown
ip route 0.0.0.0/0 10.0.1.254
vpn 10
interface ge0/0/1
ip address 172.16.100.1/24
no shutdown
commit
# Edge2 Configuration
config
system
host-name edge2
system-ip 192.168.1.12
site-id 200
organization-name "CCIE-Lab"
vbond 10.0.0.2
vpn 0
interface ge0/0/0
ip address 10.0.1.12/24
tunnel-interface
encapsulation ipsec
color mpls
no shutdown
ip route 0.0.0.0/0 10.0.1.254
vpn 10
interface ge0/0/1
ip address 172.16.200.1/24
no shutdown
commit
# Control Policy
policy
control-policy MPLS-Preferred
sequence 10
match route
site-id 200
prefix-list LAN-Networks
action accept
set preference 100
default-action accept
lists
prefix-list LAN-Networks
ip-prefix 172.16.0.0/16
# Data Policy
policy
app-route-policy MS365-Priority
vpn-list VPN10
sequence 10
match
app-list MS365
action
sla-class Critical
preferred-color mpls
default-action sla-class Best-Effort
lists
vpn-list VPN10
vpn 10
app-list MS365
app teams
app outlook
sla-class Critical
latency 150
loss 2
jitter 30
# Linux Certificate Commands
# Install OpenSSL
sudo apt update
sudo apt install openssl
# Create Directory Structure
mkdir -p ~/sdwan-certs/{ca,certs,csr}
cd ~/sdwan-certs
# Generate Root CA
openssl genrsa -out ca/root-ca.key 4096
openssl req -x509 -new -nodes -key ca/root-ca.key -sha256 -days 3650 -out ca/root-ca.crt -subj "/C=US/ST=CA/O=CCIE-Lab/CN=RootCA"
# Generate vManage Certificate
openssl genrsa -out certs/vmanage.key 2048
openssl req -new -key certs/vmanage.key -out csr/vmanage.csr -subj "/C=US/ST=CA/O=CCIE-Lab/CN=vmanage"
printf '[v3_ca]\nsubjectAltName=IP:10.0.0.1\n' > v3.ext
openssl x509 -req -in csr/vmanage.csr -CA ca/root-ca.crt -CAkey ca/root-ca.key -CAcreateserial -out certs/vmanage.crt -days 1825 -sha256 -extfile v3.ext -extensions v3_ca
# Generate vBond Certificate
openssl genrsa -out certs/vbond.key 2048
openssl req -new -key certs/vbond.key -out csr/vbond.csr -subj "/C=US/ST=CA/O=CCIE-Lab/CN=vbond"
printf '[v3_ca]\nsubjectAltName=IP:10.0.0.2\n' > v3.ext
openssl x509 -req -in csr/vbond.csr -CA ca/root-ca.crt -CAkey ca/root-ca.key -CAcreateserial -out certs/vbond.crt -days 1825 -sha256 -extfile v3.ext -extensions v3_ca
# Generate vSmart Certificate
openssl genrsa -out certs/vsmart.key 2048
openssl req -new -key certs/vsmart.key -out csr/vsmart.csr -subj "/C=US/ST=CA/O=CCIE-Lab/CN=vsmart"
printf '[v3_ca]\nsubjectAltName=IP:10.0.0.3\n' > v3.ext
openssl x509 -req -in csr/vsmart.csr -CA ca/root-ca.crt -CAkey ca/root-ca.key -CAcreateserial -out certs/vsmart.crt -days 1825 -sha256 -extfile v3.ext -extensions v3_ca
# Generate Edge1 Certificate
openssl genrsa -out certs/edge1.key 2048
openssl req -new -key certs/edge1.key -out csr/edge1.csr -subj "/C=US/ST=CA/O=CCIE-Lab/CN=edge1"
printf '[v3_ca]\nsubjectAltName=IP:10.0.1.11\n' > v3.ext
openssl x509 -req -in csr/edge1.csr -CA ca/root-ca.crt -CAkey ca/root-ca.key -CAcreateserial -out certs/edge1.crt -days 1825 -sha256 -extfile v3.ext -extensions v3_ca
# Generate Edge2 Certificate
openssl genrsa -out certs/edge2.key 2048
openssl req -new -key certs/edge2.key -out csr/edge2.csr -subj "/C=US/ST=CA/O=CCIE-Lab/CN=edge2"
printf '[v3_ca]\nsubjectAltName=IP:10.0.1.12\n' > v3.ext
openssl x509 -req -in csr/edge2.csr -CA ca/root-ca.crt -CAkey ca/root-ca.key -CAcreateserial -out certs/edge2.crt -days 1825 -sha256 -extfile v3.ext -extensions v3_ca
# Transfer Certificates
scp ca/root-ca.crt certs/vmanage.crt certs/vmanage.key admin@192.168.1.1:/home/admin
scp ca/root-ca.crt certs/vbond.crt certs/vbond.key admin@192.168.1.2:/home/admin
scp ca/root-ca.crt certs/vsmart.crt certs/vsmart.key admin@192.168.1.3:/home/admin
scp ca/root-ca.crt certs/edge1.crt certs/edge1.key admin@10.0.1.11:/home/admin
scp ca/root-ca.crt certs/edge2.crt certs/edge2.key admin@10.0.1.12:/home/admin
Conclusion
This lab provides a complete SD-WAN deployment with detailed certificate management using Linux, covering CCIE objectives like overlay networking, policy configuration, and security. The Linux-based certificate process ensures secure authentication, a critical SD-WAN component. For advanced scenarios (e.g., BGP, Cloud OnRamp), refer to Cisco documentation or request further configurations.