In the previous sections, all of the SD-WAN controllers were installed. Now it is time to add the WAN edge routers to complete our SD-WAN infrastructure, which is the topic of this section.
Based on the topology, we will add four WAN routers to our SD-WAN infrastructure, connected to each other through two transports, Internet and MPLS. The four WAN routers are in different sites with Site IDs from 101 to 104. The last digit of the IP addresses connected to the Internet, to MPLS and to the LAN, and also of the system-ip, will be configured equal to the Site ID.
In this section, we will bring up the connections between the WAN routers only through the Internet transport. Interconnection through the MPLS transport will be configured in the next videos through the vManage GUI.
As I explained in the previous section, our WAN routers will only be based on CSR1000v because of the free license restriction. I'll show you how to add one of these WAN routers to the SD-WAN infrastructure. I will add the other three WAN routers myself; that will not be shown in the video.
Configure SD-WAN Edge Router
This is the CSR1000v OVA image that I will import into the ESX server. It differs from the normal CSR1000v image since it is extended with Viptela features; it is called the CSR1000v SD-WAN image, and you can download it directly from the Cisco website.
Now let's import the CSR1KV image into the ESX server. By default it has three network interfaces, which can be connected to three WAN transports. In this section, I will use only the first interface.
The default username and password are admin/admin. I will change the password to rayka-co.com.
With the native IOS XE command "show ip interface brief", you can see that the three interfaces are called GigabitEthernet1 to GigabitEthernet3.
First, we need to configure the system configuration, much like on all controllers. Instead of the "configure terminal" command we have to use the "config-transaction" command. The hostname, system-ip, site-id, organization name, vBond IP address and NTP server are exactly the same as we configured on the other controllers. Site IDs are configured from 101 to 104 on WAN-Site1 to WAN-Site4.
!!! cEdge1 system configuration
config-transaction
 hostname cEdge1
 system
  system-ip 18.104.22.168
  site-id 101
  organization-name RAYKA
  vbond 192.168.1.51
 commit
 clock timezone Tehran +3 30
 ntp server 22.214.171.124 prefer
 commit
Now the DTLS tunnel must be configured over the Internet transport, like on all other controllers. The configuration is shown here.
!!! cEdge1 DTLS Tunnel configuration
interface GigabitEthernet1
 no shutdown
 ip address 192.168.1.101 255.255.255.0
!
interface Tunnel0
 no shutdown
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode sdwan
!
sdwan
 interface GigabitEthernet1
  tunnel-interface
   allow-service all
   encapsulation ipsec
ip route 0.0.0.0 0.0.0.0 192.168.1.1
commit
To display the configuration we use the command "show sdwan running-config system". Most SD-WAN configuration starts with the sdwan keyword.
cEdge1# show sdwan running-config system
system
 system-ip 126.96.36.199
 site-id 101
 admin-tech-on-failure
 organization-name RAYKA
 vbond 192.168.1.51
With "show ip interface brief", we can double-check our IP addressing configuration.
cEdge1#show ip int brief
Interface           IP-Address      OK? Method Status   Protocol
GigabitEthernet1    192.168.1.101   YES other  up       up
GigabitEthernet2    unassigned      YES unset  up       up
GigabitEthernet3    unassigned      YES unset  up       up
Loopback65528       192.168.1.1     YES other  up       up
Tunnel0             192.168.1.101   YES TFTP   up       up
cEdge1#
With the ping command, we can make sure of connectivity to the controllers and to the Internet.
Copy Certificate to WAN Edge Manually
On the cEdge router, unlike on the other controllers, the CA certificate is not automatically copied to the router, so we have to copy it manually via FTP or SCP. I have already prepared an FTP server pointing to the folder where the CA certificate, named CA.cer, exists.
copy ftp://rayka:[email protected] bootflash:
or
copy scp://admin:[email protected] bootflash:
Now we install the CA certificate with the following command:
request platform software sdwan root-cert-chain install bootflash:CA.cer
With the command "show sdwan certificate root-ca-cert | inc rayka", we make sure that the CA certificate is correctly installed.
show sdwan certificate root-ca-cert | inc rayka
Authenticate WAN Edge Router and Install Certificate
Now it is time to authenticate the WAN router to the controllers using the chassis number and token that we already received from the Cisco Plug and Play portal and can see in the vManage interface. We do it with the command:
request platform software sdwan vedge_cloud activate chassis-number CSR-680085FB-3F90-83E8-EAE6-050F101A4F4A token 0e09a491f48f390cfac9643ab88aadbc
It takes a few minutes for the DTLS tunnels to come up between the WAN router and all controllers.
With "show sdwan control local-properties", we can check whether a serial number has been assigned to the WAN router.
cEdge1#show sdwan control local-properties
personality                       vedge
sp-organization-name              RAYKA
organization-name                 RAYKA
root-ca-chain-status              Installed
certificate-status                Installed
certificate-validity              Valid
certificate-not-valid-before      Oct 04 22:14:07 2021 GMT
certificate-not-valid-after       Oct 02 22:14:07 2031 GMT
enterprise-cert-status            Not-Applicable
enterprise-cert-validity          Not Applicable
enterprise-cert-not-valid-before  Not Applicable
enterprise-cert-not-valid-after   Not Applicable
dns-name                          192.168.1.51
site-id                           101
domain-id                         1
protocol                          dtls
tls-port                          0
system-ip                         188.8.131.52
chassis-num/unique-id             CSR-E5E5BB2E-E2D6-C404-0A01-A3284A58C6D8
serial-num                        50C0D519
token                             Invalid
keygen-interval                   1:00:00:00
retry-interval                    0:00:00:15
no-activity-exp-interval          0:00:00:20
dns-cache-ttl                     0:00:02:00
port-hopped                       TRUE
time-since-last-port-hop          0:15:44:57
embargo-check                     success
....
Also in the vManage interface, the status of the WAN router must have changed to "certificate installed".
Configuration -> Devices -> WAN Edge List
With the command "show sdwan control connections" we can ensure that the tunnels to all controllers have come up.
cEdge1# show sdwan control connections
                                                                  PEER                PEER                                         CONTROLLER
PEER     PEER  PEER            SITE  DOMAIN  PEER                 PRIV   PEER         PUB                                          GROUP
TYPE     PROT  SYSTEM IP       ID    ID      PRIVATE IP           PORT   PUBLIC IP    PORT   LOCAL COLOR  PROXY  STATE  UPTIME      ID
--------------------------------------------------------------------------------------------------------------------------------------
vsmart   dtls  184.108.40.206  100   1       192.168.1.52         12446  192.168.1.52 12446  default      No     up     0:15:36:48  0
vbond    dtls  0.0.0.0         0     0       192.168.1.51         12346  192.168.1.51 12346  default      -      up     0:15:36:51  0
vmanage  dtls  220.127.116.11  100   0       192.168.1.50         12446  192.168.1.50 12446  default      No     up     0:15:36:36  0
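As an added example that is not part of the original post, here is a small Python checker that parses the two verification outputs used above, "show sdwan control local-properties" and "show sdwan control connections", and reports what is still missing before the WAN edge can be considered onboarded (certificate chain installed, serial number assigned, and an "up" control connection to vSmart, vBond and vManage). The sample outputs are constructed from the values shown in the post, with the column headers trimmed.

```python
# Constructed samples resembling the cEdge1 output in the post (headers trimmed).
CONTROL_CONNECTIONS = """\
vsmart  dtls 184.108.40.206 100 1 192.168.1.52 12446 192.168.1.52 12446 default No up 0:15:36:48 0
vbond   dtls 0.0.0.0        0   0 192.168.1.51 12346 192.168.1.51 12346 default -  up 0:15:36:51 0
vmanage dtls 220.127.116.11 100 0 192.168.1.50 12446 192.168.1.50 12446 default No up 0:15:36:36 0
"""
LOCAL_PROPERTIES = """\
root-ca-chain-status     Installed
certificate-status       Installed
certificate-validity     Valid
site-id                  101
serial-num               50C0D519
token                    Invalid
"""
REQUIRED_PEERS = ("vsmart", "vbond", "vmanage")
CERT_CHECKS = {"root-ca-chain-status": "Installed",
               "certificate-status": "Installed",
               "certificate-validity": "Valid"}

def parse_control_connections(text):
    """One dict per data row; header/separator lines never start with a peer type."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 14 and f[0] in REQUIRED_PEERS:
            rows.append({"type": f[0], "proto": f[1], "system_ip": f[2],
                         "site_id": int(f[3]), "public_ip": f[7],
                         "public_port": int(f[8]), "state": f[11], "uptime": f[12]})
    return rows

def parse_local_properties(text):
    """Key -> value dict from the two-column local-properties output."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props

def onboarding_problems(conn_text, props_text):
    """Empty list means the WAN edge is authenticated and reaches every controller."""
    props = parse_local_properties(props_text)
    problems = [f"{k} is {props.get(k)!r}, expected {v!r}"
                for k, v in CERT_CHECKS.items() if props.get(k) != v]
    if not props.get("serial-num"):
        problems.append("no serial number assigned: activation has not completed")
    up = {r["type"] for r in parse_control_connections(conn_text) if r["state"] == "up"}
    problems += [f"no 'up' control connection to {p}" for p in REQUIRED_PEERS if p not in up]
    return problems
```

On a real router, feed the checker the raw text captured from the two show commands; an empty list corresponds to the "In Sync" and green states described next.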
In the vManage interface, the status of the WAN router must have changed to "In Sync".
In the main dashboard, the WAN edge router must now appear in the list and must also be green.