In the previous sections, all of the SD-WAN controllers were installed. Now it is time to add the WAN edge routers to complete our SD-WAN infrastructure. That is the topic of this section.

Based on the topology, we will add four WAN routers to our SD-WAN infrastructure. They are connected to each other through two transports, internet and MPLS. The four WAN routers are in different sites, with Site-IDs from 101 to 104. The last digit of each router's IP addresses (the internet-facing, MPLS-facing and LAN-facing addresses) and of its system-ip will be set equal to the Site-ID.

SD-WAN Basic Topology

2. Cisco SD-WAN Implementation Guide

In this section, we will bring up the connections between the WAN routers over the internet transport only. Interconnection over the MPLS transport will be configured in the next videos through the vManage GUI.

As I explained in the previous section, our WAN routers will be based only on CSR1000v because of the free license restriction. I'll show you how to add one of these WAN routers to the SD-WAN infrastructure. I will add the other three WAN routers myself, and that will not be shown in the video.

Configure SD-WAN Edge Router

This is a CSR1000v OVA image that I will import into the ESX server. It differs from the normal CSR1000v image in that it is extended with Viptela features. It is called the CSR1000v SD-WAN image, and you can download it directly from the Cisco website.

CSR 1000V Series IOS XE SD-WAN Download

Now let's import the CSR1KV image into the ESX server. By default it has three network interfaces, which can be connected to three WAN transports. In this section, I will use only the first interface.

The default username and password are admin/admin. I will change the password to

With the native IOS XE command “show ip interface brief”, you can see that the three interfaces are called GigabitEthernet1 to GigabitEthernet3.

First, we need to configure the system configuration, much as we did on all the controllers. Instead of the “Configure Terminal” command, we have to use the “config-transaction” command. The host-name, system-ip, site-id, organization name, vBond IP address and NTP settings are configured exactly as on the controllers. Site IDs are configured from 101 to 104 for WAN-Site1 to WAN-Site4.

!!! cEdge1 system configuration
 hostname cEdge1
  site-id 101
  organization-name RAYKA
 clock timezone Tehran +3 30
 ntp server prefer

Now the DTLS tunnel must be configured over the internet transport, as on all the controllers. The configuration is shown here.

!!! cEdge1 DTLS Tunnel configuration
interface GigabitEthernet1
  no shutdown
  ip address
 interface Tunnel0
  no shutdown
  ip unnumbered GigabitEthernet1
  tunnel source GigabitEthernet1
  tunnel mode sdwan
  interface GigabitEthernet1
    allow-service all
    encapsulation ipsec
 ip route

To display the configuration, we use the command “show sdwan running-config system”. Most SD-WAN show commands start with the sdwan keyword.

cEdge1# show sdwan running-config system
 site-id               101
 organization-name     RAYKA

With “show ip interface brief”, we can double check our IP addressing configuration.

cEdge1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1   YES other  up                    up
GigabitEthernet2       unassigned      YES unset  up                    up
GigabitEthernet3       unassigned      YES unset  up                    up
Loopback65528     YES other  up                    up
Tunnel0         YES TFTP   up                    up

With the ping command, we can verify connectivity to the controllers and to the internet.

Copy Certificate to WAN Edge Manually

On the cEdge router, unlike on the controllers, the CA certificate is not copied to the router automatically, so we have to copy it manually via FTP or SCP. I have already prepared an FTP server pointing to the folder where the CA certificate, named CA.cer, is stored.

copy ftp://rayka:[email protected] bootflash:
copy scp://admin:[email protected] bootflash:

Now we will install the CA certificate with the following command:

request platform software sdwan root-cert-chain install bootflash:CA.cer

With the command “show sdwan certificate root-ca-cert | inc rayka”, we make sure that the CA certificate is correctly installed.

show sdwan certificate root-ca-cert | inc rayka

Authenticate WAN Edge Router and Install Certificate

Now it is time to authenticate the WAN router to the controllers using the chassis number and token that we already received from the Cisco Plug and Play portal and that we can see in the vManage interface. We can do it with the command:

request platform software sdwan vedge_cloud activate chassis-number CSR-680085FB-3F90-83E8-EAE6-050F101A4F4A token 0e09a491f48f390cfac9643ab88aadbc

It takes a few minutes for DTLS tunnels to come up between the WAN router and all controllers.

With “show sdwan control local-properties”, we can check whether a serial number has been assigned to the WAN router.

cEdge1#show sdwan control local-properties
personality                       vedge
sp-organization-name              RAYKA
organization-name                 RAYKA
root-ca-chain-status              Installed

certificate-status                Installed
certificate-validity              Valid
certificate-not-valid-before      Oct 04 22:14:07 2021 GMT
certificate-not-valid-after       Oct 02 22:14:07 2031 GMT

enterprise-cert-status            Not-Applicable
enterprise-cert-validity          Not Applicable
enterprise-cert-not-valid-before  Not Applicable
enterprise-cert-not-valid-after   Not Applicable

site-id                           101
domain-id                         1
protocol                          dtls
tls-port                          0
chassis-num/unique-id             CSR-E5E5BB2E-E2D6-C404-0A01-A3284A58C6D8
serial-num                        50C0D519
token                             Invalid
keygen-interval                   1:00:00:00
retry-interval                    0:00:00:15
no-activity-exp-interval          0:00:00:20
dns-cache-ttl                     0:00:02:00
port-hopped                       TRUE
time-since-last-port-hop          0:15:44:57
embargo-check                     success
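The fields in this output are the ones worth checking on every edge after activation. As an added example (not part of the original guide), the following script parses saved “show sdwan control local-properties” text and reports anything that does not match a correctly onboarded router; the function names, the 30-day expiry margin and the check date are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Excerpt of the "show sdwan control local-properties" output shown above.
SAMPLE = """\
personality                       vedge
organization-name                 RAYKA
root-ca-chain-status              Installed
certificate-status                Installed
certificate-validity              Valid
certificate-not-valid-after       Oct 02 22:14:07 2031 GMT
site-id                           101
protocol                          dtls
"""

def parse_local_properties(text):
    """Split each 'key   value' line on the first run of whitespace."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props

def onboarding_problems(props, org, site_id, now, min_days_left=30):
    """Return a list of findings; an empty list means the edge looks onboarded."""
    expected = {
        "root-ca-chain-status": "Installed",
        "certificate-status": "Installed",
        "certificate-validity": "Valid",
        "organization-name": org,
        "site-id": str(site_id),
    }
    problems = [f"{k}: expected {v!r}, got {props.get(k)!r}"
                for k, v in expected.items() if props.get(k) != v]
    raw = props.get("certificate-not-valid-after")
    try:
        expiry = datetime.strptime(raw or "", "%b %d %H:%M:%S %Y GMT")
    except ValueError:
        problems.append(f"certificate-not-valid-after: unparseable {raw!r}")
    else:
        if expiry - now < timedelta(days=min_days_left):
            problems.append(f"certificate expires {expiry:%Y-%m-%d}")
    return problems

if __name__ == "__main__":
    # Constructed check date; pass the current UTC time in practice.
    findings = onboarding_problems(parse_local_properties(SAMPLE),
                                   "RAYKA", 101, datetime(2021, 10, 5))
    print(findings or "cEdge onboarding checks passed")
```

Running the same check against all four sites with their own site-id (101 to 104) catches a router that was activated with the wrong system configuration or that never received the root CA chain.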

Also, in the vManage interface, the status of the WAN router must have changed to certificate installed.

Configuration -> Devices -> WAN Edge List

With the command “show sdwan control connections”, we can ensure that the tunnels to all the controllers have come up.

cEdge1# show sdwan control connections
                                                                                       PEER                                          PEER                                          CONTROLLER
PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                           GROUP
TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  LOCAL COLOR     PROXY STATE UPTIME      ID
vsmart  dtls        100        1                            12446                            12446 default         No    up     0:15:36:48  0
vbond   dtls         0          0                            12346                            12346 default         -     up     0:15:36:51  0
vmanage dtls        100        0                            12446                            12446 default         No    up     0:15:36:36  0

In the vManage interface, the status of the WAN router must have changed to In Sync.

In the main dashboard, the WAN edge router must now be in the list and must also be green.
