In previous sections, all of SD-WAN controllers are installed. Now is the time to add WAN edge router to complete our SD-WAN infrastructure. That is the discussion of this section.
Based on the topology, we will add four WAN routers in our SD-WAN Infrastructure which are connected to each other through two transport, internet and MPLS. Four WAN routers are in different sites with a Site-ID from 101 to 104. The last digit of the IP address, connected to the Internet, connected to MPLS, connected to the LAN and also system-ip will be configured equal to Site-ID.
2. Cisco SD-WAN Implementation Guide
In this section, we will bring up the connections between WAN routers, only through internet transport. interconnection through MPLS transport will be configured in the next videos through vManage GUI interface.
As I have in previous section explained, our WAN routers will be only based on CSR1000v due to the free license restriction. I’ll show you how to add one of these WAN routers into SD-WAN infrastructure. I will add the other three WAN routers myself and will be not shown in the video.
Configure SD-WAN Edge Router
This is a CSR1000v OVA image that I will import into the ESX server. This differs from the normal CSR1000v image since it is extended with Viptela features and is called CSR1000v SD-WAN image which you can download it directly from the Cisco website.
CSR 1000V Series IOS XE SD-WAN Download
Now let’s import CSR1KV image into ESX server. It has by default three network interfaces which can be connected to three WAN transport. in this section, I will use only the first interface.
default username and password are admin/admin. I will change the password to rayka-co.com.
With native IOS XE command “show ip interface brief”, you see that three interfaces are called GigabitEthernet1 to GigabitEthernet3.
First, we need to configure the system configuration much like all controllers. Instead of “Configure Terminal” command we have to use “config-transaction” command. The host-name, system-ip, site-id, organization name, vBond IP address and ntp are exactly the same that we have configured in other controllers. Site IDs are configured from 101 to 104 in WAN-Site1 to WAN-Site4.
!!! cEdge1 system configuration
config-transaction
hostname cEdge1
system
system-ip 1.1.1.101
site-id 101
organization-name RAYKA
vbond 192.168.1.51
commit
clock timezone Tehran +3 30
ntp server 37.156.28.13 prefer
commitNow DTLS tunnel must be configured over internet transport like all other controllers. The configuration is shown here.
!!! cEdge1 DTLS Tunnel configuration
interface GigabitEthernet1
no shutdown
ip address 192.168.1.101 255.255.255.0
!
interface Tunnel0
no shutdown
ip unnumbered GigabitEthernet1
tunnel source GigabitEthernet1
tunnel mode sdwan
!
sdwan
interface GigabitEthernet1
tunnel-interface
allow-service all
encapsulation ipsec
ip route 0.0.0.0 0.0.0.0 192.168.1.1
commit
To display the configuration we use the command “show sdwan running-config system” . most sdwan configuration are started with sdwan keyword.
cEdge1# show sdwan running-config system
system
system-ip 1.1.1.101
site-id 101
admin-tech-on-failure
organization-name RAYKA
vbond 192.168.1.51
With “show ip interface brief”, we can double check our IP addressing configuration.
cEdge1#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 192.168.1.101 YES other up up
GigabitEthernet2 unassigned YES unset up up
GigabitEthernet3 unassigned YES unset up up
Loopback65528 192.168.1.1 YES other up up
Tunnel0 192.168.1.101 YES TFTP up up
cEdge1#
With ping command, we can make sure of controllers and internet connectivity.
Copy Certificate to WAN Edge Manually
With the cEdge router, unlike other controllers, the CA certificate is not automatically copied to the router. So we have to copy it manually via FTP or SCP. I have already prepared an FTP server pointing to the folder where CA certificate named CA.cer exist.
copy ftp://rayka:[email protected] bootflash:
or
copy scp://admin:[email protected] bootflash:
Now we will install CA certificate with the following command:
request platform software sdwan root-cert-chain install bootflash:CA.cerWith command “show sdwan certificate root-ca-cert | inc rayka”, we make sure that CA certificate is correctly installed
show sdwan certificate root-ca-cert | inc rayka
Authenticate WAN Edge Router and Install Certificate
Now is the time to authenticate WAN router to the controllers using the chassis number and token number that we already received from the Cisco Plug and Play portal and we can see them in vManage interface. We can do it with the command:
request platform software sdwan vedge_cloud activate
chassis-number CSR-680085FB-3F90-83E8-EAE6-
050F101A4F4A token 0e09a491f48f390cfac9643ab88aadbcIt takes a few minutes for DTLS tunnels to come up between the WAN router and all controllers.
With “show sdwan control local-properties”, we can check if serial number is assigned to the WAN router.
cEdge1#show sdwan control local-properties
personality vedge
sp-organization-name RAYKA
organization-name RAYKA
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Oct 04 22:14:07 2021 GMT
certificate-not-valid-after Oct 02 22:14:07 2031 GMT
enterprise-cert-status Not-Applicable
enterprise-cert-validity Not Applicable
enterprise-cert-not-valid-before Not Applicable
enterprise-cert-not-valid-after Not Applicable
dns-name 192.168.1.51
site-id 101
domain-id 1
protocol dtls
tls-port 0
system-ip 1.1.1.101
chassis-num/unique-id CSR-E5E5BB2E-E2D6-C404-0A01-A3284A58C6D8
serial-num 50C0D519
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:15
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped TRUE
time-since-last-port-hop 0:15:44:57
embargo-check success
....Also in vManage Interface , the status of WAN router must be changed to certificate installed.
Configuration -> devices -> WAN edge list
With the command “show sdwan control connections” we can ensure that the tunnel with all controllers come up.
cEdge1# show sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 1.1.1.52 100 1 192.168.1.52 12446 192.168.1.52 12446 default No up 0:15:36:48 0
vbond dtls 0.0.0.0 0 0 192.168.1.51 12346 192.168.1.51 12346 default - up 0:15:36:51 0
vmanage dtls 1.1.1.50 100 0 192.168.1.50 12446 192.168.1.50 12446 default No up 0:15:36:36 0
in vManage Interface , the status of WAN router must be changed to in Sync.
In the main dashboard, the WAN edge router must now be in the list and must be also green.
