Deploy Cisco SD-WAN Edge Routers
Task:
- Configure and verify system parameters and interfaces of WAN Edge routers.
- Install and verify the root certificate chain.
- Register and activate WAN Edge routers in Cisco vManage.
- Troubleshoot deployment issues and verify data connections.
In this lab topology, you will deploy the BR2-Edge1 router into the overlay network. The BR1-Edge1 router was initially deployed in the overlay network but is currently experiencing issues that you must troubleshoot and resolve.
Topology:
Solution:
Configure and Verify WAN Edge Router System Parameters and Interfaces
In this task, you will configure and verify the system parameters and interfaces of the WAN Edge routers using the CLI. Start by accessing the CLI of the BR2-Edge1 WAN Edge router.
Step 1:
Select the BR2-Edge1 device and log into the WAN Edge router. Enter configuration mode on the WAN Edge router and configure the following system parameters (use the Job Aid tables as a reference):
- Hostname
- System IP Address
- Site ID
- Organization Name
- Remote vBond Address
Commit the current set of changes and exit the system parameter configuration menu.

Step 2:
In the transport VPN (VPN 0), configure the IP addresses on the WAN interfaces connecting to the public internet and MPLS networks. Change the administrative state of the interfaces to up.
Configure two default static routes in the VPN instance. Commit the current set of changes.

Step 3:
Configure the tunnel interfaces and Cisco SD-WAN Tunnel Interfaces. Use the Transport VPN Interface Parameters table as a reference:
- Tunnel interface
  - IP unnumbered
  - Tunnel source
  - Tunnel mode
- Cisco SD-WAN Tunnel Interface
  - Encapsulation
  - Color

Commit the current set of changes.

Step 4:
Configure the management interface. Commit the current set of changes and exit the configuration mode.

Step 5:
Use the show ip interface brief command to verify if interfaces are configured with proper IP addresses and are administratively and operationally up.

Step 6:
Verify connectivity to the vManage, vBond, vSmart, and the CA Server.
- 10.0.0.102 - vManage
- 10.0.0.103 - vBond
- 10.0.0.104 - vSmart
- 10.0.0.252 - CA Server

So far, we have done the following:
- Configured system parameters on the BR2-Edge1 WAN Edge router.
- Configured WAN and management interfaces on the BR2-Edge1 WAN Edge router.
- Verified system parameters and connectivity on the BR2-Edge1 WAN Edge router.
Install and Verify Enterprise Root Certificate Chain
Step 7:
Copy the root certificate chain from the CA server to the BR2-Edge1 WAN Edge router bootflash (use SCP for the file transfer).

Step 8:
Install the root certificate chain on the BR2-Edge1 WAN Edge router.
From the BR2-Edge1 CLI, execute the request platform software sdwan root-cert-chain install bootflash:CA.crt command to install the root certificate chain.
The root certificate chain file is copied to the bootflash. CA.crt is the root certificate chain file that is copied over.

Execute the show sdwan control local-properties command.

The root certificate chain status remains Installed, but this is now the enterprise CA root certificate.
So far, we have completed the following tasks:
- Uploaded the root certificate chain to the BR2-Edge1 WAN Edge router.
- Installed the root certificate chain on the BR2-Edge1 WAN Edge router.
- Verified the status of the root certificate chain on the BR2-Edge1 WAN Edge router.
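The chain installed in Step 8 is what BR2-Edge1 will use to validate certificates, so it is worth confirming that the file copied in Step 7 is exactly what the CA server published before installing it. The following Python check is an added example, not part of the original lab: it fingerprints every certificate in a PEM bundle and accepts the bundle only if each one matches a fingerprint obtained out of band. The function names and sample byte strings are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def chain_fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of each certificate's DER bytes."""
    out = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out

def normalize(fp):
    """Accept 'AA:BB:...' or plain hex and return lowercase hex."""
    fp = fp.replace(":", "").replace(" ", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return fp

def chain_matches_pins(pem_text, pinned):
    """True only if the bundle is non-empty and every certificate is pinned."""
    pins = {normalize(p) for p in pinned}
    found = chain_fingerprints(pem_text)
    return bool(found) and set(found) <= pins

def to_pem(der):
    """Wrap raw bytes in PEM armour (used only to build the sample below)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed stand-ins for DER bytes, not real X.509 certificates.
SAMPLE_ROOT = b"constructed root CA placeholder " * 8
SAMPLE_ROGUE = b"constructed unexpected certificate " * 8
SAMPLE_BUNDLE = to_pem(SAMPLE_ROOT)
# Pin written in the colon-separated form certificate tools commonly print.
hexfp = hashlib.sha256(SAMPLE_ROOT).hexdigest().upper()
SAMPLE_PIN = ":".join(hexfp[i:i + 2] for i in range(0, 64, 2))

if __name__ == "__main__":
    print("clean bundle accepted:",
          chain_matches_pins(SAMPLE_BUNDLE, [SAMPLE_PIN]))
    tampered = SAMPLE_BUNDLE + to_pem(SAMPLE_ROGUE)
    print("bundle with extra certificate accepted:",
          chain_matches_pins(tampered, [SAMPLE_PIN]))
```

A bundle that carries any certificate beyond the pinned ones is rejected, which covers the case where an extra root has been appended to CA.crt in transit.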
Register and Activate WAN Edge Router
In this task, we will register and activate an authorized WAN Edge router in the Cisco vManage. A WAN Edge list file is provided by Cisco and contains all the WAN Edge routers authorized to be deployed in overlay network. The WAN Edge list has already been uploaded and installed into Cisco vManage in the lab, and multiple WAN Edge routers have already been onboarded. The WAN Edge virtual routers must be activated to participate in the overlay network. You will activate the BR2-Edge1 and onboard it into the overlay network.
Step 9:
In Cisco vManage, navigate to Administration > Settings. Scroll down to the WAN Edge Cloud Certificate Authorization option and make sure it is set to Automated.

Step 10:
In the Cisco vManage user interface, navigate to Configuration > Devices.
Use one of the unused cloud router entries from the device list to activate BR2-Edge1. Using the More Actions (three dots) button, generate the bootstrap configuration for the BR2-Edge1 virtual router. Copy the information to a text file for later use.
Click the More Actions (...) button and choose Generate Bootstrap Configuration. Choose Cloud-Init, clear the Include Default Root Certificate checkbox and click OK.

Copy the uuid and otp values and paste them to a Notepad text file for later use.

Step 11:
Access the BR2-Edge1 router CLI and activate the WAN Edge router using the chassis number (uuid) and token (otp) from the bootstrap configuration.
Execute the request platform software sdwan vedge_cloud activate chassis-number C8K-PAYG-e49-205f-4d26-9a72-75261485e57d token da1d269e13b24e76a8a6085f96a034ad command to activate the BR2-Edge1 router.

Wait a few minutes for the certificate to be signed and installed on BR2-Edge1, then verify the WAN Edge activation.
Step 12:
Verify control connections from BR2-Edge1.

Step 13:
Verify that the certificate is installed on BR2-Edge1 in Cisco vManage. In Cisco vManage, from the main menu, select Configuration > Certificates.
In the WAN Edge List, hover your mouse over the state for rows three and four for the BR2-Edge1.

Verify there is a full mesh of VPN tunnels between BR2-Edge1 and the DC WAN Edge routers.

You have completed this task when you have:
- Activated the BR2-Edge1 WAN Edge router.
- Verified the WAN Edge router activation and certificate installation.
- Verified control and data connections on the WAN Edge router.
