Cisco SD-WAN Controllers Onboarding Configuration

SDWAN Controllers Onboarding Overview

Controller Deployment Options:

  • Cisco-Hosted Cloud: Cisco manages provisioning, backups, and disaster recovery, offering SD-WAN control as a SaaS model.
  • Public Cloud: Deploy controllers in public clouds like AWS or Azure, managed by the customer or a service provider.
  • On-Premises: Host controllers within company data centers, with the customer responsible for backups and disaster recovery; this is common in sectors with strict regulatory compliance.

Controller Communication:

  • The SDWAN controllers establish secure connections using either TLS (TCP transport) or DTLS (UDP transport), with DTLS as the default.
  • The communication between SDWAN controllers and nodes is based on the third-party trust approach.
  • The SDWAN controllers trust a Root CA (Certificate Authority) and the other nodes trust the same CA. As a result, the SDWAN nodes trust each other because each of them trusts the CA.

The Certificate Authority (CA) provides root certificates that are installed on devices to identify the CA (root certificates are self-signed).


In this post, we will set up the SDWAN controllers and onboard them:

I- Generate Root Certificate on CA:

The Root CA generates a root certificate:

CA(config)#crypto key generate rsa label PKI modulus 2048
The name for the keys will be: PKI

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

CA(config)#crypto pki server PKI
CA(cs-server)# database url flash:
% Server database url was changed. You need to move the
% existing database to the new location.
CA(cs-server)# database level complete
CA(cs-server)# issuer-name CN=rootca.learnduty.local
CA(cs-server)# hash sha256
CA(cs-server)# database archive pkcs12 password cisco333
CA(cs-server)# grant auto
CA(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.

*Dec 21 22:07:39.704: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Dec 21 22:07:39.968: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.


CA(config)#tftp-server flash:PKI.ca
CA(config)#crypto pki export PKI pem url flash:
% The specified trustpoint is not enrolled (PKI).
% Only export the CA certificate in PEM format.
% Exporting CA certificate...
Destination filename [PKI.ca]?
% File 'PKI.ca' already exists.
% Do you really want to overwrite it? [yes/no]: yes
Writing file to flash0:PKI.ca

CA(config)#crypto pki export PKI pem terminal
% The specified trustpoint is not enrolled (PKI).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIBATANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDExZyb290
Y2EubGVhcm5kdXR5LmxvY2FsMB4XDTI0MTIyMTIyMDc0MFoXDTI3MTIyMTIyMDc0
MFowITEfMB0GA1UEAxMWcm9vdGNhLmxlYXJuZHV0eS5sb2NhbDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAJq2Lhmz/NlG5vS0mNjutBNL2SgSdteVKH9A
csJPu/0FVQHWQvgdOqkfqRIQPczXtFnGy2ZneH8F33wSVC+KktsIkhKN3y6pqV0+
+GPDrg80rjwHWC3ZtptaHcHdPOF3tyAiezyiW5jEoV55ygl6+Fipw6ASlgrRr2a2
SNIP
DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHwYDVR0jBBgwFoAU82k+
VuyVy9JF/S8SkCBloxGztfYwHQYDVR0OBBYEFPNpPlbslcvSRf0vEpAgZaMRs7X2
MA0GCSqGSIb3DQEBCwUAA4IBAQBdkx0rSH4E4kW4UxfKUr0f52K4Rftp6Ial5II9
q7e2Jko5xXlUWovNYkQ7qFt7wBVpCYYUpMaTMeVIf7oofHx1W+9YurDZmGwWkhxg
IDCwqiB0ljQb7/AboDmgox1XojMit0lgzAD4ZAQbTsJVGHbc+9tLXj4J5q2dvfhh
9kJmGCER4IBFSp+gsQPp6ov2f530aS9GHfiaSZQq6xuUMOYSFGdqhYcYS4sTYyYR
A3IM21chGf5/l0FoskHl+1HMNmiPu9y8oXj8uHVbqvladFhW9bfN2xmO6EW9DVVY
BMm/MnYCJUFAgkpA6nr5SzZedEb/S96+NC90RT5KAuMOXF1x
-----END CERTIFICATE-----

CA(config)#interface gi0/0
CA(config-if)#ip address 222.2.2.4 255.255.255.0
CA(config-if)#no sh
CA(config)#ip route 0.0.0.0 0.0.0.0 222.2.2.254


II- vManage Onboarding and Certificate Installation

Step-1: vManage Initial setup configuration:

The vManage initial configuration mainly includes:

The system configuration:

  • Hostname
  • System-ip
  • Site-id
  • Organization name
  • vBond IP

Also, I’ve configured VPN0 interfaces:

  • Eth0: used for transport communication with SDWAN nodes.
  • Eth1: used for OOB management

Also, I’ve added routes to reach the needed networks for underlay and management.

LearnDuty-vManage# show run
system
 host-name             LearnDuty-vManage
 system-ip             10.10.0.10
 site-id               10
 organization-name     learnduty.com
 vbond 222.2.2.3

vpn 0
 interface eth0
  ip address 222.2.2.1/24
  tunnel-interface
   allow-service all
  !
  no shutdown
 !
 interface eth1
  ip address 10.48.16.33/24
  no shutdown
 !
 ip route 0.0.0.0/0 222.2.2.254
 ip route 10.61.0.0/16 10.48.16.1



Step-2: Root CA certificate installation on vManage:

In this step, on vManage, we will request the root certificate from the CA:


LearnDuty-vManage# vshell
LearnDuty-vManage:~$ tftp -g -r PKI.ca 222.2.2.4
LearnDuty-vManage# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
CA#
*Dec 22 08:02:34.035: TFTP: Server request for port 51696, socket_id 0xFE6C920 for process 121
*Dec 22 08:02:34.035: TFTP: read request from host 222.2.2.1(51696) via GigabitEthernet0/0
*Dec 22 08:02:34.036: TFTP: Looking for PKI.ca
*Dec 22 08:02:34.046: TFTP: Opened flash0:PKI.ca, fd 0, size 1143 for process 121
*Dec 22 08:02:34.046: TFTP: Sending block 1 (retry 0), len 512, socket_id 0xFE6C920
*Dec 22 08:02:34.052: TFTP: Received ACK for block 1, socket_id 0xFE6C920
*Dec 22 08:02:34.052: TFTP: Sending block 2 (retry 0), len 512, socket_id 0xFE6C920
*Dec 22 08:02:34.056: TFTP: Received ACK for block 2, socket_id 0xFE6C920
*Dec 22 08:02:34.056: TFTP: Sending block 3 (retry 0), len 119, socket_id 0xFE6C920
*Dec 22 08:02:34.091: TFTP: Received ACK for block 3, socket_id 0xFE6C920
*Dec 22 08:02:34.091: TFTP: Finished flash0:PKI.ca, time 00:00:00 for process 121


Step-3: Generate vManage Certificate Signing Request (CSR)

vManage generates a key pair and a Certificate Signing Request (CSR), which includes its identity details and the public key. The private key stays on vManage and is never shared.


Step-4: Installation of Root Signed certificate on vManage

The generated CSR is sent to the Certificate Authority (CA), which verifies the information, signs the certificate with its private key, and returns it to vManage.

In other words, from the vManage CSR the CA produces a granted, signed certificate. Any device that holds the CA’s root certificate can then verify this signed certificate.

From the vManage GUI, navigate to Configuration > Certificate tab > Controllers, select the “Install Certificate” option and paste the CA-signed certificate (you can also upload it as a file if the signing was done another way, for example with a dedicated CA server).

Click Install; after a few seconds the status shows success, indicating that the certificate was installed properly:


We can verify the certificate installation details from the vManage CLI as well:

LearnDuty-vManage# show certificate installed

Server certificate
------------------

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=rootca.learnduty.local
        Validity
            Not Before: Dec 22 09:25:17 2024 GMT
            Not After : Dec 22 09:25:17 2025 GMT
        Subject: C=BE, ST=Brussels, L=Belgium, OU=learnduty.com, O=learnduty.com, CN=vmanage-2632349d-cbbf-421b-8de5-3c874358ec58-0.learnduty.com/emailAddress=admin@local.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:cd:6a:4e:b0:9e:f4:49:6d:7a:79:cf:03:88:
                    2f:5b:ea:bb:5c:36:04:7b:81:36:2c:67:da:40:2c:
                    84:f0:31:26:63:44:b4:76:ef:c1:a2:85:29:03:4f:
                   SNIP...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:F3:69:3E:56:EC:95:CB:D2:45:FD:2F:12:90:20:65:A3:11:B3:B5:F6

            X509v3 Subject Key Identifier:
                1E:A5:C2:BE:24:EE:77:10:AB:0B:21:14:AD:D8:78:C9:D3:09:4E:7B
    Signature Algorithm: sha256WithRSAEncryption
         42:29:fa:65:b6:17:01:45:a3:10:06:6c:ce:10:cc:09:2a:c7:
 SNIP...
LearnDuty-vManage# show certificate root-ca-cert | in Issuer
        Issuer: CN=rootca.learnduty.local
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
        Issuer: OU=Arcturus, O=Cisco, CN=Internal Customer Root CA
                CA Issuers - URI:http://www.cisco.com/security/pki/certs/icrca.cer
        Issuer: OU=Arcturus, O=Cisco, CN=Internal Customer Root CA
        Issuer: C=US, O=Symantec Corporation, CN=Symantec Trust Services Private SHA256 Root CA
        Issuer: C=US, O=Symantec Corporation, CN=Symantec Trust Services Private SHA256 Root CA
        Issuer: C=US, CN=2632349d-cbbf-421b-8de5-3c874358ec58, O=Viptela
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
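The root CA, CSR, signing and installation steps above (Steps 3-4, repeated later for vBond and vSmart), reproduced with openssl as an added example that is not part of the post; the controller CN, file names and the rogue CA are placeholders I constructed. Note that the installed vManage certificate printed above carries Basic Constraints CA:TRUE; a leaf with that flag can itself issue certificates that chain to the root, so the example pins the issued leaf to CA:FALSE and prints the flag for review, and also shows that a second CA with the same name but a different key is not trusted.

```shell
#!/bin/sh
# Added example (not the post's code): the root CA -> CSR -> signed certificate -> verify
# flow from the post, reproduced with openssl, plus the checks an operator should run on
# the result. CA and org names follow the post's lab; the controller CN is a placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Step I: self-signed root CA (RSA 2048, SHA-256), as configured on the IOS CA server.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -subj "/CN=rootca.learnduty.local" -keyout root.key -out root.pem 2>/dev/null
}

# Step 3: the controller generates its own key pair and CSR; only the CSR leaves the box.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=BE/ST=Brussels/L=Belgium/O=learnduty.com/OU=learnduty.com/CN=vmanage-EXAMPLE.learnduty.com" \
        -keyout vmanage.key -out vmanage.csr 2>/dev/null
}

# Step 4: the CA signs the CSR. The extension file pins the leaf to CA:FALSE so the
# issued certificate cannot itself act as an issuer.
sign_csr() {
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext
    openssl x509 -req -in vmanage.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -sha256 -days 365 -extfile leaf.ext -out vmanage.pem 2>/dev/null
}

# Check 1: the leaf chains to the installed root (what "request root-cert-chain install"
# makes possible on a controller).
chain_ok() { openssl verify -CAfile root.pem vmanage.pem >/dev/null 2>&1; }

# Check 2: the leaf's Issuer equals the root's Subject.
issuer_matches_root() {
    [ "$(openssl x509 -in vmanage.pem -noout -issuer | sed 's/^[a-z]*=//')" = \
      "$(openssl x509 -in root.pem -noout -subject | sed 's/^[a-z]*=//')" ]
}

# Check 3: Basic Constraints of the leaf; prints CA:TRUE or CA:FALSE.
leaf_ca_flag() {
    openssl x509 -in vmanage.pem -noout -text | grep -A1 'Basic Constraints' | grep -o 'CA:[A-Z]*'
}

# SHA-256 fingerprint of a certificate file; compare the copy fetched over TFTP/SCP with
# the value printed on the CA itself before installing it as a trust anchor.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Negative check: a second CA with the identical issuer name but its own key pair must
# NOT be trusted. Trust is anchored in the installed root's key, not in its name.
rogue_not_trusted() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=rootca.learnduty.local" -keyout rogue.key -out rogue.pem 2>/dev/null
    openssl x509 -req -in vmanage.csr -CA rogue.pem -CAkey rogue.key -CAcreateserial \
        -sha256 -days 365 -extfile leaf.ext -out rogue-signed.pem 2>/dev/null
    ! openssl verify -CAfile root.pem rogue-signed.pem >/dev/null 2>&1
}

make_root_ca && make_csr && sign_csr
echo "root fingerprint : $(fingerprint root.pem)"
echo "chain verifies   : $(chain_ok && echo yes || echo no)"
echo "issuer matches   : $(issuer_matches_root && echo yes || echo no)"
echo "leaf constraints : $(leaf_ca_flag)"
echo "rogue CA rejected: $(rogue_not_trusted && echo yes || echo no)"
```

The same three checks can be run against the PEM a controller actually received (the file fetched into /home/admin) before it is installed.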


III- vBond Onboarding and Certificate Installation

Basically, we will go through the same process, by performing the initial setup and certificate installation:

Step-1: vBond Initial setup Configuration

Then we define the node parameters:

  • Hostname
  • System-ip
  • Site-id
  • Organization name

The difference with vBond is that the vBond IP is defined with the “local” keyword, indicating that this node is the vBond.

Note

The vEdge node firmware image is the same for vBond and vManage (they run the same OS), but vBond has the vBond IP defined as local.


We can also define the vpn0 interfaces part of initial setup configuration:

vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name             LearnDuty-vBond
vedge(config-system)#  system-ip             10.10.0.13
vedge(config-system)#  site-id               10
vedge(config-system)#  organization-name     learnduty.com
vedge(config-system)#  vbond 222.2.2.3 local
vedge(config-system)# exit
vedge(config)# commit
Commit complete.

LearnDuty-vBond(config)# vpn 0
LearnDuty-vBond(config-vpn-0)# interface ge0/0
LearnDuty-vBond(config-interface-ge0/0)# ip address 222.2.2.3/24
LearnDuty-vBond(config-interface-ge0/0)# no shutdown
LearnDuty-vBond(config-interface-ge0/0)# tunnel-interface
LearnDuty-vBond(config-tunnel-interface)# encapsulation ipsec
LearnDuty-vBond(config-tunnel-interface)# allow-service all
LearnDuty-vBond(config-tunnel-interface)# exit
LearnDuty-vBond(config-interface-ge0/0)# exit
LearnDuty-vBond(config-vpn-0)# ip route 0.0.0.0/0 222.2.2.254
LearnDuty-vBond(config-vpn-0)# exit
LearnDuty-vBond(config)# commit
Commit complete.


Step-2: Add vBond to vManage

In the vManage GUI, navigate to Configuration > Devices > Controllers > “Add Controller” and select vBond:

Provide the vBond IP and credentials, which vManage will use to connect to vBond:


Step-3: vBond Certificate Installation

To get the Root CA certificate, I’ve used a different method, copying the Root CA certificate from vManage to vBond:

LearnDuty-vManage# request execute vpn 0 scp /home/admin/PKI.ca admin@222.2.2.3:/home/admin/
The authenticity of host '222.2.2.3 (222.2.2.3)' can't be established.
ECDSA key fingerprint is SHA256:7U34AGNwc0Xu1FlF17GRRvhQc/KYH0E2hfI6FcEmb4M.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '222.2.2.3' (ECDSA) to the list of known hosts.
viptela 19.2.3

admin@222.2.2.3's password:
PKI.ca                                        100% 1143    54.0KB/s   00:00
LearnDuty-vManage#


Then, on vBond, install the Root certificate from the path home/admin/:

LearnDuty-vBond# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

After that, from the vManage GUI (Configuration > Certificate > Controllers) we select vBond and click View CSR; in the same way, we use this CSR on the CA (Certificate Authority) to generate a granted signed certificate.

This signed certificate should be installed for vBond by clicking on “Install Certificate”:


Then, after a few seconds, the vBond certificate is properly installed:

The status of this process is summarized at the bottom of the page on vManage:


Step-4: SSL / DTLS verification

After this stage, vManage will start establishing a DTLS session with vBond:

In Cisco SD-WAN, mutual authentication occurs, with both client (e.g., vBond) and server (e.g., vManage) proving their identities (certificate) to each other during the connection process.

We can verify the DTLS session state via the command “show control connections” on vManage. The state is UP, confirming that these nodes now trust each other and that their communication is encrypted:

LearnDuty-vManage# show control connections
                                   PEER                                                                        PEER                                          PEER                                                 
      PEER    PEER PEER            CONFIGURED        SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                                  
INDEX TYPE    PROT SYSTEM IP       SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  ORGANIZATION            REMOTE COLOR     STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vbond   dtls 10.10.0.13      10.10.0.13      0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:00:43:41
1     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:00:43:42
2     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:00:43:56
3     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:00:43:56

Same way, we can verify on the vBond side via command “show orchestrator connections”:

LearnDuty-vBond# show orchestrator connections
                                                                                     PEER                      PEER
         PEER     PEER     PEER             SITE        DOMAIN      PEER             PRIVATE  PEER             PUBLIC                                   ORGANIZATION
INSTANCE TYPE     PROTOCOL SYSTEM IP        ID          ID          PRIVATE IP       PORT     PUBLIC IP        PORT    REMOTE COLOR     STATE           NAME                    UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12346    222.2.2.1        12346   default          up              learnduty.com           0:00:45:47
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12446    222.2.2.1        12446   default          up              learnduty.com           0:00:45:48
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12546    222.2.2.1        12546   default          up              learnduty.com           0:00:45:46
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12646    222.2.2.1        12646   default          up              learnduty.com           0:00:45:46
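The session check described above (and repeated after the vSmart onboarding), as an added example that is not part of the post: it parses “show control connections” output and flags any peer whose DTLS/TLS session is not up. The SAMPLE text is constructed from the layout of the post's vManage output with one deliberately failing vSmart row added; “show orchestrator connections” on vBond has a different column order and is not handled here.

```shell
#!/bin/sh
# Added example (not the post's code): parse "show control connections" output and flag any
# control-plane peer whose DTLS/TLS session is not up. SAMPLE is constructed: it copies the
# layout of the post's vManage output and adds one deliberately failing vSmart row.
SAMPLE='LearnDuty-vManage# show control connections
      PEER    PEER PEER            CONFIGURED        SITE       DOMAIN PEER            PRIV  PEER            PUB
INDEX TYPE    PROT SYSTEM IP       SYSTEM IP       ID         ID     PRIVATE IP      PORT  PUBLIC IP       PORT  ORGANIZATION    REMOTE COLOR    STATE     UPTIME
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vsmart  dtls 10.10.0.12      10.10.0.12      10         1      222.2.2.2       12346 222.2.2.2       12346 learnduty.com   default         up        0:00:02:02
0     vbond   dtls 10.10.0.13      10.10.0.13      0          0      222.2.2.3       12346 222.2.2.3       12346 learnduty.com   default         up        0:01:08:55
1     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3       12346 222.2.2.3       12346 learnduty.com   default         up        0:01:08:55
2     vsmart  dtls 10.10.0.14      10.10.0.14      10         1      222.2.2.5       12346 222.2.2.5       12346 learnduty.com   default         challenge 0:00:00:03'

# Emit "TYPE SYSTEM-IP STATE" per connection row. Rows are recognised by the transport in
# the third column, so the same parser also handles the vSmart layout (fewer columns):
# peer type and system IP are always $2 and $4, STATE is always the next-to-last field.
connections() {
    printf '%s\n' "$SAMPLE" | awk '$3 == "dtls" || $3 == "tls" { print $2, $4, $(NF-1) }'
}

# Rows whose session is not up (e.g. stuck in connect/challenge).
not_up() { connections | awk '$3 != "up"'; }

# Number of established sessions.
count_up() { connections | awk '$3 == "up"' | wc -l | tr -d ' '; }

# Success only when every row is up and at least one vBond and one vSmart peer are up;
# a missing controller type is as much a finding as a failed session.
control_plane_healthy() {
    [ "$(not_up | wc -l | tr -d ' ')" -eq 0 ] \
        && connections | awk '$1 == "vbond" && $3 == "up"' | grep -q . \
        && connections | awk '$1 == "vsmart" && $3 == "up"' | grep -q .
}

echo "sessions up: $(count_up)"
if control_plane_healthy; then
    echo "control plane healthy"
else
    echo "peers not up:"
    not_up
fi
```

To run it against a live controller, replace the SAMPLE assignment with the captured output of the command (for example via a saved show-command transcript).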

Note

We can use TLS instead of DTLS, but by default it’s DTLS in Cisco SDWAN.

The key difference between DTLS and TLS is that DTLS runs over UDP, while TLS runs over TCP. DTLS (Datagram Transport Layer Security) is based on TLS, which protects data privacy against eavesdropping and tampering and is commonly used in web browsing, email, and messaging.


IV- vSmart Onboarding

Mostly the same process as for the other controllers, including the initial setup, adding the device to vManage and installing the certificate:

Step-1: vSmart Initial configuration

vsmart(config-system)# system
vsmart(config-system)# host-name             LearnDuty-vSmart
vsmart(config-system)#  system-ip             10.10.0.12
vsmart(config-system)#  site-id               10
vsmart(config-system)#  organization-name     learnduty.com
vsmart(config-system)#  vbond 222.2.2.3
vsmart(config-system)# exit
vsmart(config)# commit
Commit complete.

LearnDuty-vSmart(config)# vpn 0
LearnDuty-vSmart(config-vpn-0)# interface eth0
LearnDuty-vSmart(config-interface-eth0)# ip address 222.2.2.2/24
LearnDuty-vSmart(config-interface-eth0)# no shutdown
LearnDuty-vSmart(config-interface-eth0)# tunnel-interface
LearnDuty-vSmart(config-tunnel-interface)# allow-service all
LearnDuty-vSmart(config-tunnel-interface)# exit
LearnDuty-vSmart(config-interface-eth0)# exit
LearnDuty-vSmart(config-vpn-0)# ip route 0.0.0.0/0 222.2.2.254
LearnDuty-vSmart(config-vpn-0)# exit
LearnDuty-vSmart(config)# commit
Commit complete.


Step-2: Add vSmart to vManage

From vManage GUI, Navigate to Configuration > Devices > Controllers > “Add Controller” and select vSmart:

Note about SSL/TLS

When a client starts an SSL/TLS or DTLS connection with a server, it provides its certificate during the SSL/TLS handshake to authenticate itself. If the server possesses the issuer’s public key for the client’s certificate, it can validate the certificate’s signature and establish trust in the client.


Get the Root CA certificate:

LearnDuty-vSmart# vshell
LearnDuty-vSmart:~$ tftp -g -r PKI.ca 222.2.2.4
CA#
*Dec 22 11:02:55.481: TFTP: Server request for port 37259, socket_id 0x115E0438 for process 3
*Dec 22 11:02:55.482: TFTP: read request from host 222.2.2.2(37259) via GigabitEthernet0/0
*Dec 22 11:02:55.482: TFTP: Looking for PKI.ca
*Dec 22 11:02:55.491: TFTP: Opened flash0:PKI.ca, fd 0, size 1143 for process 3
*Dec 22 11:02:55.491: TFTP: Sending block 1 (retry 0), len 512, socket_id 0x115E0438
*Dec 22 11:02:55.496: TFTP: Received ACK for block 1, socket_id 0x115E0438
*Dec 22 11:02:55.496: TFTP: Sending block 2 (retry 0), len 512, socket_id 0x115E0438
*Dec 22 11:02:55.501: TFTP: Received ACK for block 2, socket_id 0x115E0438
*Dec 22 11:02:55.502: TFTP: Sending block 3 (retry 0), len 119, socket_id 0x115E0438
*Dec 22 11:02:55.506: TFTP: Received ACK for block 3, socket_id 0x115E0438
*Dec 22 11:02:55.506: TFTP: Finished flash0:PKI.ca, time 00:00:00 for process 3

Install Root certificate on vSmart:

LearnDuty-vSmart# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain


Since we already ticked “Generate CSR” when adding the vSmart controller to vManage, and the Root certificate is installed, we can view the generated CSR as below:


Then, we input the CSR on the CA (Certificate Authority) server to generate a granted signed certificate:

CA#crypto pki server PKI request pkcs10 terminal
PKCS10 request in base64 or pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIDSTCCAjECAQAwgcgxCzAJBgNVBAYTAkJFMREwDwYDVQQIEwhCcnVzc2VsczEQ
MA4GA1UEBxMHQmVsZ2l1bTEWMBQGA1UECxMNbGVhcm5kdXR5LmNvbTEWMBQGA1UE

....
SNIP

-----END CERTIFICATE REQUEST-----
quit
% Granted certificate:
-----BEGIN CERTIFICATE-----
MIIDuDCCAqCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDExZyb290
Y2EubGVhcm5kdXR5LmxvY2FsMB4XDTI0MTIyMjExMTA0NVoXDTI1MTIyMjExMTA0
NVowgcgxCzAJBgNVBAYTAkJFMREwDwYDVQQIEwhCcnVzc2VsczEQMA4GA1UEBxMH
QmVsZ2l1bTEWMBQGA1UECxMNbGVhcm5kdXR5LmNvbTEWMBQGA1UEChMNbGVhcm5k

....


The last step is to install the CA-signed certificate for vSmart; we can verify below that the certificate installation status is success:


Rechecking the control connections from the vManage CLI, we see that vSmart was successfully added and its DTLS session is UP:

LearnDuty-vManage# show control connections
                                   PEER                                                                        PEER                                          PEER                                                 
      PEER    PEER PEER            CONFIGURED        SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                                  
INDEX TYPE    PROT SYSTEM IP       SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  ORGANIZATION            REMOTE COLOR     STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vsmart  dtls 10.10.0.12      10.10.0.12      10         1      222.2.2.2                               12346 222.2.2.2                               12346 learnduty.com           default         up     0:00:02:02
0     vbond   dtls 10.10.0.13      10.10.0.13      0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:01:08:55
1     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:01:08:55
2     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:01:09:09
3     vbond   dtls 0.0.0.0         -               0          0      222.2.2.3                               12346 222.2.2.3                               12346 learnduty.com           default         up     0:01:09:10


In the same way, we can verify from vBond that the DTLS connection is properly established with vSmart, alongside the already established connection to vManage:

LearnDuty-vBond# show orchestrator connections
                                                                                     PEER                      PEER
         PEER     PEER     PEER             SITE        DOMAIN      PEER             PRIVATE  PEER             PUBLIC                                   ORGANIZATION
INSTANCE TYPE     PROTOCOL SYSTEM IP        ID          ID          PRIVATE IP       PORT     PUBLIC IP        PORT    REMOTE COLOR     STATE           NAME                    UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0        vsmart   dtls     10.10.0.12       10          1           222.2.2.2        12346    222.2.2.2        12346   default          up              learnduty.com           0:00:02:55
0        vsmart   dtls     10.10.0.12       10          1           222.2.2.2        12446    222.2.2.2        12446   default          up              learnduty.com           0:00:02:55
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12346    222.2.2.1        12346   default          up              learnduty.com           0:01:09:49
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12446    222.2.2.1        12446   default          up              learnduty.com           0:01:09:50
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12546    222.2.2.1        12546   default          up              learnduty.com           0:01:09:50
0        vmanage  dtls     10.10.0.10       10          0           222.2.2.1        12646    222.2.2.1        12646   default          up              learnduty.com           0:01:09:50


The same can be verified from the vSmart side:

LearnDuty-vSmart# show control connections
                                                                                             PEER                                          PEER
      PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB
INDEX TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  REMOTE COLOR     STATE UPTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vbond   dtls 0.0.0.0         0          0      222.2.2.3                               12346 222.2.2.3                               12346 default         up     0:00:03:26
0     vmanage dtls 10.10.0.10      10         0      222.2.2.1                               12346 222.2.2.1                               12346 default         up     0:00:03:11
1     vbond   dtls 0.0.0.0         0          0      222.2.2.3                               12346 222.2.2.3                               12346 default         up     0:00:03:26



At this point, the SD-WAN controllers are onboarded, added to vManage, and SSL/DTLS connections are established between them:


Next, we will go through vEdge onboarding and configuration; later we will explore OMP and templating.

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5