Cisco SD-WAN Controllers Onboarding Configuration
SDWAN Controllers Onboarding Overview
Controller Deployment Options:
- Cisco-Hosted Cloud: Cisco manages provisioning, backups, and disaster recovery, offering SD-WAN control as a SaaS model.
- Public Cloud: Deploy controllers in public clouds like AWS or Azure, managed by the customer or a service provider.
- On-Premises: Host controllers within company data centers, with the customer responsible for backups and disaster recovery. This is common in sectors with strict regulatory compliance.
Controller Communication:
- The SDWAN Controllers establish secure connections using either TLS (TCP transport) or DTLS (UDP transport), with DTLS as the default.
- The communication between SDWAN controllers and nodes is based on a third-party trust model.
- The SDWAN controller trusts a Root CA (Certificate Authority), and the other nodes also trust that CA. As a result, the SDWAN nodes trust each other, because they all trust the CA.
The Certificate Authority (CA) provides root certificates that are installed on devices to serve as identifiers for the CA (root certificates are self-signed).
In this post, we will set up the SDWAN controllers and onboard them:
I- Generate Root Certificate on CA:
The Root CA generates a root certificate:
CA(config)#crypto key generate rsa label PKI modulus 2048
The name for the keys will be: PKI
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)
CA(config)#crypto pki server PKI
CA(cs-server)# database url flash:
% Server database url was changed. You need to move the
% existing database to the new location.
CA(cs-server)# database level complete
CA(cs-server)# issuer-name CN=rootca.learnduty.local
CA(cs-server)# hash sha256
CA(cs-server)# database archive pkcs12 password cisco333
CA(cs-server)# grant auto
CA(cs-server)# no shut
%Some server settings cannot be changed after CA certificate generation.
*Dec 21 22:07:39.704: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Dec 21 22:07:39.968: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be automatically granted.
CA(config)#tftp-server flash:PKI.ca
CA(config)#crypto pki export PKI pem url flash:
% The specified trustpoint is not enrolled (PKI).
% Only export the CA certificate in PEM format.
% Exporting CA certificate...
Destination filename [PKI.ca]?
% File 'PKI.ca' already exists.
% Do you really want to overwrite it? [yes/no]: yes
Writing file to flash0:PKI.ca
CA(config)#crypto pki export PKI pem terminal
% The specified trustpoint is not enrolled (PKI).
% Only export the CA certificate in PEM format.
% CA certificate:
-----BEGIN CERTIFICATE-----
SNIP
-----END CERTIFICATE-----
CA(config)#interface gi0/0
CA(config-if)#ip address 222.2.2.4 255.255.255.0
CA(config-if)#no sh
CA(config)#ip route 0.0.0.0 0.0.0.0 222.2.2.254
II- vManage Onboarding and Certificate Installation
Step-1: vManage Initial setup configuration:
The vManage initial configuration mainly includes:
The system configuration:
- Hostname
- System-ip
- Site-id
- Organization name
- vBond IP
Also, I’ve configured VPN0 interfaces:
- Eth0: used for transport communication with SDWAN nodes.
- Eth1: used for OOB management
Also, I’ve added routes to reach the needed network for underlay and management.
LearnDuty-vManage# show run
system
host-name LearnDuty-vManage
system-ip 10.10.0.10
site-id 10
organization-name learnduty.com
vbond 222.2.2.3
vpn 0
interface eth0
ip address 222.2.2.1/24
tunnel-interface
allow-service all
!
no shutdown
!
interface eth1
ip address 10.48.16.33/24
no shutdown
!
ip route 0.0.0.0/0 222.2.2.254
ip route 10.61.0.0/16 10.48.16.1
Step-2: Root CA certificate installation on vManage:
In this step, on vManage, we will request the root certificate from the CA:
LearnDuty-vManage# vshell
LearnDuty-vManage:~$ tftp -g -r PKI.ca 222.2.2.4
LearnDuty-vManage# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
CA#
*Dec 22 08:02:34.035: TFTP: Server request for port 51696, socket_id 0xFE6C920 for process 121
*Dec 22 08:02:34.035: TFTP: read request from host 222.2.2.1(51696) via GigabitEthernet0/0
*Dec 22 08:02:34.036: TFTP: Looking for PKI.ca
*Dec 22 08:02:34.046: TFTP: Opened flash0:PKI.ca, fd 0, size 1143 for process 121
*Dec 22 08:02:34.046: TFTP: Sending block 1 (retry 0), len 512, socket_id 0xFE6C920
*Dec 22 08:02:34.052: TFTP: Received ACK for block 1, socket_id 0xFE6C920
*Dec 22 08:02:34.052: TFTP: Sending block 2 (retry 0), len 512, socket_id 0xFE6C920
*Dec 22 08:02:34.056: TFTP: Received ACK for block 2, socket_id 0xFE6C920
*Dec 22 08:02:34.056: TFTP: Sending block 3 (retry 0), len 119, socket_id 0xFE6C920
*Dec 22 08:02:34.091: TFTP: Received ACK for block 3, socket_id 0xFE6C920
*Dec 22 08:02:34.091: TFTP: Finished flash0:PKI.ca, time 00:00:00 for process 121
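TFTP has no authentication or integrity protection, and the file fetched above becomes the trust anchor for the controller. The following added example (not part of the original post) compares a fetched bundle against SHA-256 fingerprints taken from a copy obtained over a separate channel, such as the PEM printed on the CA console by `crypto pki export PKI pem terminal`, before `request root-cert-chain install` is run. The function names are illustrative and the certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def normalise(fingerprint):
    """Accept 'AB:CD:...', space-separated or plain hex; reject anything else."""
    value = re.sub(r"[\s:]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return value


def safe_to_install(fetched_pem, pinned_fingerprints):
    """True only if the bundle is non-empty and every certificate in it is pinned.

    Requiring every certificate to match means a bundle that carries the
    expected root plus an additional, unknown certificate is refused as well.
    """
    pins = {normalise(p) for p in pinned_fingerprints}
    found = pem_fingerprints(fetched_pem)
    return bool(found) and set(found) <= pins


def to_pem(der):
    """Demo helper: wrap raw bytes in a PEM certificate envelope."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(lines))


# Constructed stand-ins for certificate DER bytes (not real certificates).
CONSOLE_PEM = to_pem(b"constructed-root-ca-der" * 8)    # copy read from the CA console
OTHER_PEM = to_pem(b"constructed-unknown-ca-der" * 8)   # a certificate nobody pinned

if __name__ == "__main__":
    pins = pem_fingerprints(CONSOLE_PEM)
    print("file identical to console copy:", safe_to_install(CONSOLE_PEM, pins))
    print("file with an extra certificate:", safe_to_install(CONSOLE_PEM + OTHER_PEM, pins))
    print("different certificate:", safe_to_install(OTHER_PEM, pins))
```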
Step-3: Generate vManage Certificate Signing Request (CSR)
vManage generates a key pair and a Certificate Signing Request (CSR), which includes identity details and the public key. The private key remains secure and is never shared.
Step-4: Installation of Root Signed certificate on vManage
The generated CSR is sent to a Certificate Authority (CA), which verifies the information, signs the certificate with its private key, and returns it to the vManage.
Basically, based on the vManage CSR, the CA generates a granted (signed) certificate. The signed certificate can then be verified by any device that holds the CA’s root certificate.
From the vManage GUI, navigate to the menu Configuration > Certificate tab > Controllers, select the option “Install Certificate” and paste the CA-signed certificate (you can also upload it as a file if it was obtained in a different way, for example from a dedicated CA server).
Click Install. It takes a few seconds, then the status shows success, indicating that the certificate was installed properly:
We can verify the certificate installation details from the vManage CLI as well:
LearnDuty-vManage# show certificate installed
Server certificate
------------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=rootca.learnduty.local
Validity
Not Before: Dec 22 09:25:17 2024 GMT
Not After : Dec 22 09:25:17 2025 GMT
Subject: C=BE, ST=Brussels, L=Belgium, OU=learnduty.com, O=learnduty.com, CN=vmanage-2632349d-cbbf-421b-8de5-3c874358ec58-0.learnduty.com/emailAddress=admin@local.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c8:cd:6a:4e:b0:9e:f4:49:6d:7a:79:cf:03:88:
2f:5b:ea:bb:5c:36:04:7b:81:36:2c:67:da:40:2c:
84:f0:31:26:63:44:b4:76:ef:c1:a2:85:29:03:4f:
SNIP...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:F3:69:3E:56:EC:95:CB:D2:45:FD:2F:12:90:20:65:A3:11:B3:B5:F6
X509v3 Subject Key Identifier:
1E:A5:C2:BE:24:EE:77:10:AB:0B:21:14:AD:D8:78:C9:D3:09:4E:7B
Signature Algorithm: sha256WithRSAEncryption
42:29:fa:65:b6:17:01:45:a3:10:06:6c:ce:10:cc:09:2a:c7:
SNIP...
LearnDuty-vManage# show certificate root-ca-cert | in Issuer
Issuer: CN=rootca.learnduty.local
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
Issuer: OU=Arcturus, O=Cisco, CN=Internal Customer Root CA
CA Issuers - URI:http://www.cisco.com/security/pki/certs/icrca.cer
Issuer: OU=Arcturus, O=Cisco, CN=Internal Customer Root CA
Issuer: C=US, O=Symantec Corporation, CN=Symantec Trust Services Private SHA256 Root CA
Issuer: C=US, O=Symantec Corporation, CN=Symantec Trust Services Private SHA256 Root CA
Issuer: C=US, CN=2632349d-cbbf-421b-8de5-3c874358ec58, O=Viptela
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
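The CLI verification above can be turned into a repeatable audit. This added example (not part of the original post) parses the `show certificate installed` text and reports issuer, organization, validity, key-size and signature-algorithm problems, as well as the `CA:TRUE` basic constraint visible in the output above, which a controller's end-entity certificate does not need. The function names, the fixed evaluation date and the rule that the subject OU should equal `organization-name` are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed copy of the "show certificate installed" output above.
SAMPLE = """\
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=rootca.learnduty.local
Validity
Not Before: Dec 22 09:25:17 2024 GMT
Not After : Dec 22 09:25:17 2025 GMT
Subject: C=BE, ST=Brussels, L=Belgium, OU=learnduty.com, O=learnduty.com, CN=vmanage-2632349d-cbbf-421b-8de5-3c874358ec58-0.learnduty.com/emailAddress=admin@local.com
Public-Key: (2048 bit)
X509v3 Basic Constraints: critical
CA:TRUE
"""
DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_text(text):
    """Extract the audited fields from the OpenSSL-style text dump."""
    def grab(pattern):
        match = re.search(pattern, text, re.MULTILINE)
        return match.group(1).strip() if match else None

    def when(value):
        if value is None:
            return None
        return datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)

    subject = grab(r"^\s*Subject:\s*(.+)$") or ""
    ou = re.search(r"\bOU\s*=\s*([^,/]+)", subject)
    bits = grab(r"Public-Key:\s*\((\d+) bit\)")
    return {
        "issuer": grab(r"^\s*Issuer:\s*(.+)$"),
        "sig_alg": grab(r"^\s*Signature Algorithm:\s*(\S+)"),
        "not_before": when(grab(r"Not Before\s*:\s*(.+)$")),
        "not_after": when(grab(r"Not After\s*:\s*(.+)$")),
        "subject_ou": ou.group(1).strip() if ou else None,
        "key_bits": int(bits) if bits else None,
        "is_ca": re.search(r"\bCA:TRUE\b", text) is not None,
    }


def audit(cert, expected_issuer, organization_name, now, min_bits=2048):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cert["issuer"] != expected_issuer:
        findings.append("issuer is %r, expected %r" % (cert["issuer"], expected_issuer))
    if cert["subject_ou"] != organization_name:
        findings.append("subject OU %r differs from organization-name" % cert["subject_ou"])
    if not (cert["not_before"] and cert["not_after"]):
        findings.append("validity dates missing")
    elif not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("certificate is outside its validity window")
    if cert["key_bits"] is None or cert["key_bits"] < min_bits:
        findings.append("public key smaller than %d bits" % min_bits)
    if re.search(r"md5|sha1(?!\d)", cert["sig_alg"] or "", re.IGNORECASE):
        findings.append("weak signature algorithm %s" % cert["sig_alg"])
    if cert["is_ca"]:
        findings.append("Basic Constraints CA:TRUE on a controller certificate")
    return findings


if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # fixed date, repeatable run
    cert = parse_cert_text(SAMPLE)
    for finding in audit(cert, "CN=rootca.learnduty.local", "learnduty.com", now):
        print("FINDING:", finding)
```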
III- vBond Onboarding and Certificate Installation
Basically, we will go through the same process, by performing the initial setup and certificate installation:
Step-1: vBond Initial setup Configuration
Then we define the node parameters:
- Hostname
- System-ip
- Site-id
- Organization name
The difference with vBond is that the vBond IP is defined with the “local” keyword, indicating that this node is the vBond.
Note
The vEDGE node firmware image is the same for vBond and vManage (running same OS), but vBond will have vBond IP defined as local.
We can also define the VPN 0 interfaces as part of the initial setup configuration:
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name LearnDuty-vBond
vedge(config-system)# system-ip 10.10.0.13
vedge(config-system)# site-id 10
vedge(config-system)# organization-name learnduty.com
vedge(config-system)# vbond 222.2.2.3 local
vedge(config-system)# exit
vedge(config)# commit
Commit complete.
LearnDuty-vBond(config)# vpn 0
LearnDuty-vBond(config-vpn-0)# interface ge0/0
LearnDuty-vBond(config-interface-ge0/0)# ip address 222.2.2.3/24
LearnDuty-vBond(config-interface-ge0/0)# no shutdown
LearnDuty-vBond(config-interface-ge0/0)# tunnel-interface
LearnDuty-vBond(config-tunnel-interface)# encapsulation ipsec
LearnDuty-vBond(config-tunnel-interface)# allow-service all
LearnDuty-vBond(config-tunnel-interface)# exit
LearnDuty-vBond(config-interface-ge0/0)# exit
LearnDuty-vBond(config-vpn-0)# ip route 0.0.0.0/0 222.2.2.254
LearnDuty-vBond(config-vpn-0)# exit
LearnDuty-vBond(config)# commit
Commit complete.
Step-2: Add vBond to vManage
In the vManage GUI, navigate to Configuration > Devices > Controllers > “Add Controller” and select vBond:
Provide the vBond IP and credential, which will be used by vManage to connect to vBond:
Step-3: vBond Certificate Installation
For getting the Root CA certificate, I’ve used a different method by copying the Root CA from vManage to vBond:
LearnDuty-vManage# request execute vpn 0 scp /home/admin/PKI.ca admin@222.2.2.3:/home/admin/
The authenticity of host '222.2.2.3 (222.2.2.3)' can't be established.
ECDSA key fingerprint is SHA256:7U34AGNwc0Xu1FlF17GRRvhQc/KYH0E2hfI6FcEmb4M.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '222.2.2.3' (ECDSA) to the list of known hosts.
viptela 19.2.3
admin@222.2.2.3's password:
PKI.ca 100% 1143 54.0KB/s 00:00
LearnDuty-vManage#
Then, on vBond, we install the Root certificate from the path home/admin/:
LearnDuty-vBond# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
After that, from the vManage GUI (Configuration > Certificate > Controllers), we select vBond and click view CSR, and in the same way we use this CSR on the CA (certificate authority) to generate a granted signed certificate.
This signed certificate should be installed for vBond by clicking on “Install Certificate”:
Then, after a few seconds, the vBond certificate is properly installed:
The status of this process is summarized at the bottom of the page on vManage:
Step-4: SSL / DTLS verification
After this stage, vManage starts establishing DTLS sessions with vBond:
Cisco SD-WAN uses mutual authentication: both the client (e.g., vBond) and the server (e.g., vManage) prove their identity to each other with their certificates during the connection process.
We can verify the DTLS session state with the command “show control connections” on vManage. The state is UP, which confirms that these nodes now trust each other and that the communication is encrypted:
LearnDuty-vManage# show control connections
PEER PEER PEER
PEER PEER PEER CONFIGURED SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vbond dtls 10.10.0.13 10.10.0.13 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:00:43:41
1 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:00:43:42
2 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:00:43:56
3 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:00:43:56
Same way, we can verify on the vBond side via command “show orchestrator connections”:
LearnDuty-vBond# show orchestrator connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC ORGANIZATION
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE NAME UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12346 222.2.2.1 12346 default up learnduty.com 0:00:45:47
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12446 222.2.2.1 12446 default up learnduty.com 0:00:45:48
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12546 222.2.2.1 12546 default up learnduty.com 0:00:45:46
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12646 222.2.2.1 12646 default up learnduty.com 0:00:45:46
Note
We can use TLS instead of DTLS, but by default it’s DTLS in Cisco SDWAN.
The key difference between DTLS and TLS is that DTLS uses UDP, while TLS uses TCP. DTLS (Datagram Transport Layer Security) is based on TLS and secures data privacy, preventing eavesdropping and tampering, commonly used in web browsing, email, and messaging.
IV- vSmart Onboarding
This is mostly the same process as onboarding the other controllers, including the initial setup, adding the device to vManage and installing the certificate:
Step-1: vSmart Initial configuration
vsmart(config-system)# system
vsmart(config-system)# host-name LearnDuty-vSmart
vsmart(config-system)# system-ip 10.10.0.12
vsmart(config-system)# site-id 10
vsmart(config-system)# organization-name learnduty.com
vsmart(config-system)# vbond 222.2.2.3
vsmart(config-system)# exit
vsmart(config)# commit
Commit complete.
LearnDuty-vSmart(config)# vpn 0
LearnDuty-vSmart(config-vpn-0)# interface eth0
LearnDuty-vSmart(config-interface-eth0)# ip address 222.2.2.2/24
LearnDuty-vSmart(config-interface-eth0)# no shutdown
LearnDuty-vSmart(config-interface-eth0)# tunnel-interface
LearnDuty-vSmart(config-tunnel-interface)# allow-service all
LearnDuty-vSmart(config-tunnel-interface)# exit
LearnDuty-vSmart(config-interface-eth0)# exit
LearnDuty-vSmart(config-vpn-0)# ip route 0.0.0.0/0 222.2.2.254
LearnDuty-vSmart(config-vpn-0)# exit
LearnDuty-vSmart(config)# commit
Commit complete.
Step-2: Add vSmart to vManage
From the vManage GUI, navigate to Configuration > Devices > Controllers > “Add Controller” and select vSmart:
Note about SSL/TLS
When a client starts an SSL/TLS or DTLS connection with a server, it provides its certificate during the SSL/TLS handshake to authenticate itself. If the server possesses the issuer’s public key for the client’s certificate, it can validate the certificate’s signature and establish trust in the client.
Get the Root CA certificate:
LearnDuty-vSmart# vshell
LearnDuty-vSmart:~$ tftp -g -r PKI.ca 222.2.2.4
CA#
*Dec 22 11:02:55.481: TFTP: Server request for port 37259, socket_id 0x115E0438 for process 3
*Dec 22 11:02:55.482: TFTP: read request from host 222.2.2.2(37259) via GigabitEthernet0/0
*Dec 22 11:02:55.482: TFTP: Looking for PKI.ca
*Dec 22 11:02:55.491: TFTP: Opened flash0:PKI.ca, fd 0, size 1143 for process 3
*Dec 22 11:02:55.491: TFTP: Sending block 1 (retry 0), len 512, socket_id 0x115E0438
*Dec 22 11:02:55.496: TFTP: Received ACK for block 1, socket_id 0x115E0438
*Dec 22 11:02:55.496: TFTP: Sending block 2 (retry 0), len 512, socket_id 0x115E0438
*Dec 22 11:02:55.501: TFTP: Received ACK for block 2, socket_id 0x115E0438
*Dec 22 11:02:55.502: TFTP: Sending block 3 (retry 0), len 119, socket_id 0x115E0438
*Dec 22 11:02:55.506: TFTP: Received ACK for block 3, socket_id 0x115E0438
*Dec 22 11:02:55.506: TFTP: Finished flash0:PKI.ca, time 00:00:00 for process 3
Install Root certificate on vSmart:
LearnDuty-vSmart# request root-cert-chain install home/admin/PKI.ca
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/PKI.ca via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
Since we already checked “generate CSR” when adding the vSmart controller to vManage, and the Root certificate is installed, we can view the generated CSR as below:
Then, we input the CSR on the CA (Certificate Authority) server to generate a granted signed certificate:
CA#crypto pki server PKI request pkcs10 terminal
PKCS10 request in base64 or pem
% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIDSTCCAjECAQAwgcgxCzAJBgNVBAYTAkJFMREwDwYDVQQIEwhCcnVzc2VsczEQ
MA4GA1UEBxMHQmVsZ2l1bTEWMBQGA1UECxMNbGVhcm5kdXR5LmNvbTEWMBQGA1UE
....
SNIP
-----END CERTIFICATE REQUEST-----
quit
% Granted certificate:
-----BEGIN CERTIFICATE-----
MIIDuDCCAqCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADAhMR8wHQYDVQQDExZyb290
Y2EubGVhcm5kdXR5LmxvY2FsMB4XDTI0MTIyMjExMTA0NVoXDTI1MTIyMjExMTA0
NVowgcgxCzAJBgNVBAYTAkJFMREwDwYDVQQIEwhCcnVzc2VsczEQMA4GA1UEBxMH
QmVsZ2l1bTEWMBQGA1UECxMNbGVhcm5kdXR5LmNvbTEWMBQGA1UEChMNbGVhcm5k
....
The last step is to install the CA-signed certificate for vSmart. We can verify from below that the certificate installation status is success:
Rechecking the control connections from the vManage CLI, we see that vSmart was successfully added and the DTLS session is UP:
LearnDuty-vManage# show control connections
PEER PEER PEER
PEER PEER PEER CONFIGURED SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vsmart dtls 10.10.0.12 10.10.0.12 10 1 222.2.2.2 12346 222.2.2.2 12346 learnduty.com default up 0:00:02:02
0 vbond dtls 10.10.0.13 10.10.0.13 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:01:08:55
1 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:01:08:55
2 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:01:09:09
3 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:01:09:10
Same way, we can verify from vBond that DTLS connection is properly established with vSmart along with already setup connection to vManage:
LearnDuty-vBond# show orchestrator connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC ORGANIZATION
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE NAME UPTIME
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vsmart dtls 10.10.0.12 10 1 222.2.2.2 12346 222.2.2.2 12346 default up learnduty.com 0:00:02:55
0 vsmart dtls 10.10.0.12 10 1 222.2.2.2 12446 222.2.2.2 12446 default up learnduty.com 0:00:02:55
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12346 222.2.2.1 12346 default up learnduty.com 0:01:09:49
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12446 222.2.2.1 12446 default up learnduty.com 0:01:09:50
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12546 222.2.2.1 12546 default up learnduty.com 0:01:09:50
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12646 222.2.2.1 12646 default up learnduty.com 0:01:09:50
The same can be verified from the vSmart side:
LearnDuty-vSmart# show control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vbond dtls 0.0.0.0 0 0 222.2.2.3 12346 222.2.2.3 12346 default up 0:00:03:26
0 vmanage dtls 10.10.0.10 10 0 222.2.2.1 12346 222.2.2.1 12346 default up 0:00:03:11
1 vbond dtls 0.0.0.0 0 0 222.2.2.3 12346 222.2.2.3 12346 default up 0:00:03:26
At this point, the SD-WAN controllers are onboarded and added to vManage, and SSL/DTLS connections are established between them.
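The end state can be checked automatically rather than by eye. This added example (not part of the original post) parses the vManage `show control connections` rows shown above and compares them with the intended controller inventory, reporting missing sessions, peers that are not in the inventory, and organization or protocol mismatches. The function names and the inventory format are assumptions of this example, and only the vManage column layout is handled.

```python
# Column order of the vManage "show control connections" data rows shown above.
FIELDS = ("index", "type", "prot", "system_ip", "configured_system_ip",
          "site_id", "domain_id", "private_ip", "private_port",
          "public_ip", "public_port", "organization", "color", "state", "uptime")

# Constructed sample: header and rows copied from the vManage output above.
SAMPLE = """\
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
----------------------------------------------------------------
0 vsmart dtls 10.10.0.12 10.10.0.12 10 1 222.2.2.2 12346 222.2.2.2 12346 learnduty.com default up 0:00:02:02
0 vbond dtls 10.10.0.13 10.10.0.13 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:01:08:55
1 vbond dtls 0.0.0.0 - 0 0 222.2.2.3 12346 222.2.2.3 12346 learnduty.com default up 0:01:08:55
"""

# Intended inventory for this lab, as (type, private IP) pairs taken from the post.
EXPECTED = {("vbond", "222.2.2.3"), ("vsmart", "222.2.2.2")}


def parse_control_connections(text):
    """Turn data rows into dicts; header and separator lines are skipped.

    Assumes no field contains whitespace (an organization name with spaces
    would need a column-position parser instead).
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == len(FIELDS) and tokens[0].isdigit():
            rows.append(dict(zip(FIELDS, tokens)))
    return rows


def check_control_plane(rows, expected_peers, organization, allowed_prot=("dtls", "tls")):
    """Return findings; an empty list means the sessions match the inventory."""
    findings, established = [], set()

    def note(message):
        if message not in findings:  # several sessions to one peer report once
            findings.append(message)

    for row in rows:
        peer = (row["type"], row["private_ip"])
        label = "%s at %s" % peer
        if peer not in expected_peers:
            note("unexpected peer " + label)
        if row["organization"] != organization:
            note("%s reports organization %r" % (label, row["organization"]))
        if row["prot"] not in allowed_prot:
            note("%s uses protocol %r" % (label, row["prot"]))
        if row["state"] == "up":
            established.add(peer)
    for peer in sorted(expected_peers - established):
        note("no established session to %s at %s" % peer)
    return findings


if __name__ == "__main__":
    problems = check_control_plane(parse_control_connections(SAMPLE), EXPECTED, "learnduty.com")
    print("control plane OK" if not problems else "\n".join(problems))
```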
Next, we will go through vEdge onboarding and configuration; later we will explore OMP, templating, etc.