Day Zero Configuration for Viptela SD-WAN Edges

Matt Albrecht, July 10th 2019

How can we configure a Viptela edge router on day zero to establish a secure tunnel to our vManage orchestrator? That is, what configuration is required to essentially activate our edge? Today, we'll answer that question in the context of the Cisco ISR Series.

Viptela or Cisco SD-WAN?

Let's begin today's topic by touching on the title of this article.

The Viptela SD-WAN product is now known as Cisco SD-WAN. This change has been in effect for a while now, since Cisco's acquisition of Viptela. Even so, I titled the article with the old product name for the sake of clarity: Cisco has other SD-WAN products, such as Meraki, so things can get a bit hazy when using the new name.

Today's SD-WAN Lab

Let's move on to the scope of today's discussion. I will be going over the day zero configuration of a Cisco ISR Series device before its activation on a vManage orchestrator. The day zero configuration will allow our device to build a secure tunnel back to our SD-WAN infrastructure cluster. Once the tunnel is established, no further CLI configuration will be required, as the orchestrator will take over control of the device.

Several prerequisites will be assumed before we begin to apply the required configuration.

  1. Device Model - The device is a Cisco ISR Series device with SD-WAN support.
  2. Operating System - The device is running the SD-WAN version of the IOS XE operating system.
  3. Orchestrator Preparation - The device metadata has already been onboarded to a vManage instance.
  4. Internet Connectivity - Our device has an uplink with access to our SD-WAN infrastructure cluster. An Internet link will suffice for cloud-hosted deployments.

Switch off PNPA service discovery

With these preparations complete, we may now commence the configuration process. Connect to the console of your device and begin by disabling plug-and-play discovery. This command is necessary to enable configuration-level access to the CLI. Attempts to enter configuration mode before running this command will be rejected.

pnpa service discovery stop

It will take approximately 30 seconds for the service to shut down.

How to switch to config mode on IOS XE SD-WAN

With this step complete, we can now enter configuration mode. Note that the command to do so differs from the standard IOS XE software family.

config-transaction

How to add the SD-WAN system config

We may now start the actual day zero configuration. The first section we'll apply is the system config. Modify the sample configuration below to match your environment. The organization-name will come from the relevant smart account name within plug-and-play connect. The system IP and site ID need to be unique from other edges and SD-WAN nodes. The vbond server and port need to match the details configured within plug-and-play connect.

system
 organization-name robot-corp
 system-ip 1.1.1.10
 site-id 10
 vbond vbond-server.viptela.net port 12346
 exit

Enable DNS and a default route

Next, we'll enable DNS lookups and configure our DNS servers as well as a default route. The IP address 10.0.0.1 will need to be replaced with the address of your default gateway.

ip domain lookup
ip name-server 8.8.8.8 8.8.4.4
ip route 0.0.0.0 0.0.0.0 10.0.0.1

Configure the WAN interface

Our uplink will need a layer 3 endpoint configured. The sample configuration below will do so for Ethernet access. To use this configuration, simply ensure the IP address, subnet mask, and physical port are all adjusted to match the topology of your network.

no interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.252
 no shutdown
 arp timeout 1200
 ip mtu 1500
 mtu 1500
 negotiation auto
 exit

How to enable IPSec to our SD-WAN management nodes

Finally, to establish secure tunnels back to our infrastructure nodes we'll need to enable IPSec on our layer 3 uplink. The configuration below will do so. To use it, modify the port name based on the index of your physical uplink. The color of biz-internet may be modified to mpls depending on the type of uplink being used. In either case, though, the value of the color is not critical for activation.

interface Tunnel0
 no shutdown
 ip unnumbered GigabitEthernet0/0/0
 no ip redirects
 ipv6 unnumbered GigabitEthernet0/0/0
 no ipv6 redirects
 tunnel source GigabitEthernet0/0/0
 tunnel mode sdwan
 exit
sdwan
 interface GigabitEthernet0/0/0
  tunnel-interface
   color biz-internet
   encapsulation ipsec
   exit
  exit
 exit

With the day zero configuration now complete, the changes may be committed.

commit
exit

If all is well, messages will now be logged to the console reporting on the establishment of IPSec tunnels. This process can take over 30 seconds.
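The steps above can be collapsed into a single validated template. The Python below is an added example, not the post's own code and not part of Ultra Config Generator; the parameter names (org, wan_if, and so on), the check that the default gateway sits on the WAN subnet, and the fleet-wide system-ip uniqueness check are my assumptions about what is worth verifying before typing commit.

```python
import ipaddress

COLORS = {"biz-internet", "mpls"}  # the two TLOC colors the post mentions

# Sample parameters, constructed from the values used in the post's snippets.
EXAMPLE = {"org": "robot-corp", "system_ip": "1.1.1.10", "site_id": 10,
           "vbond": "vbond-server.viptela.net", "vbond_port": 12346,
           "dns": ["8.8.8.8", "8.8.4.4"], "gateway": "10.0.0.1",
           "wan_if": "GigabitEthernet0/0/0", "wan_ip": "10.0.0.2",
           "wan_mask": "255.255.255.252", "color": "biz-internet"}

def validate(p: dict) -> None:
    """Reject values that would make the config fail to commit or the edge fail to activate."""
    ipaddress.IPv4Address(p["system_ip"])  # system-ip is a bare IPv4 address, no mask
    gw = ipaddress.IPv4Address(p["gateway"])
    wan = ipaddress.IPv4Interface(f"{p['wan_ip']}/{p['wan_mask']}")
    if gw not in wan.network:  # the default route next hop must be on the WAN subnet
        raise ValueError("default gateway is not on the WAN subnet")
    if int(p["site_id"]) < 1 or not 1 <= int(p["vbond_port"]) <= 65535:
        raise ValueError("site-id must be positive and vbond port must be 1-65535")
    if p["color"] not in COLORS:
        raise ValueError(f"unsupported color {p['color']!r}")

def render_day_zero(p: dict) -> str:
    """Render the post's day zero configuration for one edge, after validating inputs."""
    validate(p)
    i = p["wan_if"]
    lines = [
        "system", f" organization-name {p['org']}", f" system-ip {p['system_ip']}",
        f" site-id {p['site_id']}", f" vbond {p['vbond']} port {p['vbond_port']}", " exit",
        "ip domain lookup", f"ip name-server {' '.join(p['dns'])}",
        f"ip route 0.0.0.0 0.0.0.0 {p['gateway']}",
        f"no interface {i}", f"interface {i}", f" ip address {p['wan_ip']} {p['wan_mask']}",
        " no shutdown", " arp timeout 1200", " ip mtu 1500", " mtu 1500",
        " negotiation auto", " exit",
        "interface Tunnel0", " no shutdown", f" ip unnumbered {i}", " no ip redirects",
        f" ipv6 unnumbered {i}", " no ipv6 redirects", f" tunnel source {i}",
        " tunnel mode sdwan", " exit",
        "sdwan", f" interface {i}", "  tunnel-interface", f"   color {p['color']}",
        "   encapsulation ipsec", "   exit", "  exit", " exit",
    ]
    return "\n".join(lines) + "\n"

def duplicate_system_ips(edges: list) -> list:
    """Return any system-ip assigned to more than one edge; each must be unique fleet-wide."""
    counts: dict = {}
    for e in edges:
        counts[e["system_ip"]] = counts.get(e["system_ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)
```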

How to check the status of SD-WAN control connections

A useful command for checking the status of control tunnels is provided below.

show sdwan control connections

In a successful scenario, the "state" of tunnels to the vSmart and vManage nodes will change to "up". If tunnels are not established, another command may be executed which will provide information on the results of connection attempts.

show sdwan control connection-history

Other useful troubleshooting commands can be run too.

! Does our default route exist in the routing table?
show ip route 0.0.0.0 0.0.0.0

! Do we have Internet access?
ping 8.8.8.8

! Do DNS lookups complete successfully?
ping google-public-dns-a.google.com

Hopefully, this blog post has helped get you going. If you are having issues, I would recommend you double-check all of the details in plug-and-play to make sure nothing is misaligned. If you have any questions, feel free to leave a comment beneath the post and we'll do our best to help. And of course, a TAC case with Cisco can be opened if all else fails. I've certainly opened many myself over the years!

Ultra Config Generator

You can download a configuration template for Viptela below and import it into your Ultra Config Generator instance. We've also shown a screenshot of the template in action.

Download: viptela-day-zero-2019-07-10.json


Figure 1: UCG Viptela Template

If you haven't heard of Ultra Config Generator, I would highly recommend you check it out. We designed the product to allow network engineers to generate and automate network configuration in a highly flexible, efficient and elegant manner. Our customers love the application and I hope that you will too.

Take care until next time!
