Day Zero Configuration for Viptela SD-WAN Edges
How can we configure a Viptela edge router on day zero to establish a secure tunnel to our vManage orchestrator? That is, what configuration is required to essentially activate our edge? Today, we'll answer that question in the context of the Cisco ISR Series.
Viptela or Cisco SD-WAN?
Let's begin today's topic by touching on the title of this article.
The Viptela SD-WAN product is now known as Cisco SD-WAN. This change has been in effect for a while now since the acquisition of Viptela by Cisco. Despite this, however, I entitled the article with the old product name for the sake of clarity; Cisco has other SD-WAN products such as Meraki so it can get a bit hazy when using the new name.
Today's SD-WAN Lab
Let's move onto the scope of today's discussion. I will be going over the day zero configuration of a Cisco ISR Series device before its activation on a vManage orchestrator. The day zero configuration will allow our device to build a secure tunnel back to our SD-WAN infrastructure cluster. Once the tunnel is established no further CLI configuration will be required as the orchestrator will take over control of the device.
Several prerequisites will be assumed before we begin to apply the required configuration.
- Device Model - The device is a Cisco ISR Series device with SD-WAN support.
- Operating System - The device is running the SD-WAN version of the IOS XE operating system.
- Orchestrator Preparation - The device metadata has already been onboarded to a vManage instance.
- Internet Connectivity - Our device has an uplink with access to our SD-WAN infrastructure cluster. An Internet link will suffice for cloud-hosted deployments.
Switch off PNPA service discovery
With these preparations complete, we may now commence the configuration process. Connect to the console of your device and begin by disabling plug-and-play discovery. This command is necessary to enable configuration-level access to the CLI. Attempts to enter configuration mode before running this command will be rejected.
pnpa service discovery stop
It will take approximately 30 seconds for the service to shut down.
How to switch to config mode on IOS XE SD-WAN
With this step complete, we can now enter configuration mode. Note that the command to do so differs from the standard IOS XE software family.
How to add the SD-WAN system config
We may now start the actual day zero configuration. The first section we'll apply is the system config. Modify the sample configuration below to match your environment. The organization-name will come from the relevant smart account name within plug-and-play connect. The system IP and site ID need to be unique from other edges and SD-WAN nodes. The vbond server and port need to match the details configured within plug-and-play connect.
vbond vbond-server.viptela.net port 12346
Enable DNS and a default route
Next, we'll enable DNS lookups and configure our DNS servers as well as a default route. The IP address 10.0.0.1 will need to be replaced with the address of your default gateway.
ip domain lookup
ip name-server 126.96.36.199 188.8.131.52
ip route 0.0.0.0 0.0.0.0 10.0.0.1
Configure the WAN interface
Our uplink will need a layer 3 endpoint configured. The sample configuration below will do so for ethernet access. To use this configuration, simply ensure the IP address, subnet mask, and physical port are all adjusted to match the topology of your network.
no interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.252
arp timeout 1200
ip mtu 1500
How to enable IPSec to our SD-WAN management nodes
Finally, to establish secure tunnels back to our infrastructure nodes we'll need to enable IPSec on our layer 3 uplink. The configuration below will do so. To use it, modify the port name based on the index of your physical uplink. The color of biz-internet may be modified to mpls depending on the type of uplink being used. In either case, though, the value of the color is not critical for activation.
ip unnumbered GigabitEthernet0/0/0
no ip redirects
ipv6 unnumbered GigabitEthernet0/0/0
no ipv6 redirects
tunnel source GigabitEthernet0/0/0
tunnel mode sdwan
With the day zero configuration now complete, the changes may be committed.
If all is well, messages will now be logged to the console reporting on the establishment of IPSec tunnels. This process can take over 30 seconds.
How to check the status of SD-WAN control connections
There is a useful command for checking the status of control tunnels provided below.
show sdwan control connections
In a successful scenario, the "state" of tunnels to the vSmart and vManage nodes will change to "up". If tunnels are not established another command may be executed which will provide information on the results of connection attempts.
show sdwan control connection-history
Other useful troubleshooting commands can be run too.
! Does our default route exist in the routing table?
show ip route 0.0.0.0 0.0.0.0
! Do we have Internet access?
! Do DNS lookups complete successfully?
Hopefully, this blog post has helped get you going. If you are having issues I would recommend you double-check all of the details in plug-and-play to make sure nothing is misaligned. If you have any questions, feel free to leave a comment beneath the post and we'll do our best to help. And of course, a TAC case with Cisco can be opened if all else fails. I've certainly opened many myself over the years!
Ultra Config Generator
You can download a configuration template for Viptela below and import it into your Ultra Config Generator instance. We've also shown a screenshot of the template in action.
Figure 1: UCG Viptela Template
If you haven't heard of Ultra Config Generator, I would highly recommend you check it out. We designed the product to allow network engineers to generate and automate network configuration in a highly flexible, efficient and elegant manner. Our users love the application and I hope that you will too.
Take care until next time!
JOIN THE DISCUSSION
Subscribe to the Blog
Subscribe now and never miss a new post!
Success! You'll now receive emails when new blogs are posted.