Setting Up Cisco SD-WAN Specific Configurations in Cisco MSX

Configuring Cisco SD-WAN Orchestrator Settings

Before creating a control plane for a tenant, you must first provide the SD-WAN Orchestration settings in the Cisco MSX Portal.

To configure orchestrator settings for Cisco SD-WAN:

Before you begin

Request for the SD-WAN Orchestration stack URL from your Cisco account representative using your Service Provider's Smart Account details.

Procedure


Step 1

Log in to the Cisco MSX Portal .

Step 2

From the main menu, click the Settings > Service Configurations > SD-WAN > Settings > Cisco SD-WAN Orchestration Settings tile to access the orchestrator settings for Cisco SD-WAN.

Step 3

Specify the details of the SD-WAN orchestration stack, such as orchestrator URL, username, password, contact email, and status tag.

The Status Tag field accepts one of two values: Proof-of-concept (POC) or production. The status tag applies the corresponding label within the vOrchestrator.

Note 

By default, a vOrch tagged as POC expires in 90 days. You can extend this period from the vOrchestrator.

The address in the Contact Email field receives notifications about the progress of the SD-WAN processes. Only three email domains are accepted in this field: gmail.com, cisco.com, and external.cisco.com.

Step 4

Click Save.


Configuring Serial Number Format for an ENCS Device

Cisco SD-WAN coordinates with the SD-Branch service pack to deploy virtual vEdge on ENCS. To configure the ENCS device serial number format for the vEdge cloud deployments, do the following:

Procedure


Step 1

Log in to the Cisco MSX portal using your credentials.

Step 2

From the left-hand pane, choose Settings > Service Configurations > SD-Branch > Settings > SD-Branch Settings.

Step 3

Choose the device serial number format to be used during the Add Site flow:

  • Cisco: Applies Cisco format for device serial number

  • Custom: Preloads Cisco's regex. You can edit this regex or replace it with a new one.

  • None: Applies no specific format

Step 4

Specify the Site Contact Information and Terms and Conditions for the service.

Step 5

Click Submit.


Configuring Subnet Pools

Use the following procedure to configure the subnet pool for the IPsec tunnel that secures communication between Cisco MSX and NFVIS in vEdge Cloud deployments.

Procedure


Step 1

Log in to the Cisco MSX portal using your credentials.

Step 2

From the left-hand pane, choose Settings > Service Configurations > SD-Branch > Settings > SD-Branch > Settings > Subnet Pools.

Step 3

Specify the following for the IPsec tunnel:

  • Specify the time for which the IP Subnet Allocation is reserved.

  • Add an IP subnet pool for ENCS NFVIS internal management, so that users can assign an IP address to the ENCS from this pool.

Step 4

Click Submit.


Managing Cisco SD-WAN vEdge Cloud TDE Templates

Cisco SD-WAN coordinates with the SD-Branch service pack to deploy virtual vEdge on ENCS. To simplify the deployment of the virtual branch hosted on the ENCS unit, operators can use the existing vEdge cloud TDE templates in Cisco MSX and collect from users the inputs for the parameters used in the branch.

Along with the vEdge cloud templates, ensure you have the desired version of the vEdge image available within Cisco MSX or on a webserver to deploy devices on ENCS.

Generate a vEdge TAR image for new Cisco SD-WAN versions or for custom root certificates. The process for generating the vEdge TAR image used to deploy vEdge Cloud on an ENCS device is described in the Cisco MSX DevNet Portal documentation.

By default, each onboarding type uses the following template and image for both new installs and upgrades:

  1. Open Network Policy:

    • Internal value: ("standard")

    • TDE Template file name: DualIP-vedge19.1.0-msx3.6.tar.gz (image)

    • NFVIS < 3.11

  2. 2 Public IP Addresses:

    • Internal value: ("standard-secure")

    • TDE Template file name: DualIP-vedge19.1.0-msx3.6.tar.gz (image)

    • NFVIS 3.11, 3.10.2+

  3. Single Public IP:

    • Internal value: ("single_ip_secure")

    • TDE Template file name: SingleIP-vedge19.1.0-msx3.6.tar.gz (image)

    • NFVIS 3.11, 3.10.2+

For more information on these onboarding types, see Step 15 in Adding a vEdge Cloud Device.

The topics below describe how to manage vEdge cloud templates in Cisco MSX.

Uploading a vEdge Cloud Template

Before you begin

Download the vEdge templates from the DevNet Portal and save them locally.

To upload a template:

Procedure


Step 1

Log in to the Cisco MSX Portal.

Step 2

In the main menu, choose Settings > Service Configuration.

Step 3

Click SD-Branch, and then click Settings > Template Management. The Manage Template page appears.

Step 4

To add a new template:

  1. Select Import Template. The Import Template dialog box appears.

    Figure 1. Import Template
  2. Click the Browse icon to upload the zip file that contains the VNF, Service, Topology, or Template file. This zip file was downloaded from the Cisco DevNet Portal and saved in your local directory.

  3. Click Import.

    Note 
    The template name is defined in the template.json and topology.json file.
Step 5

To modify an existing template:

  1. Select the template that you want to modify and select Import Template. The Import Template dialog box appears.

  2. Click the Browse icon to upload the zip file that contains the VNF, Service, Topology, or Template file. This zip file was downloaded from the Cisco DevNet Portal and saved in your local directory.

  3. Click Import.


Deleting a vEdge Cloud Template

To delete a template version:

Procedure


Step 1

Log in to the Cisco MSX Portal.

Step 2

In the main menu, choose Settings > Service Configuration.

Step 3

Click SD-Branch, and then click Settings > Template Management. The Manage Template page appears and lists the existing templates.

Step 4

Select the template version that you want to delete and click the Delete (X) icon. A confirmation dialog box appears.

Note 
You cannot delete a template version if the template version is associated with a site.
Step 5

Click Delete Template.


Managing vEdge Cloud Template Access for Tenants

After the cloud service (vEdge cloud) templates are created via TDE and uploaded into Cisco MSX, use this procedure to assign these templates to a tenant user. These templates will then be visible to a tenant user while adding a site.

To assign or modify template access for tenants:

Procedure


Step 1

Log in to the Cisco MSX Portal.

Step 2

In the main menu, choose Settings > Service Configuration.

Step 3

Click SD-Branch, and then click Settings > Template Management. The Manage Template page appears and lists the existing templates.

Figure 2. SD-Branch Settings
Step 4

To assign the template to a tenant:

  1. Click the template that you want to assign to the tenant.

  2. Select the template version.

  3. To display the template version, click >.

  4. In the Available Tenants list, select one or more tenant users to assign the template to. To assign the template to all the tenants, click Select All.

  5. Click >. The selected tenant records move to the Tenant With Access list.

  6. Click Apply.

Step 5

To remove access to a template:

  1. Click the template for which you want to modify access.

  2. In the Tenants with Access list, select the tenant whose access you want to revoke. To revoke access for all existing and future customers, click Select All.

  3. Click <. The tenant records move to the Available Tenants list.

    Note 
    If you remove access for a tenant that has active sites using the template, the tenant user continues to appear in the Tenants with Access list but is dimmed.
  4. Click Apply.


Setting Up Control Plane for Cisco SD-WAN

The deployment of an SD-WAN service in the context of a managed service requires deployment per customer and includes the SD-WAN management control plane (vManage, vBond and vSmart), and the corresponding data plane (vEdge and cEdge).


Note

This section describes the steps required to set up Cisco MSX control plane on both AWS and OpenStack.


Prerequisites for Setting Up Control Plane

This section lists the common prerequisites as well as OpenStack and AWS-specific prerequisites for setting up Control Plane.

Control Plane Prerequisites for both AWS and OpenStack

The following are control plane prerequisites applicable for both AWS and OpenStack environment:

  • Contact Cisco Account representative for:

    • Setting up a Smart Account if you are a Service Provider. You can also request a Smart Account at https://software.cisco.com.

    • Creating a Virtual Account for a new tenant (Service Provider end customer) and associating it to the service provider smart account. A Virtual Account is necessary for every new SD-WAN tenant.

    • Requesting a Cisco SD-WAN orchestration stack environment. This is required to spin up control plane components on AWS.

    • Ordering physical devices and virtual devices through Cisco Commerce Workspace (CCW).

    • Associating the purchased devices to the Virtual Account.

      After devices are associated with your Smart Account, you can synchronize the device details on the Control Plane once the Control Plane has been set up. For more information, see Synchronizing Smart Accounts from the Control Plane.

  • Assign ‘SD-WAN Control Plane’ permission to the user who will create a Control Plane for the tenant. Along with the control plane permission, assign other SD-WAN permissions to the user managing SD-WAN services. For more information on the SD-WAN-specific permissions and to associate these permissions to a role, see Managing Roles in Cisco MSX.

  • Create a new SD-WAN tenant for the Service Provider end customer on Cisco MSX. For more information, see Managing Tenants and Managing Users.

  • If you have an SD-WAN deployment with vManage connected, your external certificates must be copied and imported into the centralized Cisco MSX keystore. Contact your Cisco representative to add your external certificates to Cisco MSX.

Control Plane Prerequisites Applicable Only For AWS

The following are control plane prerequisites for AWS:

  • Provide the SD-WAN orchestration settings to integrate Cisco MSX with Cisco SD-WAN orchestration stack. For more information, see Configuring Cisco SD-WAN Orchestrator Settings.

  • Add the Cisco MSX and tenant IP subnets to the Cisco MSX allowed list: For Cisco MSX to create SD-WAN Control Planes, it must be able to communicate with the Cisco SD-WAN Orchestration stack, which is protected by an IP allowed list. Do the following to add these IP addresses to the allowed list:

    1. Determine the source IP addresses of the Cisco MSX deployment:

      • If Cisco MSX is installed on AWS: these are the NAT gateway IP addresses. Go to the VPC > NAT Gateway dashboard in your AWS console. There should be three IP addresses, one for each public subnet.

      • If Cisco MSX is installed on-premises: use the proxy IP address; if there is no proxy, use the Cisco MSX public IP address.

    2. Contact Cisco TAC, submit these IP addresses together with your tenant users' IP subnets, and request that they be added to the allowed list on the SD-WAN Orchestration Stack for HTTPS (port 443).

Control Plane Prerequisites Applicable Only For OpenStack

The following are control plane prerequisites for OpenStack:

  • You can customize Cisco MSX to create a control plane in an OpenStack environment by deploying an Ansible playbook. This installs the additional OpenStack Orchestration (OSorch) microservices in Cisco MSX.

    1. Create flavors. Flavors are hardware specifications (vCPU, root disk, RAM, and so on); provide the hardware details that are required for creating the control plane on OpenStack.


      Note

      OS orchestration creates a 100G volume for vManage as part of the deployment.
    2. Download the qcow images from the Cisco SD-WAN website (CCO) and upload them to the OpenStack cloud.

  • To install the OS orchestrator from the deployer system, execute the following commands:
    
    export ANSIBLE_VAULT_PASSWORD_FILE=/tmp/ansible-vault-password
    cd /msx-4.1.0/ansible/
    ansible-playbook -i inventory/inventory deploy-osorch.yml

Creating Control Plane on OpenStack


                  

You need to specify the following attributes while creating SD-WAN control plane on OpenStack.

Table 1. Attributes Used in Creating SD-WAN Control Plane in OpenStack

Key Options of OS orchestrator

Explanation

Provider Network

  • Create a control plane using an existing network on the OpenStack cloud.

  • The control plane is established using subnets that are already provisioned on the OpenStack cloud, with dedicated subnets set up for different customers.

Tenant Network

  • Create a new dedicated network for the customer.

  • Deploy the required VPN0, VPN512, and floating IPs on OpenStack to create an SD-WAN control plane.

Note 
  • Ensure that floating IP addresses are available for assignment to the Viptela VMs. Each control plane requires six floating IP addresses (two per instance).

  • Additionally, two more floating IPs are created for the OpenStack routers as part of the Tenant network flow.

Multi-Tenant

  • Create an SD-WAN control plane in a dedicated tenant project space. This option is available for both the provider and the tenant network.

  • OS orchestrator supports creating instances in a multi-tenant or project space on the OpenStack cloud.

Note 
Change the "projectName" and "projectID" values in the add VIM payload to reflect the Tenant/Project space that is to be configured.

Enterprise Certificate Authority (CA)

  • Cisco MSX automatically creates a CA and then generates a Certificate Signing Request (CSR).

  • The CSR is signed with this CA as part of the deployment activity.

  • This results in fully configured control plane instances that are ready for vEdge site deployment.

Note 
To select this option, include 'createCA: true' in the create control plane payload.

Default Symantec/Cisco CA

  • Log in to vManage to generate the CSR, and use the signed certificate to deploy the control plane.

  • After deployment, the control plane instances move to the 'Up' state.

Note 
  • To select this option, include 'createCA: false' in the create control plane payload.

  • For the OpenStack network, use Symantec as the default enterprise root Certificate Authority (CA) to activate the Viptela controllers during the day-0 configuration process.

  • To create a control plane in an OpenStack environment, use the curl command from the Kubernetes master node.

    • The OS orchestrator requires an authorization token. To get the token, use the following curl command:

      
      curl -k https://<MSX fqdn>/idm/api/v1/login -XPOST -d '{"username": "<username>", "password": "<password>"}' -H 'content-type: application/json'
    • Enter the authorization token as the value of the Authorization header, as shown in the sample.

      This is a sample curl command for creating and deleting a VIM:

      
      curl -H "Authorization: Bearer <token>" http://osorch.service.consul:8080/osorch/v1/vims -X POST -H "Content-Type: application/json" -d '<payload>'
      curl -H "Authorization: Bearer <token>" http://osorch.service.consul:8080/osorch/v1/vims -X DELETE -H "Content-Type: application/json" -d '<payload>'

      Note

      Replace <token> and <payload> with valid values.
  • The table below lists the various APIs used in managing the SD-WAN control plane on OpenStack.

Table 2. Tasks involved in Creating SD-WAN Control Plane

Request Type

API

Description

Create VIM


POST /osorch/v1/vims
  • You can choose either the Provider network or the Tenant network, based on the OpenStack cloud requirement.

  • Make the API call using the curl command. Ensure that you copy the ID returned in the response, because the ID is needed to create the CP payload.

Delete VIM


DELETE /osorch/v1/vims/{vimID}

Use the given API in the DELETE job and monitor the progress using the jobs API:


GET /osorch/v1/vims
  • Receives the request to delete the VIM, initiates the cleanup activity, and finally deletes the VIM.

Note 
To delete a VIM, enter the vimID. The vimID is returned in the response to the create VIM request.

Create CP


POST /osorch/v1/cps
  • Receives the request to prepare the OpenStack cloud for creating a control plane.

  • Deploys the CP instances and configures them to create the control plane on OpenStack.

Delete CP


DELETE /osorch/v1/cps/{cpID}

Use the following API in the DELETE job and monitor the progress using the jobs API:


GET /osorch/v1/cps
  • Receives the request to delete the control plane, which initiates the OpenStack cleanup activity, and finally deletes the control plane.

Note 
To delete a CP, enter the cpID. The cpID is returned in the create CP response.

Get the Create/Delete job status


GET /osorch/v1/jobs/{jobID}
  • This API is used to check the status of a create/delete transaction.

Note 
The jobID is returned in the response of the create/delete API (or listed by "GET /osorch/v1/cps"); use it with this API to check the job status.

Get all Templates


GET /osorch/v1/templates
  • Displays all the templates available in OS orchestration and allows you to edit the content of the templates.

  • Make the API call using the curl command.

Get Content of a Template


GET /osorch/v1/templates/{templateName}
  • Displays the content of a specific template.

  • You can edit the content of the specific template.

Change the Template


POST /osorch/v1/template
  • You can change the values of several template parameters using this API.
For information about the sample JSON files of the payloads that are involved in creating the control plane, see Sample Payloads for Creating Cisco SD-WAN Control Plane on Openstack.


Note

After the process is complete, an email is sent to the user whose email address was provided during the control plane creation process. The email includes the link to the vManage URL and the organization name. Attach the control plane to SD-WAN Tenant on Cisco MSX using the vManage URL. For more information, see Attaching Control Plane.

The control plane instance is blank and has a default admin user. Controllers in the Control Plane appear in the alarm state because the controllers are not enrolled with a certificate authority and do not yet have secure control connections between them. To fix the alarm state, complete all the post-deployment tasks. For more information, see Postdeployment Tasks for SD-WAN Control Plane.


Creating Cisco SD-WAN Control Plane on AWS

To create an SD-WAN control plane service on AWS:

Before you begin

You must configure the SD-WAN Orchestrator (vOrch) settings for your SD-WAN setup before you create an SD-WAN control plane service on AWS. For more information, see Configuring Cisco SD-WAN Orchestrator Settings.

Procedure


Step 1

Log in to the Cisco MSX Portal.

Step 2

From the left pane, click Tenant Workspace > Services.

Step 3

From the SD-WAN service panel, click Setup to add a control plane.

Step 4

Click Get Started to launch the Add Control Plane wizard.

Step 5

Click the Create New Control Plane radio button to create a new control plane for the tenant.

Step 6

In the Control Plane Information section:

Figure 3. Control Plane Information Fields While Creating Control Plane on AWS
  • Enter the Virtual Account Name: The service provider creates a Virtual Account (VA) to manage the licenses and assets of the tenant.

  • Select a Cisco SD-WAN Software version from the list of versions available. For more information, see Cisco SD-WAN and MSX Version Compatibility Matrix.

  • Enter your email address to receive information about the creation process and the approved Certificate Signing Request (CSR) message.

Step 7

In the Control Plane Instances section:

  • Enter the network size.

  • Select the Primary AWS Region, which will be used as the primary region for all the SD-WAN Control Plane instances.

  • Select the Secondary AWS Region, where a backup of the control plane is created for large-sized networks.

  • If the secondary region is not selected, the instances are created in the primary region itself, and the vManage backup process is not possible.

Step 8

In the Recommended Instances section:

Figure 4. Recommended Number of Instances
  1. The SD-WAN Control Plane has three parts: vManage, vSmart, and vBond.

    Based on the desired size of the network, Cisco MSX calculates and suggests the number and sizes of instances. Cisco MSX automatically populates the instance names based on the tenant name.

    • If you find the recommended number of instances to be acceptable, click Submit. Cisco MSX starts to provision the Control Plane.

    • To edit the recommended number of instances, click Edit Instances in the vManage, vSmart, and vBond sections. You can also edit the Instance Names, Regions, and Availability Zones.

    • The Region and Backup Region are populated automatically based on your selection of Primary AWS region and Secondary AWS region.

    • The Availability Zones (AZ) are different for different instances and are populated automatically.

  2. The vManage instances are deployed in the Region and backup is stored in the Backup Region. Usually, backup happens once in a day and the backup information is retained for ten days.

    • If there are multiple vManage instances, then the Region should be the same for all the vManage instances. For example, the Region can be either us-east-1 or us-west-2 (retain the same Region for all the instances).

    • For all the vManage instances, the Backup Region should be any region other than what was specified in Region. For example, if the Region is us-east-1, then the Backup Region can be us-west-2.

      Backup is possible only in the vManage and is specified in the vManage section. The backup information is stored in the Backup Region.

  3. The vSmart and vBond instances are evenly distributed across the Primary AWS region and the Secondary AWS region. For example, if there are six vSmart instances, then three vSmart instances are deployed in us-east-1 region and the other three vSmart instances are deployed in us-west-2 region.
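The placement rules in this step (one region shared by all vManage instances, a backup region that differs from it, vSmart and vBond split evenly across the primary and secondary regions, and backup only for vManage), as an added Python example that is not part of Cisco MSX. It produces the kind of per-instance plan the wizard pre-fills and validates an edited plan against those rules, including the single-region case where no secondary region was selected. The instance naming pattern, the default instance counts and the plan's field names are assumptions, since the page states the rules but not the exact format the wizard uses.

```python
from collections import Counter

def distribute_evenly(count, primary, secondary):
    """One region per instance, alternating so the count splits evenly across both regions.

    With no secondary region every instance lands in the primary region.
    """
    if secondary is None:
        return [primary] * count
    return [primary if i % 2 == 0 else secondary for i in range(count)]

def plan_control_plane(tenant, primary, secondary, vmanage=1, vsmart=2, vbond=2):
    """Build a per-instance plan: name, role, region and backup region (format assumed)."""
    plan = []
    for i in range(vmanage):
        # every vManage shares the primary region; backup goes to the secondary region, if any
        plan.append({"name": f"{tenant}-vmanage-{i + 1}", "role": "vManage",
                     "region": primary, "backup_region": secondary})
    for role, count in (("vSmart", vsmart), ("vBond", vbond)):
        for i, region in enumerate(distribute_evenly(count, primary, secondary)):
            plan.append({"name": f"{tenant}-{role.lower()}-{i + 1}", "role": role,
                         "region": region, "backup_region": None})
    return plan

def region_counts(plan, role):
    """Instances of a role per region, e.g. six vSmart -> three per region."""
    return dict(Counter(p["region"] for p in plan if p["role"] == role))

def validate_plan(plan):
    """Check an edited plan against the Step 8 rules; returns a list of violations (empty = OK)."""
    problems = []
    vmanage = [p for p in plan if p["role"] == "vManage"]
    regions = {p["region"] for p in vmanage}
    if len(regions) > 1:
        problems.append(f"vManage instances span several regions: {sorted(regions)}")
    for p in vmanage:
        if p["backup_region"] is not None and p["backup_region"] == p["region"]:
            problems.append(f"{p['name']}: backup region must differ from region {p['region']}")
    for role in ("vSmart", "vBond"):
        counts = list(region_counts(plan, role).values())
        if len(counts) == 2 and abs(counts[0] - counts[1]) > 1:
            problems.append(f"{role} instances are not evenly distributed: {region_counts(plan, role)}")
    for p in plan:
        if p["role"] != "vManage" and p["backup_region"] is not None:
            problems.append(f"{p['name']}: backup is only possible for vManage")
    return problems
```

Run validate_plan on the plan after operators edit instance names, regions or availability zones in the wizard; an empty list means the edits still satisfy the rules in this step.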

Step 9

Click Submit to start the control plane creation process.

A notification on the control plane creation process appears at the top of the SD-WAN home page for a few seconds.

Even if there is an intermediate error in creating the Control Plane, the system continues to poll until the creation process is complete. The Control Plane creation process can take up to an hour or more. The progress is tracked in the Event Log. For information on accessing event logs, see Viewing Event Logs.

After the process is complete, an email is sent to the user whose email address was provided during the control plane creation process. The email includes the link to the vManage URL and the organization name. Use this URL to log in with the default credentials.

Click View Details to view the status of the control plane and the instances in the SD-WAN service panel. You can also click the ellipsis (...) and then click Control Plane Details. For more information, see Monitoring SD-WAN Control Plane Status.


What to do next

The control plane instance is blank and has a default admin user. Controllers in the Control Plane appear in the alarm state as the controllers are not enrolled with a certificate authority and also do not have secure control connections between the controllers. To fix the alarm state, complete all the post-deployment tasks. For more information, see Postdeployment Tasks for SD-WAN Control Plane.

Attaching Control Plane

Use this procedure to associate an existing control plane to a tenant:

Procedure


Step 1

Log in to the Cisco MSX Portal.

Step 2

From the left pane, click Tenant Workspace > Services.

Step 3

From the SD-WAN service panel, click Setup to attach a control plane.

Step 4

Click Get Started to launch the Add Control Plane wizard.

Step 5

Click the Attach Existing Control Plane radio button to attach an existing control plane. Enter the SD-WAN Control Plane URL (such as https://www.example.com), organization name, username, and password of the control plane.

Note 
  • The username must start with a lowercase letter and can contain only lowercase letters, digits from 0 to 9, "-", and spaces.

  • The password supports all alphanumeric characters; spaces are not allowed.

  • The organization name cannot contain (),<>?{}[]`\"
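The field rules in the note above, as an added Python example that is not part of Cisco MSX. Each validator encodes one rule from the note, and validate_attach_form applies them to a submitted form and reports which field failed without echoing the password value. Requiring the https scheme in the URL check follows the page's example value and is an assumption, as are the field names in the form dictionary; the password rule is applied exactly as stated (spaces rejected, everything else accepted).

```python
import re
from urllib.parse import urlsplit

# Username: a lowercase letter first, then only lowercase letters, digits 0-9, "-" and spaces.
USERNAME_RE = re.compile(r"[a-z][a-z0-9 -]*")
# Characters the organization name may not contain, exactly as listed in the note.
ORG_FORBIDDEN = frozenset('(),<>?{}[]`\\"')

def valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def valid_password(value):
    # The note only rules out the space; everything else is accepted as typed.
    return len(value) > 0 and " " not in value

def valid_organization(value):
    return len(value) > 0 and not (set(value) & ORG_FORBIDDEN)

def valid_control_plane_url(value):
    """Requires an https scheme and a host, following the page's https://www.example.com sample."""
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.hostname)

def validate_attach_form(form):
    """Return field-level errors for the Attach Existing Control Plane form (empty list = OK)."""
    checks = [
        ("control_plane_url", valid_control_plane_url, "must be an https URL with a host"),
        ("organization", valid_organization, "must not contain (),<>?{}[]`\\\""),
        ("username", valid_username,
         "must start with a lowercase letter and use only a-z, 0-9, '-' and space"),
        ("password", valid_password, "must not contain spaces"),
    ]
    errors = []
    for field, check, reason in checks:
        value = form.get(field, "")
        if not isinstance(value, str) or not check(value):
            errors.append(f"{field}: {reason}")  # report the rule, never the submitted value
    return errors
```

Running the checks before the Submit call gives the operator the same rejection the portal would return, with the reason tied to the field rather than to the value that was typed.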

Step 6

Click Submit to attach the control plane.

A notification appears after the control plane is attached.

Step 7

Click Close to view the status of the Add Control Plane wizard in the SD-WAN service panel.

Step 8

Click Done to view the Setup Complete notification.

Step 9

Click OK to view the status of the attached control plane and the instances in the SD-WAN service panel.


What to do next

After the sync with vManage, you can deploy a site or device for Cisco SD-WAN. For more information on deploying a device for Cisco SD-WAN, see Deploying a Site or Device for Cisco SD-WAN.