Migration prerequisites

• Before opening a case, upgrade all your existing control components and edge nodes to one of the latest Cisco-suggested release versions. Verify that your data plane is stable.

• Attach all edge nodes to a template or agree to manually reconfigure the edge nodes for the migration.

• Make sure that all edge nodes have working NTP and DNS.

• If you are using enterprise certificates on the on-premises control components, provide the root certificate authority (CA).

• Ensure you have out-of-band access to edge nodes via console or an alternate way, in case the edge nodes need manual configuration for recovery.

Migration process

1. Purchase a DNA subscription and control component SKUs for cloud.

2. Open a TAC support case with the CloudOps team and request the on-premises to cloud migration.

3. Provide these details in the case:

   • The existing Smart Account (SA) and Virtual Account (VA) where the on-premises fabric control component profile is created.

   • The sales order number where the cloud subscriptions were purchased.

   • The current on-premises configured organization name of the fabric.

   • Your desired cloud type.

   • Your desired primary and secondary region of provisioning.

   • A single email address to receive alert notifications and other communications from the CloudOps team. Provide a team email address if possible.

   • An optional hostname for the FQDN of the Cisco SD-WAN Manager and the Cisco SD-WAN Validator to be provisioned.

   • Optional custom private IP subnets for TACACS, AAA, Syslog, or other such use cases. Provide a block of 256 IP addresses (a /24 prefix) for each region.

   • The current on-premises fabric size expressed as the number of edge devices deployed.

   • The software versions of the Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller instances running on the current on-premises fabric.

   • The control component certificate source (Cisco, Symantec, or Enterprise) root CA of the current on-premises fabric.

   • A configuration database backup copy from Cisco SD-WAN Manager of the current on-premises fabric.

     Note	You can either reset the Cisco SD-WAN Manager configuration database password to the default and then take the backup or take the backup with your configured password and share that password in the TAC case.

   • A copy of the running configuration from the current on-premises fabric Cisco SD-WAN Manager

   • A range of system-IP addresses to be used for cloud-hosted control components. This should be an unused range within the current on-premises Cisco Catalyst SD-WAN fabric.

   When you have provided the necessary details, the CloudOps team provisions the cloud-hosted control component set, installs control component certificates, and shares details.

4. The CloudOps team applies the configuration database backup and the running configuration you provided from the on-premises Cisco SD-WAN Manager to the new cloud-hosted Cisco SD-WAN Manager instance.

5. You may need to update your enterprise firewalls with the new IPs of the cloud-hosted control components.

6. Set up and execute a pilot change window to migrate one or more test edge nodes to the cloud-hosted control components. Then roll back to the on-premises Cisco SD-WAN Manager.

7. Configure the new Cisco SD-WAN Validator FQDN on the edge node to begin the migration.

8. Prepare for the final change window as necessary.

9. Set up and execute a final change window to migrate all edge nodes from on-premises to cloud-hosted control component set.

10. If templates were created and applied for the on-premises Cisco SD-WAN Manager, Cisco SD-WAN Validators, and Cisco SD-WAN Controllers, review and correct them before applying them to the cloud-hosted control components after migration, with special attention to the interface configuration.

11. The edge templates created and applied for the on-premises Cisco SD-WAN Manager contain the pre-migration orchestrator FQDN when the database is restored to the new Cisco SD-WAN Manager. Update the target Cisco SD-WAN Manager to reflect the post-migration orchestrator FQDN.

Migration considerations and impact

• Work with your Account Team or Support to procure Cisco Catalyst SD-WAN cloud subscriptions and add them to the existing Smart Account (SA) and Virtual Account (VA) where the on-premises fabric control component profile is created.

• The Cisco SD-WAN Manager is provisioned only in the primary region. The Cisco SD-WAN Validator and Cisco SD-WAN Controller instances are provisioned in both the primary and the secondary regions.

• The CloudOps team creates a new control component profile in the same SA/VA as the existing on-premises fabric. This allows the cloud-hosted control component set to have the same organization name as the existing on-premises fabric, which makes it possible to transfer the configuration database from on-premises Cisco SD-WAN Manager to the cloud-hosted Cisco SD-WAN Manager.

  You cannot use the configuration database restore method if the source and destination Cisco SD-WAN Manager instances have different organization names configured. You cannot change the organization name on a cloud-hosted Cisco SD-WAN Manager instance once it is provisioned.

• Since the new Cisco SD-WAN Manager is configured using the configuration database restore method, the statistics database from the on-premises Cisco SD-WAN Manager will not be migrated.

• If Cisco SD-WAN Analytics is in use on the on-premises fabric, it will continue to work after the migration.

  Some data loss may occur when the migration happens because the new cloud Cisco SD-WAN Manager starts a fresh data collection and sends it to the Cisco SD-WAN Analytics servers.

• As the Cisco SD-WAN Validator FQDN changes, the configuration on the edge nodes must be updated for the migration.

  You can do this using command-line interface (CLI) templates from Cisco SD-WAN Manager applied to all the edge nodes. If no CLI templates exist on the on-premises Cisco SD-WAN Manager, you must create and apply them before starting the migration. If you do not prefer CLI templates, then you must manually reconfigure all the edge nodes individually via console or Secure Shell (ssh).

• If an issue occurs during the edge node migration, you may need to use out-of-band management access to manually update the edge nodes so they can switch over to new Cisco SD-WAN Validators.

• At the time of migration, the control and data plane flaps for each edge node as it is pointed to the new Cisco SD-WAN Validator DNS and reconnects to the new cloud-hosted control components.

• Configure all edge nodes with functioning NTP and DNS before the migration.

• Rolling back requires changing the Cisco SD-WAN Validator configuration on the edge nodes back to the on-premises Cisco SD-WAN Validator.

• After a successful migration, you can delete the control component profile that you hosted from the PNP SA/VA.

Control component certificates have expired

• Identification Stage: If your control component certificates have been expired for 15 days or more, and you have not renewed them, your cloud-hosted control component may be moved to a shutdown state. The expired control component certificates indicate that the cloud-hosted control component fabric and the connected devices are not being used.

• Final Termination: If your fabric stays in the shutdown state for at least 30 days, and you do not request to recover the control components, the control components are deleted, and your data cannot be recovered.

• Reprovisioning: After a fabric is removed, you must reprovision it. If you have an active Cisco Digital Network Architecture (Cisco DNA) license, you can request a new fabric.

Fabrics are abandoned

• Identification stage: If you have cloud-hosted control components that have been provisioned for six months or more without active edge devices, or if fabrics remain in the shutdown state for 30 days or more for reasons other than those described in the Cloud-Hosted Control Component Policy, your control components may be considered abandoned.

  If you do not have active edge devices or your fabrics are shut down, your Cisco Catalyst SD-WAN fabric and cloud-hosted control component devices are considered to be unused.

• Notification stage: We will send notifications to you communicating the fabric abandoned state along with a target shutdown date.

• Shutdown stage: If your fabric continues to remain unused even after the notifications, we will shut down the fabric on the specified date.

• Final termination: If you have not requested to recover Cisco Catalyst SD-WAN cloud-hosted control components within 30 days of the fabric shutdown, we will delete the control components, and your data cannot be recovered.

• Reprovisioning: Once an fabric has been deleted, it must be reprovisioned. You can request a new cloud-hosted control component fabric if you have an active Cisco Digital Network Architecture (Cisco DNA) license.

Cisco DNA subscription has expired

This policy applies to Cisco Digital Network Architecture (Cisco DNA) subscriptions for devices that were licensed before we made cloud control component subscriptions available separately. This is known as Pre-Controller Subscription Offering.

• Identification Stage: If all Cisco DNA subscriptions for your devices connected to the cloud-hosted control component have expired, your cloud-hosted control component is considered to have an expired subscription.

• Notification Stage: We will notify you about the expired subscription and provide a target shutdown date. Keep your contact information current to receive timely notifications.

• Shutdown Stage: If your fabric continues to run with the expired subscription after you receive notifications, your network fabric will be shut down on the specified date.

• Final Termination: If you do not recover your Cisco Catalyst SD-WAN cloud-hosted control components within 30 days after network fabric shutdown, we will delete the control components. Your data will not be recoverable.

• Reprovisioning: Once a fabric is deleted, you must reprovision it. To obtain a new cloud-hosted control component fabric, purchase the required stock-keeping units (SKUs).

A control component subscriptions has expired

A control component subscription is licensed separately from the Cisco Digital Network Architecture (DNA) subscriptions for devices.

• Identification Stage: If your cloud-hosted control component subscription has expired and you have not renewed it, your control component is considered subscription expired.

• Notification Stage: We will send notifications that communicate the expired subscription and specify a shutdown date. Keep your contact information current to receive timely notifications.

• Shutdown Stage: If you do not renew the control component subscription after the notifications, your network fabric will be shut down on the specified date.

• Final Termination: If you do not recover your Cisco Catalyst SD-WAN cloud-hosted control components within 30 days of the fabric shutdown, we will delete the control components. Your data will not be recoverable.

• Reprovisioning: Once a network fabric is deleted, you must reprovision it. You can purchase a new cloud-hosted control component fabric by purchasing the required stock-keeping units (SKUs).

Note	Failure to renew your DNA subscription for cloud-hosted control components may impact the functionality of the Cisco Catalyst SD-WAN features that are part of the Cisco DNA subscription for your devices, because these features depend on Cisco SD-WAN control components.