Provision Control Components

Enable access to cloud-hosted control components

By default, Cisco-managed cloud-hosted control components are closed for management access. You cannot access cloud-hosted control components unless permitted IP prefixes are configured. For security, you cannot use the universal IP address range (0.0.0.0/0).

You must use specific public IP prefixes within your enterprise VPN for access. You can only open those prefixes. You may request that only HTTPS and SSH are permitted on the allow list for your source IP prefixes.

The allow list applies to all network interfaces on control components with public IP addresses.

Your Cisco SD-WAN Cloud-Pro control components have private IP addresses on their interfaces. Each private IP address maps one-to-one to a public IP address on the cloud. These addresses stay the same, whether the interface uses static IP or DHCP. The addresses change only if you recover or replace the instances.

If you are the Smart Account administrator, you can access the Cisco Catalyst SD-WAN Portal to view and perform operational tasks related to your control component infrastructure, such as viewing IP addresses and modifying the control components' IP access lists.

To remove Smart Account administrator privileges, go to Manage Smart Account in Cisco Software Central. You can also use the IDP (identity provider) onboarding feature to grant trusted users access to the Cisco Catalyst SD-WAN Portal.

Update inbound rules

You can update the allow list for your Cisco SD-WAN Cloud-Pro control component set, depending on the fabric type.

For a shared tenant fabric, open a case with TAC support to update or view the allow list for your control component set. You can request support to either allow up to five IP prefixes on the access list, or allow only HTTP access to the IP prefixes for web login to the Cisco SD-WAN Manager Portal.

For single-tenant dedicated fabric control components, use one of these options to add, delete, or update cloud security group allow lists:

  • Log in to the Cisco Catalyst SD-WAN Portal at https://ssp.sdwan.cisco.com to manage the access list. You must be the Cisco PNP Smart Account administrator for the Smart Account where the fabric control component profile resides.

  • Provide up to 200 IP prefixes to include on the allow list.

  • Contact TAC and provide this information:

    • Fabric and VA name

    • Cisco SD-WAN Manager IP address or FQDN

    • IP address

    • Indicate whether to mark the IP address as allowed for all traffic or allowed for only selected traffic (for example, HTTPS, SSH, or other protocols).
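As an added check that is not part of this guide, the following Python function applies the allow-list rules above to a proposed request before you submit it: no universal range (0.0.0.0/0), public source prefixes only, no duplicates, and the per-fabric prefix limits (five for a shared tenant fabric, 200 for a dedicated fabric). The fabric type labels and the list of non-public IPv4 ranges are assumptions made here, not values from the guide.

```python
import ipaddress

# Per-fabric limits stated in the guide: a shared tenant fabric can have up
# to five prefixes on the allow list, a dedicated single-tenant fabric up to 200.
# The labels "shared" and "dedicated" are assumptions for this example.
MAX_PREFIXES = {"shared": 5, "dedicated": 200}

# Constructed list of IPv4 ranges that can never be a public enterprise prefix
# ("this network", RFC 1918, CGNAT, loopback, link-local, multicast).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def validate_allow_list(prefixes, fabric_type):
    """Return a list of problems with a proposed allow list; [] means acceptable.

    Checks that the fabric type is known, the prefix count is within the limit,
    each prefix parses with no host bits set, the universal range (0.0.0.0/0)
    is not used, no private or otherwise non-public range is used, and no
    prefix is listed twice.
    """
    if fabric_type not in MAX_PREFIXES:
        return [f"unknown fabric type {fabric_type!r}"]
    problems = []
    limit = MAX_PREFIXES[fabric_type]
    if len(prefixes) > limit:
        problems.append(f"{len(prefixes)} prefixes exceeds the limit of {limit} for a {fabric_type} fabric")
    seen = set()
    for text in prefixes:
        try:
            net = ipaddress.ip_network(text, strict=True)  # strict: reject host bits
        except ValueError as exc:
            problems.append(f"{text}: not a valid prefix ({exc})")
            continue
        if net.prefixlen == 0:
            problems.append(f"{text}: the universal range is not permitted")
        elif any(net.overlaps(blocked) for blocked in NON_PUBLIC):
            problems.append(f"{text}: not a public prefix")
        if net in seen:
            problems.append(f"{text}: listed more than once")
        seen.add(net)
    return problems
```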

Cloud-hosted SD-WAN Control Component interfaces

Network interface allocation and configuration for SD-WAN Control Components

For SD-WAN Manager instances, we allocate three network interfaces:

  • eth0

  • eth1

  • eth2

For SD-WAN Validator and SD-WAN Controller instances, we allocate two network interfaces:

  • eth0

  • eth1

Public and private IP addresses assigned to the network interfaces remain static. If you replace or move an SD-WAN Control Component instance to a new region, these addresses may change.

Note: You can view the static IP address using the Catalyst SD-WAN Portal, from Overlay Details > Controller view > Private IP.

Interface configuration

Review the recommended configurations for each interface in the table.

Table 1. Interface configuration

Network interface roles:

  • Network interface 1 (eth0): management access

  • Network interface 2 (eth1): control access by nodes in the fabric

  • Network interface 3 (eth2): communication among SD-WAN Manager instances in a cluster; SD-AVC component functionality

SD-WAN Manager, network interface 1 (eth0)

  • Private IP: static pre-assigned address (refer to Note 1)

  • Public IP: static pre-assigned address; one-to-one NAT mapping to the private IP address

  • Configuration requirements: VPN 512; non-tunnel interface; configure the interface to act as a DHCP client (refer to Note 2)

SD-WAN Manager, network interface 2 (eth1)

  • Private IP: static pre-assigned address

  • Public IP: static pre-assigned address; one-to-one NAT mapping to the private IP address

  • Configuration requirements: VPN 0; tunnel interface; configure the interface to act as a DHCP client (refer to Note 2)

SD-WAN Manager, network interface 3 (eth2)

  • Private IP: static pre-assigned address

  • Public IP: none assigned

  • Configuration requirements: VPN 0; non-tunnel interface; configure with a static IP, using the assigned private IP address. View the static IP address using the Catalyst SD-WAN Portal, from Overlay Details > Controller view > Private IP.

SD-WAN Validator

  • Network interface 1 (eth0): use the same configuration as for SD-WAN Manager

  • Network interface 2 (eth1): use the same configuration as for SD-WAN Manager

  • Network interface 3 (eth2): not applicable

SD-WAN Controller

  • Network interface 1 (eth0): use the same configuration as for SD-WAN Manager

  • Network interface 2 (eth1): use the same configuration as for SD-WAN Manager

  • Network interface 3 (eth2): not applicable

Note 1: A cloud gateway deployed using the Catalyst SD-WAN Portal can access this address. For details, refer to the Custom IP prefixes for cloud-hosted SD-WAN Control Components section in this guide.

Note 2: The interface always receives the same private IP on every DHCP renewal, even when DHCP is used for IP assignment.

Cloud-hosted SD-WAN Control Component access

Edge device access to SD-WAN Control Components

Use the VPN 0 tunnel interface to connect edge devices to SD-WAN Control Components.

Configure edge devices to communicate with SD-WAN Control Components using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) ports.

If your deployment includes an on-premises firewall, enable traffic on any IP address, such as 0.0.0.0, for these TLS or DTLS ports. Alternatively, enable traffic to the current public IP addresses of the cloud-based SD-WAN Control Components.

Note: To find the assigned public IP address, log in to the Catalyst SD-WAN Portal and navigate to Overlay Details > Controller view > Public IP.

For more information about TLS and DTLS ports, refer to the Ports Used by Cisco Catalyst SD-WAN Devices Running Multiple vCPUs section in the Cisco Catalyst SD-WAN Getting Started Guide.

Management access to SD-WAN Manager

Connect to SD-WAN Manager for management access using fully qualified domain names (FQDNs) mapped to the VPN 512 public IP.


If the fabric is provisioned with a three-node or six-node SD-WAN Manager cluster, then the FQDN resolves to the public IP addresses of all of the SD-WAN Manager instances.

HTTPS access for SD-WAN Manager

You can access SD-WAN Manager using HTTP or HTTPS. You cannot access other SD-WAN Control Components by HTTP or HTTPS.

Domain names for SD-WAN Manager and SD-WAN Validator

In a Cloud-hosted SD-WAN environment, domain names are assigned only to SD-WAN Manager and SD-WAN Validator for cloud hosting.

Access SD-WAN Validator by domain name

When you configure nodes in the SD-WAN fabric, use the FQDN of the SD-WAN Validator. Do not use the IP address. Using the domain name ensures continued reliable operation in case the SD-WAN Validator IP addresses change or more SD-WAN Validators are added to the fabric.

DNS server

We recommend configuring a Domain Name System (DNS) server accessible in VPN 0 for each node in the fabric, including hardware edge devices, software edge devices, and the SD-WAN Control Components.

Example:

vpn 0 
   dns 208.67.222.222 primary
   dns 208.67.220.220 secondary

Configure access to SD-WAN Validator

To configure access to SD-WAN Validator on other nodes in the network, such as SD-WAN Manager, SD-WAN Controller, and edge devices, use this command format:

system
   vbond validator-domain-name

Include your SD-WAN Validator domain name. Do not use a static IP address.

Note: You can view the FQDN of the SD-WAN Validator for your fabric using the Catalyst SD-WAN Portal. Open Overlay Details > Description > vBond DNS. In some cases, vBond is replaced by SD-WAN Validator.

Configure access to SD-WAN Validator with VPN 0

To configure VPN 0 to enable access to SD-WAN Validator on other nodes in the network, such as SD-WAN Manager, SD-WAN Controller, and edge devices, use this command format:

vpn 0
   dns dns-server-ip primary

Specify a DNS server IP that can resolve the SD-WAN Validator domain name. Do not assign a static host IP to the SD-WAN Validator with the ip host command.

Note: You can view the FQDN of the SD-WAN Validator for a fabric using the Catalyst SD-WAN Portal. Select Overlay Details > Description > vBond DNS. In some cases, vBond is replaced by SD-WAN Validator.

Custom IP prefixes for cloud-hosted control components

Assign custom network prefix-based IPs to the cloud control component interfaces for management access and control if necessary. For example:

  • accessing the management VPN 512 of Cisco SD-WAN Manager and Cisco SD-WAN Validator or Cisco SD-WAN Controller devices over a Cisco Catalyst SD-WAN tunnel with Authentication, Authorization, and Accounting (AAA) or Terminal Access Controller Access-Control System (TACACS) based authentication, or

  • sending syslog data from Cisco SD-WAN Manager on VPN 512 to a syslog server over a Cisco Catalyst SD-WAN tunnel.

Note: Custom IP prefixes are applicable only if you use Cisco-hosted, cloud-based, dedicated single tenant control components. Do not use custom IP prefixes for shared tenant fabrics.

Figure 1. AAA TACACS

By default, Cisco-managed cloud-hosted control components use 10.0.0.0/16-based subnets, including for VPN 512.

If you add the cloud Cisco Catalyst SD-WAN and make the VPN 512 subnet reachable within your fabric, you might encounter a conflict with an existing subnet.

If this occurs, you must share a /24 prefix for each of the two control component deployment regions. Use these IP prefixes to create control components. You can then use the subnets within the Cisco Catalyst SD-WAN fabric.

Request cloud gateways after fabric provisioning

Open a case for CloudOps at TAC-CSOne. Provide this information:

  • To enable AAA or TACACS, provide IP prefixes that are unused within your existing fabric. These prefixes are used to create the control components. The original control components are shut down, then snapshotted, and finally cloned back.

  • Each region with control components uses one /24 unique custom subnet across the Cisco Catalyst SD-WAN fabric. Since each fabric includes two regions, you need two subnets.

  • Admin credentials to the Cisco SD-WAN Validator, Cisco SD-WAN Controller and Cisco SD-WAN Manager devices are required. You can provide credentials at the start of the change window.

  • You can schedule an eight-hour maintenance window after the pre-approval and pre-checks are completed by the CloudOps engineer.

  • Before starting the process, enable DNS for Cisco SD-WAN Validator and configure all control components.

  • Ensure that graceful restart (GR) is set to its default of twelve hours or higher on Cisco Catalyst SD-WAN or Cisco SD-WAN Controller devices.

  • Reserve two available Cloud Cisco Catalyst SD-WAN UUIDs through Plug and Play (PNP) and attach them to Cisco SD-WAN Manager.

  • We recommend attaching Cisco SD-WAN Manager templates to Cisco SD-WAN Validator, Cisco SD-WAN Controller, and any existing cloud Cisco Catalyst SD-WAN devices from Cisco.

You can use this feature only with single-tenant single-node Cisco SD-WAN Manager fabrics, single-tenant cluster-node Cisco SD-WAN Manager fabrics for provisioned control components, and all new control component sets to be provisioned. You cannot use this feature with multitenant Cisco SD-WAN Manager cluster fabrics.
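As an added pre-check that is not part of this guide, the following Python function verifies the two custom /24 prefixes you intend to hand to CloudOps (one per control component region) before you open the case: each must be an IPv4 /24, must not overlap any subnet already routed in your fabric, and the two must not overlap each other. The region names, the sample fabric subnets and the proposed prefixes are constructed for this example.

```python
import ipaddress

# Each fabric spans two control-component regions and needs one unique IPv4 /24
# per region. The region names are placeholders, not values from the guide.
REGIONS = ("region-1", "region-2")


def check_custom_prefixes(candidates, fabric_subnets):
    """Return problems with the /24 prefixes proposed for CloudOps; [] means usable.

    candidates: mapping of region name to prefix string.
    fabric_subnets: prefixes already routed in the fabric (include the default
    10.0.0.0/16 control-component range when that is the one you are replacing).
    """
    problems = []
    missing = [r for r in REGIONS if r not in candidates]
    if missing:
        problems.append(f"no prefix supplied for {', '.join(missing)}")
    in_use = [ipaddress.ip_network(s) for s in fabric_subnets]
    accepted = {}
    for region, text in candidates.items():
        try:
            net = ipaddress.ip_network(text, strict=True)  # reject host bits
        except ValueError as exc:
            problems.append(f"{region}: {exc}")
            continue
        if net.version != 4 or net.prefixlen != 24:
            problems.append(f"{region}: {text} is not an IPv4 /24")
            continue
        clashes = [str(u) for u in in_use if net.overlaps(u)]
        if clashes:
            problems.append(f"{region}: {text} overlaps fabric subnet(s) {', '.join(clashes)}")
        accepted[region] = net
    # The two regions must not share or overlap a prefix.
    names = sorted(accepted)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if accepted[a].overlaps(accepted[b]):
                problems.append(f"{a} and {b} must use different /24 prefixes ({accepted[a]}, {accepted[b]})")
    return problems


# Constructed sample: subnets already present in an enterprise fabric, including the
# default 10.0.0.0/16 range that caused the conflict, and two proposed /24 prefixes.
FABRIC_SUBNETS = ["10.0.0.0/16", "10.20.0.0/16", "192.168.100.0/24"]
PROPOSED = {"region-1": "10.250.1.0/24", "region-2": "10.250.2.0/24"}
```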

Configure cloud gateways after provisioning

Once CloudOps has completed the provisioning of the cloud gateways next to the cloud-hosted control components, they provide the public and private IP assignments for each cloud gateway, for each of VPN 512, VPN 0, and VPN X.

CloudOps also provides the credentials for the newly provisioned cloud gateways. The cloud gateways have VPN 512 and VPN X interfaces in the same subnet as the VPN 512 of the control components in that region. CloudOps sets up the cloud gateways for AAA TACACS in this network layout.

If you encounter reachability issues with the cloud gateway, they usually result from problems with the interface IP address or route configurations.

Public and private IPs are assigned one-to-one to the cloud gateway interfaces using NAT. Although the gateway interface uses DHCP, it receives the same IP address from the cloud each time.

For VPN X interfaces, configure the static IP identical to the one shared by CloudOps. Do not use random IP addresses within the subnet.

The cloud gateways are subject to the same inbound access list as the control components, since they are provisioned in the same unique environment per fabric.

Perform these steps to complete the configuration:

  1. Log in via SSH to the gateway public IPs using the provided credentials.

  2. Configure the new cloud gateways with the necessary configurations. For example, site-id, system IP, organization name, Cisco SD-WAN Validator DNS or IP, and so on.

  3. If you are using an enterprise root CA, also upload and install it on the cloud gateways.

  4. You may configure AAA or TACACS on the Cisco SD-WAN Manager with authentication fallback to local mode. The local mode must have the viptelatac, ciscotacro, or ciscotacrw users enabled. This configuration allows support teams to log in and resolve issues when necessary.

  5. Acquire one unused cloud gateway UUID from the device list of the Cisco SD-WAN Manager per cloud gateway provisioned.

    If you do not have any cloud gateway UUID available in the WAN Edge Device list on your Cisco SD-WAN Manager, log in to the Cisco PNP portal on the fabric's associated Smart Account and Virtual Account. Perform Add Software Devices (C8000V), then Sync Smart Account on the Cisco SD-WAN Manager.

  6. Activate the UUID on the cloud gateways so they can be authenticated by the Cisco SD-WAN Manager and join the Cisco Catalyst SD-WAN fabric.

  7. For a fabric that we host on Azure, open a TAC case and provide the specific enterprise subnet prefixes from which the connectivity to the VPN 512 of the control components is required.

    The Azure subnet default gateway is your default gateway, even if you configure the gateway service VPN IP to be the gateway for your enterprise subnets. Therefore, in addition to your configuration on VPN 512 on the control components, there is additional configuration needed on the Azure side.

    Important: We will help apply an Azure Route Table (RT) entry for each of the necessary enterprise subnets and also enable IP forwarding on the cloud gateway interfaces.