Manage Overlay Networks

Create a Cisco SD-WAN Cloud-Pro Fabric

The Cisco Catalyst SD-WAN Portal provisions Cisco Catalyst SD-WAN fabrics according to the information that you provide as part of the following procedure.

Before You Begin

Ensure that you have the following:

  • An active Cisco Smart Account.

  • An active Cisco Virtual Account.

  • The SA-Admin role for your Cisco Smart Account. (Required to access the Cisco Catalyst SD-WAN Portal for the first time and to create a fabric. Not required thereafter.)

  • A valid order for control components on Cisco Commerce (formerly CCW).

Procedure

  1. Go to the URL that you received in the email from Cisco to access the Cisco Catalyst SD-WAN Portal, and log in.

  2. From the Cisco Catalyst SD-WAN Portal menu, choose Create Fabric.

    The Create Cisco SD-WAN Fabric page appears.

  3. From the Smart Account drop-down list, choose the name of the Cisco Smart Account to which you want to associate the fabric.


    Note


    If the Cisco Smart Account you want does not appear in the drop-down list, click to refresh the list and search for the Cisco Smart Account using its domain ID.


  4. From the Virtual Account drop-down list, choose the name of the Cisco Virtual Account to which you want to associate the fabric.

  5. Select a Cisco SD-WAN Cloud or Cisco SD-WAN Cloud-Pro Fabric. Creating a Cisco SD-WAN Cloud fabric is described in the Cisco SD-WAN Cloud Guide. If you select Cisco SD-WAN Cloud-Pro, a questionnaire dialog box appears, where you enter details about your request.

  6. Check the appropriate boxes if you intend to use any of the listed features on the fabric (required). Check the box for “None of the above options” if you aren’t using any additional features.

  7. Enter the number of devices you plan to add to the fabric (required).

  8. Enter the sales order number for any SD-WAN subscriptions you have (optional).

  9. Click Next.

    Based on your responses, you are directed to the Cisco SD-WAN Cloud or Cisco SD-WAN Cloud-Pro fabric creation workflow. Creating a Cisco SD-WAN Cloud fabric is described in the Cisco SD-WAN Cloud Guide. The remainder of these instructions apply to creating a Cisco SD-WAN Cloud-Pro fabric.

  10. Click Assign Control Components and perform the following actions in the Assign Control Components area:

    1. Configure the options for the number of control component types in a Cisco SD-WAN Cloud-Pro fabric, as described in the table.

      Option

      Description

      Assign (for the vManage control component type)

      Enter the number of Cisco SD-WAN Manager control components in your deployment.

      Valid values are 1, 3, or 6.

      Assign (for the vBond control component type)

      Enter the number of Cisco SD-WAN Validators in your deployment.

      The minimum value is 2.

      Assign (for the vSmart control component type)

      Enter the number of Cisco SD-WAN control components in your deployment.

      The minimum value is 2.

      Enable Cluster

      Applies only if you choose a value of 3 or 6 for the number of Cisco SD-WAN Manager controllers.

      Turn on this option to create a Cisco SD-WAN Manager cluster.

      Cluster Type

      Applies only if you turn on the Enable Cluster option.

      Choose Single Tenant Cluster to enable a single tenant cluster.

    2. Click Assign.

  11. In the Fabric field, enter a name for your fabric.

  12. Under Cloud Provider, choose AWS or Azure as the cloud provider at which you want Cisco to host the control components for your fabric.


    Note


    IPv6 provisioning is only supported for Single Tenant fabrics hosted on AWS.


  13. From the SD-WAN Version drop-down list, choose the version of Cisco Catalyst SD-WAN that you want to use on your control components.

    Choose the recommended version unless there are specific features that you need and these features are available only in another version. For information about recommended versions, go to Cisco Software Central. For information about Cisco Catalyst SD-WAN releases, see the Cisco Catalyst SD-WAN Release Notes in the Release Information area in User Documentation for Cisco IOS XE (SD-WAN) Release 17.

  14. Under Locations, perform these actions:

    1. From the Primary Location drop-down list, choose the geographical location where the Cisco SD-WAN Manager is provisioned.

      We recommend that you choose a location that is relatively close to your network.

    2. From the Secondary Location drop-down list, choose the geographical location for backed up data storage and load balancing. If you choose the same region for both primary and secondary, then SSP automatically places the instances in two different Zones within the same region.

      We recommend that you choose the location that is closest to the primary location.

    3. From the Data Location drop-down list, choose the geographical location for Cisco SD-WAN Analytics data storage.

      We recommend that you choose the location that is closest to the primary location.

  15. Enter the following information under Contacts:

    • In the Fabric Admins field, enter one or more comma separated email addresses or mailer list names to which the Cisco Catalyst SD-WAN Portal sends notifications about the fabric.

    • In the Cisco Contact Email field, enter the email address of a contact at Cisco that can be reached if there is an urgent issue and the administrator of the fabric cannot be reached.

    • In the Enter Contract number of service field, enter the number of your Cisco Catalyst SD-WAN Portal service contract.

    • In the Enter CCO ID of Service Requester field, enter the Cisco ID of the person who created the ticket for your Cisco Catalyst SD-WAN Portal.

    Alert Notifications: SSP sends alert notifications to customers for various reasons, such as expiring subscriptions, maintenance windows, and feature changes. SSP notifications are sent to the registered 'Overlay Admin' contact email addresses configured under the overlay details. It is the customer's responsibility to keep these email addresses updated. Customers can register multiple email addresses. Perform the following steps to update the email addresses:

    1. Log in to SSP at https://ssp.sdwan.cisco.com. You must have the Cisco PNP Smart Account Administrator role to be able to log in.

      Alternatively, if your Smart Account Administrator has already set up IDP on SSP, you can log in with the role provided by your Administrator.

    2. Go to Overlay Details > Description > Overlay Admin.

    3. Click on the pencil icon to edit.

    4. Type in your email address and press Tab.

    5. Click on the check mark icon to save.

  16. Configure the following Advanced Options, as needed.

    For detailed information about these options, see Configure Advanced Options for a Cisco SD-WAN Cloud-Pro Fabric.

    • Custom Subnets: Configure private IP addresses to be used for control component interface IP addresses.

    • Custom Domain Settings: Configure custom domains for accessing Cisco SD-WAN Validator and Cisco SD-WAN Manager.

    • Snapshot Settings: Configure how often the system takes a snapshot of Cisco SD-WAN Manager instances in your deployment.

    • Custom Organization Name: Configure a unique organization name to identify your network.

    • Compliance: Select certification compliances for the fabric.

    • Dual Stack: Enable IPv6 dual stack.

  17. Click Click here to review and agree to Terms & Conditions before proceeding, and in the Terms and Conditions dialog box, review the information that is shown and click I Agree.

  18. Click Create Fabric.

    The request is submitted. For a Cisco SD-WAN Cloud-Pro fabric, manual approval can take up to 24 hours. Information about the progress of this request appears in the Requests area.

    In addition, a password appears in the Cisco Catalyst SD-WAN Portal Notification page. Use this password to access the fabric for the first time.

    To secure your environment, we recommend that you immediately change this password after logging in.


    Note


    The system-provided control component password is no longer visible in the Cisco Catalyst SD-WAN Portal after seven days. We recommend that you keep a copy of the password if you want to retain it.

  19. After you receive a notification that your fabric is ready:

Configure Advanced Options for a Cisco SD-WAN Cloud-Pro Fabric

Advanced options allow you to configure various settings for your fabric if the default settings are not what you need.

To configure advanced options for your fabric, click Advanced Options on the Cisco Catalyst SD-WAN Portal, then configure options that the following sections describe:

Custom Subnets

The Custom Subnets area includes options for configuring private IP addresses to be used for control component interface IP addresses.

For use cases such as connecting to an enterprise TACACS server; connecting to an authentication, authorization, and accounting (AAA) server; sending messages to a syslog server; or management access to instances over the fabric, you may want to deploy the control components with their private IP addresses in specific prefixes. These prefixes must be unique and unused elsewhere within your fabric.

Option

Description

Primary Subnet

VPC Subnet

Enter a private IP address block for the VPC for the primary region, for example, 192.168.0.0/24.

This IP address block must be reachable from your private network.

Primary Location

Shows the primary region for the fabric.

Management Subnet

Enter a private IP address block for the management subnet for the primary region.

This address must be within the IP address block that you entered for the VPC.

The minimum size of the IP address block is 16.

Control Subnet

Enter a private IP address block for the control subnet for the primary region.

This address must be within the IP address block that you entered for the VPC.

The minimum size of the IP address block is 16.

Cluster Subnet

Enter a private IP address block for the cluster subnet for the primary region.

This address must be within the IP address block that you entered for the VPC.

The minimum size of the IP address block is 16.

Secondary Subnet

VPC Subnet

Enter a private IP address block for the VPC for the secondary region, for example, 192.168.1.0/24.

This IP address block must be reachable from your private network.

Primary Location

Shows the secondary region for the fabric.

Management Subnet

Enter a private IP address block for the management subnet for the secondary region.

This address must be within the IP address block that you entered for the VPC.

The minimum size of the IP address block is 16.

Control Subnet

Enter a private IP address block for the control subnet for the secondary region.

This address must be within the IP address block that you entered for the VPC.

The minimum size of the IP address block is 16.

Cluster Subnet

Enter a private IP address block for the cluster subnet for the secondary region.

This address must be within the IP address block that you entered for the VPC.

The minimum size of the IP address block is 16.

Custom Domain Settings

The Custom Domain Settings area includes options for configuring custom domains for accessing Cisco SD-WAN Validator and Cisco SD-WAN Manager.

By default, the domain name is cisco.com. You can specify another domain, if needed, for your deployment.

If you specify a custom domain, you must create your own domain name systems for the Cisco SD-WAN Validator and Cisco SD-WAN Manager because Cisco does not have access to your domains.

After you configure a custom domain, make the following mappings to allow control component certificates to come up:

  • Map the Cisco SD-WAN Validator DNS to all VPN 0 IP addresses.

  • Map the Cisco SD-WAN Manager DNS to all VPN 512 IP addresses.

Option

Description

vBond

Enter the name of the DNS for the Cisco SD-WAN Validator.

vManage

Enter the name of the DNS for the Cisco SD-WAN Manager.

Snapshot Settings

The Snapshot Settings area includes an option for configuring how often the system takes a snapshot of Cisco SD-WAN Manager instances in your deployment.

By default, the network overlay configuration is backed up once a day and seven snapshots are stored.

For more detailed information about snapshots, see Information About Snapshots.

Option

Description

Frequency

Choose how often the system takes a snapshot of Cisco SD-WAN Manager instances. Options are:

  • Once a day

  • Once in 2 days

  • Once in 3 days

  • Once in 4 days

Custom Organization Name

The Custom Organization Name area includes an option for configuring a unique organization name to identify your network.

Option

Description

Custom Organization Name

Enter a unique name for your organization.

You can enter a name of up to 56 characters.

To ensure that an organization name is unique, the Cisco Catalyst SD-WAN Portal automatically appends a hyphen (-) followed by your virtual account ID at the end of the name that you enter.

Certification Compliance Modes

The Compliance Configuration area includes certification compliance options for the fabric. These compliance modes are available:

Table 1. Supported Certifications (Option: Description)

  • PCI-DSS: Payment Card Industry Data Security Standard, Service Provider, Level 1

  • SOC2: System and Organization Controls

  • ISO27001, ISO27017, ISO27018, ISO27701: International Organization for Standardization

  • C5: Cloud Computing Compliance Controls Catalog (Germany)

  • ENS: Esquema Nacional de Seguridad (Spain)

  • Tx-RAMP: Texas Risk and Authorization Management Program Level 2

Dual Stack

The Dual Stack area includes an option for enabling IPv6 for control components on AWS hosted fabrics. IPv6 provisioning is only supported for Single Tenant fabrics hosted on AWS.

Enabling this option is required if your enterprise network is configured with IPv6. After this option is enabled, the fabric subnets are configured with both IPv4 and IPv6. IPv6 addresses are assigned by your cloud service provider.


Note


After this option is enabled for a fabric, it cannot be disabled.

Option

Description

IPv6 Dual Stack

Check this check box to enable IPv6 dual stack for control components.

Delete an Overlay Network

You cannot delete an overlay network yourself. To delete an overlay network, contact Cisco Catalyst SD-WAN Technical Support.

Specify the Allowed List of IP Addresses for Managing Controller Access

For Cisco SD-WAN Cloud-Pro overlay networks, you can specify trusted IP addresses, including prefixes, from which you can manage control component access. To enable management access, specify a rule type, protocol, port range, and source IP (IP addresses and prefixes) for which you require access.


Note


You do not need to add the IP addresses of WAN edge devices for them to join the overlay. Devices with any IP address can join the overlay, using Datagram Transport Layer Security (DTLS) or Transport Layer Security (TLS) tunnels, as long as Cisco SD-WAN Manager allows the device serial numbers.


  • You can add up to 200 rules per overlay.

  • Each rule is uniformly applied to all Cisco SD-WAN Cloud-Pro control components within the overlay.

  • The same rules are automatically applied when new Cisco SD-WAN Cloud-Pro instances are added, or existing instances are replaced. The rule can be either a single IP address or a larger IP prefix.

  1. From the Cisco Catalyst SD-WAN Portal dashboard, navigate to your overlay network.

  2. In the List View tab, click the name of your overlay network.

  3. Click Inbound Rules.

  4. Click Add Inbound Rule.

  5. Specify the following parameters for your IP address or prefix:

    • Rule type: Choose one of the following: All, SSH, HTTPS, Custom TCP rule, or Custom UDP rule.

    • Port range: For custom TCP and UDP rules, specify a port range.

    • Source: Specify one or more IP addresses or IP address prefixes. For multiple entries, press Tab to enter the next IP address or prefix.

    • Descriptions: Enter a description of the inbound rule.

  6. Click Add Rule.

  7. (Optional) Click Add New Inbound Rule and add other IP addresses or IP address prefixes that you want to allow.

Create Predefined Inbound Rules

Table 2. Feature History

Feature Name

Release Information

Description

Predefined Inbound Rules

March 2023 Release

With this feature you can specify trusted IP addresses. These IP addresses are applied to any new overlay that you create under the Smart Account for which you configure this feature. These IP addresses can also be applied to existing overlays under the Smart Account for which you configure this feature.

Information About Predefined Inbound Rules

With this feature you can create inbound rules, each of which specifies trusted IP addresses. These IP addresses are applied to any new overlay that you create under the Smart Account for which you configure this feature. These IP addresses can also be applied to existing overlays under the Smart Account for which you configure this feature.

An inbound rule includes the rule name, protocol and port range to which the rule applies, and source IP address or prefix information. You can create up to 200 inbound rules.

Use Cases for Predefined Inbound Rules

Predefined inbound rules provide a convenient way to add the same group of trusted IP addresses to existing and new overlays. By creating predefined inbound rules, you avoid having to configure trusted IP address for each overlay manually.

Configure Predefined Inbound Rules

  1. From the Cisco Catalyst SD-WAN Portal menu, choose Admin Settings.

  2. Click adjacent to the Smart Account for which you want to configure a predefined inbound rule and click Manage Predefined Inbound Rules.

    A list of the inbound rules that have been configured appears.

  3. Click Add Predefined Inbound Rules.

  4. In the Add Inbound Rule area, perform these actions:

    1. In the Name field, enter a unique name for the rule.

    2. From the Rule Type drop-down list, choose the type of protocol to which the rule applies (All, SSH, HTTPS, Custom TCP rule, or Custom UDP rule).

    3. If you choose a rule type of Custom TCP rule or Custom UDP rule, in the Port Range field, enter a port range to which the rule applies.

    4. In the Source field, enter an IP address or IP address prefix.

    5. In the Description field, enter a description of the predefined inbound rule.

    6. (Optional) Click Automatically add this rule to ALL overlays to add this new rule to existing overlays under this Smart Account, in addition to future overlays that are created under this Smart Account.

      If you do not click this option, this rule is added to future overlays only.

    7. Click Add.
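Before relying on an allowed list, it helps to review the rule set offline: the following Python (an added example, not Cisco's code or any part of the portal) normalizes rules in the shape collected both by the per-overlay inbound rules procedure and by the predefined inbound rules procedure above, reports any-source rules and the 200-rule limit, and tests whether a given management connection would be admitted. It assumes that the named rule types SSH and HTTPS mean TCP/22 and TCP/443 and that All matches every protocol and port; the field names and the sample rules are constructed.

```python
import ipaddress

MAX_RULES_PER_OVERLAY = 200  # limit stated on this page

# Assumed meaning of the named rule types (not taken from the page): SSH is TCP/22,
# HTTPS is TCP/443 and "All" matches every protocol and port.
RULE_TYPES = {"SSH": ("tcp", 22, 22), "HTTPS": ("tcp", 443, 443), "All": ("any", 1, 65535)}

def parse_port_range(text):
    """Turn '22' or '8000-8100' into (low, high); raise ValueError if malformed."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad port range {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return low, high

def normalize_rule(rule):
    """Return (protocol, low_port, high_port, source_network) for one portal-style rule."""
    rtype = rule["rule_type"]
    if rtype in RULE_TYPES:
        proto, low, high = RULE_TYPES[rtype]
    elif rtype in ("Custom TCP rule", "Custom UDP rule"):
        proto = "tcp" if "TCP" in rtype else "udp"
        low, high = parse_port_range(rule["port_range"])
    else:
        raise ValueError(f"unknown rule type {rtype!r}")
    # A bare address becomes a single-host prefix (/32 or /128).
    return proto, low, high, ipaddress.ip_network(rule["source"], strict=False)

def audit_rules(rules):
    """Return findings for an overlay's rule list: the per-overlay limit and any-source rules."""
    findings = []
    if len(rules) > MAX_RULES_PER_OVERLAY:
        findings.append(f"{len(rules)} rules exceed the per-overlay limit of {MAX_RULES_PER_OVERLAY}")
    for rule in rules:
        proto, low, high, net = normalize_rule(rule)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 defeats the purpose of an allowed list
            findings.append(f"rule {rule['description']!r} allows {proto}/{low}-{high} from any source")
    return findings

def is_allowed(rules, src_ip, proto, port):
    """True if a connection from src_ip over proto/port is matched by at least one rule."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        rproto, low, high, net = normalize_rule(rule)
        if addr.version == net.version and addr in net and rproto in ("any", proto) and low <= port <= high:
            return True
    return False

SAMPLE_RULES = [  # constructed rule set in the shape the portal collects; documentation addresses only
    {"rule_type": "SSH", "port_range": "", "source": "203.0.113.10", "description": "NOC jump host"},
    {"rule_type": "HTTPS", "port_range": "", "source": "198.51.100.0/24", "description": "corporate egress"},
    {"rule_type": "Custom TCP rule", "port_range": "8443", "source": "0.0.0.0/0", "description": "temporary test"},
]
```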