Cisco CloudOps


Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Cisco provides a cloud-hosted subscription service for its Cisco Catalyst SD-WAN Control Components, such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller. This service streamlines and speeds up deployment. It also lowers operational costs and includes instance monitoring and advanced analytics capabilities.

About This Guide

Network design engineers and network operators interested in purchasing or deploying Cisco Catalyst SD-WAN cloud-based subscription options can use this guide to learn about thec capabilities and services of the cloud-hosted Cisco Catalyst SD-WAN Control components managed by Cisco. It covers the hosting processes for the cloud infrastructure, assigned responsibilities, and pertinent recommendations.

Types of fabric network in Cisco Catalyst SD-WAN

  • Cisco SD-WAN Cloud fabric

    In a Cisco SD-WAN Cloud fabric, the control components are hosted and managed by Cisco. This fabric type is best for customers who prefer to focus on their edge device networking instead of cloud control component infrastructure operations.

    • Cisco SD-WAN Cloud fabrics always run on the long-lived recommended software releases, providing reliability and stability.

    • The Cloud fabric is mapped to the customer’s Smart Account and Virtual Account for easier device onboarding, utilizing the external management capabilities of their Virtual Account.

  • Cisco SD-WAN Cloud-Pro fabric

    In addition to the capabilities of a Cisco SD-WAN Cloud fabric, a Cisco SD-WAN Cloud-Pro fabric allows you to access these options:

    • Isolated/Private instance of SD-WAN Control Components.

    • Specific software versions.

    • AWS or Azure for a Cloud provider and specific location from available Cloud provider regions for deployment of Control Components.

    • Ability to choose your Control component software upgrade schedule.

    • Commercial certifications, such as PCI DSS, C5, ENS, CC, and TxRAMP.

  • Cisco SD-WAN Cloud-MSP fabric

    In this type of fabric, the hosting of control components (Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller) is dedicated to Managed Service Providers (MSPs). The MSP hosts and manages tenants within this multitenant environment for their end-customers.


    Note

    A Cisco SD-WAN Cloud-MSP fabric can be hosted only on the AWS cloud provider.

Coverage Summary

Task

Cisco SD-WAN Cloud

Cisco SD-WAN Cloud-Pro

Cisco SD-WAN Cloud-MSP

Comments

Provision Fabric

Provisioning from Cisco Catalyst SD-WAN Portal

Customer

Customer

Cisco CloudOps

Monitor and Troubleshoot Cloud Control Components infrastructure

CPU and data disk utilization

Cisco CloudOps

Loss of connectivity to network interfaces

Failure to reach instances

Monitor Cisco Catalyst SD-WAN services

Expiry notification of control component SSL certificates

Cisco CloudOps

Availability of the Cisco SD-WAN Manager web server

Loss of control connection to the control components

Capacity management of Cisco Catalyst SD-WAN Controllers

Cisco CloudOps

Cisco CloudOps monitors and upgrades the instance capacity (including expansion to clusters) based on the number of devices on the fabric.

Disaster Recovery

Take periodic volume-based snapshots

Cisco CloudOps

Note that in multitenancy, the volume-based and config-based snapshot is for the entire multitenancy Cisco SD-WAN Manager cluster, not for any particular tenant.

Take periodic configuration-based backups

Take On-demand snapshots

Not Applicable

Customer

Customer

Restore fabric based on volume or configurations

Cisco CloudOps

Onboard to Cisco SD-WAN Analytics

*Not Applicable

Customer

Customer

Cisco SD-WAN Analytics is onboarded by default for all Cisco Catalyst SD-WAN deployments.

Assist on-premises to cloud migration assistance

Cisco CloudOps

For more details on the On-prem to cloud migration, see On-Premises to Cloud Migration Process Details.

Custom subnets and TACACS

Not Applicable

Customer

Customer

For customers, setting up custom subnets and TACACS is only possible during Day-0 provisioning. For Day-N, customers can open a TAC case with Cisco CloudOps. TACACS is not available for Cisco SD-WAN Cloud-MSP fabrics at present.

Renew control component certificates

Cisco CloudOps

*Customer

*Customer

*CloudOps can help renew certificates on customer request.

Upgrade software

Control component software upgrade

Cisco CloudOps

*Cisco CloudOps

*Cisco CloudOps

*Cisco performs upgrades only to recommended releases.

Edge device/node software upgrade

Customer

Upload and manage Edge images in Cisco SD-WAN Manager Software Repository

Cisco CloudOps

Customer

Customer

Respond to Cisco CloudOps notifications to authorize the service window, instance reboot, review, or verify changes carried out by Cisco CloudOps

Customer

Create Smart Accounts (SA) or Virtual Accounts (VA) on software.cisco.com and attach Cisco Catalyst SD-WAN subscribed devices to the SA/VA

Customer

Allow external management of SA/VA on PNP Connect

Customer

Not Applicable

Not Applicable

Do not allow external management of SA/VA on PNP Connect before provisioning a fabric in Cisco Catalyst SD-WAN Portal. The provisioning workflow automatically enables the external management.

Accept external management of SA/VA and map tenant VA to customer SA/VA

Cisco CloudOps

Not Applicable

Not Applicable

Define device configuration templates and policies through Cisco SD-WAN Manager

Customer

Perform other activities that require logging in to Cisco SD-WAN Manager, such as template and policy configuration and edge device management

Customer

Manage web server certificates

Cisco CloudOps

*Customer

**Customer

*CloudOps can help renew certificates on customer request.

**CloudOps can renew web certificates if the Cisco SD-WAN Cloud-MSP fabric is deployed in the cisco.com domain.

Sync edge serials with credentials

*Not Applicable

Customer

Customer

*Cisco SD-WAN Cloud customers use their Cisco Connection On-line (CCO) login credentials for Single-Sign-On and syncing edge serials.

Managed Allowed IP access list

Not Applicable

Customer

Customer

Custom Identity Provider (IdP) Configuration

Not Applicable

Customer

Customer

Cisco SD-WAN Cloud only supports Cisco Connection On-line (CCO) as an identity provider. Customers can use Single-Sign-On to navigate among Catalyst SD-WAN applications such as Cisco SD-WAN Manager, Cisco SD-WAN Analytics, and Cisco Catalyst SD-WAN Portal.

Solution Design

About This Solution

When you choose a cloud-based subscription for your Cisco Catalyst SD-WAN Control Components, Cisco deploys Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller on the public cloud. Cisco then provides you with administrator access. By default, a single Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller are deployed in the primary cloud region and an additional Cisco SD-WAN Validator and Cisco SD-WAN Controller are deployed in the secondary or backup region.

Figure 1. Solution Architecture

Supported Clouds and Cloud Regions

The following clouds and cloud regions are supported for Cisco Catalyst SD-WAN Control Component deployments:

Table 1. Supported clouds and cloud regions for SD-WAN Cloud

Amazon Web Services

APAC

EU

US
Table 2. Supported clouds and cloud regions for Cisco SD-WAN Cloud-Pro

Amazon Web Services

Microsoft Azure

Asia Pacific—Jakarta | Indonesia

Asia Pacific—Mumbai | India

Asia Pacific—Hyderabad | India

Asia Pacific—Seoul | South Korea

Asia Pacific—Singapore | Singapore

Asia Pacific—Sydney | Australia

Asia Pacific—Melbourne | Australia

Asia Pacific—Tokyo | Japan

Africa—Cape Town

Canada Central—Montreal | Canada

Canada West—Calgary | Canada

EU—Frankfurt | Germany

EU—Ireland | Dublin

EU—London | UK

EU—Stockholm | Sweden

South America—Sao Paulo | Brazil

US East—Northern Virginia | USA

US West—Northern California | USA

US West—Oregon | USA

Asia Pacific | Australia East—Sydney | New South Wales

Asia Pacific | Australia Southeast—Melbourne | Victoria

Asia Pacific | Japan East—Tokyo

Asia Pacific | Southeast Asia—Singapore

Asia Pacific | West India—Mumbai

Asia Pacific | South India

UAE North—Dubai

Asia Pacific | Australia Central—Canberra

South Africa—North

Canada Central—Montreal | Canada

Canada East

Americas | Brazil South—Sao Paulo State

Europe | France Central—Paris

Europe | North Europe—Ireland

Europe | UK South—London

Europe | West Europe—Netherlands

Americas | East US—Virginia

Americas | West US—California

Americas | West US 2—Washington

Customer Responsibilities

  • Manage allowed access-list with your source public IP ranges for management access of control components.

  • Renew control component certificates on time.

  • Before making any changes in the Cisco Catalyst SD-WAN Portal, take the on-demand snapshot using the procedure, Take an On-Demand Snapshot and configuration backup using Back Up the Active Cisco SD-WAN Manager procedure.

  • Upgrade the software.

    • You can open a TAC case for the following:

      • If you face any issues with software upgrade.

      • If you want any rollback.

    • The Cisco SD-WAN Validator and Cisco SD-WAN Controller are stateless services. Therefore, you do not need to take backups for these services. Cisco SD-WAN Manager automatically pushes the configurations once they are attached to templates.

      We recommend that you create and attach templates to the Cisco SD-WAN Validator and Cisco SD-WAN Controller instead, so the Cisco SD-WAN Manager backups automatically include the configuration backup of the control components.

    • The Cisco Catalyst SD-WAN support teams can assist with the control component software upgrade for all deployment types.

    • It is your responsibility to upgrade the software version of an edge device. For the compatible versions of edge devices based on control component versions, see Cisco SD-WAN Controller Compatibility Matrix.

  • Respond to the notifications sent by Cisco CloudOps to authorize the service window, instance reboot, review, or verify changes carried out by Cisco CloudOps.

  • For a Cisco SD-WAN Cloud-Pro fabric, configure the third interface on Cisco SD-WAN Manager with static IP or DHCP based IP to use it for SD-AVC. By default the third interface is in shut state.

  • Open a TAC case to arrange a service window when you receive a notification from Cisco CloudOps. Some operations can be performed only with the consent of the customer.

  • Create Smart Accounts (SA) or Virtual Accounts (VA) on software.cisco.com and attach Cisco Catalyst SD-WAN subscribed devices to the SA or VA.

  • Define device configuration templates and policies through Cisco SD-WAN Manager.

  • Perform other activities that require logging in to Cisco SD-WAN Manager.

  • For a Cisco SD-WAN Cloud fabric, open a Cisco TAC support case if you need specific software versions to be added in the Cisco SD-WAN Manager software repository.

Your failure to meet the responsibilities outlined in this section will invalidate the SD-WAN Cloud SLA, including any guaranteed service uptimes.

Responsibilities of Cisco CloudOps

Fabric Provisioning

  • Provision cloud-hosted control components for your Cisco Catalyst SD-WAN fabric, configure a unique admin password with an expiry time of a week, and hand over Cisco SD-WAN Manager to you.

  • Configure Cisco SD-WAN Manager with a default template and policy when you choose the default template and policy push option on the sales order.

  • Create and manage Cisco SD-WAN Cloud, Cisco SD-WAN Cloud-Pro, and Cisco SD-WAN Cloud-MSP clusters as needed.

  • Manage tenants on Cisco SD-WAN Cloud-MSP fabrics (for direct enterprise customers).

Monitor and Troubleshoot

Cisco CloudOps monitors the health of cloud-hosted fabric and troubleshoots if there are any issues.

  • Cisco CloudOps is backed by a real-time monitoring system that checks the health of Cisco Catalyst SD-WAN control components and generates alerts. The check includes the health of Cisco SD-WAN Manager, application or web server, other micro services, and configuration or statistics databases.

  • Take proactive action for cloud infrastructure issues, which are beyond your control. Else, notify you about the potential issues and request you to open a Cisco TAC support case for further investigation.

  • Manage alerts based on notifications from the cloud provider environments on instance up or down states and CPU or network inactivity status.

  • Resolve the alerts proactively if it doesn’t require a down time of the services. Notify you when services flap.

  • Send 30-, 15-, and 5-day notices to you to renew expiring certificates on Cisco SD-WAN Manager. Cisco Catalyst SD-WAN control component certificates have a validity of one year.

Cloud Infrastructure Support

  • Carry out disaster recovery workflows, including snapshot volumes or configurations. Restore Cisco SD-WAN Manager clusters based on volumes or configurations.

  • Provision custom subnetting to extend your on-premises network into the cloud-hosted fabric network.

  • Manage on-premises to cloud migrations.

Capacity Management

  • Monitor the growth of devices per fabric along with the control component instance capacity parameters such as CPU, disk, and memory utilizations. Follow a pre-set guideline to increase the capacity of the service instances as needed.