How to onboard a Cisco SD-WAN cEdge router.

This article explains in detail how to onboard a Cisco SD-WAN router, also known as a cEdge. If you're running the Viptela (vEdge) platform the idea is the same with slightly different commands, which are provided alongside. By the end we'll have a fully onboarded device ready to take whatever configuration you push to it from the Manager.

In this instance we are onboarding a virtual Catalyst 8000V (C8K) router running on Cisco Modeling Labs. The configuration is 99% the same as on a physical device.

  1. Control components (Controller, Manager and Validator) are fully configured. Covered in this article.
  2. Connectivity between the router and the control components.
  3. A valid device list has been uploaded to the control components. Covered in this article.
  4. A basic understanding of SD-WAN parameter theory is recommended but not required. <INSERT GUIDE>
  5. If you're using your own certificates, you'll need the root CA.

Below is our simple topology. The devices whose names begin with 'ccloud' represent Cisco Cloud. The ISP device is my internet provider. Routing has been configured so every device can reach every other, to imitate the internet. The control components have the following IPs:

Validator: 203.0.0.10
Controller: 203.0.0.11
Manager: 203.0.0.12

  1. Configure the hostname and DNS.
  2. Configure the WAN interface and default route.
  3. Configure the basic system parameters.
  4. Configure the TLOC.
  5. Import the root cert (only if using enterprise certificates).
  6. Observe the magic.

A summarised configuration can be found at the bottom if you don't feel like reading the theory.

Boot up the router, enter 'no' if asked about the initial configuration dialog, log in and check whether it's running in 'Controller-Managed' mode (the default on Cisco Modeling Labs) using:

enable
show version

Controller-Managed mode means the router will be fully managed by the Manager, but only after it has been onboarded AND had a device template or configuration group attached to it. Until then it is managed via the CLI. You'll find the mode on the 'Router operating mode' line.

If the router is running in Autonomous mode, run the following command from exec mode. This requires a reboot:

controller-mode enable

Once the router boots back up, enter configuration mode. This is the SD-WAN equivalent of 'conf t':

config-transaction

Begin by giving the router a hostname, a DNS server (optional), a WAN interface and a default route out. DNS is optional in a lab environment, or if you host the control components yourself and want to use IPs to reach your Validator. If your control components are hosted by Cisco you'll need DNS to resolve the FQDN they provide you.

hostname site1-edge1
ip name-server 8.8.8.8
interface GigabitEthernet 1
 ip address 203.0.1.2 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 203.0.1.1

Provided your upstream routing to the control components is working you should be able to ping them, unless they are Cisco hosted, in which case ping will fail.

Enter the 'system' sub-mode and configure the basic SD-WAN parameters. Here is a brief rundown of what each means. For a more comprehensive explanation see <INSERT GUIDE HERE>.

  1. system-ip : A unique value that identifies a router, similar to a BGP router ID.
  2. site-id : A unique ID for a location such as an office or cloud environment, shared by all devices at that location.
  3. organization-name : The organization name you chose when generating a controller profile inside your Smart Account, or the one Cisco provided you. This value is case sensitive, and it must match the OU in the control components' certificates exactly.
  4. vbond : FQDN or IP address of your Validator.

system
 system-ip 172.16.1.1
 site-id 1
 organization-name cml.lab
 vbond 203.0.0.10
exit

Next, enter the ‘sdwan’ sub-mode and configure the TLOC. I have a whole article dedicated to TLOCs here <INSERT ARTICLE>.

sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
   exit
  exit
 exit
interface Tunnel1
 no shut
 ip unnumbered GigabitEthernet1
 no ip redirects
 tunnel source GigabitEthernet1
 tunnel mode sdwan

'allow-service all' is convenient in a lab, but it opens every implicit-ACL service (SSH, NETCONF, HTTPS, SNMP and so on) on an internet-facing TLOC; in production allow only the services the site actually needs. On SD-WAN routers this config isn't live yet; to apply and save it you need to commit.

commit
end

The complete cEdge configuration, in text form for your copy and paste needs:

config-transaction
hostname site1-edge1
ip name-server 8.8.8.8
interface GigabitEthernet 1
 ip address 203.0.1.2 255.255.255.0
 no shut
 exit
ip route 0.0.0.0 0.0.0.0 203.0.1.1
system
 system-ip 172.16.1.1
 site-id 1
 organization-name cml.lab
 vbond 203.0.0.10
exit
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
   exit
  exit
 exit
interface Tunnel1
 no shut
 ip unnumbered GigabitEthernet1
 no ip redirects
 tunnel source GigabitEthernet1
 tunnel mode sdwan
commit
end
The equivalent configuration for a Viptela vEdge:

config
system
 host-name site1-edge1
 system-ip 172.16.1.1
 site-id 1
 organization-name cml.lab
 vbond 203.0.0.10
 exit
vpn 0
 ip route 0.0.0.0/0 203.0.1.1
 interface ge0/0
  ip address 203.0.1.2/24
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
   exit
  no shutdown
  exit
 exit
commit

If you are using a physical device with the default Cisco CA, it is now onboarded and you can skip to the verification section.

You don't need to worry about this section if you are using Cisco hosted controllers and don't plan on using enterprise certificates. Your physical router came with the Cisco root CA as well as its device certificate (the SUDI certificate) burned into its trust anchor chip. If you're deploying a cloud router in AWS or Azure from a marketplace subscription it will also have the root CA preinstalled but no device certificate, which is not a problem as those use OTP (One-Time Password) tokens, as shown later on.

If you are running a lab, are self hosting the control components or have opted to use an enterprise CA, your router is likely now throwing a certificate verification error:

ERR_CERT_VER_FAIL

This can also be seen in the output of the following command (on a vEdge: show control connections-history).

show sdwan control connection-history

In the background the router is trying to establish a DTLS (TLS over UDP) tunnel from its TLOC to the Validator. Because this is a TLS connection, our router (the client) needs to trust the certificate presented by the control components (the server). We need to upload and install the root CA that signed the control components' certificates on the router before this succeeds. Authentication is mutual: the control components also check the router's certificate and serial number, which is why virtual routers need the serial number and token step further down.

In this case I configured my Manager to be the signing server, as per the following article, which means I can pull the root CA from the Manager over SCP (substitute your own Manager user). Compare the certificate's fingerprint with the one shown on the Manager before you install it: whatever you install here is what the router will trust for every control connection from now on.

copy scp://<user>@203.0.0.12/root-ca.crt bootflash:

If that's not an option, run the following commands from exec mode to create the PEM file in bootflash. Paste the whole certificate, including the BEGIN and END lines. Not all routers support tclsh.

tclsh
 puts [open "bootflash:root-ca.crt" w+] {
 <PASTE ROOT CERT IN HERE>
 }
 exit

Verify the file is there with:

dir

In exec mode install the root cert.

request platform software sdwan root-cert-chain install bootflash:root-ca.crt

View the installed root CA to confirm.

show sdwan certificate root-ca-cert
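The check a practitioner wants before running the install command: confirm the file really is a PEM certificate chain that survived the SCP copy or tclsh paste intact, and pin its SHA-256 fingerprint to the value read off the Manager. The script below is an added example, not code from the original article; it uses only the Python standard library, and the embedded PEM is a constructed minimal DER SEQUENCE rather than a real certificate so that it runs offline. Point it at the real root-ca.crt and the Manager's fingerprint before copying the file to bootflash.

```python
"""Pre-install check for an SD-WAN root CA file.

Added example (not from the original article). Standard library only.
SAMPLE_ROOT_CA_PEM is CONSTRUCTED: a minimal DER SEQUENCE, not a real
certificate, so the script runs offline. On a real router run
check_root_ca() on the root-ca.crt you are about to install with
'request platform software sdwan root-cert-chain install'.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for a certificate: DER SEQUENCE { INTEGER 1 } = 30 03 02 01 01.
SAMPLE_ROOT_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def der_total_length(der: bytes) -> int:
    """Length of the outer DER SEQUENCE, header included, read from its length octets."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded block is not a DER SEQUENCE, so not an X.509 certificate")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_chain(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order.

    Catches the usual paste failures: missing BEGIN/END markers, stray
    characters inside the base64, and a truncated or padded certificate.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no BEGIN/END CERTIFICATE markers found; paste the whole PEM")
    ders = []
    for b64 in blocks:
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate block is not valid base64: {exc}") from exc
        if der_total_length(der) != len(der):
            raise ValueError("DER length does not match the data: truncated or trailing bytes")
        ders.append(der)
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as 'openssl x509 -fingerprint -sha256' prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_root_ca(pem_text: str, expected_fingerprint: Optional[str] = None) -> Dict:
    """Validate the PEM and, if an expected fingerprint is given, compare the first
    certificate's fingerprint with it (colons and letter case ignored)."""
    ders = parse_pem_chain(pem_text)
    fingerprints = [sha256_fingerprint(d) for d in ders]
    result = {"certificates": len(ders), "fingerprints": fingerprints, "fingerprint_ok": None}
    if expected_fingerprint is not None:
        def normalise(s: str) -> str:
            return s.replace(":", "").replace(" ", "").upper()
        result["fingerprint_ok"] = normalise(fingerprints[0]) == normalise(expected_fingerprint)
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROOT_CA_PEM
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_root_ca(text, expected))
```

Usage: `python3 check_root_ca.py root-ca.crt <fingerprint-from-manager>`; a `fingerprint_ok` of False, or any ValueError, means do not run the install command on that file. The DER length check is what catches a paste that lost its last line, which base64 decoding alone does not.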

You can skip this if you’re using a physical router.

Because we are using a virtual router we are now getting a different error related to a missing serial number.

If you’ve correctly uploaded your valid device list to the Manager you’ll be able to find the serial numbers and tokens on the Configuration > Certificates > WAN Edge List page.

In exec mode run the following command to apply the serial number and token to the router (on a vEdge Cloud: request vedge-cloud activate chassis-number ... token ...). The token is a one-time secret that authorises this device to join your overlay, so treat it like a password and don't leave it in tickets or repositories.

request platform software sdwan vedge_cloud activate chassis-number C8K-A78D901D-4189-833A-XXXX-XXXXXXXXXXXX token de723a9f422e46a8XXXXXXXXXXXXXXXX

You should notice a lot of logs saying vmanage-admin has logged in, vSmart peer is up and so on. This means the device has been onboarded.

You should see control connections to the control components in the 'up' state (on a vEdge: show control connections). The session to the Validator is transient and may already have dropped off the list once the Controller and Manager sessions are up.

show sdwan control connections

Your OMP peering to the Controller should also be up (on a vEdge: show omp peers).

show sdwan omp peers
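When you onboard more than a handful of routers you will want this verification scripted rather than eyeballed. The following Python is an added example, not from the original article: it parses the output of `show sdwan control connections` and reports whether the router has an 'up' session to both the Controller (vsmart) and the Manager (vmanage) with the expected, case-sensitive organization name. The sample output is constructed to mirror the column order of the IOS XE command using this page's lab addressing, with the real two-line headers abbreviated; on a real router feed it the text captured over SSH (for example Netmiko's send_command).

```python
"""Decide from 'show sdwan control connections' whether a cEdge is fully onboarded.

Added example, not from the original article. SAMPLE_OUTPUT is CONSTRUCTED to
mirror the column order of the IOS XE command with this page's lab addresses
(vsmart 203.0.0.11, vmanage 203.0.0.12); the real headers are abbreviated.
The Validator (vbond) session is transient, so it is not required to be present.
"""
from typing import Dict, List

SAMPLE_OUTPUT = """\
PEER    PEER PEER         SITE DOMAIN PEER        PRIV  PEER        PUB   ORGANIZATION LOCAL COLOR  PROXY STATE UPTIME     CONTROLLER
TYPE    PROT SYSTEM IP    ID   ID     PRIVATE IP  PORT  PUBLIC IP   PORT                                                  GROUP ID
-------------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 172.16.0.11  100  1      203.0.0.11  12346 203.0.0.11  12346 cml.lab      biz-internet No    up    0:00:10:05 0
vmanage dtls 172.16.0.12  100  0      203.0.0.12  12346 203.0.0.12  12346 cml.lab      biz-internet No    up    0:00:10:03 0
"""

# Column order of the row lines, left to right.
COLUMNS = ["peer_type", "protocol", "system_ip", "site_id", "domain_id",
           "private_ip", "private_port", "public_ip", "public_port",
           "organization", "local_color", "proxy", "state", "uptime",
           "controller_group_id"]

# Persistent control connections a WAN edge must hold to be usable.
REQUIRED_PEERS = ("vsmart", "vmanage")


def parse_control_connections(output: str) -> List[Dict[str, str]]:
    """Return one dict per row after the dashed separator; headers and blanks are skipped."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count {len(fields)}: {line!r}")
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def onboarding_status(output: str, expected_org: str) -> Dict:
    """Onboarded means an 'up' session to every required peer type, each peer
    reporting our organization-name exactly (the comparison is case sensitive)."""
    peers = parse_control_connections(output)
    problems = []
    up_types = {p["peer_type"] for p in peers if p["state"] == "up"}
    for peer_type in REQUIRED_PEERS:
        if peer_type not in up_types:
            problems.append(f"no 'up' control connection to {peer_type}")
    for p in peers:
        if p["organization"] != expected_org:
            problems.append(f"{p['peer_type']} {p['public_ip']} reports organization "
                            f"{p['organization']!r}, expected {expected_org!r}")
    return {"onboarded": not problems, "problems": problems,
            "up": sorted(up_types), "peers": peers}


if __name__ == "__main__":
    status = onboarding_status(SAMPLE_OUTPUT, "cml.lab")
    print("onboarded" if status["onboarded"] else "NOT onboarded")
    for problem in status["problems"]:
        print(" -", problem)
```

If a peer type is missing from the list, go back to `show sdwan control connection-history` and read the LOCAL ERROR and REMOTE ERROR columns for that peer; the column check in the parser is deliberate, so that a layout change in a new release fails loudly instead of silently reporting success.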

In the Manager dashboard you'll see your device under Monitor > Devices. Your GUI might look slightly different as mine is one of the latest releases, but it should be similar enough.

You'll notice that as part of the onboarding the Manager installed a couple of new root CAs on the box.

show sdwan certificate root-ca-cert | i OU

As well as a device certificate it automatically generated for the router, using the Cisco Systems CA.

show sdwan certificate installed

If you want to use your enterprise CA to issue your device certs you can change this on the Manager's Administration > Settings > WAN Edge Cloud Certificate Authorization page:

You'll need to generate a CSR on the router, get it signed by the same root CA you installed on the control components and the router, and install the cert on the device.

I hope this article has been helpful!