Building-up the control plane for Cisco SDWAN fabric

Cisco SDWAN fabric consists primarily of two types of components: the controllers (vBond, vSmart and vManage) and the Edge routers (installed at remote and centralized locations).

Please refer to SDWAN Controllers for more information about the controllers. Building the SDWAN fabric starts with bringing up the control plane.

That includes installing the software images of the controllers in the cloud (automated by Cisco in the case of an on-cloud deployment) and installing the signed certificates on the controllers. All the controllers must be up and must have authenticated one another, because the solution is built on a Zero-Trust model: by default there is no trust between the components.

Fig 1.1- SDWAN Architecture
Trust among the controllers and the routers is established through signed certificates. The signing certificate can come from an enterprise CA, from Symantec, or from Cisco PKI (recently introduced to ease the certificate generation and installation tasks).

Under the hood, the tasks required to successfully bring up the control plane of the solution are:
  • Generate the CSR for vBond and vSmart
  • Submit the CSR to the CA with the required information
  • Receive a signed certificate against each CSR from the CA
  • Install the signed certificate on the vBond and vSmart
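To make the four tasks concrete, here is an added example (not Cisco's or vManage's code) that walks them by hand with openssl against a throw-away lab enterprise CA, standing in for the enterprise CA, Symantec or Cisco PKI the post mentions. It also adds the gate a careful operator wants before the install step: the received certificate must chain to the CA the fabric trusts and must carry the same Organization name on every controller, since a mismatch leaves the controller untrusted by its peers. The organization name "lab-sdwan-org", the hostnames under "lab.example", the working directory and the 30-day lifetimes are all constructed for the lab.

```sh
#!/bin/sh
# Added example (not Cisco's or vManage's code): the four control-plane
# certificate tasks, done by hand against a lab enterprise CA with openssl,
# plus a trust/organization-name check before "installing" each certificate.
# Organization name, hostnames and paths are constructed for the lab.

WORK="${WORK:-$(mktemp -d)}"
LAB_ORG="${LAB_ORG:-lab-sdwan-org}"   # constructed; must match the org name configured on vBond

# Lab enterprise CA (constructed; stands in for the real enterprise CA / Symantec / Cisco PKI)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=$LAB_ORG/CN=lab-enterprise-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Task 1: generate a private key and CSR for a controller role (vbond or vsmart).
# The organization name goes into the subject so every controller carries the same one.
gen_csr() {
  role="$1"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=$LAB_ORG/OU=$role/CN=$role.lab.example" \
    -keyout "$WORK/$role.key" -out "$WORK/$role.csr" >/dev/null 2>&1
}

# Tasks 2 and 3: submit the CSR to the CA and receive a signed certificate back.
sign_csr() {
  role="$1"
  openssl x509 -req -in "$WORK/$role.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -out "$WORK/$role.crt" >/dev/null 2>&1
}

# Task 4 gate: before installing, confirm the certificate chains to the CA the
# fabric trusts and that its subject carries the expected organization name.
# Either failure would leave the controller untrusted by the other components.
verify_cert() {
  role="$1"; expected_org="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$role.crt" >/dev/null 2>&1 || return 1
  subject=$(openssl x509 -in "$WORK/$role.crt" -noout -subject)
  # Matches both the "O = org, OU = ..." (OpenSSL 1.1+) and "/O=org/OU=..." (1.0) layouts
  case "$subject" in
    *"O = $expected_org,"*|*"/O=$expected_org/"*) return 0 ;;
  esac
  return 1
}

# Whole sequence for both controllers; returns 0 only if both certificates pass the gate.
bring_up() {
  make_ca || return 1
  for role in vbond vsmart; do
    gen_csr "$role" && sign_csr "$role" && verify_cert "$role" "$LAB_ORG" || return 1
  done
}

if [ "${1:-}" = run ]; then
  bring_up && echo "control-plane certificates ready in $WORK"
fi
```

Run it as "sh bringup.sh run" to produce the CA, keys, CSRs and signed certificates in the working directory, or source the file and call the functions one at a time to mirror the manual CSR workflow. With Symantec or Cisco PKI, vManage performs these same steps for you through its API calls; the organization-name check is the part worth keeping in mind either way, because that name must be identical across the controllers.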

The good part is that vManage can automate these tasks, depending on the CA (Symantec and Cisco PKI). vManage performs them using built-in API calls to Symantec. This automated process requires the configuration below on vManage.

Certificate Authorization Settings 
  • Access the vManage Settings page ---> Click Administration ---> Select Settings.
  • Configure the Organization name. It must be the same in the configuration of all the devices, and it is the one configured on vBond. Once done, specify the Certificate authorization settings.
  • Expand Controller Certificate Authorization by clicking the Edit button.
Fig 1.2

The Certificate Retrieve Interval shown in the snapshot above specifies how often vManage checks whether the Symantec signing server has sent the certificate. Provide the required details and save the changes.
Once the above settings are correctly configured, the certificate-related tasks are automated.

vManage uses API calls to generate the CSR, submit the CSR to Symantec for signing, and install the received signed certificate on the devices.

Add the controllers to the vManage 
  • Click on the Configuration menu ---> select Devices
  • Click Add Controller, and add a vBond orchestrator and a vSmart controller to the overlay network
  • Specify all the required information asked for by the wizard.

Fig 1.3

Note: Ensure that the Generate CSR checkbox is selected.

The vManage NMS sends the CSR to Symantec. It periodically checks with Symantec, and when the signed certificate is ready, the NMS retrieves it. Then, the vManage NMS installs the signed certificate on the device and sends it to the vBond orchestrator.

By default, the vManage NMS checks with Symantec once per hour. This interval allows time for Symantec to verify your device and network information with the cloud operations team. This is a configurable setting and can be fine-tuned. 
Hope you find it informative!