Cisco SD-WAN

The document provides step-by-step instructions to configure the SD-WAN component virtual machines (VMs) in VMware ESXi, including: 1. Deploying and registering the vManage, vSmart, and vBond VMs from OVA files and adding network adapters for management and SD-WAN networks. 2. Configuring IP addresses and basic settings for the controllers including the system IP, organization name, site ID, and vBond IP. 3. Configuring the transport VPN on each controller by setting the WAN interface IP address, enabling tunnel interfaces, and allowing all services over the VPN.

Step-By-Step Configuration

Configure SD-WAN Component VMs

1. Navigate to your VMware ESXi management interface, select “Virtual Machines”, then click
“Create/Register VM”
2. For vManage, click “Deploy a virtual machine from an OVF or an OVA file"
3. Enter a name for your vManage instance, and select the downloaded file for vManage

4. Select the datastore where the VM is going to be stored


5. Select the VM management network for the VM Network, and select “Thick Provisioning” for
Data Provisioning. Uncheck “Power on Automatically”
6. Click “Finish” to register the vManage VM
7. Navigate to the left pane and click on "Networking" to add an additional Network Adapter. Click
on "Add port group"
8. In the pop-up window, type "SD-WAN" as a name of the New Port Group and click on "Add"

9. Navigate to the Virtual Machines, right click the vManage VM and click “Edit Settings”
10. Click “Add Network Adapter” and select the defined SD-WAN network for Network Adapter 2

11. Click "Add Hard Disk" and select "New Standard Hard Disk"
12. Update Hard Disk 1's size to be 30GB, and update Hard Disk 2's size to be 100GB, so that
vManage has sufficient space to store all controller logs

13. Click "Save"


14. Repeat steps 1-8 for vSmart and vBond, using the downloaded OVA file for each. When
configuring the VMs, ensure that the first network adapter is the VM management network and
the second network adapter is the SD-WAN network

Configure Controller IP Addresses

1. Start all three VM instances for vManage, vBond, and vSmart


2. Log in to each VM instance using the default username/password: admin/admin
3. Type the following commands to set up the vManage, vSmart and vBond system configurations:

Command / Purpose

Step 1
  Command: vmanage# configure terminal
  Purpose: Enters global configuration mode

Step 2
  Command: vmanage(config)# system
  Purpose: Enters system parameter configuration mode

Step 2.a
  Command: vmanage(config-system)# host-name <name>
  Purpose: Specifies the name of the device

Step 3
  Command: vmanage(config-system)# system-ip <IP address>
  Purpose: An IP address used internally by the network to identify each
  device, similar to a router ID. These must be private addresses that are
  unused anywhere else in the network.
  Example: vManage 1.1.1.1, vSmart 1.1.1.2, vBond 1.1.1.3

Step 4
  Command: vmanage(config-system)# organization-name <Press Enter>
           (<Organization name>): <name>
  Purpose: Name of your organization. It must be identical on all the devices
  in your overlay network, and it must match the name in the certificates for
  all network devices.
  Example: (<Organization name>): Cisco systems

Step 5
  Command: vmanage(config-system)# sp-organization-name <Press Enter>
           (<Organization name>): <name>
  Purpose: Name of your service provider. It must be identical on all the
  devices in your overlay network, and it must match the name in the
  certificates for all network devices.
  Example: (<Organization name>): My Service Provider

Step 6
  Command: vmanage(config-system)# site-id <number>
  Purpose: Numeric identifier of the site in the overlay network. The site ID
  must be the same for all devices that reside in the same site (i.e. the site
  ID is the same for vManage, vSmart and vBond).
  Example: site-id 100

Step 7.a (for vManage and vSmart only)
  Command: vmanage(config-system)# vbond <IP address>
  Purpose: IP address of the vBond orchestrator. Must be a public IP address.
  Example: vbond 128.x.x.x

Step 7.b (for vBond only)
  Command: vmanage(config-system)# vbond <IP address> local vbond
  Purpose: Configures this device to act as the vBond orchestrator.
  Example: vbond 128.x.x.x local vbond

Step 8
  Command: vmanage(config-system)# commit
  Purpose: Activates the commands in the configuration

A summary of the above commands, with an example configuration (shown for vManage; on vBond itself the last line is “vbond 128.0.0.3 local vbond”, as in Step 7.b):

configure terminal
system
host-name vmanage
system-ip 1.1.1.1
organization-name Cisco
sp-organization-name MyServiceProvider
site-id 100
vbond 128.0.0.3
commit

4. Once the controllers are set up, configure the transport VPN on vManage, vSmart and vBond
with the following commands:

Command / Purpose

Step 1
  Command: vmanage# conf t
           vmanage(config)# vpn 0
  Purpose: Enters VPN 0, the WAN-facing interface, i.e. the transport VPN

Step 2
  Command: vmanage(config-vpn-0)# interface eth0   (for vManage and vSmart)
           vbond(config-vpn-0)# interface ge0/0    (for vBond only)
  Purpose: Enters the configuration mode for an Ethernet WAN interface

Step 3
  Command: vmanage(config-interface-eth0)# ip address <IP address>
  Purpose: Sets the IP address for the specified Ethernet interface. Enter the
  IP address with a CIDR prefix. Example: 128.0.0.5/24
  Command: vmanage(config-interface-eth0)# no shut
  Purpose: Enables the Ethernet interface, changing its state from
  administratively down to administratively up

Step 4
  Command: vmanage(config-interface-eth0)# tunnel-interface
  Purpose: Configures the interface to be a secure DTLS or TLS WAN transport
  connection
  Command: vmanage(config-tunnel-interface)# allow-service all
  Purpose: Configures the services that are allowed to run over the WAN
  connection in VPN 0
  Then:    vmanage(config-tunnel-interface)# commit
           vmanage(config-tunnel-interface)# exit
           vmanage(config-interface-eth0)# exit

  For vBond:
           vbond(config-interface-ge0/0)# tunnel-interface
           vbond(config-tunnel-interface)# encapsulation ipsec
           vbond(config-tunnel-interface)# allow-service all
           vbond(config-tunnel-interface)# commit
           vbond(config-tunnel-interface)# exit
           vbond(config-interface-ge0/0)# exit

Step 5
  Command: vmanage(config-vpn-0)# ip route 0.0.0.0/0 <IP address>
           vmanage(config-vpn-0)# commit
  Purpose: Establishes a static default route to the gateway IP address
  Example: ip route 0.0.0.0/0 128.0.0.1
A summary of the above commands, with an example configuration:

For vManage and vSmart:

configure terminal
vpn 0
interface eth0
ip address 128.0.0.5/24
no shutdown
tunnel-interface
allow-service all
commit
exit
exit
ip route 0.0.0.0/0 128.0.0.1
commit

For vBond:

configure terminal
vpn 0
interface ge0/0
ip address 128.0.0.3/24
no shutdown
tunnel-interface
encapsulation ipsec
allow-service all
commit
exit
exit
ip route 0.0.0.0/0 128.0.0.1
commit
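Before committing the three system and VPN 0 configurations, the rules stated above (identical organization name and site ID on every controller, unique private system IPs, a public vBond address marked “local vbond” on vBond itself, a CIDR prefix on the WAN address with the default gateway inside that subnet, “encapsulation ipsec” on vBond) can be checked mechanically. The following Python script is an added example, not part of this guide or of any Cisco tooling; it reads configurations in the transcript form shown in the two summaries. The three sample transcripts it checks are constructed from the guide's example values, with 10.255.0.x substituted as system IPs so that they satisfy the private-address rule, plus a second set with a deliberately mistyped vSmart configuration:

```python
"""Consistency check for the three controller configs (added example, not the
guide's own tooling). It parses the 'system' and 'vpn 0' commands in the form the
guide lists them and applies the rules the guide states: organization-name,
sp-organization-name and site-id identical everywhere; system-ip unique and
private; the vbond address identical on vManage/vSmart and marked 'local vbond'
on vBond; VPN 0 address with a CIDR prefix and the default gateway inside it;
vBond's tunnel-interface has 'encapsulation ipsec'. Samples are constructed."""
import ipaddress


def parse_config(text):
    """Flatten one controller's CLI transcript into the settings checked below."""
    cfg = {"local_vbond": False, "allow_service_all": False, "encap_ipsec": False}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        key, _, rest = line.partition(" ")
        if key in ("host-name", "system-ip", "organization-name",
                   "sp-organization-name", "site-id", "interface"):
            cfg[key] = rest
        elif key == "vbond":  # 'vbond <ip>' or 'vbond <ip> local vbond'
            cfg["vbond"] = rest.split()[0]
            cfg["local_vbond"] = "local" in rest.split()
        elif line.startswith("ip address "):
            cfg["wan_addr"] = line.split()[2]
        elif line.startswith("ip route 0.0.0.0/0 "):
            cfg["gateway"] = line.split()[3]
        elif line == "allow-service all":
            cfg["allow_service_all"] = True
        elif line == "encapsulation ipsec":
            cfg["encap_ipsec"] = True
    return cfg


def check_controllers(configs):
    """configs: {'vmanage': text, 'vsmart': text, 'vbond': text}.
    Returns (errors, notes); an empty errors list means the set is consistent."""
    p = {role: parse_config(t) for role, t in configs.items()}
    errors, notes, seen = [], [], {}
    for key in ("organization-name", "sp-organization-name", "site-id"):
        values = {role: c.get(key) for role, c in p.items()}
        if len(set(values.values())) != 1:
            errors.append(f"{key} differs across controllers: {values}")
    for role, c in p.items():
        ip = c.get("system-ip")
        if not ipaddress.ip_address(ip).is_private:
            errors.append(f"{role}: system-ip {ip} is not a private address")
        if ip in seen:
            errors.append(f"{role}: system-ip {ip} already used by {seen[ip]}")
        seen[ip] = role
    vbond_ip = p["vbond"].get("vbond")
    if not p["vbond"]["local_vbond"]:
        errors.append("vbond: 'local vbond' missing (Step 7.b)")
    if vbond_ip and ipaddress.ip_address(vbond_ip).is_private:
        errors.append(f"vbond address {vbond_ip} must be a public address")
    for role in ("vmanage", "vsmart"):
        if p[role].get("vbond") != vbond_ip:
            errors.append(f"{role}: vbond {p[role].get('vbond')} != vBond's {vbond_ip}")
    for role, c in p.items():
        addr = c.get("wan_addr", "")
        if "/" not in addr:
            errors.append(f"{role}: VPN 0 'ip address {addr}' needs a CIDR prefix")
            continue
        net = ipaddress.ip_interface(addr).network
        gw = c.get("gateway")
        if gw and ipaddress.ip_address(gw) not in net:
            errors.append(f"{role}: default gateway {gw} is outside {net}")
        if c["allow_service_all"]:
            notes.append(f"{role}: 'allow-service all' permits every service on VPN 0")
    if not p["vbond"]["encap_ipsec"]:
        errors.append("vbond: tunnel-interface lacks 'encapsulation ipsec'")
    return errors, notes


def sample(role, system_ip, org="Cisco", wan="128.0.0.5/24", gw="128.0.0.1"):
    """Constructed transcript in the guide's layout for one controller."""
    is_vbond = role == "vbond"
    lines = ["configure terminal", "system", f"host-name {role}",
             f"system-ip {system_ip}", f"organization-name {org}",
             "sp-organization-name MyServiceProvider", "site-id 100",
             "vbond 128.0.0.3" + (" local vbond" if is_vbond else ""), "commit",
             "vpn 0", "interface " + ("ge0/0" if is_vbond else "eth0"),
             f"ip address {wan}", "no shutdown", "tunnel-interface"]
    lines += ["encapsulation ipsec"] if is_vbond else []
    lines += ["allow-service all", "commit", "exit", "exit",
              f"ip route 0.0.0.0/0 {gw}", "commit"]
    return "\n".join(lines)


GOOD = {"vmanage": sample("vmanage", "10.255.0.1"),
        "vsmart": sample("vsmart", "10.255.0.2", wan="128.0.0.6/24"),
        "vbond": sample("vbond", "10.255.0.3", wan="128.0.0.3/24")}
# vSmart with a mistyped organization name, a duplicate system-ip and no prefix
BAD = dict(GOOD, vsmart=sample("vsmart", "10.255.0.1", org="Cisco Systems", wan="128.0.0.6"))

if __name__ == "__main__":
    for label, cfgs in (("good", GOOD), ("bad", BAD)):
        errors, notes = check_controllers(cfgs)
        print(f"{label}: {len(errors)} error(s)", *errors, *notes, sep="\n  ")
```

Paste each controller's committed configuration into the dictionary in place of the constructed samples to run it against your own deployment. The “allow-service all” line is reported as a note rather than an error because the guide uses it deliberately; the note is there so that the set of services exposed on the transport interface is a conscious decision rather than an accident.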

Configure Controller Certificates

1. Log in to the vManage web console by navigating to “https://<vManage Public IP Address>:8443” in a web browser
2. Once the vManage Dashboard has loaded, navigate to the Administration menu on the right,
then select “Settings"

3. Configure the Organization Name to match the one that was configured on each controller
through the CLI
4. Enter the address that was configured for vBond, with the default port “12346” unless an
alternate port was configured
5. There are many certificate authorization options available, such as using a Cisco Smart Account
to automatically sign certificates. For the purposes of this configuration guide, we will select
“Enterprise” for Controller Certificate Authorization, to use a custom Root Certificate Authority
for signing controller certificates

6. To begin the process of creating a root certificate, access the certificate-signing server/software
on a compatible workstation that has network access to the three controllers

NOTE: There are many free options for creating and signing certificates, and each will
work with the SD-WAN controllers, however, this guide will cover how to do so using the
xca certificate-signing software, which is also available for free.
7. Select “File” > “New Database” and specify a name to create a new .xdb database. Click “Save"
8. Navigate to the “Certificates” tab in xca, then select “New Certificate” on the right
9. On the “Source” tab, in the field “Template for the new certificate” select “[default] CA”, then
click “Apply extensions,” “Apply subject,” and “Apply all”

10. On the Subject tab, enter the name “RootCA” in the field for Internal Name. Fill out the
remaining details in correspondence with your organization. The “organizationName” and
“organizationalUnitName” fields must be identical and should match the organization name
configured previously on each of the controllers, as well as the vManage web console
11. Click “Generate a new key” to generate the private key for the root certificate. Click “Create” to
generate the key

12. Click “OK” at the bottom right corner of the window to create the root certificate
13. After the certificate has been created, select it and click “Export” on the right to save the
certificate in PEM (.crt) format

14. Using a Terminal window, navigate to the directory where the exported root certificate was
stored
15. Open the certificate using vim by entering “vim rootca.crt” in the Terminal window. Copy all of
the certificate text, including the “Begin Certificate” and “End Certificate” lines

16. Navigating back to the vManage console, paste the contents of the root certificate into the
setting for “Controller Certificate Authorization” and click “Import & Save”

17. Open a new Terminal window and SSH into vManage (“ssh admin@<vManage IP Address>”), using
the same IP address and credentials used to log in to the vManage GUI
18. Enter the “vshell” command to enter the virtual shell on vManage. Then, navigate to the admin
directory by entering the command “cd /home/admin”
19. Enter the command “vim root.crt” to enter VIM and create a new blank file, titled “root.crt” in
order to be able to install the root certificate chain on the controller
20. Enter Insert Mode in VIM by entering the command “i” then paste the contents of the RootCA
certificate, copied from Step 15, into this blank file. Save the file by hitting the escape key, and
then entering the command “:wq”
21. Enter the command “exit” to exit the virtual shell. Install the root certificate chain by entering
the command “request root-cert-chain install /home/admin/root.crt”
22. Repeat Steps 17-21 for establishing an SSH session with vSmart and vBond to install the root
certificate on each controller

23. Return to the vManage web console. Use the menu on the left to Navigate to “Configuration” >
“Certificates.” Select “Controllers” at the top of the page
24. Click the three dots at the right of the vManage line to open the options menu for the vManage
certificate. Click “Generate CSR” to generate the certificate signing request for vManage
25. Click “Download” to download the CSR. Rename the downloaded CSR file to match the name of
the controller the CSR is for: vManage.csr, vSmart.csr, or vBond.csr

26. Return to xca to sign the CSR. To begin, select the “Certificate Signing Requests” tab at the top
of the window. Then click “Import” on the right to import the CSR that was downloaded from
the vManage web GUI
27. Once imported, right click the name of the CSR inside of the xca window and click “Sign” to
begin signing the certificate

28. On the “Source” tab, under the field “Signing” ensure that the RootCA certificate that was
created previously is selected as the certificate to be used for signing
29. In the field, “Template for the new certificate” select “[default] HTTPS_client” then click “Apply
extensions,” “Apply subject,” and “Apply all”

30. On the “Extensions” tab, set the validity start so that the certificate is valid as soon as it is
installed: the “Not before” time should equal the current time on the controller the certificate is
for, read at the moment of signing
31. Run the “show clock” command on the controller through the CLI to read its current time, and
enter that same time in the “Not before” field in xca
32. Click “Apply” on the right to update the “Not after” field to reflect the updated time. Then click
“OK” at the bottom of the window to sign the certificate
33. After signing the certificate, select the “Certificates” tab at the top of the window in xca. Click
the drop-down arrow to the left of the RootCA certificate that was generated earlier. The
certificate that was just signed should now appear underneath the root certificate
34. Right click the certificate whose name corresponds to the controller the certificate is being
signed for (vManage, vSmart, vBond) and select “Export” > “Clipboard”

NOTE: In order to use a different workstation to sign certificates in the future, you must
export the original RootCA certificate as a “File” and then for the Export Option select
“PEM + Key” to get a single PEM file containing the certificate contents as well as the
private key

35. Returning to the Certificates page on the vManage web console, click “Install Certificate” in the
top right corner of the page
36. Paste the contents of the signed certificate that were just copied from xca and then click
“Install” to install the certificate for the controller

37. After the certificate installation has finished, there should be a message indicating that it was
successful

38. Next, use the menu on the left of the vManage console to navigate to “Configuration” >
“Devices”. Select “Controllers” at the top of the page
39. Click “Add Controller” and select “vBond"

40. Enter the VPN 0 IP address of vBond that was previously configured through the CLI, as well as
the credentials used for logging into vBond
41. Ensure that the “Generate CSR” box is NOT checked, then click “Add” to add the controller

42. Repeat steps 39-41 to add the vSmart controller as well


43. Repeat steps 23-37 to generate the CSRs, as well as sign and then install the certificates for both
vBond and vSmart
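Steps 10 and 30-32 are the two places where a signed controller certificate can fail quietly: an organizationName or organizationalUnitName that does not match the configured organization name, or a “Not before” later than the controller's clock, which the controller sees as a certificate that is not yet valid. The Python script below is an added example, not from this guide or from xca; it checks both conditions against the text printed by `openssl x509 -in <controller>.crt -noout -subject -dates` for the exported certificate and the `show clock` output read in Step 31. The `show clock` layout it parses (weekday, month, day, time, zone, year) is an assumption, and all sample strings are constructed; adjust `parse_show_clock` if your controller prints a different layout:

```python
"""Pre-install check on a signed controller certificate (added example, not from
the guide). Steps 10 and 30-32 require that organizationName and
organizationalUnitName both equal the organization name set on the controllers,
and that 'Not before' is no later than the controller's clock, otherwise the
controller sees a certificate that is not yet valid. Input is the text printed
by 'openssl x509 -in <controller>.crt -noout -subject -dates' and the output of
'show clock' on the controller. The 'show clock' layout assumed here and all
sample strings are constructed."""
from datetime import datetime, timezone


def _parse_date(tokens):
    """tokens: ['Mar', '5', '14:22:00', '2024'] -> timezone-aware UTC datetime."""
    return datetime.strptime(" ".join(tokens), "%b %d %H:%M:%S %Y").replace(
        tzinfo=timezone.utc)


def parse_openssl_output(text):
    """Pull subject fields and the validity window out of openssl x509 output."""
    info = {"subject": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            for part in line[len("subject="):].split(","):
                k, _, v = part.partition("=")
                info["subject"][k.strip()] = v.strip()
        elif line.startswith(("notBefore=", "notAfter=")):
            key, value = line.split("=", 1)
            # 'Mar  5 14:22:00 2024 GMT': take the four date tokens, drop 'GMT'
            info[key] = _parse_date(value.split()[:4])
    return info


def parse_show_clock(text):
    """Assumed layout (constructed): 'Tue Mar 5 14:30:00 UTC 2024'."""
    _dow, mon, day, hms, _zone, year = text.split()
    return _parse_date([mon, day, hms, year])


def check_certificate(openssl_text, show_clock_text, org_name):
    """Return a list of problems; empty means it is ready for 'Install Certificate'."""
    cert = parse_openssl_output(openssl_text)
    now = parse_show_clock(show_clock_text)
    problems = []
    o, ou = cert["subject"].get("O"), cert["subject"].get("OU")
    if o != org_name:
        problems.append(f"organizationName {o!r} != configured {org_name!r}")
    if ou != o:
        problems.append(f"organizationalUnitName {ou!r} != organizationName {o!r}")
    if cert["notBefore"] > now:
        lead = int((cert["notBefore"] - now).total_seconds())
        problems.append(f"not yet valid: notBefore is {lead}s ahead of the controller clock")
    if cert["notAfter"] <= now:
        problems.append("certificate already expired on the controller clock")
    return problems


# Constructed samples: one certificate signed correctly, one whose 'Not before'
# was left ahead of the controller's clock and whose OU does not match.
CLOCK = "Tue Mar 5 14:30:00 UTC 2024"
GOOD_CERT = """subject=C = US, O = Cisco, OU = Cisco, CN = vmanage
notBefore=Mar  5 14:22:00 2024 GMT
notAfter=Mar  5 14:22:00 2025 GMT"""
BAD_CERT = """subject=C = US, O = Cisco, OU = IT, CN = vsmart
notBefore=Mar  5 15:00:00 2024 GMT
notAfter=Mar  5 15:00:00 2025 GMT"""

if __name__ == "__main__":
    print("good:", check_certificate(GOOD_CERT, CLOCK, "Cisco"))
    print("bad:", check_certificate(BAD_CERT, CLOCK, "Cisco"))
```

Run the check on each controller's certificate with that controller's own `show clock` output, since the three clocks are not guaranteed to agree; a positive “ahead of the controller clock” value is exactly the condition Steps 30-32 exist to prevent.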

Verification
Upon completing the controller setup and certificate installation, the vManage web console
dashboard should indicate that each of the three controllers (vManage, vSmart, and vBond) are
up and reachable. Additionally, the dashboard should indicate that there are no invalid
certificates.

The Certificate Configuration page on the web console should also indicate that the certificate
has been installed on vBond and that vBond has been updated for vSmart and vManage. All
three controllers should have a certificate serial and their vEdge List Status should be in “Sync”.

Using the “show control connections” command while an SSH connection to one of the
controllers has been established can be useful in troubleshooting connection issues between
controllers. The command should return a list of successful connections to the other controllers.
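When several controllers are being brought up, reading the “show control connections” output by eye is error-prone. The Python script below is an added example, not from this guide; it extracts each peer's type, system IP and state from the command output and reports any peer type the local controller should reach that has no connection in state “up”. The column order it assumes (peer type, protocol, system IP, site ID, domain ID, private IP and port, public IP and port, local color, proxy, state, uptime) and the sample text are constructed to resemble the command's output, not copied from a device:

```python
"""Summarise 'show control connections' output (added example, not from the
guide). Extracts each peer's type, system IP and state and reports which
expected peer types have no connection in state 'up'. The column order and
the sample text below are constructed to resemble the real output."""

# Which other controllers each controller should hold a control connection to.
EXPECTED_PEERS = {"vmanage": ("vsmart", "vbond"),
                  "vsmart": ("vmanage", "vbond"),
                  "vbond": ("vmanage", "vsmart")}


def parse_control_connections(text):
    """Return one dict per data row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # data rows start with a peer type and carry 13 whitespace-separated fields
        if len(f) == 13 and f[0] in ("vmanage", "vsmart", "vbond", "vedge"):
            rows.append({"peer": f[0], "system_ip": f[2], "public_ip": f[7],
                         "state": f[11], "uptime": f[12]})
    return rows


def missing_peers(local_role, text):
    """Peer types the local controller should reach that have no 'up' connection."""
    up = {r["peer"] for r in parse_control_connections(text) if r["state"] == "up"}
    return [peer for peer in EXPECTED_PEERS[local_role] if peer not in up]


# Constructed sample as seen from vManage after certificate installation.
SAMPLE_UP = """\
PEER    PEER PEER            SITE  DOMAIN PEER         PEER  PEER         PEER  LOCAL    PROXY STATE UPTIME
TYPE    PROT SYSTEM IP       ID    ID     PRIVATE IP   PORT  PUBLIC IP    PORT  COLOR
vsmart  dtls 1.1.1.2         100   1      128.0.0.6    12346 128.0.0.6    12346 default  No    up    0:01:12:33
vbond   dtls 0.0.0.0         0     0      128.0.0.3    12346 128.0.0.3    12346 default  -     up    0:01:12:40
"""
# The same view while vSmart's certificate is still missing: its row is absent.
SAMPLE_PARTIAL = "\n".join(ln for ln in SAMPLE_UP.splitlines()
                           if not ln.startswith("vsmart"))

if __name__ == "__main__":
    print(missing_peers("vmanage", SAMPLE_UP))       # []
    print(missing_peers("vmanage", SAMPLE_PARTIAL))  # ['vsmart']
```

Feed it the output captured from each controller in turn with that controller's role as `local_role`; an empty list from all three matches the dashboard state described above, and a named peer points at the controller whose certificate or transport configuration to revisit.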
