This section begins our discussion of Cisco SD-WAN design and deployment topics.
A sequence of steps needs to be performed to have a fully functional Cisco SD-WAN overlay fabric. Figure 1 illustrates a deployment workflow we will use as an example to explain all required steps.
- Deployment Planning - The first step in every Cisco SD-WAN deployment is the planning phase; the better the planning, the easier the deployment. For large-scale deployments it is crucial to define good site-ID, system-IP, and hostname conventions up front, because device templates and centralised policies reference these values and changing them later is disruptive. For a brownfield deployment, it is critical to put together a detailed migration plan that covers WAN edge placement, any firewall ports that must be opened between the WAN edges and the controllers, and target software versions.
- Deploying SD-WAN Controllers - The second step is to deploy the Cisco SD-WAN controllers. vBond, vSmart, and vManage must hold valid certificates issued by a CA they all trust and must be able to authenticate each other successfully before anything else will work. In a Cisco cloud-hosted (CloudOps) deployment, Cisco already takes care of this step.
- Configuring, updating, and tuning controllers - In Cisco SD-WAN, the controllers are the heart and brain of the solution. Therefore, before starting the WAN edge deployments, verify that all controllers are fully operational, run the currently recommended software versions, and follow all configuration best practices.
- Uploading the authorized WAN edge list - Once the controllers are up and running, the network administrator must upload the authorized WAN edge list, which contains the chassis and serial numbers of every router that is allowed to join the SD-WAN overlay; a router that is not on this list is rejected when it tries to authenticate. The file can be uploaded manually, or vManage can be synced with the organization's Cisco Smart Account.
- Configuring feature and device templates - Once the authorized WAN edge list is present on vManage, each router must be attached to a device template, with values supplied for the template variables (IP addresses, port numbers, and so on). When the router joins the overlay fabric, vManage pushes the full configuration to the device. Generally, WAN edges are deployed in the following order:
- Data centers and regional hubs first.
- Branches and SOHO sites second.
- IoT devices last.
- Configuring Centralised Policies - At this point, the organization's topology, traffic-engineering, and service requirements are enforced via centralised control policies. The policies are configured on vManage, which pushes them to the vSmart controllers in the domain; control policies are applied on vSmart itself, which enforces them through the OMP routes and TLOCs it advertises to the WAN edges.
- Bringing up WAN edge routers - If all prior steps have been completed, devices should be able to authenticate and join the SD-WAN overlay, either through the Cisco PnP/ZTP (Plug and Play / Zero-Touch Provisioning) process or via a bootstrap configuration. During onboarding, depending on the attached device template, vManage may also upgrade the device software.
- Configuring Localized Policies - Any localized policies that are specific to individual WAN edge routers are configured and attached last.
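The planning conventions, the authorized WAN edge list check, the per-device template variables and the deployment order described above can all be captured in a small planning script before anything is typed into vManage. The following is an added example, not code from the page or from Cisco; the site-ID, system-IP and hostname conventions, the chassis numbers and the CSV column names are all assumptions made for illustration (take the real variable header from the CSV your own vManage exports for the template).

```python
"""Deployment planner for a Cisco SD-WAN rollout (added example, not Cisco code).

Assumed conventions (illustrative only):
  site-id   = region base + 2-digit site sequence   (AMS site 1 -> 1001)
  hostname  = <REGION>-<ROLE>-<NN>-R<unit>            (AMS-DC-01-R1)
  system-ip = 10.255.<site_id // 100>.<(site_id % 100) * 2 + unit - 1>
              (unique per device, derivable from site-id; never routed in the underlay)
"""
import csv
import io
import re
from dataclasses import dataclass

REGION_BASE = {"AMS": 1000, "LON": 2000, "NYC": 3000}        # assumed allocation
ROLE_PRIORITY = {"DC": 0, "HUB": 0, "BR": 1, "SOHO": 1, "IOT": 2}  # waves from the text
HOSTNAME_RE = re.compile(r"^[A-Z]{3}-(DC|HUB|BR|SOHO|IOT)-\d{2}-R[12]$")


@dataclass(frozen=True)
class Device:
    region: str
    role: str
    site_seq: int   # 1..99 within the region
    unit: int       # 1 or 2 (dual WAN edges share a site-id)
    chassis: str    # chassis number as it appears in the authorized WAN edge list

    @property
    def site_id(self) -> int:
        return REGION_BASE[self.region] + self.site_seq

    @property
    def hostname(self) -> str:
        return f"{self.region}-{self.role}-{self.site_seq:02d}-R{self.unit}"

    @property
    def system_ip(self) -> str:
        return f"10.255.{self.site_id // 100}.{(self.site_id % 100) * 2 + self.unit - 1}"


def validate_plan(devices, authorized_chassis):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems, seen = [], {}
    for d in devices:
        if not 1 <= d.site_seq <= 99:
            problems.append(f"{d.hostname}: site sequence {d.site_seq} outside 1..99")
        if d.unit not in (1, 2):
            problems.append(f"{d.hostname}: unit {d.unit} must be 1 or 2")
        if not HOSTNAME_RE.match(d.hostname):
            problems.append(f"{d.hostname}: hostname violates convention")
        if d.chassis not in authorized_chassis:
            # a router missing from the authorized list is rejected at authentication
            problems.append(f"{d.hostname}: chassis {d.chassis} is not in the authorized WAN edge list")
        # site-id may legitimately repeat (dual routers); these three must not
        for key in ("hostname", "system_ip", "chassis"):
            value = getattr(d, key)
            if (key, value) in seen:
                problems.append(f"{d.hostname}: duplicate {key} {value} (also {seen[(key, value)]})")
            seen[(key, value)] = d.hostname
    return problems


def deployment_waves(devices):
    """Order devices as the text recommends: DCs/hubs, then branches/SOHO, then IoT."""
    return sorted(devices, key=lambda d: (ROLE_PRIORITY[d.role], d.site_id, d.unit))


def template_variables_csv(devices):
    """Per-device template variables in CSV form. Column names are assumed placeholders."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["csv-deviceId", "csv-host-name", "//system/system-ip", "//system/site-id"])
    for d in devices:
        w.writerow([d.chassis, d.hostname, d.system_ip, d.site_id])
    return out.getvalue()


if __name__ == "__main__":
    # Constructed sample data; chassis numbers are placeholders, not real serials.
    plan = [
        Device("AMS", "DC", 1, 1, "CHASSIS-A1"), Device("AMS", "DC", 1, 2, "CHASSIS-A2"),
        Device("AMS", "HUB", 2, 1, "CHASSIS-A3"), Device("LON", "BR", 5, 1, "CHASSIS-L1"),
        Device("NYC", "IOT", 3, 1, "CHASSIS-N1"),
    ]
    authorized = {"CHASSIS-A1", "CHASSIS-A2", "CHASSIS-A3", "CHASSIS-L1", "CHASSIS-N1"}
    for problem in validate_plan(plan, authorized):
        print("PLAN ERROR:", problem)
    print(template_variables_csv(deployment_waves(plan)))
```

Running `validate_plan` against the chassis set taken from the authorized WAN edge list catches the two mistakes that most often stall an onboarding: a router that was never added to the list, and two devices accidentally planned with the same system IP or hostname. The CSV is emitted in deployment-wave order so the rows for data centers and hubs come first.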
Note that the deployment steps need not occur in exactly this order. The process is fairly flexible, with the following exceptions:
- Deployment planning always comes first and is the most important step of all.
- Cisco SD-WAN controllers must be deployed before WAN edge routers. When upgrading, upgrade vManage first, then vBond, then vSmart, and the WAN edge routers last.
- The authorized WAN edge list must be uploaded to vManage before any WAN edge router can successfully join the SD-WAN overlay.
- Device templates must be attached to WAN edge routers on vManage before those routers can be onboarded successfully through the PnP/ZTP process.