A Hands-On Guide to Deploying SD-WAN Controllers and Edge Devices
Welcome to SD-WAN in CML
This comprehensive lab guide walks you through building a Cisco SD-WAN environment using Cisco Modeling Labs (CML). You'll deploy controllers, onboard edge devices, and verify complete fabric operation.
What You'll Learn
Deploy and configure vManage (SD-WAN management controller)
Set up vBond (orchestrator) and vSmart (controller) components
Configure certificate-based authentication in SD-WAN fabric
Onboard edge routers (cEdge) to the SD-WAN overlay
Establish secure control plane and data plane connections
Verify SD-WAN tunnel formation and BFD sessions
Troubleshoot common SD-WAN deployment issues
Key Learning Point
SD-WAN deployment follows a specific sequence: vManage first (management), then vBond (orchestration), then vSmart (policy control), and finally edge devices. This order ensures proper certificate distribution and control plane establishment.
Important: The transport network must provide IP reachability between all SD-WAN components. In CML, use either an external connector to your lab network or a simulated Internet cloud.
Prerequisites & Requirements
CML Platform Requirements
1. CML Version
Version: 2.4.1 or higher
RAM: ~14GB total
Storage: 80GB for node images
CPU: 8+ cores recommended
Required SD-WAN Images
| Component | Image File | Version |
| --- | --- | --- |
| vManage | viptela-vmanage-*.qcow2 | 20.9.x or higher |
| vBond | viptela-edge-*.qcow2 | 20.9.x |
| vSmart | viptela-smart-*.qcow2 | 20.9.x |
| cEdge | c8000v-universalk9.*.qcow2 | 17.9.x or higher |
Version Compatibility: Ensure all SD-WAN components run compatible versions. Controllers should all be on the same version, with edge devices at the same or a lower version.
Planning Information
2. Organization Name
Choose: wholestack-sdwan
This name must match exactly on all components for certificate validation.
Key Learning Point
SD-WAN initialization takes 15-30 minutes per device. vManage alone can take 20+ minutes on first boot. Plan your lab time accordingly.
Initial Deployment
1. Create CML Topology
Build the topology with these nodes:
vManage (RAM: 4096MB, CPU: 2)
vBond (RAM: 2048MB, CPU: 1)
vSmart (RAM: 2048MB, CPU: 1)
Two cEdge routers (2048MB each)
Two unmanaged switches
External connector for transport
Boot Order: Start devices in sequence: vManage → wait 20 min → vBond → wait 10 min → vSmart → wait 10 min → cEdge devices.
2. Boot vManage First
# Console into vManage via CML
# Wait for login prompt (15-20 minutes)
Username: admin
Password: admin
# Set new password: WholeStack123!
# Configure vManage
config
system
organization-name wholestack-sdwan
vbond 192.168.1.11
system-ip 192.168.1.10
site-id 1000
commit and-quit
# Configure management interface
config
vpn 512
interface eth0
ip address 192.168.1.10/24
no shutdown
commit and-quit
# Add default route
config
vpn 512
ip route 0.0.0.0/0 192.168.1.1
commit and-quit
3. Access vManage GUI
Open browser: https://192.168.1.10
Login: admin / WholeStack123!
4. Deploy vBond
# Console into vBond
# Default: admin / admin
# Set password: WholeStack123!
config
system
organization-name wholestack-sdwan
vbond 192.168.1.11 local
system-ip 192.168.1.11
site-id 1000
commit and-quit
# Configure VPN 0 (transport)
config
vpn 0
interface eth0
ip address 192.168.1.11/24
tunnel-interface
no shutdown
commit and-quit
5. Deploy vSmart
# Console into vSmart
# Default: admin / admin
# Set password: WholeStack123!
config
system
organization-name wholestack-sdwan
vbond 192.168.1.11
system-ip 192.168.1.12
site-id 1000
commit and-quit
# Configure VPN 0
config
vpn 0
interface eth0
ip address 192.168.1.12/24
tunnel-interface
no shutdown
commit and-quit
Deployment Checkpoint: Controllers are now running and ready for certificate configuration.
Controller and Edge Configuration
1. Add Controllers in vManage GUI
Navigate to Configuration → Devices
Click Controllers → Add Controller
Add vBond (192.168.1.11) and vSmart (192.168.1.12)
Use credentials: admin / WholeStack123!
2. Generate Certificates
Go to Configuration → Certificates
Click Generate CSR for vManage
Generate and install certificates for vBond and vSmart
Wait for "Certificate Installed" status
Verify Control Plane
# On vManage
show control connections
# Expected: Connections to vBond and vSmart "up"
# On vSmart
show control connections
# Expected: Connection to vBond "up"
3. Bootstrap cEdge-1
# Boot cEdge-1, console in
enable
configure terminal
hostname cEdge-1
# Configure WAN interface
sdwan
interface GigabitEthernet1
tunnel-interface
encapsulation ipsec
color biz-internet
allow-service all
exit
interface GigabitEthernet1
ip address 10.1.1.1 255.255.255.0
no shutdown
# Configure LAN
interface GigabitEthernet2
vrf forwarding 1
ip address 172.16.1.1 255.255.255.0
no shutdown
# System parameters
sdwan
system-ip 10.1.1.1
site-id 100
organization-name wholestack-sdwan
vbond 192.168.1.11
exit
write memory
4. Generate Bootstrap in vManage
Go to Configuration → Devices → WAN Edge List
Click Add WAN Edge Device
Enter chassis/serial from: show license udi
Generate bootstrap configuration
Copy OTP and UUID to cEdge-1
# On cEdge-1, apply bootstrap
configure terminal
sdwan
otp [paste-otp-here]
uuid [paste-uuid-here]
exit
end
write memory
# Wait 5-10 minutes for onboarding
Key Learning Point
The OTP is valid for 48 hours and used only during initial certificate exchange. After successful authentication, the device receives a signed certificate from vManage.
Configuration Complete!
Repeat steps 3-4 for cEdge-2 with appropriate IPs (10.2.2.1, Site 200).
Troubleshooting Common Issues
1. vBond Not Reachable
Symptoms: Edge devices cannot connect to vBond
# Verify vBond address
show sdwan system status | include vbond
# Test connectivity
ping vrf 0 192.168.1.11
# Check routing
show ip route vrf 0
# Reconfigure if needed
config-transaction
system
vbond 192.168.1.11
commit
2. Certificate Installation Failed
Symptoms: Device stuck in "Invalid" state
# Verify organization name
show sdwan system status | include organization
# Check certificate status
show sdwan certificate installed
show sdwan certificate status
# Regenerate if needed - delete device in vManage
# Re-add with new OTP/UUID
Organization Mismatch: The most common cause of failures is an organization name mismatch. Verify an exact match on all devices with show sdwan system status.
3. BFD Sessions Not Forming
# Check BFD status
show sdwan bfd sessions
# Verify IPsec tunnels
show sdwan ipsec outbound-connections
show sdwan ipsec inbound-connections
# Reset BFD if needed
request platform software sdwan bfd sessions reset
| Issue | Command | What to Check |
| --- | --- | --- |
| Overall Status | show sdwan system status | System IP, site ID, organization |
| Control Plane | show sdwan control connections | vSmart/vBond connection state |
| Data Plane | show sdwan bfd sessions | BFD sessions to peers |
| Certificates | show sdwan certificate installed | Certificate validity |
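The organization-name mismatch called out above can be caught before any certificates are generated. The following is an added example, not part of the original lab guide: it checks the system settings used in this lab for an exact (case-sensitive) organization-name match, a consistent vBond address and unique system IPs. The CONFIGS sample, including the deliberate typo on cEdge-2, and the function names are constructed for illustration.

```python
import re

# Constructed sample input: the system settings typed in this lab, one blob per
# device. cEdge-2 has a deliberate capitalisation slip in organization-name.
CONFIGS = {
    "vManage": "organization-name wholestack-sdwan\nvbond 192.168.1.11\nsystem-ip 192.168.1.10\nsite-id 1000",
    "vBond":   "organization-name wholestack-sdwan\nvbond 192.168.1.11 local\nsystem-ip 192.168.1.11\nsite-id 1000",
    "vSmart":  "organization-name wholestack-sdwan\nvbond 192.168.1.11\nsystem-ip 192.168.1.12\nsite-id 1000",
    "cEdge-1": "system-ip 10.1.1.1\nsite-id 100\norganization-name wholestack-sdwan\nvbond 192.168.1.11",
    "cEdge-2": "system-ip 10.2.2.1\nsite-id 200\norganization-name WholeStack-sdwan\nvbond 192.168.1.11",
}
KEYS = ("organization-name", "vbond", "system-ip", "site-id")
LINE_RE = re.compile(rf"\s*({'|'.join(KEYS)})\s+(.+?)\s*$")

def parse_system(text):
    """Return {key: value} for the system settings found in one device config."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "vbond":  # drop the 'local' keyword used on vBond itself
                value = value.split()[0]
            found[key] = value.strip('"')
    return found

def audit(configs, expected_org):
    """Return a sorted list of (device, problem) tuples; empty means consistent."""
    parsed = {dev: parse_system(txt) for dev, txt in configs.items()}
    problems, seen_ip = [], {}
    for dev, p in parsed.items():
        problems += [(dev, f"missing {k}") for k in KEYS if k not in p]
        org = p.get("organization-name")
        if org is not None and org != expected_org:  # exact, case-sensitive
            problems.append((dev, f"organization-name {org!r} != {expected_org!r}"))
        ip = p.get("system-ip")
        if ip in seen_ip:
            problems.append((dev, f"system-ip {ip} already used by {seen_ip[ip]}"))
        elif ip:
            seen_ip[ip] = dev
    vbonds = {p.get("vbond") for p in parsed.values()}
    if len(vbonds) > 1:
        problems.append(("*", f"devices disagree on vbond: {sorted(map(str, vbonds))}"))
    return sorted(problems)

if __name__ == "__main__":
    for dev, problem in audit(CONFIGS, "wholestack-sdwan"):
        print(f"{dev}: {problem}")
```
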
Verification & Testing
1. Verify Control Connections
# On edge devices
show sdwan control connections
# Expected: vSmart and vBond connections "up"
show sdwan control local-properties
# Verify system IP and site ID correct
2. Verify BFD Sessions
# Check BFD between sites
show sdwan bfd sessions
# From cEdge-1: expect session to 10.2.2.1 (cEdge-2) "up"
# From cEdge-2: expect session to 10.1.1.1 (cEdge-1) "up"
show sdwan bfd summary
3. Verify IPsec Tunnels
# Check IPsec status
show sdwan ipsec outbound-connections
show sdwan ipsec inbound-connections
# Verify tunnel statistics
show sdwan tunnel statistics
4. Test End-to-End Connectivity
# From cEdge-1, ping cEdge-2 LAN
ping vrf 1 172.16.2.1
# Should succeed with consistent latency
# Check routing table
show ip route vrf 1
# Should see 172.16.2.0/24 via OMP
Success Criteria:
All control connections "up"
BFD sessions established between sites
IPsec tunnels formed
Ping between sites successful
No packet loss observed
vManage Dashboard Verification
Login: https://192.168.1.10
Navigate to Monitor → Network
Verify all devices show green status
Check control connections and BFD sessions in device details
View topology map showing all sites connected
Deployment Complete!
Your SD-WAN fabric is now operational. You can now add more sites, configure policies, or implement application-aware routing.