Cisco SD-WAN Overview

With the acquisition of Viptela by Cisco in 2017 I’ve spent quite a bit of time learning about their platform and the various components that comprise their SD-WAN solution. Below is a brief overview of the solution elements and their roles in creating an SD-WAN network.

vBond – Orchestrates control and management plane. vBond provides the first point of authentication (white-list model), facilitates NAT traversal, and distributes a list of vSmarts & vManage to all vEdge routers.

vSmart – vSmart coordinates fabric discovery, distributes control plane information between vEdges, disseminates data plane and application-aware routing policies to the vEdge routers, and implements control plane policies (including service chaining, multi-topology, and multi-hop). Centralizing these functions dramatically reduces control plane complexity.

vEdge – vEdge is a full-featured WAN router supporting VRRP, OSPF, and BGP. vEdge provides a secure data plane to other vEdge routers and establishes secure control plane connections with the vSmart controller. It implements data plane and application-aware routing policies, exports information and statistics, and supports zero-touch provisioning. vEdge is available in both physical and virtual form factors.

vManage – vManage is the management plane for Cisco SD-WAN and acts as the user interface for initial configuring and ongoing maintenance activities. vManage supports multitenancy, centralized provisioning, policies and templates, troubleshooting, monitoring, and software upgrades. vManage provides a rich set of REST and NETCONF APIs.

Terminology

  • Overlay Management Protocol (OMP) – Control plane protocol distributing reachability, security, and policies throughout the fabric
  • Transport Locator (TLOC) – Transport attachment point and next hop route attribute
  • Color – Control plane tag used for IPSec tunnel establishment logic
  • Site ID – Unique per-site numeric identifier used in policy application
  • System IP – Unique per-device (vEdge and controllers) IPv4 notation identifier. Also used as Router ID for BGP and OSPF
  • Organization Name – Overlay identifier common to all elements of the fabric
  • VPN (VRF) – Device-level and network-level segmentation

This is a very basic introduction to the pieces and parts of the solution. I plan to follow this up with additional content on how these pieces work together to provide a flexible architecture allowing for nearly any network topology to be created.

Cisco ISR 4K Product Numbering

Here’s a secret decoder ring for the part numbers of the 4000 series of the Cisco Integrated Services Routers.

First digit = the family, all are 4

Second digit = the sub-family with 4 (highest performance), 3 (middle performance), and 2 (lowest performance)

The third digit = total number of slots, the sum of NIM and SM

The fourth digit = 1, identifying the first in that series. Allows for incrementing for the subsequent platforms in the series.

Here’s a link to the ISR 4000 model platform comparison 

AnyConnect Copyright Message

I was recently helping a client try to change a very basic setting for their remote access VPN users. This setting is known as the “Copyright Panel” and is displayed just below the username and password fields as shown below. The client wanted to simply remove the “Copyright 2018” text completely.

To my surprise this setting is located under the “Clientless SSL VPN Access” section of the “Remote Access VPN” configuration within ASDM. Clientless SSL VPN normally refers to the browser-based VPN portal and not the AnyConnect client. See below for a screenshot of where this setting can be changed.

To find this within ASDM navigate to:

Configuration -> Clientless SSL VPN Access -> Portal -> Customization -> Select the appropriate customization assigned to your VPN connection on the right pane -> Click Edit -> Under Logon Page go to Copyright Panel -> Enable or disable Display copyright panel, and enter your copyright message in the text box.

MacOS No Longer Allowing You to SSH to Older Devices?

If you are seeing error messages like

Unable to negotiate with "xxx" port "xxx": no matching cipher found. Their offer: aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes192-cbc, aes256-cbc, rijndael-cbc @ server

You can either upgrade the SSH server to support newer, more secure algorithms, or you can enable these older ciphers on your Mac by performing the following:

sudo nano /etc/ssh/ssh_config

Find the section beginning with the following line and remove the leading # to uncomment these disabled ciphers:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc

Another option is to edit the per user ssh configuration file like this

nano ~/.ssh/config

Host *
SendEnv LANG LC_*
Ciphers +aes256-cbc
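As an added example (not from the original post), the script below turns the “no matching cipher found” error above into a Host stanza scoped to that one server, choosing the least weak cipher the server offers, rather than loosening Host * for every connection. The error line, the preference order and the host address are constructed for the example.

```shell
#!/bin/sh
# Added example: derive a per-host ~/.ssh/config override from the
# OpenSSH "no matching cipher found" error, instead of enabling a
# legacy cipher for every host via "Host *".

# Constructed sample error line (address and offer are made up).
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc'

# Assumed preference order: AES-CBC before 3DES; arcfour/blowfish/cast never.
PREFERRED='aes256-cbc aes192-cbc aes128-cbc 3des-cbc'

# offered_ciphers "<error line>" -> comma-separated list the server offered
offered_ciphers() {
  printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr -d ' '
}

# pick_cipher "<error line>" -> first preferred cipher found in the offer
pick_cipher() {
  offer=$(offered_ciphers "$1")
  for c in $PREFERRED; do
    case ",$offer," in *",$c,"*) printf '%s\n' "$c"; return 0 ;; esac
  done
  return 1   # nothing acceptable offered; do not generate a stanza
}

# host_stanza "<error line>" -> ~/.ssh/config stanza limited to that host
host_stanza() {
  pat='^Unable to negotiate with \([^ ]*\) port \([0-9]*\):.*'
  host=$(printf '%s\n' "$1" | sed -n "s/$pat/\\1/p")
  port=$(printf '%s\n' "$1" | sed -n "s/$pat/\\2/p")
  cipher=$(pick_cipher "$1") || return 1
  printf 'Host %s\n    Port %s\n    Ciphers +%s\n' "$host" "$port" "$cipher"
}

# Usage: paste the real error line in place of SAMPLE_ERR and append
# the output to ~/.ssh/config.
host_stanza "$SAMPLE_ERR"
```

Keeping the override in a single Host entry means the CBC cipher is only negotiated with the device that needs it.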

Built.io Flow Brings Automation and Integration to Everyone

One of the many hats I wear as a sales engineer is to work on proof of concept and conceptual efforts. These activities are usually leveraged to help answer the question “can we do that?” or “will this work with OUR business process?”.

Recently a lot of my efforts have been focused on integrating collaboration tools with business processes. One simple example of this is someone running a trade show booth and looking to connect with potential clients. Exchanging business cards is so 1995, and there are way better ways to do this. One quick way I created was to have the potential client simply text their email address to a defined SMS number (short code if you want), which then kicks off a process to add them to a Cisco Spark space and update the CRM system with a new contact. This provides an immediate way to have rich interaction with your potential client, as Cisco Spark supports not only text and file sharing but also full audio and video calling and meeting functionality. And to top it off, Cisco Spark is free (with some scale limitations).

Enough about why Cisco Spark is wonderful and can solve all of the problems you are facing, and onwards to how I achieved building this simple integration in less than a work day. I cheated, or at least it feels like I cheated. I have been using a platform named Built.io Flow which provides an easy to use, but very powerful, integration-as-a-service offering that is completely hosted. It features many pre-built integrations into common enterprise applications (Cisco Spark, Dropbox, Twilio, Tropo, MongoDB, Google Apps, Office 365, ServiceNow, PagerDuty, etc.). If their pre-built integrations aren’t adequate you can write some node.js code and run it on their cloud platform as well. And for those of you saying “my data lives in my data center and I’m not ready to send everything to the cloud”, you can leverage their Enterprise Gateway which provides a secure bridge between the cloud and your on-premises environment, giving you the best of both worlds. Oh, and before I forget, their technical support is phenomenal (shout out to Pramod Mishra)!

Here’s a screenshot of the application I described above, where a simple text message containing an email address joins the user to a Cisco Spark space and also logs their information to a Google Sheet (that’s my attempt at a simple CRM system).

(Screenshot: Built.io SMS Bot)

And don’t think Built.io is only designed for small scale testing or proof of concept activities. Many large organizations are using this very platform for production level workloads.


Video Endpoints and Cisco Spark

I’ve recently spent more time testing video endpoints with Cisco Spark (SX10, SX20, Spark Board, Spark Room Kit, DX80, etc.) with my customers and have run into several things that I think many others probably encounter as well.

  1. Check the supported Spark endpoints – https://help.webex.com/docs/DOC-4205
  2. Is your endpoint running the right software version to avoid certificate validation errors when attempting to register for the first time? (To activate your room device on Cisco Spark, the device must run software version CE8.2.0 or later.) https://help.webex.com/docs/DOC-7709
    1. To upgrade the codec it’s a simple process of downloading CE software 8.2 or higher and then logging in to the web interface of the codec to complete the manual upgrade.
  3. If you plan to use a Touch 10 with any endpoint you must pair it to the codec BEFORE you register it to Spark – https://help.webex.com/docs/DOC-11657

Before I upgraded my SX20 to CE 8.2 I was seeing errors in the logs similar to

2017-12-09T09:51:08.966-06:00 a8 appl[1796]: 762.54 Wx2Http W: HTTP(2) Error: NetworkError (Peer certificate cannot be authenticated with given CA certificates)

The basic issue is that in releases of CE software prior to 8.2 the necessary CA certificates were not installed so the certificates presented by the Cisco Spark registration system weren’t able to be validated.

Enabling SNMP on VMware ESXi

I always struggle to remember the steps to enable SNMP on ESXi hosts so this post can not help me, but might be useful to others.

How to enable SNMP on ESXi 5.5

  1. Ensure that SSH is enabled on your host(s)
  2. SSH to your host using the root credentials
  3. Once connected, run the following commands, which will set the community string (as specified by COMMUNITY-STRING), enable SNMP, update the host firewall rules, and finally restart the SNMP service

esxcli system snmp set --communities COMMUNITY-STRING
esxcli system snmp set --enable true
esxcli network firewall ruleset set --ruleset-id snmp --allowed-all true
esxcli network firewall ruleset set --ruleset-id snmp --enabled true
/etc/init.d/snmpd restart

How to enable SNMP on ESXi 6.0

  1. Ensure that SSH is enabled on your host(s)
  2. SSH to your host using the root credentials
  3. Once connected, run the following commands, which will first reset the SNMP configuration, set the community string (as specified by COMMUNITY-STRING), set the SNMP port number, set the SNMP location information, set the SNMP contact information, and finally enable SNMP

esxcli system snmp set -r
esxcli system snmp set -c COMMUNITY-STRING
esxcli system snmp set -p 161
esxcli system snmp set -L "Location (City, State, Country)"
esxcli system snmp set -C email@domain.com
esxcli system snmp set -e yes
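As an added example (not from the original post), the script below wraps the ESXi 6.0 sequence above so that a default or very short community string is refused, and the snmp firewall ruleset is restricted to the monitoring station’s address instead of being opened to everyone. The community string, NMS address, location and contact are constructed inputs; the minimum length is an assumed policy value.

```shell
#!/bin/sh
# Added example: generate the ESXi 6.0 SNMP command sequence from the
# post with two checks a practitioner would want. Run the printed
# commands on the host (e.g. snmp_commands ... | sh) over SSH as root.

# weak_community "<string>" -> succeeds (0) when the string is a
# well-known default or shorter than the assumed 8-character minimum.
weak_community() {
  case "$1" in
    ""|public|private|Public|Private) return 0 ;;
  esac
  [ "${#1}" -lt 8 ] && return 0
  return 1
}

# snmp_commands "<community>" "<nms-ip-or-prefix>" "<location>" "<contact>"
#   -> prints the esxcli commands, or fails on a weak community string.
# The firewall lines replace --allowed-all true with an allowed-IP entry
# so that only the NMS can reach UDP/161 on the host.
snmp_commands() {
  if weak_community "$1"; then
    echo "refusing weak community string" >&2
    return 1
  fi
  cat <<EOF
esxcli system snmp set -r
esxcli system snmp set -c $1
esxcli system snmp set -p 161
esxcli system snmp set -L "$3"
esxcli system snmp set -C $4
esxcli system snmp set -e yes
esxcli network firewall ruleset set --ruleset-id snmp --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id snmp --ip-address $2
esxcli network firewall ruleset set --ruleset-id snmp --enabled true
EOF
}

# Constructed sample values; replace with your own before running on a host.
snmp_commands 'Xr7-monitor-only' '10.0.0.5/32' 'Austin, TX, USA' 'noc@example.com'
```

A community string is sent in clear text with SNMP v1/v2c, so limiting which source address may query the host matters as much as choosing the string.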

Cisco CWS and OpenDNS Data Center Locations

Cisco Cloud Web Security (CWS) and OpenDNS both provide cloud based security services. CWS offers an HTTP/HTTPS proxy and OpenDNS provides security and visibility at the DNS resolution layer. I’ve been asked many times where both CWS and OpenDNS host their services as this can make a big impact in end user experience if the hosting location is far away from the user and could lead to high latency and a lousy experience.

CWS Proxy Location and Status Page: http://servicestatus.sco.cisco.com/status

OpenDNS Location and Status Page: https://www.opendns.com/data-center-locations/