menu

Building an SD-WAN Headend

Brandon Carroll
SHARE ON:

When working with SteelConnect EX an important concept to understand is that of a SD-WAN headend. You simply cannot operate a SteelConnect EX SD-WAN network without the headend. We covered the high-level overview of the headend in our Lightboard video and you can view it on the Riverbed YouTube Channel. However, for the sake of being thorough, let’s review what a SD-WAN headend is and the components involved.

Components of a Headend

There are three main components of a headend. These include:

  • SteelConnect Analytics
  • SteelConnect Director
  • Controller

These three entities are responsible for the management and control plane of the SteelConnect EX solution.

SteelConnect EX Director (Director)

SteelConnect Director is the Management interface that you work in. As you configure templates and settings here the Direction uses Netconf over SSH to provision the SteelConnect EX devices via the Controller.

SteelConnect EX Controller (Controller)

The controller establishes secure management tunnels to each SteelConnect EX. The Controller acts as a BGP route-reflector, reflecting overlay prefixes to each site to establish reachability between sites using the SD-WAN overlay.

SteelConnect EX Analytics (Analytics)

SteelConnect Analytics receives all telemetry information from the SteelConnect EX sites and provides you with that data by means of dashboards and log files.

Installing the SD-WAN Headend

There are several steps that must be followed to install a headend. One item to note is that the headend may live in the data center, but it is not part of the data plane. To establish connectivity from the SD-WAN overlay to the data center, a SteelConnect EX FlexVNF must be installed in the data center. Let’s walk through the configuration of the headend.

Step 1: Add headend components to topology

For the purpose of this article, I’m going to make the assumption that the network infrastructure is already configured to support the addition of our three new devices: Director, Controller, and Analytics. We will add them according to the following diagram.

Riverbed SD-WAN Headend

Riverbed SD-WAN Headend

To elaborate a bit further on the diagram, all devices define ethernet0 as the management interface and thus the Director, Controller, and Analytics are connected to the management network on ethernet. From the point of view of the SteelConnect Director, the GUI management performed by an admin is done via the Northbound interface. This is also where API calls happen. We use the Director southbound interface, in this case, ethernet1, as the control network.

Step 2: Perform the initial setup of the SteelConnect Director

The implement the Director, we must begin by following these steps:

  1. Open up the Director CLI
  2. Log in to the Director using the default credentials
  3. Perform the initial setup script.

Below is a CLI output of the Director. As you’ll note, upon initial login with the Administrator account we are automatically prompted to enter the setup. Answering yes to this prompt begins the setup script.

Ubuntu 14.04.6 LTS Director-1 ttyS0

Director-1 login: Administrator
Password: 
===============================================================================
WARNING!
This is a Proprietary System
You have accessed a Proprietary System

If you are not authorized to use this computer system, you MUST log off now.
Unauthorized use of this computer system, including unauthorized attempts or
acts to deny service on, upload information to, download information from,
change information on, or access a non-public site from, this computer system,
are strictly prohibited and may be punishable under federal and state criminal
and civil laws. All data contained on this computer systems may be monitored,
intercepted, recorded, read, copied, or captured in any manner by authorized
System personnel. System personnel may use or transfer this data as required or
permitted under applicable law. Without limiting the previous sentence, system
personnel may give to law enforcement officials any potential evidence of crime
found on this computer system. Use of this system by any user, authorized or
unauthorized, constitutes EXPRESS CONSENT to this monitoring, interception,
recording, reading, copying, or capturing, and use and transfer. Please verify
if this is the current version of the banner when deploying to the system.
===============================================================================

  ____  _                _              _                                
 |  _ \(_)_   _____ _ __| |__   ___  __| |                               
 | |_) | \ \ / / _ \ '__| '_ \ / _ \/ _` |                               
 |  _ <| |\ V /  __/ |  | |_) |  __/ (_| |                               
 |_| \_\_| \_/ \___|_|  |_.__/ \___|\__,_|                               
  ____  _            _  ____                            _     _______  __
 / ___|| |_ ___  ___| |/ ___|___  _ __  _ __   ___  ___| |_  | ____\ \/ /
 \___ \| __/ _ \/ _ \ | |   / _ \| '_ \| '_ \ / _ \/ __| __| |  _|  \  / 
  ___) | ||  __/  __/ | |__| (_) | | | | | | |  __/ (__| |_  | |___ /  \ 
 |____/ \__\___|\___|_|\____\___/|_| |_|_| |_|\___|\___|\__| |_____/_/\_\
 Release     : 16.1R2
Release date: 20191101
Package ID  : 117dde1
------------------------------------
VERSA DIRECTOR SETUP
-bash: /var/log/vnms/setup.log: Permission denied
------------------------------------
Do you want to enter setup? (y/n)? y
[sudo] password for Administrator: 
------------------------------------
Running /opt/versa/vnms/scripts/vnms-startup.sh ...
------------------------------------
Do you want to setup hostname for system? (y/n)? y
Enter hostname: Director-1
Added new hostname entry to /etc/hosts
Added new hostname entry to /etc/hostname
Restarting network service ...
Do you want to setup network interface configuration? (y/n)? y
------------------------------------
Setup Network Interfaces
------------------------------------
Enter interface name [eg. eth0]: eth0
Existing IP for eth0 is 192.168.122.174
Configuration present for eth0, do you want to re-configure? (y/n)? 192.168.122.174
Answer not understood
Configuration present for eth0, do you want to re-configure? (y/n)? y
Re-configuring interface eth0
Enter IP Address: 192.168.122.174
Enter Netmask Address: 255.255.255.0
Configure Gateway Address? (y/n)? y
Enter Gateway Address: 192.168.122.1
------------------------------------
Adding default route - route add default gw 192.168.122.1
Added interface eth0
Configure another interface? (y/n)? y
Enter interface name [eg. eth0]: eth1
Existing IP for eth1 is 10.100.3.10
Configuration present for eth1, do you want to re-configure? (y/n)? y
Re-configuring interface eth1
Enter IP Address: 10.100.3.10
Enter Netmask Address: 255.255.255.0
------------------------------------
Added interface eth1
Configure another interface? (y/n)? n
Configure North-Bound interface (If not configured, default 0.0.0.0 will be accepted) (y/n)? y
------------------------------------
Select North-Bound Interface 
------------------------------------
Enter interface name [eg. eth0]: eth0
------------------------------------
Select South-Bound Interface(s) 
------------------------------------
Enter interface name [eg. eth0]: eth1
Configure another South-Bound interface? (y/n)? n
Restarting network service ...
Enable secure mode for Director HA ports? (y/n)? n
 => Clearing VNMSHA iptables rules
 => Persist iptable rules and reload..
 => Done.
Secure Director HA communication? (y/n)? n
 => Clearing strongSwan ipsec configuration..
 => Restarting ipsec service..
 => Done.
Prompt to set new password at first time UI login? (y/n)? n
Restarting versa director services, please standby ...
------------------------------------
Stopping VNMS service
------------------------------------
Stopping VNMS:TOMCAT.............[Stopped]
Stopping VNMS:KARAF..............[Stopped]
Stopping VNMS:REDIS..............[Stopped]
Stopping VNMS:POSTGRE............[Stopped]
Stopping VNMS:SPRING-BOOT........[Stopped]
Stopping VNMS:SPACKMGR...........[Stopped]
Stopping VNMS:NCS................[Stopped]
 * Stopping daemon monitor monit
   ...done.
  ____  _                _              _                                
 |  _ \(_)_   _____ _ __| |__   ___  __| |                               
 | |_) | \ \ / / _ \ '__| '_ \ / _ \/ _` |                               
 |  _ <| |\ V /  __/ |  | |_) |  __/ (_| |                               
 |_| \_\_| \_/ \___|_|  |_.__/ \___|\__,_|                               
  ____  _            _  ____                            _     _______  __
 / ___|| |_ ___  ___| |/ ___|___  _ __  _ __   ___  ___| |_  | ____\ \/ /
 \___ \| __/ _ \/ _ \ | |   / _ \| '_ \| '_ \ / _ \/ __| __| |  _|  \  / 
  ___) | ||  __/  __/ | |__| (_) | | | | | | |  __/ (__| |_  | |___ /  \ 
 |____/ \__\___|\___|_|\____\___/|_| |_|_| |_|\___|\___|\__| |_____/_/\_\
 Starting VNMS service
------------------------------------
Starting VNMS:NCS................[Started]
Starting VNMS:POSTGRE............[Started]
Starting VNMS:SPRING-BOOT........[Started]
Starting VNMS:REDIS..............[Started]
Starting VNMS:KARAF..............[Started]
Starting VNMS:TOMCAT.............[Started]
------------------------------------
Completed Setup
------------------------------------
Press ENTER to continue
------------------------------------
To run setup manually: /opt/versa/vnms/scripts/vnms-startup.sh
------------------------------------

Once you’ve finished the script you’ll need to reboot the server.  I’ll do that in the following output.

Ubuntu 14.04.6 LTS Director-1 ttyS0

Director-1 login: Administrator
Password: 
Last login: Mon Mar 16 22:23:09 UTC 2020 on ttyS0
===============================================================================
WARNING!
This is a Proprietary System
You have accessed a Proprietary System

If you are not authorized to use this computer system, you MUST log off now.
Unauthorized use of this computer system, including unauthorized attempts or
acts to deny service on, upload information to, download information from,
change information on, or access a non-public site from, this computer system,
are strictly prohibited and may be punishable under federal and state criminal
and civil laws. All data contained on this computer systems may be monitored,
intercepted, recorded, read, copied, or captured in any manner by authorized
System personnel. System personnel may use or transfer this data as required or
permitted under applicable law. Without limiting the previous sentence, system
personnel may give to law enforcement officials any potential evidence of crime
found on this computer system. Use of this system by any user, authorized or
unauthorized, constitutes EXPRESS CONSENT to this monitoring, interception,
recording, reading, copying, or capturing, and use and transfer. Please verify
if this is the current version of the banner when deploying to the system.
===============================================================================

  ____  _                _              _                                
 |  _ \(_)_   _____ _ __| |__   ___  __| |                               
 | |_) | \ \ / / _ \ '__| '_ \ / _ \/ _` |                               
 |  _ <| |\ V /  __/ |  | |_) |  __/ (_| |                               
 |_| \_\_| \_/ \___|_|  |_.__/ \___|\__,_|                               
  ____  _            _  ____                            _     _______  __
 / ___|| |_ ___  ___| |/ ___|___  _ __  _ __   ___  ___| |_  | ____\ \/ /
 \___ \| __/ _ \/ _ \ | |   / _ \| '_ \| '_ \ / _ \/ __| __| |  _|  \  / 
  ___) | ||  __/  __/ | |__| (_) | | | | | | |  __/ (__| |_  | |___ /  \ 
 |____/ \__\___|\___|_|\____\___/|_| |_|_| |_|\___|\___|\__| |_____/_/\_\
 Release     : 16.1R2
Release date: 20191101
Package ID  : 117dde1
[Administrator@Director-1: ~] $ sudo reboot
[sudo] password for Administrator: 

Broadcast message from Administrator@Director-1
        (/dev/ttyS0) at 22:29 ...

The system is going down for reboot NOW!
[Administrator@Director-1: ~] $ 
Ubuntu 14.04.6 LTS Director-1 ttyS0

Director-1 login:

Step 3: Perform the initial setup of Analytics

The next step in bringing up a headend is to configure the Analytics server. Analytics and Director will need to communicate securely so we are going to setup the network configuration first, then we are going to sync certificates between the two. Perform the following tasks to implement the Analytics server.

  1. Double click on the Analytics icon to open up the CLI
  2. Log into Analytics with the credentials “versa/versa123
  3. Edit the /etc/network/interfaces file with static IP addressing.

Use sudo nano /etc/network/interfaces for task 3 above.

 GNU nano 2.2.6         File: /etc/network/interfaces                Modified  

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static 
address 192.168.122.175
netmask 255.255.255.0
gateway 192.168.122.1

auto eth1
iface eth1 inet static
address 10.100.3.11
netmask 255.255.255.0

Next, bounce each interface.

[versa@versa-analytics: ~] $ sudo ifdown eth0
[versa@versa-analytics: ~] $ sudo ifdown eth1                
ifdown: interface eth1 not configured
[versa@versa-analytics: ~] $ sudo ifup eth0
[versa@versa-analytics: ~] $ sudo ifup eth1                  
[versa@versa-analytics: ~] $

Once the interfaces have been bounced we need to confirm the IP addressing and ping the Director. I’ll do that in the following output.

[versa@versa-analytics: ~] $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0c:5d:40:dd:78:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.175/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::e5d:40ff:fedd:7800/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 0c:5d:40:dd:78:01 brd ff:ff:ff:ff:ff:ff
    inet 10.100.3.11/24 brd 10.100.3.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::e5d:40ff:fedd:7801/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 0c:5d:40:dd:78:02 brd ff:ff:ff:ff:ff:ff
[versa@versa-analytics: ~] $ ping 192.168.122.174
PING 192.168.122.174 (192.168.122.174) 56(84) bytes of data.
64 bytes from 192.168.122.174: icmp_seq=1 ttl=64 time=1.38 ms
64 bytes from 192.168.122.174: icmp_seq=2 ttl=64 time=0.895 ms
^C
--- 192.168.122.174 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.895/1.140/1.385/0.245 ms
[versa@versa-analytics: ~] $

Now that I have the basic connectivity from Analytics I need to add resolution for Director–1. This step is important because later on, I need to register the Director with the Analytics server in the GUI interface and this is done by name. That name must be resolvable.

[versa@versa-analytics: ~] $ sudo nano /etc/hosts
  1 127.0.0.1   localhost
  2 127.0.1.1   versa-analytics
  3 192.168.122.174 Director-1
  4 
  5 # The following lines are desirable for IPv6 capable hosts
  6 ::1     localhost ip6-localhost ip6-loopback
  7 ff02::1 ip6-allnodes
  8 ff02::2 ip6-allrouters

Now we need to navigate to the scripts directory so we can run the vansetup script.

[versa@versa-analytics: ~] cd /opt/versa/scripts/van-scripts

Now that I’m in the van-scripts directory I can execute the vansetup python script

[versa@versa-analytics: van-scripts] $ sudo ./vansetup.py 
[sudo] password for versa: 
/usr/local/lib/python2.7/dist-packages/cassandra_driver-2.1.3.post-py2.7-linux-x86_64.egg/cassandra/util.py:360: UserWarning: The blist library is not available, so a pure python list-based set will be used in place of blist.sortedset for set collection values. You can find the blist library here: https://pypi.python.org/pypi/blist/
VAN Setup configuration start
<-- output omitted -->

Update config files

As the script runs you will be asked to delete the database. We want to do this so that it’s rebuilt from scratch with no existing data. Basically, we want a fresh start.

Delete the database? (y/N) y

Proceeding to delete the database in 5 seconds

Next, we will reboot when prompted to do so.

Reboot the node(recommended)? (y/N) y

After the reboot, we want to identify if the database successfully restarted after we deleted it. To perform this task you need to scroll up into the output text and find the statement that identifies a successful restart of the Cassandra database. You can see an example of the output you’re looking for below.

DSE daemon starting with Solr enabled (edit /etc/default/dse to disable)
   ...done.
Waiting for host 127.0.0.1 to come up 
0
UN  127.0.0.1  53.6 KB    ?       fa7139b0-77c1-4b0f-a967-6d754ea7aa28  -3572760821973264000                     RAC1


We can also check the state of the database after reboot by logging back in and using the nodetool status command. Specifically, look for the UN that indicates the database is UP and NORMAL. This is the same output that you would have f0und by scrolling back up through the script output.

[versa@versa-analytics: ~] $ nodetool status
Datacenter: Search-Analytics
============================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address    Load       Owns    Host ID                               Token                                    Rack
UN  127.0.0.1  287.27 KB  ?       fa7139b0-77c1-4b0f-a967-6d754ea7aa28  -3572760821973264000                     RAC1

Note: Non-system keyspaces don't have the same replication settings, effective ownership information is meaningless
[versa@versa-analytics: ~] $

Now we are going to enter the CLI of Analytics. You access the CLI by entering the command cli. You can see this below.

[versa@versa-analytics: ~] $ cli

versa connected from 127.0.0.1 using console on versa-analytics
versa@versa-analytics>

Next, we will enter the configuration mode using the configure command.

versa@versa-analytics> configure
Entering configuration mode private
[ok][2019-07-14 15:42:01]

[edit]
versa@versa-analytics%

Now that we are in configuration mode, we want to set the analytics node to the southbound interface IP address. This will also include defining the port to use for communication, the storage directory, and the format. Here’s the information we need:

  • Use Port 1234
  • Set the storage directory to /var/tmp/log
  • Use the syslog format
versa@versa-analytics% set log-collector-exporter local collectors VAN address 10.100.3.11 port 1234 storage directory /var/tmp/log format syslog
[ok][2019-07-14 15:48:24]

Now we need to commit the changes and exit. You can see that in the following output.

versa@versa-analytics% commit
Commit complete.
[ok][2019-07-14 15:49:24]

[edit]
versa@versa-analytics% exit
[ok][2019-07-14 15:49:26]
versa@versa-analytics> exit
[versa@versa-analytics: ~] $

Step 4: Connect to the Director Web Interface

My next step will be to connect to the Director GUI. We browse to the northbound interface IP address, which is the address we set on eth0 earlier. The screenshot below is not using the same IP address that we configured, but hopefully, you get the point. It’s an HTTPS connection and we are going to be warned about the self-signed certificate. Once you accept the certificate you can log in with the Administrator credentials.

Accept the certificate

Accept the certificate

Next, log in to the Director with the default credentials.

Director Login

SteelConnect Director Login

You’ll be asked to reset the password for the GUI.  Follow those instructions and click change.

Director Password Reset

SteelConnect Director Password Reset

Now we need to log in a second time with the new credentials.

The new password is only used for the GUI.

Second Login

Second Login

Step 5: Define the Analytics Cluster

After we’ve logged into the Director GUI we need to define our analytics cluster. To do so, navigate to Administration>Connectors>Analytics Cluster and click the + button to add a new Analytics Cluster. The northbound IP of our analytics cluster is 192.168.122.175 and the southbound IP is 10.100.3.110 (Yes, there is a type in my screenshot).

Add Analytics Cluster

Add Analytics Cluster

You’ll also notice that we give the cluster a name, in this case, Analytics, and we also name the northbound IP Analytics-1. Also, the connector port is left at the default value of 8080. We will use this port to connect to the Analytics GUI later on.

Analytics Cluster details

Analytics Cluster Details

Step 6: Generate and Sync certificates between Director and Analytics

Now that the Analytics cluster has been defined in the Director GUI we need to sync certificates between the two. To do so we will generate the certificate from the CLI of the Director. This is seen in the following output from the director CLI.

Director-1 login: Administrator 
Password: 
Last login: Mon Mar 16 22:28:56 UTC 2020 on ttyS0
===============================================================================
WARNING!
This is a Proprietary System
You have accessed a Proprietary System

If you are not authorized to use this computer system, you MUST log off now.
Unauthorized use of this computer system, including unauthorized attempts or
acts to deny service on, upload information to, download information from,
change information on, or access a non-public site from, this computer system,
are strictly prohibited and may be punishable under federal and state criminal
and civil laws. All data contained on this computer systems may be monitored,
intercepted, recorded, read, copied, or captured in any manner by authorized
System personnel. System personnel may use or transfer this data as required or
permitted under applicable law. Without limiting the previous sentence, system
personnel may give to law enforcement officials any potential evidence of crime
found on this computer system. Use of this system by any user, authorized or
unauthorized, constitutes EXPRESS CONSENT to this monitoring, interception,
recording, reading, copying, or capturing, and use and transfer. Please verify
if this is the current version of the banner when deploying to the system.
===============================================================================

  ____  _                _              _                                
 |  _ \(_)_   _____ _ __| |__   ___  __| |                               
 | |_) | \ \ / / _ \ '__| '_ \ / _ \/ _` |                               
 |  _ <| |\ V /  __/ |  | |_) |  __/ (_| |                               
 |_| \_\_| \_/ \___|_|  |_.__/ \___|\__,_|                               
  ____  _            _  ____                            _     _______  __
 / ___|| |_ ___  ___| |/ ___|___  _ __  _ __   ___  ___| |_  | ____\ \/ /
 \___ \| __/ _ \/ _ \ | |   / _ \| '_ \| '_ \ / _ \/ __| __| |  _|  \  / 
  ___) | ||  __/  __/ | |__| (_) | | | | | | |  __/ (__| |_  | |___ /  \ 
 |____/ \__\___|\___|_|\____\___/|_| |_|_| |_|\___|\___|\__| |_____/_/\_\
 Release     : 16.1R2
Release date: 20191101
Package ID  : 117dde1
[Administrator@Director-1: ~] $ cd /opt/versa/vnms/scripts/
[Administrator@Director-1: scripts] $ sudo su versa
[sudo] password for Administrator: 
orepass versa123 --overwritevnms/scripts$ ./vnms-certgen.sh --cn Director-1 --st 
 => Generating certificate for domain: Director-1
 => Generating ca_config.cnf
 => Generated CA key and CA cert files
 => Generating SSO certificates
 => Generating websockify certificates
 => Saving storepass and keypass

This must be done from the user account versa. After generating the certificate be sure to exit this user and return to Administrator.

Next, we will sync the certificate with Analytics. This is done using the vnms-cert-sync.py script. The script SCP’s the certificate to the correct location on Analytics.

versa@Director-1:/opt/versa/vnms/scripts$ exit
exit
[Administrator@Director-1: scripts] $ ./vnms-cert-sync.sh --sync
Syncing Director certificates to VAN CLuster
Enter VAN Cluster Name:
Analytics
VAN Clusters IPs: 192.168.122.175 
Attempting Key Based Auth..
Can we pick Private Key from ~/.ssh/id_rsa[y/n]y    
Enter password for Versa User for sudo:
Password: 
[Errno 2] No such file or directory: '/home/Administrator/.ssh/id_rsa'
Looks like SSH Key exchange not setup, falling back to password
Please Enter password for User - versa: 
Password: 
/usr/lib/python2.7/dist-packages/Crypto/Cipher/blockalgo.py:141: FutureWarning: CTR mode needs counter parameter, not IV
  self._cipher = factory.new(key, *args, **kwargs)
Connected to 192.168.122.175
[sudo] password for versa: rm: cannot remove '/opt/versa/var/van-app/certificates/versa_director_client.cer': No such file or directory

[sudo] password for versa: rm: cannot remove '/opt/versa/var/van-app/certificates/versa_director_truststore.ts': No such file or directory

DEleted Existing Certificate
SFTPed certificate File
Locate keytool utility:

/usr/lib/jvm/jre1.8.0_231/bin/keytool

Copy certificate:

Certificate: /opt/versa/var/van-app/certificates/versa_director_client.cer

 * Stopping versa-confd

 * Stopping versa-lced

 * -n  ... waiting for versa-lced to exit

 * Stopping versa-analytics-app

 * -n  ... waiting for versa-analytics-app to exit

 * Stopping daemon monitor monit

   ...done.

 * Versa Analytics Stopped

   ...done.

   ...done.

 * Restarting daemon monitor monit

   ...done.

 * Starting versa-analytics-app

 * Versa Analytics Started



             .---.,

            (      ``.

       _     \        )    __      ________ _____   _____

      (  `.   \      /     \ \    / /  ____|  __ \ / ____|  /\

       \    `. )    /       \ \  / /| |__  | |__) | (___   /  \

        \     |    /         \ \/ / |  __| |  _  / \___ \ / /\ \

         \    |   /           \  /  | |____| | \ \ ____) / ____ \

          \   |  /             \/   |______|_|  \_\_____/_/    \_\

           \  | /

            \_|/                   _   _  _   _   _ __   _______ ___ ___ ___

                                  /_\ | \| | /_\ | |\ \ / /_   _|_ _/ __/ __|

                                 / _ \| .` |/ _ \| |_\ V /  | |  | | (__\__ \

                                /_/ \_\_|\_/_/ \_\____|_|   |_| |___\___|___/





[sudo] password for versa: cp: '/opt/versa/var/van-app/certificates/versa_director_client.cer' and '/opt/versa/var/van-app/certificates/versa_director_client.cer' are the same file

Certificate was added to keystore

Certificate Installed

Next, we need to reboot the server.

[Administrator@Director-1: scripts] $ sudo reboot

Broadcast message from Administrator@Director-1
        (/dev/ttyS0) at 22:50 ...

The system is going down for reboot NOW!

Ubuntu 14.04.6 LTS Director-1 ttyS0

Director-1 login: 

Step 7: Log in to the Analytics GUI

Now we log into the Analytics GUI using the northbound interface and port 8080.

Analytics GUI login

SteelConnect Analytics GUI Login

Step 8: Add the Director hostname

After logging into the Analytics GUI we need to add the Director hostname. Recall earlier when we set up Analytics from the CLI we created a resolution for the Director hostname. To complete this step we need to navigate to Admin>Authentication and add the Director hostname.

This will match the entry placed in /ect/hosts.

Register the Director

Register the Director

To finish this step, don’t forget to click Register.

Step 9: Add the first organization

Now we are going to return to the Director GUI and add our first organization. We need a top-level “Parent” organization before we can add any controllers.

  1. Return to the Director GUI.
  2. Navigate to Administrator>Organization and click the + button.
  3. Provide the following values:
Name Subscription Profile
Riverbed Default-All-Services-Plan
  1. Click on the Analytics Cluster tab.
  2. Add the Analytics Cluster as seen below.
Add an Organization

Add an Organization

After the analytics cluster has been added we need to navigate to the Supported User Roles tab and add all roles for the parent organization.

  1. Click on the Supported Users Role tab.
  2. Click Add All.
Update User Roles

Update User Roles

Finish up by clicking OK.

 

Step 10: Configure the Controller IP

Well, we’re getting close to having a functional headend. If you’re still following along you may be thinking that this is a lot of work. In reality, what we’ve done here is not significant. We’ve brought two of the three devices in our headend up and the process has taken us less than an hour. To add to that, this is something you will only do once. After the headend is up and running you’ll mostly work with templates to apply configurations to onboarded branches. We’ll cover that in another article. However, I digress. Let’s return to the process.

The next step is to deploy the controller. To do so, we need to enable the eth0 interface on the controller itself. Remember that the controller runs SteelConnect EX software, which is the same software as what you will run in the branch. The difference is that it’s defined as a controller in the initial setup. So, let’s follow these steps to bring the controller into the headend deployment.

  1. Connect to the console of the Controller.
  2. Login to the controller using the username and password admin/versa123.
  3. Edit the /etc/network/interfaces file.
[admin@versa-flexvnf: ~] $ sudo nano /etc/network/interfaces
[sudo] password for admin:

In the interfaces file, set the IP address for the controller based on the table below.

IP address Netmask Gateway
192.168.122.176 255.255.255.0 192.168.122.1

You can see an example of the configuration file below.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.122.176
netmask 255.255.255.0
gateway 192.168.122.1

Now we need to bounce the interface.

[admin@versa-flexvnf: ~] $ sudo ifdown eth0 
RTNETLINK answers: No such process
[admin@versa-flexvnf: ~] $ sudo ifup eth0   
[admin@versa-flexvnf: ~] $

And of course, we want to ping the Director to make sure we have connectivity. Once this is done we can move on to deploy the controller in the Director GUI.

[admin@versa-flexvnf: ~] $ ping 192.168.122.174
PING 192.168.122.174 (192.168.122.174) 56(84) bytes of data.
64 bytes from 192.168.122.174: icmp_seq=1 ttl=64 time=1.28 ms
64 bytes from 192.168.122.174: icmp_seq=2 ttl=64 time=0.782 ms
^C
--- 192.168.122.174 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.782/1.034/1.286/0.252 ms
[admin@versa-flexvnf: ~] $ 

Step 11: Deploy the Controller in the Director GUI

The next step is to deploy the controller in the Director GUI. We’re going to deploy the controller in the Riverbed organization. Remember that this was our parent organization. We can use this organization as our only organization or we can deploy multiple tenants with SteelConnect EX. For our examples in this blog series, we will use a single-tenant, Riverbed. Follow these steps to deploy the controller.

  1. Return to the Director GUI.
  2. Navigate to Workflows>Infrastructure>Controllers
  3. Click the + button to add a workflow.
  4. Provide the following elements to the General page.
  5. Name.
  6. Provider Organization.
  7. Check Staging Controller.
  8. Enter the IP address that you applied in the previous step.
  9. Select the Analytics cluster.
  10. Click Continue
Controller General Settings

Controller General Settings

When you enter the IP address of the controller it will test connectivity. You will see this in the window in the form of a spinning image, although it may be brief.

Next, enter location information. This requires City, State, Country and then clicking Get Coordinates, in which the Lattitude and Longitude will be populated. Then you can click Continue.

Controller Location Settings

Controller Location Settings

On the next tab, you need to enter the Control Network information, which includes the Network Name, interface, and IP address, as seen in the image below. Click Continue when the values have been entered.

Controller Control Network Settings

Controller Control Network Settings

On the controller, eth0 is connected to the management network. eth1 is connected to the control network but within the cli of the controller it is identified as vni–0/0/. This means eth2 will be identified in the controller cli as vni–0/1 and is connected to the MPLS network via the MPLS_SWITCH.

Next, configure the WAN interfaces. This task has multiple substeps as seen below. You need to repeat the following process for MPLS.

  1. Click on the +WAN Interface link on the top right side of the interface.
  2. Create an interface names Internet and select Internet as the Transport Domain.
  3. Click OK.

Create a WAN interface

Create a WAN Interface

Now select the VNI interfaces that connect to Internet and MPLS.

Selecting VNI Interfaces

Selecting VNI Interfaces

In our topology, VNI–0/1 is eth2 and VNI–0/2 is eth3. This is important because eth0 is connected to the management network, the northbound side of Director, and eth1 is connected to the control network, the southbound side of Director.

Select the appropriate network names, and provide the IP address and gateway for each. There’s a table below to show you the values I used.

Addressing VNI interfaces

Addressing VNI interfaces

 

Network Name IP address Mask Gateway Public IP
MPLS 10.100.21.3 /24 10.100.21.1
Internet 10.100.19.2 /30 10.100.19.1 192.168.122.25

Also, an important step for us here is that we need to advertise a public IP address for the Internet-Only branches to reach the controller. If we fail to add the public IP address here when an Internet-only branch is onboarded they will not be able to reach the controller. That being said, we also need to make sure that Static NAT and Access Rules are configured on the perimeter firewall (I’m not showing that in this article).

To finish things up you need to click Deploy. When you click deploy you should see a popup asking you to create the overlay scheme. Be careful here to allocate this addressing based on the sizing of your organization. Using a /24 would limit you to 256 branch sites as this space is used to address each site in the SD-WAN fabric.

In the following output, I have entered the IPv4-Prefix for the overlay addressing pool, as well as the maximum number of organizations as seen below. Therefore each organization has around 65K branch sites that we can address, not that we would have that many.

IPv4-Prefix Maximum Organizations
10.254.0.0/16 16

Create Overlay Addressing Scheme

Create Overlay Addressing Scheme

I’ll wrap this up by clicking Update.

Note in the bottom of the Director GUI that the controller workflow is immediately deployed.

View progress

View Progress

Step 12: View the progress of the controller deployment

There is a tasks view that we can open to see the progress. You can access this in the Director GUI by clicking the Tasks icon. This is the icon on the top right-hand side of the interface that looks like a checklist. This will open a list of tasks that you can expand and view as seen below. In the following output, you can see that the controller was deployed and in the running messages, you can see what happened at each step of the deployment that took place behind the scenes.

Progress details

Progress Details

Step 13: Log in to the Controller CLI and confirm the deployment.

Next, we are going to connect to the command line of the controller and have a look at how to verify the deployment there.

In the following output, you can see that I have accessed the CLI.

[admin@Controller-1: ~] $ cli


             .---.,
            (      ``.
       _     \        )    __      ________ _____   _____
      (  `.   \      /     \ \    / /  ____|  __ \ / ____|  /\
       \    `. )    /       \ \  / /| |__  | |__) | (___   /  \
        \     |    /         \ \/ / |  __| |  _  / \___ \ / /\ \
         \    |   /           \  /  | |____| | \ \ ____) / ____ \
          \   |  /             \/   |______|_|  \_\_____/_/    \_\
           \  | /
            \_|/                   _  _ ___ _______      _____  ___ _  _____
                                  | \| | __|_   _\ \    / / _ \| _ \ |/ / __|
                                  | .` | _|  | |  \ \/\/ / (_) |   / ' <\__ \
                                  |_|\_|___| |_|   \_/\_/ \___/|_|_\_|\_\___/



admin connected from 127.0.0.1 using console on Controller-1
admin@Controller-1-cli>

Once I’m in the CLI, I can use the show interfaces brief | tab command to view the interfaces that have been configured. You can see a sample of that output below. Let’s dig into what we’re seeing here.

admin@Controller-1-cli> show interfaces brief | tab
NAME         MAC                OPER  ADMIN  TENANT  VRF                    IP                  
------------------------------------------------------------------------------------------------
eth-0/0      0c:5d:40:be:eb:00  up    up     0       global                 192.168.122.176/24  
tvi-0/2      n/a                up    up     -       -                                          
tvi-0/2.0    n/a                up    up     1       Riverbed-Control-VR    10.254.16.1/32      
tvi-0/3      n/a                up    up     -       -                                          
tvi-0/3.0    n/a                up    up     1       Riverbed-Control-VR    10.254.24.1/32      
tvi-0/602    n/a                up    up     -       -                                          
tvi-0/602.0  n/a                up    up     1       Riverbed-Control-VR    169.254.0.2/31      
tvi-0/603    n/a                up    up     -       -                                          
tvi-0/603.0  n/a                up    up     1       Analytics-VR           169.254.0.3/31      
vni-0/0      0c:5d:40:be:eb:01  up    up     -       -                                          
vni-0/0.0    0c:5d:40:be:eb:01  up    up     1       Riverbed-Control-VR    10.100.3.12/24      
vni-0/1      0c:5d:40:be:eb:02  up    up     -       -                                          
vni-0/1.0    0c:5d:40:be:eb:02  up    up     1       MPLS-Transport-VR      10.100.21.3/24      
vni-0/2      0c:5d:40:be:eb:03  up    up     -       -                                          
vni-0/2.0    0c:5d:40:be:eb:03  up    up     1       Internet-Transport-VR  10.100.19.2/30      
vni-0/3      0c:5d:40:be:eb:04  down  down   -       -                                          
vni-0/4      0c:5d:40:be:eb:05  down  down   -       -                                          

[ok][2020-03-16 17:06:45]
admin@Controller-1-cli>

In the above output, the IP address assigned to the Riverbed-Control-VR on vni–0/0.0 10.10.254.16.1. This is from the subnet that we defined as the overlay network when we deployed the controller (remember the popup?). The IP address applied to the MPLS-Transport-VR is 10.100.21.3. This was the IP address that you applied to the MPLS interface vni–0/1. The IP address applied to the Internet-Transport-VR is 10.100.19.2. This is the IP address that you assigned to vni–0/2 when you deployed the controller in the Director interface.

Now, this output brings up a very good question. We know what the vni’s are. We assigned IP addresses to them when we onboarded the controller. VNI stands for Virtual Network Interface, and they are virtual in the sense that the controller software maps them to a physical interface on the hardware. For example, since eth0 is used for management, the SteelConnect EX software maps eth1 to vni-0/0 which is the control network, and eth2 gets mapped to vni-0/1. Eth3 then gets mapped to vni-0/2. But what are these TVI’s? We will save the discussion of that topic for another article, however, so that we understand what we are looking at here, a TVI is a Tunnel Virtual Interface. A TVI is not mapped to a physical interface. There are two of each TVI because SteelConnect EX sets up an unencrypted channel as well as an encrypted channel.

tvi-0/2      n/a                up    up     -       -                                      
tvi-0/2.0    n/a                up    up     1       Riverbed-Control-VR    10.254.16.1/32  
tvi-0/3      n/a                up    up     -       -                                      
tvi-0/3.0    n/a                up    up     1       Riverbed-Control-VR    10.254.24.1/32  
tvi-0/602    n/a                up    up     -       -                                      
tvi-0/602.0  n/a                up    up     1       Riverbed-Control-VR    169.254.0.2/31  
tvi-0/603    n/a                up    up     -       -                                      
tvi-0/603.0  n/a                up    up     1       Analytics-VR           169.254.0.3/31

Step 14: Configure a static route for Director

We are so close! This is the final step of my headend deployment and this step is important! We now have to tell the Director how to reach SteelConnect EX Control-VRs or we will not be able to onboard our branches. Recall that the Director has two interfaces: Management and Control. The default route points to the management interface, but the 10.254.0.0/16 overlay network is reachable on the control site or southbound side. This is how the Director connects to the branches via SSH and delivers netfonf connamds. If you miss this step then it just doesn’t work. So, let’s wrap this up. Follow these steps:

  1. From the director command line edit the /etc/network/interfaces file.
  2. Add the following line under eth1, the Southbound/Control network.

SSH to Director

SSH to Director

Enter the following command.  You can see an example in the image below.

post-up route add -net 10.254.0.0 netmask 255.255.0.0 gw 10.100.3.12
Add route to overlay
After you save the interfaces file with the route added, you need to bounce the eth1 interface.

 

sudo ifdown eth1
sudo ifup eth1

Next, we make sure that the route has been applied.

admin@Director-1:~$ netstat -rn
Kernel IP routing table
Destination     Gateway            Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.122.1      0.0.0.0         UG        0 0          0 eth0
10.100.2.0      0.0.0.0            255.255.255.0   U         0 0          0 eth0
10.100.3.0      0.0.0.0            255.255.255.0   U         0 0          0 eth1
10.254.0.0      10.100.3.12        255.255.0.0     UG        0 0          0 eth1
admin@Director-1:~$

And just like that, we have a headend ready to onboard. Let’s take a minute to review what we’ve done here.

Wrap up

We’ve covered a lot of ground in this article. The good news is that this is the most difficult part of the deployment (and it wasn’t even that difficult). But here is what we’re left with at the end of this article:

  • The Director has been configured.
  • Analytics has been configured.
  • We have GUI access to the Director and Analytics.
  • The Controller has been configured.
  • VNI’s and TVI’s are up on the controller.

Please stay tuned for more articles in this series as we onboard branches, configure routing and traffic steering, and explore the many, many technical features of SteelConnect EX.

1 Response to “Building an SD-WAN Headend”

Leave a Reply

Your email address will not be published. Required fields are marked *

Feng Chen 12-Aug-2020 at 2:38 pm

Awesome post, that is thorough 🙂
Thanks Brandon !

Reply

top.name