Cisco CloudOps Overview

Note

To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.

Cisco offers a cloud-hosting subscription for Cisco Catalyst SD-WAN Controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller that simplifies and accelerates Cisco Catalyst SD-WAN deployment, while reducing the cost of running these controllers on their own. The cloud deployment model also includes monitoring services for the instances and advanced analytics.

About This Guide

This guide describes the Cisco-managed, cloud-hosted Cisco Catalyst SD-WAN Controller, as well as its capabilities and services. This guide details the cloud infrastructure hosting processes, responsibilities, and recommendations.

Audience

The audience for this document includes network design engineers and network operators who want to purchase or deploy the cloud-based subscription options for Cisco Catalyst SD-WAN.

Types of Fabric Network in Cisco Catalyst SD-WAN

Dedicated Fabric: In dedicated fabric, also known as single tenant fabric, the hosting of Cisco Catalyst SD-WAN controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller is dedicated only to the customer.
Shared Fabric: In shared fabric, the hosting of Cisco Catalyst SD-WAN controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller is shared across multiple customers.

Some of the salient features of this fabric are:
- The data plane, the control plane, and the management plane traffic for each customer are isolated.
- All fabric remain on the same long-lived release. Shared fabric always run on the latest long-lived star-marked release.
- Customer agrees to external management of their Virtual Account (VA).
- Cisco Software-Defined AVC (SD-AVC) and web certificates are available and managed by Cisco CloudOps.
- The only limitation with this type of fabric is that TrustSec, Lawful Intercept, and RADIUS/TACACS are not supported at present.

Dedicated Multitenant (MT) Fabric: In this type of fabric, the hosting of Cisco Catalyst SD-WAN Controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller is dedicated to the customer. A managed service provider hosts shared fabric for its end-customers.

Note

A dedicated multitenant fabric can be hosted only on AWS cloud.

Coverage Summary


Task	Single-Tenant	Multitenant (MT)	Shared (Cisco Hosted Cloud SD-WAN)	Cloud-delivered Cisco Catalyst SD-WAN	Comments
Fabric provisioning
Provisioning from Cisco Catalyst SD-WAN Portal	Customer	Cisco CloudOps	Customer	Customer
Monitoring and troubleshooting of Cisco Catalyst SD-WAN Cloud controller infrastructure
CPU and data disk utilization	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Loss of connectivity to network interfaces	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Failure to reach instances	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Monitoring of Cisco Catalyst SD-WAN services
Expiry notification of controller SSL certificates	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Availability of the Cisco SD-WAN Manager web server	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Loss of control connection to the controllers	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Capacity management of Cisco Catalyst SD-WAN Controllers	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps monitors and upgrades the instance capacity and expansion to clusters based on the number of devices on the fabric.
Disaster recovery
Take periodic volume-based snapshots	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Note that in multitenancy, the volume-based and config-based snapshot is for the entire multitenancy Cisco SD-WAN Manager cluster, not for a particular tenant.
Take periodic configuration-based backups	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
On-demand snapshots	Customer	Customer	Not Applicable	Not Applicable
Restore fabric based on volume or configurations	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps	Cisco CloudOps
Onboard to Cisco SD-WAN Analytics	Customer	Customer	Customer	Not Applicable	Cisco SD-WAN Analytics is by default onboarded for cloud-delivered Cisco Catalyst SD-WAN customers
On-premises to cloud migration assistance	Cisco CloudOps	Not Applicable	Not Applicable	Not Applicable	Limited support - For more details on the On-prem to cloud migration, see On-Premises to Cloud Migration Process Details.
Custom subnets and TACACS	Customer	Not Applicable	Not Applicable	Not Applicable	For customers, setting up custom subnets and TACACS is only possible during Day-0 provisioning. For Day-N, customers can open TAC with Cisco CloudOps. TACACS is not available for multitenant fabric at present.
Renew controller certificates (before expiration)	Customer	Customer	Cisco CloudOps	Cisco CloudOps
Upgrade software
Controller software upgrade	Customer	Customer	Cisco CloudOps	Cisco CloudOps
Edge device/node software upgrade	Customer	Customer	Customer	Customer
Upload and manage Edge images in Cisco SD-WAN Manager Software Repository	Customer	Customer	Cisco CloudOps	Cisco CloudOps
Respond to Cisco CloudOps notifications to authorize the service window, instance reboot, review, or verify changes carried out by Cisco CloudOps	Customer	Customer	Customer	Customer
Create Smart Accounts (SA) or Virtual Accounts (VA) on software.cisco.com and attach Cisco Catalyst SD-WAN subscribed devices to the SA/VA	Customer	Customer	Customer	Customer
Allow external management of SA/VA on PNP Connect	Not Applicable	Not Applicable	Cisco CloudOps	Cisco CloudOps	Do Not allow external management of SA/VA on PNP Connect before provisioning fabric in Cisco Catalyst SD-WAN Portal. The provisioning workflow automatically enables the external management.
Accept external management of SA/VA and map tenant VA to customer SA/VA	Not Applicable	Not Applicable	Cisco CloudOps	Cisco CloudOps
Define device configuration templates and policies through Cisco SD-WAN Manager	Customer	Customer	Customer	Customer
Perform other activities that require logging in to Cisco SD-WAN Manager. For example, template and policy configuration, and edge device management	Customer	Customer	Customer	Customer
Web server certificates	Customer	Customer	Cisco CloudOps	Cisco CloudOps	This is not applicable for multi-tenant fabric with custom domain option.
Edge serial sync with credentials	Customer	Customer	Customer	Not Applicable	Cloud-delivered Cisco Catalyst SD-WAN customers can use their Cisco Connection On-line (CCO) login credentials for Single-Sign-On and sync edge serials.
Managed Allowed IP access list	Customer	Customer	Customer	Not Applicable
Custom Identity Provider (IdP) Configuration	Customer	Customer	Customer	Not Applicable	Cloud-delivered Cisco Catalyst SD-WAN only supports Cisco Connection On-line (CCO) as identity provider. Customers can use Single-Sign-On feature to navigate among Catalyst SD-WAN applications such as Cisco SD-WAN Manager, Cisco SD-WAN Analytics, and Cisco Catalyst SD-WAN Portal.

Solution Design

About This Solution

When you choose a cloud-based subscription for your Cisco Catalyst SD-WAN Controllers, Cisco deploys Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller on the public cloud. Cisco then provides you with administrator access. By default, a single Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller are deployed in the primary cloud region and an additional Cisco SD-WAN Validator and Cisco SD-WAN Controller are deployed in the secondary or backup region.

Supported Clouds and Cloud Regions

The following clouds and cloud regions are supported for Cisco Catalyst SD-WAN Controller deployments:


Amazon Web Services	Microsoft Azure
Asia Pacific—Jakarta \| Indonesia	Asia Pacific \| Australia East—Sydney \| New South Wales
Asia Pacific—Mumbai \| India	Asia Pacific \| Australia Southeast—Melbourne \| Victoria
Asia Pacific – Hyderabad \| India	Asia Pacific \| Japan East—Tokyo
Asia Pacific—Seoul \| South Korea	Asia Pacific \| Southeast Asia—Singapore
Asia Pacific—Singapore \| Singapore	Asia Pacific \| West India—Mumbai Asia Pacific \| South India
Asia Pacific—Sydney \| Australia	UAE North—Dubai
Asia Pacific – Melbourne \| Australia	Asia Pacific \| Australia Central—Canberra
Asia Pacific—Tokyo \| Japan	South Africa—North
Africa—Cape Town
Canada Central—Montreal \| Canada	Canada Central—Montreal \| Canada Canada East
EU—Frankfurt \| Germany	Americas \| Brazil South—Sao Paulo State
EU—Ireland \| Dublin	Europe \| France Central—Paris
EU—London \| UK	Europe \| North Europe—Ireland
EU—Stockholm \| Sweden	Europe \| UK South—London
South America—Sao Paulo \| Brazil	Europe \| West Europe—Netherlands
US East—Northern Virginia \| USA	Americas \| East US—Virginia
US West—Northern California \| USA	Americas \| West US—California
US West—Oregon \| USA	Americas \| West US 2—Washington

Cisco Catalyst SD-WAN Cloud Provisioning

Note

By default, Cisco provisions one Cisco SD-WAN Manager, two Cisco SD-WAN Validators and two Cisco SD-WAN Controllers for a fabric of size <1500.

For information on recommended computing resources, see Recommended Computing Resources for Cisco Catalyst SD-WAN Control Components.

Customer Responsibilities

Manage allowed access-list with customer’s source public IP ranges for management access of controllers.
Renew controller certificates on time.
Before making any changes in the Cisco Catalyst SD-WAN Portal, take the on-demand snapshot using the procedure, Take an On-Demand Snapshot and configuration backup using Back Up the Active Cisco SD-WAN Manager procedure.
Upgrade the software.
- You can open a TAC case for the following:
  - If you face any issues with software upgrade.
  - If you want any rollback.
- The Cisco SD-WAN Validator and Cisco SD-WAN Controller are stateless services. Therefore, you do not need to take backups for these services. Cisco SD-WAN Manager automatically pushes the configurations once they are attached to templates.
  
  We recommend that customers create and attach templates to the Cisco SD-WAN Validators and Cisco SD-WAN Controller instead, so the Cisco SD-WAN Manager backups automatically include the configuration backup of the controllers.
- The Cisco Catalyst SD-WAN support teams may cover the software upgrade for complex deployments such as clusters and multitenant tenant fabric. However, this support is not available for single-tenant single-node fabric.
- It is the responsibility of a customer to upgrade the software version of an edge device. For the compatible versions of edge devices based on controller versions, see Cisco SD-WAN Controller Compatibility Matrix.
Respond to the notifications sent by Cisco CloudOps to authorize the service window, instance reboot, review, or verify changes carried out by Cisco CloudOps.
In case of dedicated fabric, configure the third interface on Cisco SD-WAN Manager with static IP or DHCP based IP to use it for SD-AVC feature. By default the third interface is in shut state.
Open a TAC case to arrange a service window when you receive a notification from Cisco CloudOps. Some operations can be performed only with the consent of the customer.
Create Smart Accounts (SA) or Virtual Accounts (VA) on software.cisco.com and attach Cisco Catalyst SD-WAN subscribed devices to the SA or VA.
Define device configuration templates and policies through Cisco SD-WAN Manager.
Perform other activities that require logging in to Cisco SD-WAN Manager.
For shared-tenant fabric, open a Cisco TAC support case if you need specific software versions to be added in the Cisco SD-WAN Manager software repository.

Your failure to meet the responsibilities outlined in this section will invalidate the SD-WAN Cloud SLA, including any guaranteed service uptimes.

Responsibilities of Cisco CloudOps

Fabric Provisioning

Provision cloud-hosted controllers for your Cisco Catalyst SD-WAN fabric, configure a unique admin password with an expiry time of a week, and hand over Cisco SD-WAN Manager to the customer.
Configure Cisco SD-WAN Manager with a default template and policy, when customers choose the default template and policy push option on the sales order.
Create and manage single-tenant and multitenant clusters as needed.
Manage tenants on multitenant fabric (direct enterprise customers).

Monitor and Troubleshoot

Cisco CloudOps monitors the health of cloud-hosted fabric and troubleshoots if there are any issues.

Cisco CloudOps is backed by a real-time monitoring system that checks the health of Cisco Catalyst SD-WAN controllers and generates alerts. The check includes the health of Cisco SD-WAN Manager, application or web server, other micro services, and configuration or statistics databases.
Take proactive action for cloud infrastructure issues, which are beyond the control of the users. Else, notify the customer about the potential issues and request the customer to open a Cisco TAC support case for further investigation.
Manage alerts based on notifications from the cloud provider environments on instance up or down states and CPU, network inactivity status.
Resolve the alerts proactively if it doesn’t require a down time of the services. Notify the customer when services flap.
Send 30-, 15-, and 5-day notices to the customers to renew expiring certificates on Cisco SD-WAN Manager. Cisco Catalyst SD-WAN controller certificates have a validity of one year.

Cloud Infrastructure Support

Carry out disaster recovery workflows, including snapshot volumes or configurations. Restore Cisco SD-WAN Manager clusters based on volumes or configurations.
Provision custom subnetting to extend customer premises network into cloud-hosted fabric network.
Manage on-premises to cloud migrations.

Capacity Management

Monitor the growth of devices per fabric along with the controller instance capacity parameters such as CPU, disk, and memory utilizations. Follow a pre-set guideline to increase the capacity of the service instances as needed.

Amazon Web Services	Microsoft Azure
Asia Pacific—Jakarta \| Indonesia	Asia Pacific \| Australia East—Sydney \| New South Wales
Asia Pacific—Mumbai \| India	Asia Pacific \| Australia Southeast—Melbourne \| Victoria
Asia Pacific – Hyderabad \| India	Asia Pacific \| Japan East—Tokyo
Asia Pacific—Seoul \| South Korea	Asia Pacific \| Southeast Asia—Singapore
Asia Pacific—Singapore \| Singapore	Asia Pacific \| West India—Mumbai Asia Pacific \| South India
Asia Pacific—Sydney \| Australia	UAE North—Dubai
Asia Pacific – Melbourne \| Australia	Asia Pacific \| Australia Central—Canberra
Asia Pacific—Tokyo \| Japan	South Africa—North
Africa—Cape Town
Canada Central—Montreal \| Canada	Canada Central—Montreal \| Canada Canada East
EU—Frankfurt \| Germany	Americas \| Brazil South—Sao Paulo State
EU—Ireland \| Dublin	Europe \| France Central—Paris
EU—London \| UK	Europe \| North Europe—Ireland
EU—Stockholm \| Sweden	Europe \| UK South—London
South America—Sao Paulo \| Brazil	Europe \| West Europe—Netherlands
US East—Northern Virginia \| USA	Americas \| East US—Virginia
US West—Northern California \| USA	Americas \| West US—California
US West—Oregon \| USA	Americas \| West US 2—Washington

Cisco Catalyst SD-WAN CloudOps

Bias-Free Language

Book Title

Cisco Catalyst SD-WAN CloudOps

Chapter Title