Cisco CloudOps Overview


Note


To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.


Cisco offers a cloud-hosting subscription for Cisco Catalyst SD-WAN Controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller that simplifies and accelerates Cisco Catalyst SD-WAN deployment, while reducing the cost of running these controllers on their own. The cloud deployment model also includes monitoring services for the instances and advanced analytics.

About This Guide

This guide describes the Cisco-managed, cloud-hosted Cisco Catalyst SD-WAN Controller, as well as its capabilities and services. This guide details the cloud infrastructure hosting processes, responsibilities, and recommendations.

Audience

The audience for this document includes network design engineers and network operators who want to purchase or deploy the cloud-based subscription options for Cisco Catalyst SD-WAN.

Types of Fabric Network in Cisco Catalyst SD-WAN

  • Dedicated Fabric: In dedicated fabric, also known as single tenant fabric, the hosting of Cisco Catalyst SD-WAN controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller is dedicated only to the customer.

  • Shared Fabric: In shared fabric, the hosting of Cisco Catalyst SD-WAN controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller is shared across multiple customers.

    Some of the salient features of this fabric are:

    • The data plane, the control plane, and the management plane traffic for each customer are isolated.

    • All fabrics remain on the same long-lived release. Shared fabrics always run on the latest long-lived star-marked release.

    • Customer agrees to external management of their Virtual Account (VA).

    • Cisco Software-Defined AVC (SD-AVC) and web certificates are available and managed by Cisco CloudOps.

    • The only limitation with this type of fabric is that TrustSec, Lawful Intercept, and RADIUS/TACACS are not supported at present.

  • Dedicated Multitenant (MT) Fabric: In this type of fabric, the hosting of Cisco Catalyst SD-WAN Controllers such as Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller is dedicated to the customer. A managed service provider hosts shared fabric for its end-customers.


    Note


    A dedicated multitenant fabric can be hosted only on AWS cloud.


Coverage Summary

| Task | Single-Tenant | Multitenant (MT) | Shared (Cisco Hosted Cloud SD-WAN) | Cloud-delivered Cisco Catalyst SD-WAN | Comments |
|---|---|---|---|---|---|
| Fabric provisioning | | | | | |
| Provisioning from Cisco Catalyst SD-WAN Portal | Customer | Cisco CloudOps | Customer | Customer | |
| Monitoring and troubleshooting of Cisco Catalyst SD-WAN Cloud controller infrastructure | | | | | |
| CPU and data disk utilization | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Loss of connectivity to network interfaces | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Failure to reach instances | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Monitoring of Cisco Catalyst SD-WAN services | | | | | |
| Expiry notification of controller SSL certificates | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Availability of the Cisco SD-WAN Manager web server | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Loss of control connection to the controllers | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Capacity management of Cisco Catalyst SD-WAN Controllers | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps monitors and upgrades the instance capacity and expansion to clusters based on the number of devices on the fabric. |
| Disaster recovery | | | | | |
| Take periodic volume-based snapshots | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Note that in multitenancy, the volume-based and config-based snapshot is for the entire multitenancy Cisco SD-WAN Manager cluster, not for a particular tenant. |
| Take periodic configuration-based backups | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| On-demand snapshots | Customer | Customer | Not Applicable | Not Applicable | |
| Restore fabric based on volume or configurations | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | Cisco CloudOps | |
| Onboard to Cisco SD-WAN Analytics | Customer | Customer | Customer | Not Applicable | Cisco SD-WAN Analytics is by default onboarded for cloud-delivered Cisco Catalyst SD-WAN customers |
| On-premises to cloud migration assistance | Cisco CloudOps | Not Applicable | Not Applicable | Not Applicable | Limited support - For more details on the On-prem to cloud migration, see On-Premises to Cloud Migration Process Details. |
| Custom subnets and TACACS | Customer | Not Applicable | Not Applicable | Not Applicable | For customers, setting up custom subnets and TACACS is only possible during Day-0 provisioning. For Day-N, customers can open TAC with Cisco CloudOps. TACACS is not available for multitenant fabric at present. |
| Renew controller certificates (before expiration) | Customer | Customer | Cisco CloudOps | Cisco CloudOps | |
| Upgrade software | | | | | |
| Controller software upgrade | Customer | Customer | Cisco CloudOps | Cisco CloudOps | |
| Edge device/node software upgrade | Customer | Customer | Customer | Customer | |
| Upload and manage Edge images in Cisco SD-WAN Manager Software Repository | Customer | Customer | Cisco CloudOps | Cisco CloudOps | |
| Respond to Cisco CloudOps notifications to authorize the service window, instance reboot, review, or verify changes carried out by Cisco CloudOps | Customer | Customer | Customer | Customer | |
| Create Smart Accounts (SA) or Virtual Accounts (VA) on software.cisco.com and attach Cisco Catalyst SD-WAN subscribed devices to the SA/VA | Customer | Customer | Customer | Customer | |
| Allow external management of SA/VA on PNP Connect | Not Applicable | Not Applicable | Cisco CloudOps | Cisco CloudOps | Do Not allow external management of SA/VA on PNP Connect before provisioning fabric in Cisco Catalyst SD-WAN Portal. The provisioning workflow automatically enables the external management. |
| Accept external management of SA/VA and map tenant VA to customer SA/VA | Not Applicable | Not Applicable | Cisco CloudOps | Cisco CloudOps | |
| Define device configuration templates and policies through Cisco SD-WAN Manager | Customer | Customer | Customer | Customer | |
| Perform other activities that require logging in to Cisco SD-WAN Manager. For example, template and policy configuration, and edge device management | Customer | Customer | Customer | Customer | |
| Web server certificates | Customer | Customer | Cisco CloudOps | Cisco CloudOps | This is not applicable for multi-tenant fabric with custom domain option. |
| Edge serial sync with credentials | Customer | Customer | Customer | Not Applicable | Cloud-delivered Cisco Catalyst SD-WAN customers can use their Cisco Connection On-line (CCO) login credentials for Single-Sign-On and sync edge serials. |
| Managed Allowed IP access list | Customer | Customer | Customer | Not Applicable | |
| Custom Identity Provider (IdP) Configuration | Customer | Customer | Customer | Not Applicable | Cloud-delivered Cisco Catalyst SD-WAN only supports Cisco Connection On-line (CCO) as identity provider. Customers can use Single-Sign-On feature to navigate among Catalyst SD-WAN applications such as Cisco SD-WAN Manager, Cisco SD-WAN Analytics, and Cisco Catalyst SD-WAN Portal. |

Solution Design

About This Solution

When you choose a cloud-based subscription for your Cisco Catalyst SD-WAN Controllers, Cisco deploys Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller on the public cloud. Cisco then provides you with administrator access. By default, a single Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller are deployed in the primary cloud region and an additional Cisco SD-WAN Validator and Cisco SD-WAN Controller are deployed in the secondary or backup region.

Figure 1. Solution Architecture

Supported Clouds and Cloud Regions

The following clouds and cloud regions are supported for Cisco Catalyst SD-WAN Controller deployments:

Amazon Web Services

Microsoft Azure

Asia Pacific—Jakarta | Indonesia

Asia Pacific | Australia East—Sydney | New South Wales

Asia Pacific—Mumbai | India

Asia Pacific | Australia Southeast—Melbourne | Victoria

Asia Pacific – Hyderabad | India

Asia Pacific | Japan East—Tokyo

Asia Pacific—Seoul | South Korea

Asia Pacific | Southeast Asia—Singapore

Asia Pacific—Singapore | Singapore

Asia Pacific | West India—Mumbai

Asia Pacific | South India

Asia Pacific—Sydney | Australia

UAE North—Dubai

Asia Pacific – Melbourne | Australia

Asia Pacific | Australia Central—Canberra

Asia Pacific—Tokyo | Japan

South Africa—North

Africa—Cape Town

Canada Central—Montreal | Canada

Canada Central—Montreal | Canada

Canada East

EU—Frankfurt | Germany

Americas | Brazil South—Sao Paulo State

EU—Ireland | Dublin

Europe | France Central—Paris

EU—London | UK

Europe | North Europe—Ireland

EU—Stockholm | Sweden

Europe | UK South—London

South America—Sao Paulo | Brazil

Europe | West Europe—Netherlands

US East—Northern Virginia | USA

Americas | East US—Virginia

US West—Northern California | USA

Americas | West US—California

US West—Oregon | USA

Americas | West US 2—Washington

Customer Responsibilities

  • Manage the allowed access list with the customer’s source public IP ranges for management access to the controllers.

  • Renew controller certificates on time.

  • Before making any changes in the Cisco Catalyst SD-WAN Portal, take an on-demand snapshot using the Take an On-Demand Snapshot procedure, and a configuration backup using the Back Up the Active Cisco SD-WAN Manager procedure.

  • Upgrade the software.

    • You can open a TAC case for the following:

      • If you face any issues with software upgrade.

      • If you want any rollback.

    • The Cisco SD-WAN Validator and Cisco SD-WAN Controller are stateless services. Therefore, you do not need to take backups for these services. Cisco SD-WAN Manager automatically pushes the configurations once they are attached to templates.

      We recommend that customers create and attach templates to the Cisco SD-WAN Validators and Cisco SD-WAN Controller instead, so the Cisco SD-WAN Manager backups automatically include the configuration backup of the controllers.

    • The Cisco Catalyst SD-WAN support teams may cover the software upgrade for complex deployments such as clusters and multitenant fabric. However, this support is not available for single-tenant single-node fabric.

    • It is the responsibility of a customer to upgrade the software version of an edge device. For the compatible versions of edge devices based on controller versions, see Cisco SD-WAN Controller Compatibility Matrix.

  • Respond to the notifications sent by Cisco CloudOps to authorize the service window, instance reboot, review, or verify changes carried out by Cisco CloudOps.

  • For a dedicated fabric, configure the third interface on Cisco SD-WAN Manager with a static IP address or a DHCP-assigned IP address to use it for the SD-AVC feature. By default, the third interface is in the shut state.

  • Open a TAC case to arrange a service window when you receive a notification from Cisco CloudOps. Some operations can be performed only with the consent of the customer.

  • Create Smart Accounts (SA) or Virtual Accounts (VA) on software.cisco.com and attach Cisco Catalyst SD-WAN subscribed devices to the SA or VA.

  • Define device configuration templates and policies through Cisco SD-WAN Manager.

  • Perform other activities that require logging in to Cisco SD-WAN Manager.

  • For shared-tenant fabric, open a Cisco TAC support case if you need specific software versions to be added in the Cisco SD-WAN Manager software repository.

Your failure to meet the responsibilities outlined in this section will invalidate the SD-WAN Cloud SLA, including any guaranteed service uptimes.

Responsibilities of Cisco CloudOps

Fabric Provisioning

  • Provision cloud-hosted controllers for your Cisco Catalyst SD-WAN fabric, configure a unique admin password with an expiry time of a week, and hand over Cisco SD-WAN Manager to the customer.

  • Configure Cisco SD-WAN Manager with a default template and policy, when customers choose the default template and policy push option on the sales order.

  • Create and manage single-tenant and multitenant clusters as needed.

  • Manage tenants on multitenant fabric (direct enterprise customers).

Monitor and Troubleshoot

Cisco CloudOps monitors the health of cloud-hosted fabric and troubleshoots if there are any issues.

  • Cisco CloudOps is backed by a real-time monitoring system that checks the health of Cisco Catalyst SD-WAN controllers and generates alerts. The check includes the health of Cisco SD-WAN Manager, application or web server, other micro services, and configuration or statistics databases.

  • Take proactive action for cloud infrastructure issues that are beyond the control of the users. Otherwise, notify the customer about the potential issues and request the customer to open a Cisco TAC support case for further investigation.

  • Manage alerts based on notifications from the cloud provider environments on instance up or down states and on CPU and network inactivity status.

  • Resolve the alerts proactively if doing so does not require downtime of the services. Notify the customer when services flap.

  • Send 30-, 15-, and 5-day notices to the customers to renew expiring certificates on Cisco SD-WAN Manager. Cisco Catalyst SD-WAN controller certificates have a validity of one year.

Cloud Infrastructure Support

  • Carry out disaster recovery workflows, including snapshot volumes or configurations. Restore Cisco SD-WAN Manager clusters based on volumes or configurations.

  • Provision custom subnetting to extend customer premises network into cloud-hosted fabric network.

  • Manage on-premises to cloud migrations.

Capacity Management

  • Monitor the growth of devices per fabric along with the controller instance capacity parameters such as CPU, disk, and memory utilizations. Follow a pre-set guideline to increase the capacity of the service instances as needed.