SD-AVC operates in a service/agent configuration. For details, see SD-AVC Architecture.
Network Service: The SD-AVC Network Service is installed as a virtualized component on a Cisco device service container, and operates on the device as a service. See: System Requirements: SD-AVC Network Service Host
Agent: Other devices in the network are enabled as agents, and communicate with the SD-AVC Network Service. See: Configuring Network Devices to Use SD-AVC
High Availability: SD-AVC supports a high availability (HA) configuration, using more than one SD-AVC Network Service. See: SD-AVC High Availability
Connectivity: Operating SD-AVC requires connectivity between the SD-AVC Network Service and the SD-AVC agents that operate on devices in the network. See: Configuring Connectivity
The following table briefly describes the steps to set up SD-AVC:
| Step | Setup Task | Section |
|---|---|---|
| 1 | Download the open virtual appliance (OVA) file for the SD-AVC Network Service, and install it on a host device accessible by other devices in the network. | |
| 2 | Enable the SD-AVC agent on Cisco devices in the network, pointing them to the SD-AVC Network Service set up in the previous step. (In a high availability setup, include more than one SD-AVC Network Service instance.) | |
| 3 | Configure connectivity, or optionally, secure connectivity. | See: Configuring Connectivity, Configuring Secure Connectivity |
The following table describes platform requirements for hosting the SD-AVC Network Service.
| Host | Memory | Storage | OS | CPU |
|---|---|---|---|---|
| Cisco ASR1001-X | M-ASR1001X-16GB | NIM-SSD and SSD-SATA-400G | Cisco IOS XE Everest 16.6.1 or later | — |
| Cisco ASR1002-X | M-ASR1002X-16GB | MASR1002X-HD-320G | Cisco IOS XE Everest 16.6.1 or later | — |
| Cisco ISR4431 | RAM: MEM-4400-4GU16G; Flash: MEM-FLASH-16G | NIM-SSD and SSD-MSATA-400G | Cisco IOS XE Everest 16.6.1 or later | — |
| Cisco ISR4451 | RAM: MEM-4400-4GU16G; Flash: MEM-FLASH-16G | NIM-SSD and SSD-MSATA-400G | Cisco IOS XE Everest 16.6.1 or later | — |
| Cisco Cloud Services Router CSR1000V | Minimum: 8 GB; Recommended: 8 GB | 20 GB | Cisco IOS XE Everest 16.6.1 or later | 4 cores |
Operating SD-AVC requires connectivity between various components.
SD-AVC network service and host
SD-AVC network service and agents
Connectivity to the SD-AVC Dashboard
This section describes the connectivity requirements. If secure connectivity is required, see: Configuring Secure Connectivity
Connectivity is required between the SD-AVC network service, which operates as a virtualized service, and the device hosting it. The host platform requires connectivity with the service through a virtual interface called VirtualPortGroup. The virtual service communicates with the host over this virtual interface, using SSH on TCP port 22.
Network devices operating with SD-AVC use an SD-AVC agent, which operates in the background on the device, to communicate with the central SD-AVC network service. Connectivity is required between each of these network devices and the SD-AVC network service (more than one network service in SD-AVC high availability configurations).
Ports
Communication between agent and service uses the following protocols and ports:
UDP: Port 50000
TCP: Ports 20, 21, 50000-60000
Firewalls and Access Lists
Ensure that communication is possible in both directions (agent to SD-AVC Network Service, SD-AVC Network Service to agent) on these ports for the relevant traffic. For example:
Firewall policy must enable communication in both directions.
If a network device has an access control list (ACL) configured, the ACL must permit communication between the SD-AVC Network Service and SD-AVC agents.
Connecting to the SD-AVC Dashboard (see Using SD-AVC) requires access to the device hosting the SD-AVC Network Service, and involves TCP traffic through port 8443. Ensure that network policy (firewall, ACL, and so on) permits this connectivity for devices requiring access to the SD-AVC Dashboard.
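The following Python script is an added example, not part of the Cisco documentation: it parses a small IOS-style extended ACL and reports which of the agent-to-service, service-to-agent and Dashboard flows listed above are not permitted end to end, applying first-match and implicit-deny semantics. The addresses, the ACL name SDAVC-SAMPLE and its entries are constructed sample data.

```python
"""Added example, not from the Cisco page: check that an IOS-style extended ACL
permits every SD-AVC flow listed above. Addresses and ACEs are constructed."""
import re
SERVICE_IP = "10.56.196.101"  # constructed: SD-AVC Network Service
AGENT_IP = "10.56.196.200"    # constructed: an SD-AVC agent router
ADMIN_PC = "192.0.2.10"       # constructed: PC that opens the Dashboard

# (proto, src, dst, first_port, last_port) for each flow the page requires
REQUIRED_FLOWS = [
    ("udp", AGENT_IP, SERVICE_IP, 50000, 50000), ("udp", SERVICE_IP, AGENT_IP, 50000, 50000),
    ("tcp", AGENT_IP, SERVICE_IP, 20, 21), ("tcp", SERVICE_IP, AGENT_IP, 20, 21),
    ("tcp", AGENT_IP, SERVICE_IP, 50000, 60000), ("tcp", SERVICE_IP, AGENT_IP, 50000, 60000),
    ("tcp", ADMIN_PC, SERVICE_IP, 8443, 8443),  # SD-AVC Dashboard
]

# Supported ACE form: permit|deny tcp|udp host S host D [eq P | range LO HI]
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(tcp|udp)\s+host\s+(\S+)\s+host\s+(\S+)"
                    r"(?:\s+eq\s+(\d+)|\s+range\s+(\d+)\s+(\d+))?\s*$")

def parse_acl(text):
    """ACEs in order as (action, proto, src, dst, lo, hi); lo=None means any port."""
    entries = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):  # skips remarks/header
        action, proto, src, dst, eq, lo, hi = m.groups()
        ports = (int(eq), int(eq)) if eq else (int(lo), int(hi)) if lo else (None, None)
        entries.append((action, proto, src, dst, *ports))
    return entries

def flow_permitted(entries, proto, src, dst, lo, hi):
    """First-match with implicit deny: the first ACE that touches the flow decides."""
    for action, p, s, d, elo, ehi in entries:
        if (p, s, d) != (proto, src, dst) or (elo is not None and (elo > hi or lo > ehi)):
            continue  # other hosts/protocol, or the ACE's ports do not overlap the flow
        return action == "permit" and (elo is None or elo <= lo <= hi <= ehi)
    return False

def missing_flows(acl_text, flows=REQUIRED_FLOWS):
    entries = parse_acl(acl_text)
    return [f for f in flows if not flow_permitted(entries, *f)]

SAMPLE_ACL = """ip access-list extended SDAVC-SAMPLE
 remark constructed sample; service-to-agent TCP range is deliberately too narrow
 permit udp host 10.56.196.200 host 10.56.196.101 eq 50000
 permit udp host 10.56.196.101 host 10.56.196.200 eq 50000
 permit tcp host 10.56.196.200 host 10.56.196.101 range 20 21
 permit tcp host 10.56.196.101 host 10.56.196.200 range 20 21
 permit tcp host 10.56.196.200 host 10.56.196.101 range 50000 60000
 permit tcp host 10.56.196.101 host 10.56.196.200 range 50000 55000
 permit tcp host 192.0.2.10 host 10.56.196.101 eq 8443
"""
```

Running `missing_flows(SAMPLE_ACL)` flags only the service-to-agent TCP 50000-60000 flow, because the sample ACE stops at 55000.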
When operating SD-AVC in a Cisco IWAN environment, the SD-AVC Network Service may be hosted on the hub master controller (MC) or on a router dedicated for the purpose of hosting the service.
In either case, verify that the host device meets the system requirements for hosting the SD-AVC Network Service (see System Requirements: SD-AVC Network Service Host). For information about installing the SD-AVC Network Service, see Installing the SD-AVC Network Service.
The SD-AVC Network Service operates as a virtualized service on a Cisco router. It is installed as an open virtual appliance (OVA) virtual machine container, and requires a few steps of configuration on the host router. After configuration is complete, you can check service status using the browser-based SD-AVC Dashboard.
| Task | Steps |
|---|---|
| System requirements | Step 1 |
| Installation | Steps 2 to 4 |
| Configuration | Step 5 |
| Activation | Step 6 |
| Verification | Steps 7 to 10 |
| Connecting to SD-AVC Dashboard | Step 11 |
Examples follow the steps below.
The following procedure installs the SD-AVC Network Service as a virtualized service on a Cisco router.
Step 1: Verify that the intended host device meets the system requirements. See System Requirements: SD-AVC Network Service Host.
Step 2: Download the OVA container for the SD-AVC Network Service from Cisco.com, using the Download Software tool. Specify a platform that supports hosting the SD-AVC virtual service, then navigate to software downloads for the platform. Select the "SD AVC Router Virtual Service" option to display available OVA files for SD-AVC.
Example filename: iosxe-sd-avc.1.1.0.ova
Step 3: Copy the downloaded OVA file onto the device that will host the SD-AVC Network Service. Copy to one of the following locations, depending on the platform type:
CSR1000V: bootflash
ASR1000 Series or ISR4000 Series: harddisk
harddisk refers to the SSD or HD specified in the system requirements for the platform (System Requirements: SD-AVC Network Service Host).
Step 4: On the host device, execute the following command to extract the OVA package and install the SD-AVC Network Service. By default, it is installed on the same storage device where the OVA package was saved.
service sd-avc install package disk-with-OVA:OVA-filename media location-for-OVA-expansion
Examples:
For CSR1000V router:
service sd-avc install package bootflash:iosxe-sd-avc.1.1.0.ova media bootflash
For ASR1000 Series or ISR4000 Series routers:
service sd-avc install package harddisk:iosxe-sd-avc.1.1.0.ova media harddisk
Step 5: Configure the SD-AVC Network Service.
Specify the router gateway interface that the virtualized service uses for external access.
Specify a user-selected external-facing service IP address for the SD-AVC Network Service. This address must be within the same subnet as the gateway interface address.
This step accomplishes the following:
Enables routers in the network to communicate with the SD-AVC Network Service.
Enables access to the browser-based SD-AVC Dashboard.
Note: Use this command only in scenarios in which the gateway interface is not attached to a VRF. If the gateway interface is attached to a VRF, use the steps described in Operating the SD-AVC Network Service with Host Interface Attached to a VRF.
| CLI keyword/argument | Description |
|---|---|
| activate | Activates the service immediately. Using this option during the configuration step is not recommended; activate the service in a separate step, as shown below. |
| preview | Previews the configuration without configuring or activating the service; the configuration is not sent to the device. Note: If the gateway interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF. Example output is shown after this table. |
| interface | Gateway interface: the device interface that the virtualized service uses for external access. Note: If the interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF for instructions for configuring the gateway. |
| service-ip-address | External-facing IP address; must be in the same subnet as the IP address of the gateway interface. Example: gateway interface 10.56.196.100, service-ip-address 10.56.196.101 |
Example output of the preview option:
! Virtual port configuration
interface VirtualPortGroup31
 description automatically created for sd-avc service by 'service sd-avc configure' exec command
 ip unnumbered gigabitEthernet1
end
! Virtual service configuration
virtual-service SDAVC
 description automatically created for sd-avc service by 'service sd-avc configure' exec command
 vnic gateway VirtualPortGroup31
  guest ip address 10.56.196.101
 exit
end
! Static route configuration
ip route 10.56.196.101 255.255.255.255 VirtualPortGroup31
Example:
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
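As an added example that is not Cisco code, the following Python function renders the same three stanzas that the preview option displays (VirtualPortGroup interface, virtual-service and static route) and enforces the same-subnet rule for service-ip before doing so. The interface name, addresses and the VirtualPortGroup number 31 are assumptions taken from the example above, and the check that service-ip differs from the gateway address is an added sanity check rather than a rule from this page.

```python
"""Added example, not Cisco code: render the stanzas that the 'preview' option of
'service sd-avc configure' shows, after checking the same-subnet rule for service-ip.
Interface name, addresses and the VirtualPortGroup number are assumptions."""
import ipaddress

DESC = "automatically created for sd-avc service by 'service sd-avc configure' exec command"

def check_service_ip(gateway_cidr, service_ip):
    """Page rule: service-ip must be in the gateway interface's subnet.
    Added sanity check: it must not equal the gateway interface address itself."""
    gw = ipaddress.ip_interface(gateway_cidr)
    svc = ipaddress.ip_address(service_ip)
    return svc in gw.network and svc != gw.ip

def render_sdavc_config(gateway_if, gateway_cidr, service_ip, vpg_number=31):
    """Return the VirtualPortGroup, virtual-service and static-route stanzas.
    gateway_cidr is the gateway address with prefix length, e.g. '10.56.196.100/24'."""
    if not check_service_ip(gateway_cidr, service_ip):
        raise ValueError(f"service-ip {service_ip} is not usable on {gateway_if} "
                         f"({ipaddress.ip_interface(gateway_cidr).network})")
    vpg = f"VirtualPortGroup{vpg_number}"
    return "\n".join([
        "! Virtual port configuration",
        f"interface {vpg}",
        f" description {DESC}",
        f" ip unnumbered {gateway_if}",
        "end",
        "! Virtual service configuration",
        "virtual-service SDAVC",
        f" description {DESC}",
        f" vnic gateway {vpg}",
        f"  guest ip address {service_ip}",
        " exit",
        "end",
        "! Static route configuration",
        f"ip route {service_ip} 255.255.255.255 {vpg}",  # /32 host route via the VPG
    ])

if __name__ == "__main__":
    print(render_sdavc_config("gigabitEthernet1", "10.56.196.100/24", "10.56.196.101"))
```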
Step 6: Activate the service.
service sd-avc activate
Example:
service sd-avc activate
Step 7: Verify that the status of the SD-AVC Network Service is activated.
service sd-avc status
If installation and activation were successful, the displayed status is:
SDAVC service is installed, configured and activated
Step 8: Save the new configuration.
copy running-config startup-config
Step 9: Ping the service IP configured in a previous step to verify that it is reachable.
Step 10: Verify that SSH is enabled on the host device. Details vary according to different scenarios, but the following is a helpful reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
Example (uses SSH local authentication):
aaa new-model
!
aaa authentication login default local
username cisco privilege 15 password cisco
ip domain name cisco.com
crypto key generate rsa
Step 11: Wait several minutes for the service to become fully active, then use a Chrome browser to access the browser-based SD-AVC Dashboard, at the following URL, which uses the service-ip configured in an earlier step and port 8443. The SD-AVC Dashboard uses the same authentication as the platform hosting the SD-AVC Network Service.
https://<service-ip>:8443
Note: Accessing the SD-AVC Dashboard requires connectivity from the PC you are using to access the SD-AVC interface.
The following is an example of the CLI steps used to install the SD-AVC Network Service on a Cisco CSR1000V Cloud Services Router. For this router, the first step includes “bootflash” as the location for extracting the OVA.
service sd-avc install package bootflash:iosxe-sd-avc.1.1.0.ova media bootflash
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
service sd-avc activate
service sd-avc status
copy running-config startup-config
The following is an example of the CLI steps used to install the SD-AVC Network Service on a Cisco ASR1000 Series or ISR4000 Series Router. For these routers, the first step includes “harddisk” as the location for extracting the OVA.
service sd-avc install package harddisk:iosxe-sd-avc.1.1.0.ova media harddisk
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
service sd-avc activate
service sd-avc status
copy running-config startup-config
Use the following procedure to upgrade the SD-AVC Network Service on the router hosting the service.
Deactivate the service. This step stops the service but does not erase the database of compiled application data.
service sd-avc deactivate
Verify that the service has been deactivated.
service sd-avc status
The following output confirms that the service has been deactivated:
Service SDAVC is installed, configured and deactivated
On the host router, execute the following command to extract and install the OVA package. By default, it is installed on the same storage device where the OVA package is stored.
service sd-avc upgrade package disk-with-OVA:OVA-filename media location-for-OVA-expansion
| CLI keyword/argument | Description |
|---|---|
| disk-with-OVA | The storage location where the OVA was copied in a previous step, according to the platform type: CSR1000V: bootflash; ASR1000 Series or ISR4000 Series: harddisk |
| OVA-filename | Downloaded OVA file. |
| location-for-OVA-expansion | The location where the OVA is expanded, according to the platform type: CSR1000V: bootflash; ASR1000 Series or ISR4000 Series: harddisk |
Examples:
For Cisco CSR1000V router:
service sd-avc upgrade package bootflash:iosxe-sd-avc.1.1.0.ova media bootflash
For Cisco ASR1000 Series or ISR4000 Series routers:
service sd-avc upgrade package harddisk:iosxe-sd-avc.1.1.0.ova media harddisk
(Optional) During the upgrade process, view the service status.
service sd-avc status
During the upgrade, the following output indicates that the service is being installed:
Service SDAVC is installing..., configured and deactivated
The following output indicates that the upgrade is complete:
Service SDAVC is installed, configured and deactivated
Activate the service.
service sd-avc activate
Example:
service sd-avc activate
Verify that the status of the SD-AVC Network Service is activated.
service sd-avc status
If upgrade and activation were successful, the displayed status is:
SDAVC service is installed, configured and activated