Installing or Upgrading the SD-AVC Network Service

Installation Overview

SD-AVC operates in a service/agent configuration. For details, see SD-AVC Architecture.

  • Network Service: The SD-AVC Network Service is installed as a virtualized component on a Cisco device service container, and operates on the device as a service. See: System Requirements: SD-AVC Network Service Host

  • Agent: Other devices in the network are enabled as agents, and communicate with the SD-AVC Network Service. See: Configuring Network Devices to Use SD-AVC

  • High Availability: SD-AVC supports a high availability (HA) configuration, using more than one SD-AVC Network Service. See: SD-AVC High Availability

  • Connectivity: Operating SD-AVC requires connectivity between the SD-AVC Network Service and the SD-AVC agents that operate on devices in the network. See: Configuring Connectivity

Summary of Setup

The following table briefly describes the steps to set up SD-AVC:

Table 1 Setup

  1. Setup task: Download the open virtual appliance (OVA) file for the SD-AVC Network Service, and install it on a host device accessible by other devices in the network.
     Section: see Installing the SD-AVC Network Service

  2. Setup task: Enable the SD-AVC agent on Cisco devices in the network, pointing them to the SD-AVC Network Service set up in the previous step. (In a high availability setup, include more than one SD-AVC Network Service instance.)
     Section: see Configuring Network Devices

  3. Setup task: Configure connectivity, or optionally, secure connectivity.
     Section: see Configuring Connectivity, Configuring Secure Connectivity

System Requirements: SD-AVC Network Service Host

The following table describes platform requirements for hosting the SD-AVC Network Service.

Table 2 SD-AVC Network Service Host Requirements

Host                                  Memory                                      Storage                     OS                                    CPU
Cisco ASR1001-X                       M-ASR1001X-16GB                             NIM-SSD and SSD-SATA-400G   Cisco IOS XE Everest 16.6.1 or later
Cisco ASR1002-X                       M-ASR1002X-16GB                             MASR1002X-HD-320G           Cisco IOS XE Everest 16.6.1 or later
Cisco ISR4431                         RAM: MEM-4400-4GU16G, Flash: MEM-FLASH-16G  NIM-SSD and SSD-MSATA-400G  Cisco IOS XE Everest 16.6.1 or later
Cisco ISR4451                         RAM: MEM-4400-4GU16G, Flash: MEM-FLASH-16G  NIM-SSD and SSD-MSATA-400G  Cisco IOS XE Everest 16.6.1 or later
Cisco Cloud Services Router CSR1000V  Minimum: 8 GB, Recommended: 8 GB            20 GB                       Cisco IOS XE Everest 16.6.1 or later  4 cores

Configuring Connectivity

Operating SD-AVC requires connectivity between various components.

  • SD-AVC network service and host

  • SD-AVC network service and agents

  • Connectivity to the SD-AVC Dashboard

This section describes the connectivity requirements. If secure connectivity is required, see: Configuring Secure Connectivity

SD-AVC Network Service and Host

Connectivity is required between the SD-AVC network service, which operates as a virtualized service, and the device hosting it. The host platform requires connectivity with the service through a virtual interface called VirtualPortGroup. The virtual service communicates with the host over this virtual interface, using SSH on TCP port 22.

SD-AVC Network Service and Agents

Network devices operating with SD-AVC use an SD-AVC agent, which operates in the background on the device, to communicate with the central SD-AVC network service. Connectivity is required between each of these network devices and the SD-AVC network service (more than one network service in SD-AVC high availability configurations).

  • Ports

    Communication between agent and service uses the following protocols and ports:

    • UDP: Port 50000

    • TCP: Ports 20, 21, 50000-60000

  • Firewalls and Access Lists

    Ensure that communication is possible in both directions (agent to SD-AVC Network Service, SD-AVC Network Service to agent) on these ports for the relevant traffic. For example:

    • Firewall policy must enable communication in both directions.

    • If a network device has an access control list (ACL) configured, the ACL must permit communication between the SD-AVC Network Service and SD-AVC agents.

Connectivity to the SD-AVC Dashboard

Connecting to the SD-AVC Dashboard (see Using SD-AVC) requires access to the device hosting the SD-AVC Network Service, and involves TCP traffic through port 8443. Ensure that network policy (firewall, ACL, and so on) permits this connectivity for devices requiring access to the SD-AVC Dashboard.
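
One way to audit a firewall or ACL rule set against the port requirements in this section, as an added example (not Cisco code). The rule format, function names and sample addresses are hypothetical and constructed for illustration; the page does not state which end listens on each port, so a rule's port range is simply compared with the listed ports.

```python
from ipaddress import ip_address, ip_network

# Ports this page lists for agent <-> service traffic (needed in both directions) and the Dashboard.
AGENT_SERVICE = [("udp", 50000, 50000), ("tcp", 20, 21), ("tcp", 50000, 60000)]
DASHBOARD = ("tcp", 8443, 8443)

def permits(rules, src, dst, proto, lo, hi):
    """True if one permit rule covers src -> dst for the whole port range lo..hi."""
    for r in rules:
        if (r["proto"] == proto
                and ip_address(src) in ip_network(r["src"])
                and ip_address(dst) in ip_network(r["dst"])
                and r["ports"][0] <= lo and hi <= r["ports"][1]):
            return True
    return False

def missing_flows(rules, service_ip, agents, dashboard_clients):
    """Return the required (src, dst, proto, lo, hi) flows that no rule permits."""
    required = []
    for agent in agents:
        for proto, lo, hi in AGENT_SERVICE:
            required.append((agent, service_ip, proto, lo, hi))  # agent -> service
            required.append((service_ip, agent, proto, lo, hi))  # service -> agent
    for client in dashboard_clients:
        required.append((client, service_ip, *DASHBOARD))
    return [flow for flow in required if not permits(rules, *flow)]

# Constructed sample policy: permit rules only (hypothetical format).
SERVICE_IP = "10.56.196.146"
RULES = [
    {"src": "10.10.0.0/16", "dst": "10.56.196.146/32", "proto": "udp", "ports": (50000, 50000)},
    {"src": "10.10.0.0/16", "dst": "10.56.196.146/32", "proto": "tcp", "ports": (20, 21)},
    {"src": "10.10.0.0/16", "dst": "10.56.196.146/32", "proto": "tcp", "ports": (50000, 60000)},
    {"src": "10.56.196.146/32", "dst": "10.10.0.0/16", "proto": "udp", "ports": (50000, 50000)},
    # Return direction only partly opened: TCP 20-21 missing, high range cut short.
    {"src": "10.56.196.146/32", "dst": "10.10.0.0/16", "proto": "tcp", "ports": (50000, 55000)},
    {"src": "10.20.5.0/24", "dst": "10.56.196.146/32", "proto": "tcp", "ports": (8443, 8443)},
]

if __name__ == "__main__":
    for flow in missing_flows(RULES, SERVICE_IP, ["10.10.1.1"], ["10.20.5.7"]):
        print("not permitted:", flow)
```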

Using SD-AVC with Cisco IWAN

When operating SD-AVC in a Cisco IWAN environment, the SD-AVC Network Service may be hosted on the hub master controller (MC) or on a router dedicated for the purpose of hosting the service.

In either case, verify that the host device meets the system requirements for hosting the SD-AVC Network Service (see System Requirements: SD-AVC Network Service Host). For information about installing the SD-AVC Network Service, see Installing the SD-AVC Network Service.

Installing the SD-AVC Network Service

The SD-AVC Network Service operates as a virtualized service on a Cisco router. It is installed as an open virtual appliance (OVA) virtual machine container, and requires a few steps of configuration on the host router. After configuration is complete, you can check service status using the browser-based SD-AVC Dashboard.

Table 3 Overview of Installation Steps

Task                              Steps
System requirements               Step 1
Installation                      Steps 2 to 4
Configuration                     Step 5
Activation                        Step 6
Verification                      Steps 7 to 10
Connecting to SD-AVC Dashboard    Step 11

Examples follow the steps below.

Installation Procedure

The following procedure installs the SD-AVC Network Service as a virtualized service on a Cisco router.

  1. Verify that the intended host device meets the system requirements. See System Requirements: SD-AVC Network Service Host.

  2. Download the OVA container for the SD-AVC Network Service from Cisco.com, using the Download Software tool. Specify a platform that supports hosting the SD-AVC virtual service, then navigate to software downloads for the platform. Select the "SD AVC Router Virtual Service" option to display available OVA files for SD-AVC.

    Example filename: iosxe-sd-avc.1.1.0.ova

  3. Copy the downloaded OVA file onto the device that will host the SD-AVC Network Service. Copy to one of the following locations, depending on the platform type:

    • CSR: bootflash

    • ASR1000 Series or ISR4000 Series: harddisk

  4. On the host device, execute the following command to extract the OVA package and install the SD-AVC Network Service. By default, it is installed on the same storage device where the OVA package was saved.

    service sd-avc install package disk-with-OVA:OVA-filename media location-for-OVA-expansion

    Table 4 Command Details

    CLI keyword/argument
        Description

    disk-with-OVA
        Specify one of the following, according to the platform type. The location refers to where the OVA was saved in a previous step.

        • CSR: bootflash

        • ASR1000 Series or ISR4000 Series: harddisk

    OVA-filename
        Downloaded OVA file.

    location-for-OVA-expansion
        Specify one of the following, according to the platform type:

        • CSR: bootflash

        • ASR1000 Series or ISR4000 Series: harddisk

        Note: On ASR1000 and ISR4000 platforms, the CLI may allow you to incorrectly specify the bootflash for the disk-with-OVA, but for these platforms, specifying the bootflash as the location will cause this step to fail. On these platforms, specify only the hard disk for disk-with-OVA location.

    Examples:

    • For CSR1000V router:

      service sd-avc install package bootflash:iosxe-sd-avc.1.1.0.ova media bootflash
      
    • For ASR1000 Series or ISR4000 Series routers:

      service sd-avc install package harddisk:iosxe-sd-avc.1.1.0.ova media harddisk
      
  5. Configure the SD-AVC Network Service.

    • Specify the router gateway interface that the virtualized service uses for external access.

    • Specify a user-selected external-facing service IP address for the SD-AVC Network Service. This address must be within the same subnet as the gateway interface address.

    This step accomplishes the following:

    • Enables routers in the network to communicate with the SD-AVC Network Service.

    • Enables access to the browser-based SD-AVC Dashboard.


    Note


    Use this command only in scenarios in which the gateway interface is not attached to a VRF. If the gateway interface is attached to a VRF, use the steps described in Operating the SD-AVC Network Service with Host Interface Attached to a VRF.


    service sd-avc configure gateway interface interface service-ip service-ip-address [activate | preview]

    Table 5 Command Details

    CLI keyword/argument
        Description

    activate
        Activates the service immediately. It is not typically recommended to use this option during this configuration step. Execute the activate option in a separate step, as shown below.

    preview
        Preview the configuration without configuring or activating the service. When using this option, the configuration is not sent to the device.

        Note: If the gateway interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF.

        Example output:

        ! Virtual port configuration
        interface VirtualPortGroup31
          description automatically created for sd-avc service by 'service sd-avc configure' exec command
          ip unnumbered gigabitEthernet1
        end

        ! Virtual service configuration
        virtual-service SDAVC
          description automatically created for sd-avc service by 'service sd-avc configure' exec command
          vnic gateway VirtualPortGroup31
            guest ip address 10.56.196.101
          exit
        end

        ! Static route configuration
        ip route  10.56.196.101 255.255.255.255 VirtualPortGroup31

    interface
        Gateway interface: The device interface that the virtualized service uses for external access.

        Note: If the interface is attached to a VRF, see Operating the SD-AVC Network Service with Host Interface Attached to a VRF for instructions for configuring the gateway.

    service-ip-address
        External-facing IP address, must be in the same subnet as the IP of the gateway interface.

        Example:

        Gateway interface: 10.56.196.100

        service-ip-address: 10.56.196.101

    Example:

    service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
    
    
  6. Activate the service.

    service sd-avc activate

    Example:

    service sd-avc activate
    
  7. Verify that the status of the SD-AVC Network Service is activated.

    service sd-avc status

    If installation and activation were successful, the displayed status is:

    SDAVC service is installed, configured and activated
    
    
  8. Save the new configuration.

    copy running-config startup-config

  9. Ping the service IP configured in a previous step to verify that it is reachable.

  10. Verify that SSH is enabled on the host device. Details vary according to different scenarios, but the following is a helpful reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

    Example (uses SSH local authentication):

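    ! Enable AAA and authenticate logins against the local user database
    aaa new-model
    !
    aaa authentication login default local
    ! Example credentials only: the SD-AVC Dashboard uses the same authentication
    ! as this host, so set a unique username and a strong password
    username cisco privilege 15 password cisco
    ! A domain name must be defined before the RSA key pair for SSH is generated
    ip domain name cisco.com
    crypto key generate rsa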
    
    
  11. Wait several minutes for the service to become fully active, then use a Chrome browser to access the browser-based SD-AVC Dashboard, at the following URL, which uses the service-ip configured in an earlier step and port 8443. The SD-AVC Dashboard uses the same authentication as the platform hosting the SD-AVC Network Service.

    https://<service-ip>:8443


    Note


    Accessing the SD-AVC Dashboard requires connectivity from the PC you are using to access the SD-AVC interface.


Installation Example for CSR1000V Router

The following is an example of the CLI steps used to install the SD-AVC Network Service on a Cisco CSR1000V Cloud Services Router. For this router, the first step includes “bootflash” as the location for extracting the OVA.

service sd-avc install package bootflash:iosxe-sd-avc.1.1.0.ova media bootflash
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
service sd-avc activate
service sd-avc status
copy running-config startup-config

Installation Example for ASR1000 Series or ISR4000 Series Routers

The following is an example of the CLI steps used to install the SD-AVC Network Service on a Cisco ASR1000 Series or ISR4000 Series Router. For these routers, the first step includes “harddisk” as the location for extracting the OVA.

service sd-avc install package harddisk:iosxe-sd-avc.1.1.0.ova media harddisk
service sd-avc configure gateway interface gigabitEthernet1 service-ip 10.56.196.146
service sd-avc activate
service sd-avc status
copy running-config startup-config
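
The two constraints that make the installation steps fail (the wrong storage keyword for the platform, and a service IP outside the gateway interface's subnet) can be checked before any command is sent. The following pre-flight sketch is an added example, not Cisco code; the function names and platform keys are hypothetical, and the /24 prefix used in the demo is an assumption because the page gives no mask.

```python
from ipaddress import ip_address, ip_interface

# Storage keyword per platform type, as listed in the command tables on this page.
DISK = {"CSR": "bootflash", "ASR1000": "harddisk", "ISR4000": "harddisk"}

def check_service_ip(gateway_cidr, service_ip):
    """Return a list of problems with service_ip for a gateway given as 'address/prefix'."""
    gw = ip_interface(gateway_cidr)
    ip = ip_address(service_ip)
    problems = []
    if ip not in gw.network:
        problems.append(f"{ip} is outside gateway subnet {gw.network}")
    elif ip in (gw.network.network_address, gw.network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {gw.network}")
    if ip == gw.ip:
        # Extra sanity check (not from the page): the service needs its own address.
        problems.append(f"{ip} is the gateway interface's own address")
    return problems

def install_commands(platform, ova, interface, gateway_cidr, service_ip):
    """Build the install sequence from the procedure, refusing inputs that would fail."""
    if platform not in DISK:
        raise ValueError(f"unknown platform {platform!r}")
    problems = check_service_ip(gateway_cidr, service_ip)
    if problems:
        raise ValueError("; ".join(problems))
    disk = DISK[platform]  # same keyword for the OVA location and the expansion media
    return [
        f"service sd-avc install package {disk}:{ova} media {disk}",
        f"service sd-avc configure gateway interface {interface} service-ip {service_ip}",
        "service sd-avc activate",
        "service sd-avc status",
        "copy running-config startup-config",
    ]

if __name__ == "__main__":
    # Addresses from the page's example; the /24 prefix is assumed.
    for line in install_commands("CSR", "iosxe-sd-avc.1.1.0.ova",
                                 "gigabitEthernet1", "10.56.196.100/24", "10.56.196.101"):
        print(line)
```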

Upgrading the SD-AVC Network Service

Use the following procedure to upgrade the SD-AVC Network Service on the router hosting the service.

  1. Deactivate the service. This step stops the service but does not erase the database of compiled application data.

    service sd-avc deactivate

  2. Verify that the service has been deactivated.

    service sd-avc status

    The following output confirms that the service has been deactivated:

    Service SDAVC is installed, configured and deactivated
    
    
  3. On the host router, execute the following command to extract and install the OVA package. By default, it is installed on the same storage device where the OVA package is stored.

    service sd-avc upgrade package disk-with-OVA:OVA-filename media location-for-OVA-expansion

    Table 6 Command Details

    CLI keyword/argument
        Description

    disk-with-OVA
        Specify one of the following, according to the platform type. The location refers to where the OVA was stored in a previous step.

        • CSR: bootflash

        • ASR1000 Series or ISR4000 Series: harddisk

    OVA-filename
        Downloaded OVA file.

    location-for-OVA-expansion
        Specify one of the following, according to the platform type:

        • CSR: bootflash

        • ASR1000 Series or ISR4000 Series: harddisk

        Note: On ASR1000 and ISR4000 platforms, the CLI may allow you to specify the bootflash for the disk-with-OVA, but on these platforms, specifying the bootflash as the location will cause this step to fail. On these platforms, specify only the hard disk for disk-with-OVA location.

    Examples:

    • For Cisco CSR1000V router:

      service sd-avc upgrade package bootflash:iosxe-sd-avc.1.1.0.ova media bootflash
      
    • For Cisco ASR1000 Series or ISR4000 Series routers:

      service sd-avc upgrade package harddisk:iosxe-sd-avc.1.1.0.ova media harddisk
      
  4. (Optional) During the upgrade process, view the service status.

    service sd-avc status

    During the upgrade, the following output indicates that the service is being installed:

    Service SDAVC is installing..., configured and deactivated
    
    

    The following output indicates that the upgrade is complete:

    Service SDAVC is installed, configured and deactivated
    
    
  5. Activate the service.

    service sd-avc activate

    Example:

    service sd-avc activate
    
    
  6. Verify that the status of the SD-AVC Network Service is activated.

    service sd-avc status

    If upgrade and activation were successful, the displayed status is:

    SDAVC service is installed, configured and activated
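
When the upgrade is scripted, each step should be gated on the status line rather than on a timer. The following is an added example (not Cisco code) that parses the status strings shown on this page, in both of the phrasings that appear here, and returns the next step of the upgrade procedure; the function names and the upgrade_issued flag are hypothetical.

```python
import re

# Matches both phrasings shown on this page, for example:
#   "SDAVC service is installed, configured and activated"
#   "Service SDAVC is installing..., configured and deactivated"
STATUS_RE = re.compile(
    r"^(?:Service SDAVC|SDAVC service) is (?P<install>installed|installing)(?:\.\.\.)?"
    r", configured and (?P<run>activated|deactivated)$")

def parse_status(line):
    """Return (install_state, run_state); raise ValueError on unrecognised output."""
    m = STATUS_RE.match(line.strip())
    if not m:
        # Fail closed: never guess the state from output the script does not understand.
        raise ValueError(f"unrecognised status line: {line!r}")
    return m.group("install"), m.group("run")

def next_upgrade_step(line, upgrade_issued):
    """Decide the next action in the upgrade procedure from one status line.

    upgrade_issued: True once 'service sd-avc upgrade package ...' has been sent.
    """
    install, run = parse_status(line)
    if install == "installing":
        return "wait"                       # package still being installed
    if run == "activated":
        return "done" if upgrade_issued else "deactivate"
    return "activate" if upgrade_issued else "upgrade"

if __name__ == "__main__":
    # Status lines copied from this page, in the order the procedure produces them.
    walk = [
        ("SDAVC service is installed, configured and activated", False),
        ("Service SDAVC is installed, configured and deactivated", False),
        ("Service SDAVC is installing..., configured and deactivated", True),
        ("Service SDAVC is installed, configured and deactivated", True),
        ("SDAVC service is installed, configured and activated", True),
    ]
    for line, issued in walk:
        print(f"{next_upgrade_step(line, issued):10} <- {line}")
```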