Ordering, Validation, and Account Management


Note


To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.


Role of Cisco Plug and Play

Cisco Plug and Play replaces the legacy process of Cisco Catalyst SD-WAN Salesforce (SFDC).

Refer to the following guide for information about Cisco Catalyst SD-WAN Plug and Play:

Provisioning of Cisco Catalyst SD-WAN Cloud-Hosted Controllers

The Cisco CloudOps system allows creation of the Cisco Catalyst SD-WAN cloud-hosted controllers for a sales order after the following conditions are met:

  1. The sales order that has the cloud subscription licenses for edge nodes and the controller SKU for the controller provisioning.

  2. Cisco Catalyst SD-WAN items in the sales order are marked as Shipped.

  3. The sales order is assigned to an active Smart Account (SA), and, within that SA, to a Virtual Account (VA).

Cisco PNP Configuration for Shared Overlay Deployments

The customer allows external management of their virtual account (VA). Cisco CloudOps accepts virtual account management to keep Cisco Digital Network Architecture (DNA) subscriptions still in the customer VA. It creates the overlay based on this mapping.

Figure 1. Customer Virtual Account Management

Ordering

License Types and Ordering Information

There are three types of licenses and contracts.

  • A La Carte: Customer purchases each Cisco Catalyst SD-WAN Controller stock keeping unit (SKU) separately.

  • Enterprise Agreement (EA): Customer purchases an EA bundle that includes Cisco Catalyst SD-WAN Controller SKUs. However, it is not available at present. A la carte license for controllers must be used for cloud controller provisioning along with an EA contract.

  • Managed Services License Agreement (MSLA): Customer purchases an MSLA contract that includes Cisco Catalyst SD-WAN Controller SKUs. However, it is not available at present.

EA Ordering

For provisioning a Cisco Catalyst SD-WAN cloud-hosted controller for an Enterprise Agreement (EA) customer, do the following:

  1. Place a request on the EA Workspace (EAWS).

  2. The Cisco CloudOps team validates the order details and provisions the overlay or directs you to Cisco Catalyst SD-WAN Portal for overlay provisioning.

Validation

Complimentary Cisco Catalyst SD-WAN Cloud Controller SKU

Cisco CloudOps validates complimentary controller provisioning based on controller stock keeping units (SKUs) by checking the following items:

  • Number of Cisco Digital Network Architecture (Cisco DNA) subscriptions that support the corresponding network scale (mandatory Cisco Catalyst SD-WAN subscription)

  • Correct selection of controller SKUs for the corresponding network scale (number of devices)

If both the items are available and if they are compatible, Cisco CloudOps contacts the customer to gather more details required for controller provisioning. For this, the Cisco CloudOps team uses the contact information provided in the new order. When the required information is received from the customer, Cisco CloudOps proceeds with provisioning the cloud controllers.

Figure 2. Complimentary Cisco Catalyst SD-WAN Cloud Controller SKU Workflow

Non-Complimentary Cisco Catalyst SD-WAN Controller SKU

Cisco CloudOps validates non-complimentary controller provisioning based on controller stock keeping units (SKUs) by checking the following item:

  • Correct selection of controller SKUs for the corresponding network scale (number of devices)

If the selected controller SKUs are compatible with the corresponding network scale, Cisco CloudOps contacts the customer to gather more details required for controller provisioning. For this, the Cisco CloudOps team uses the contact information provided in the new order. When the required information is received from the customer, Cisco CloudOps proceeds with provisioning the cloud controllers.

Figure 3. Non-Complimentary Cisco Catalyst SD-WAN Controller SKU Workflow

New Controllers in an Existing Overlay

Cisco CloudOps validates adding more computing resources (scale horizontally or vertically) based on controller stock keeping units (SKUs) by checking the following items:

  • Correct selection of controller SKUs for the corresponding network scale (number of devices)

  • Number of Cisco Digital Network Architecture (Cisco DNA) subscription that supports the corresponding network scale (mandatory Cisco Catalyst SD-WAN subscription for complimentary SKUs)

  • The maintenance window because it requires downtime

Figure 4. New Controllers in an Existing Overlay Workflow

Controller in Certified Environment

Cisco CloudOps validates certified controller provisioning based on controller stock keeping units (SKUs) by checking the following items: :

  • Correct selection of certified controller SKUs for the corresponding network scale (number of devices).

  • CloudOps cross-checks for an order based on controller SKUs or existing controllers.

  • The maintenance window because it requires downtime.

If the selected certified controller SKUs are compatible with both the selected controller SKUs or the existing controller and the network scale, Cisco CloudOps contacts the customer to gather more details required for controller provisioning. For this, the Cisco CloudOps team uses the contact information provided in the new order. When the required information is received from the customer, Cisco CloudOps proceeds with provisioning the cloud controllers.

Figure 5. Controller in Certified Environment Workflow

Account Management

Transfer Overlay to Another Account

To move an overlay from one Smart Account (SA) or Virtual Account (VA) to another SA or VA:

  • Open a Cisco TAC support case for the migration request.

  • Specify the SA and VA details for both the source and destination in the Cisco TAC case.

There is no downtime expected for this migration.

You can move the device serial numbers to the new SA or VA using the PNP Transfer Selected button, or you can open a Cisco TAC support case for assistance.

The functionality and the following details of the overlay do not change during this migration:

  1. Organization name

  2. Cisco SD-WAN Validator, Cisco SD-WAN Manager, or Cisco SD-WAN Controller DNS name

  3. All current IPs assigned to all controllers

  4. The entire Cisco SD-WAN Manager configuration, including certificates

  5. Current allowed list of IP addresses

After the overlay migration, you may need to update the SA credentials configured in the Cisco SD-WAN Manager settings.

On-Premises to Cloud Migration Process Details

In the case, where an existing on-premise Cisco Catalyst SD-WAN overlay needs to be migrated to Cisco-provisioned cloud-hosted controllers, the process is outlined below:


Note


This migration process is only supported for on-premise single tenant overlays to a cloud-hosted single tenant overlay controller set. This migration is not supported for shared tenant or multi-tenant overlays.


Overall Process

  • Purchase Cisco DNA subscriptions for cloud and controller SKUs for cloud.

  • You must open a Cisco TAC support case with the Cisco CloudOps team and request for the on-premises to cloud migration.

  • You must provide details about the following:

    • Existing Smart Account (SA) and Virtual Account (VA) where the on-premises overlay controller profile is created.

    • The sales order number where cloud subscriptions were purchased.

    • Current on-premises configured organization name of overlay.

    • Choice of the required cloud type.

    • Choice of the required primary and secondary region of provisioning.

    • Single email address as contact for receiving alert notifications and other communications from the Cisco CloudOps team (team email address is preferred).

    • Optional choice of hostname for the FQDN of the Cisco SD-WAN Manager and the Cisco SD-WAN Validator to be provisioned.

    • Optional choice of custom private IP subnets required for TACACS/AAA/Syslog or other such use cases (provide a /24 IP prefix for each of the two regions of provisioning).

    • Current on-premises overlay fabric size in terms of number of edges deployed.

    • Current on-premises overlay Cisco SD-WAN Manager, Cisco SD-WAN Validator, and Cisco SD-WAN Controller instances running software versions.

    • Current on-premises overlay controller certificate source (Cisco/Symantec/Enterprise) root CA.

    • Configuration database backup copy from the current on-premises overlay Cisco SD-WAN Manager.


      Note


      You can either reset the Cisco SD-WAN Manager configuration database password to the default and then take the backup, or take the backup with your configured password and share that password on the Cisco TAC case.


    • Copy of the running configuration from the current on-premises overlay Cisco SD-WAN Manager

      .
    • Range of system-IP addresses to be used for cloud-hosted controllers (should be an unused range within the current on-premises Cisco Catalyst SD-WAN fabric).

  • The Cisco CloudOps team provisions the cloud-hosted controller set, installs controller certificates, and shares details.

  • The Cisco CloudOps team applies the configuration database backup and the running configuration provided from the on-premises Cisco SD-WAN Manager to the new cloud-hosted Cisco SD-WAN Manager instance.

  • You may need to update your enterprise firewalls as required, with the new IPs of the cloud-hosted controllers.

  • Set up and execute a pilot change window to migrate one or more test edge nodes to the cloud-hosted controllers and then roll back to the on-premises Cisco SD-WAN Manager.

  • Migration is triggered by configuring the new Cisco SD-WAN Validator FQDN on the edge node.

  • Take necessary measures to prepare for the final change window.

  • Set up and execute a final change window to migrate all edge nodes from on-premises to cloud-hosted controller set.

  • If templates were created and applied for the on-premises Cisco SD-WAN Manager, Cisco SD-WAN Validators, and Cisco SD-WAN Controllers, then they must be reviewed and corrected, before applying them to the cloud-hosted controllers, post migration. Special care must be taken with respect to the interface configuration.

Prerequisites

  • Before opening a case, you must upgrade all your existing controllers and edge nodes to one of the latest Cisco-suggested release versions and verify that your data plane is stable.

  • You must have all edge nodes attached to a template or agree to reconfigure the edge nodes manually for the migration.

  • You must have all edge nodes with working NTP and DNS.

  • You must provide the root CA to Cisco if in case you are using enterprise certificates on the on-premises controllers.

  • You must have out-of-band access to edge nodes via console or an alternate way in case the edge nodes need manual configuration for recovery.

Considerations and Impact

  • You must work with your Cisco Account Team or Cisco support to procure Cisco Catalyst SD-WAN cloud subscriptions and add them to the existing Smart Account (SA) and Virtual Account (VA) where the on-premises overlay controller profile is created.

  • The Cisco CloudOps team provisions Cisco SD-WAN Manager only in the primary region.

    There is a Cisco SD-WAN Validator and Cisco SD-WAN Controller instance provisioned in both the primary and the secondary regions.

  • The Cisco CloudOps team creates a new controller profile in the same SA/VA as the existing on-premises overlay.

    This allows the cloud-hosted controller set to have the same organization name as the existing on-premises overlay. This in turn makes it possible to transfer the configuration database from on-premises Cisco SD-WAN Manager to the cloud-hosted Cisco SD-WAN Manager.

    The configuration database restore method, otherwise, can't be used if the source and destination Cisco SD-WAN Manager instances have different organization name configured. Organization name on a cloud-hosted Cisco SD-WAN Manager instance can't be changed once provisioned.

  • As the new Cisco SD-WAN Manager is configured using the configuration database restore method, the statistics database from the on-premises Cisco SD-WAN Manager will not be migrated.

  • If Cisco SD-WAN Analytics is in use on the on-premises overlay, it continues to work.

    There may be some data loss when the migration happens, as the new cloud Cisco SD-WAN Manager starts fresh data collection and sends it to the Cisco SD-WAN Analytics servers.

  • As the Cisco SD-WAN Validator FQDN changes, the configuration on the edge nodes requires to be updated for the migration.

    This can be done via CLI templates from Cisco SD-WAN Manager applied to all the edge nodes. If no CLI templates exist on the on-premises Cisco SD-WAN Manager, you must create and apply them before starting the migration. If you do not prefer CLI templates, then you would need to manually reconfigure all the edge nodes individually via console or ssh.

  • If any issue occurs during the edge node migration, you may need to have an out-of-band management access to the edge nodes to make changes manually to switch over to new Cisco SD-WAN Validators.

  • At the time of migration, the control and data plane flaps for each edge node as it is pointed to the new Cisco SD-WAN Validator DNS and reconnects to the new cloud-hosted controllers.

  • It is mandatory that all edge nodes be configured with working NTP and DNS before the migration.

  • Rollback plan would involve Cisco SD-WAN Validator configuration to be changed back on the edge nodes to the on-premises Cisco SD-WAN Validator.

  • After successful migration, the controller profile that you hosted can be deleted from Cisco PNP SA/VA.

Cloud-Hosted Controller Deletion Policy

Cisco can delete a customer cloud-hosted controller overlay based on the following conditions:

Certificate Expiration

  • Identification Stage: If your controller certificates have expired for 15 days or more, and if you have not renewed the certificates, Cisco can move your cloud-hosted controller to a shutdown state. The expired controller certificates indicate that the cloud-hosted controller overlay and the connected devices are not being used.

  • Final Termination: If your overlay remains in the shutdown state for a period of at least three months, and if you have not made any communication to Cisco to recover the controllers, Cisco deletes the controllers. As a result, the customer data cannot be recovered.

  • Reprovisioning: Once an overlay is deleted, it needs to be reprovisioned. If you have an active Cisco Digital Network Architecture (Cisco DNA) license, you can request a new cloud-hosted controller overlay.

Abandoned Overlays

  • Identification Stage: If the cloud-hosted controllers are provisioned for six months or more and:

    1. if there are no active edge devices

    2. OR if the overlays are in the shutdown state for 30 days or more for reasons other than those set forth in this Cloud-Hosted Controller Policy

    then Cisco can deem your cloud-hosted controller as abandoned. Please note that no active edge devices or shutdown overlays indicate that the Cisco Catalyst SD-WAN overlay and the cloud-hosted controller devices are not being used.

  • Notification Stage: Cisco sends notifications to you communicating the overlay abandoned state along with a target shutdown date.

  • Shutdown Stage: If the customer overlay continues to remain unused even after the notifications, Cisco shuts down the overlay on the specified date.

  • Final Termination: If you have not communicated to Cisco to recover Cisco Catalyst SD-WAN cloud-hosted controllers within 30 days of the overlay shutdown, Cisco deletes the controllers. As a result, the customer data cannot be recovered.

  • Reprovisioning: Once an overlay is deleted, it needs to be reprovisioned. If you have an active Cisco Digital Network Architecture (Cisco DNA) license, you can request a new cloud-hosted controller overlay.

DNA Subscription Expired

This policy applies to Cisco Digital Network Architecture (Cisco DNA) subscriptions for the devices licensed before Cisco made the cloud controller subscription separately available. It is also known as Pre-Controller Subscription Offering.

  • Identification Stage: If all the Cisco DNA subscriptions for your devices connected to the cloud-hosted controller have expired, Cisco can deem your corresponding cloud-hosted controller as subscription expired.

  • Notification Stage: Cisco sends notifications to you communicating the overlay abandoned state along with a target shutdown date. Ensure that you keep your contact information up-to-date to receive timely notifications.

  • Shutdown Stage: If the customer overlay continues to run with the expired DNA subscriptions even after the notifications, Cisco shuts down the overlay on the specified date.

  • Final Termination: If you have not communicated to Cisco to recover your Cisco Catalyst SD-WAN cloud-hosted controllers within 30 days of the overlay shutdown, Cisco deletes the controllers. As a result, the customer data cannot be recovered.

  • Reprovisioning: Once an overlay is deleted, it needs to be reprovisioned. You can purchase a new cloud-hosted controller overlay by purchasing the required stock keeping units (SKUs).

Controller Subscription Expired

A controller subscription is licensed separately from the Cisco Digital Network Architecture (Cisco DNA) subscriptions for devices.

  • Identification Stage: If the subscription of your cloud-hosted controllers has expired, and if you have not renewed it, Cisco can deem your corresponding cloud-hosted controller as subscription expired.

  • Notification Stage: Cisco sends notifications to you communicating the overlay abandoned state along with a target shutdown date. Ensure that you keep your contact information up-to-date to receive timely notifications.

  • Shutdown Stage: If the controller subscription continues to remain unrenewed even after the notifications, Cisco shuts down the overlay on the specified date.

  • Final Termination: If you have not communicated to Cisco to recover your Cisco Catalyst SD-WAN cloud-hosted controllers within 30 days of the overlay shutdown, Cisco deletes the controllers. As a result, the customer data cannot be recovered.

  • Reprovisioning: Once an overlay is deleted, it needs to be reprovisioned. You can purchase a new cloud-hosted controller overlay by purchasing the required stock keeping units (SKUs).


Note


Failure to renew your DNA subscription for the Cisco cloud-hosted controllers may impact the functionality of the Cisco Catalyst SD-WAN features that are part of the Cisco DNA subscription for your devices. It is because these features are dependent on Cisco SD-WAN Controllers.