Deploying NaC for SDWAN

To this point we have completed the following steps:

  1. Setup Environment: We have set up the environment for Network as Code SD-WAN, including installing Terraform and configuring the necessary files.
  2. Build Data Model: We have built the data model for the SD-WAN fabric using the structured YAML files containing device templates, feature templates, policies, and site configurations.

Understanding the SD-WAN Deployment Process

The SD-WAN as Code solution uses Terraform as the deployment engine, which provides declarative infrastructure management. Unlike imperative approaches, Terraform allows you to describe the desired state of your SD-WAN infrastructure, and it automatically determines and executes the steps needed to reach that state.

The SD-WAN deployment uses the Cisco SD-WAN Terraform Provider which includes multiple resources capable of managing any SD-WAN objects. The provider communicates directly with the SD-WAN Manager (vManage) REST API to configure the overlay network.

The solution leverages SD-WAN Terraform Modules which provide abstraction layers that map your data model to the corresponding SD-WAN configuration objects. The modules handle the complexity of translating high-level intent into detailed SD-WAN configurations.

All configurations are deployed through the SD-WAN Manager (vManage), which acts as the centralized control point for the SD-WAN fabric. The Terraform provider manages:

  • Device Templates: Complete device configurations combining multiple feature templates
  • Feature Templates: Individual configuration components (System, VPN, Interface, etc.)
  • Policy Objects: Reusable components like SLA classes and application groups
  • Centralized Policies: Control policies, AAR (Application Aware Routing), Data policies
  • Localized Policies: Route policies, ACLs, QoS policies applied at device level

Before deploying your SD-WAN configuration, you must initialize Terraform and set up the necessary environment variables.

Navigate to your SD-WAN project directory and initialize Terraform:

cd ~/network-as-code/nac-sdwan
terraform init

This command will:

  • Download the required Terraform providers (SD-WAN, Utils, Local)
  • Download the SD-WAN Terraform modules from the NetAsCode repository
  • Create the .terraform directory with provider binaries
  • Generate the .terraform.lock.hcl lock file

Expected output:

Initializing the backend...
Initializing modules...
Downloading git::https://github.com/netascode/terraform-sdwan-nac-sdwan.git for sdwan...
- sdwan in .terraform/modules/sdwan
Initializing provider plugins...
- Finding ciscodevnet/sdwan versions matching ">= 0.2.8"...
- Finding netascode/utils versions matching ">= 0.2.5"...
- Finding hashicorp/local versions matching ">= 2.3.0"...
- Installing ciscodevnet/sdwan v0.3.9...
- Installing netascode/utils v0.2.5...
- Installing hashicorp/local v2.5.1...
Terraform has been successfully initialized!
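
The init output above shows a git module source with no ref and provider constraints that only set a lower bound. The dependency lock file records provider selections only, not modules, so an unpinned git module follows whatever the default branch contains at the next init. The following audit of that output is an added example, not part of the NetAsCode tooling; the function name audit_init is hypothetical and the sample input is the output shown on this page.

```python
import re

# Sample input: the "Expected output" lines shown on this page.
INIT_OUTPUT = '''\
Initializing modules...
Downloading git::https://github.com/netascode/terraform-sdwan-nac-sdwan.git for sdwan...
- sdwan in .terraform/modules/sdwan
Initializing provider plugins...
- Finding ciscodevnet/sdwan versions matching ">= 0.2.8"...
- Finding netascode/utils versions matching ">= 0.2.5"...
- Finding hashicorp/local versions matching ">= 2.3.0"...
- Installing ciscodevnet/sdwan v0.3.9...
- Installing netascode/utils v0.2.5...
- Installing hashicorp/local v2.5.1...
'''

MODULE_RE = re.compile(r"^Downloading (git::\S+) for (\S+?)\.\.\.$")
FINDING_RE = re.compile(r'^- Finding (\S+) versions matching "([^"]+)"\.\.\.$')
INSTALL_RE = re.compile(r"^- Installing (\S+) v(\S+?)\.\.\.$")


def audit_init(output):
    """Return supply-chain findings from `terraform init` output (hypothetical helper)."""
    findings, constraints, installed = [], {}, {}
    for line in output.splitlines():
        if m := MODULE_RE.match(line):
            source, name = m.groups()
            # Terraform echoes the source as written, so a pinned module shows ?ref=...
            if "?ref=" not in source and "&ref=" not in source:
                findings.append(f"module {name}: git source has no ref, tracks the default branch")
        elif m := FINDING_RE.match(line):
            constraints[m.group(1)] = m.group(2)
        elif m := INSTALL_RE.match(line):
            installed[m.group(1)] = m.group(2)
    for provider, constraint in constraints.items():
        terms = [t.strip() for t in constraint.split(",")]
        if all(t.startswith(">") for t in terms):  # only ">=" or ">" terms
            findings.append(f"provider {provider}: '{constraint}' has no upper bound, "
                            f"resolved to {installed.get(provider, 'unknown')}; "
                            "commit .terraform.lock.hcl to keep that selection")
    return findings


if __name__ == "__main__":
    for finding in audit_init(INIT_OUTPUT):
        print("WARN", finding)
```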

Set the required environment variables for connecting to your SD-WAN Manager:

export SDWAN_USERNAME="admin"
export SDWAN_PASSWORD="your_password"
export SDWAN_URL="https://your-vmanage-ip"

For the dCloud lab environment, use these specific values:

export SDWAN_USERNAME="sdwan"
export SDWAN_PASSWORD="C1sco12345"
export SDWAN_URL="https://198.18.133.100"

Check that Terraform can successfully read your data model:

terraform version
terraform validate

Before deploying to the SD-WAN fabric, validate your data model using the nac-validate tool:

# Install nac-validate if not already installed
pip install nac-validate
# Validate your data model
nac-validate ./data/ --non-strict

If validation passes (no output), proceed with deployment. If errors are found, review and correct your data model files before continuing.

Execute a Terraform plan to preview the changes that will be made to your SD-WAN fabric:

terraform plan -out=plan.tfplan

This command will:

  • Connect to your SD-WAN Manager to query the current state
  • Compare current state with your desired data model
  • Generate an execution plan showing what will be created, modified, or deleted
  • Save the plan to plan.tfplan for consistent execution

Example output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
Terraform will perform the following actions:
  # module.sdwan.sdwan_system_feature_template.system_feature_template["FT-EDGE-SYSTEM-01"] will be created
  + resource "sdwan_system_feature_template" "system_feature_template" {
      + description = "Base Cisco System template"
      + device_types = [
          + "vedge-C8000V",
        ]
      + id = (known after apply)
      + name = "FT-EDGE-SYSTEM-01"
      + template_type = "system"
      + version = (known after apply)
      ...
    }
Plan: 45 to add, 0 to change, 0 to destroy.

Important: Review the plan output carefully to ensure it matches your expectations before proceeding to apply.
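
The review step can be backed by a machine check on the saved plan. The following gate is an added example, not part of the NetAsCode tooling: it reads the JSON form of the plan (terraform show -json plan.tfplan) and blocks on any destroy or replace. The function names, the max_changes threshold and the sample actions are assumptions.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json plan.tfplan`;
# addresses reuse template names from this page, the actions are invented.
SAMPLE_PLAN = {"resource_changes": [
    {"address": 'module.sdwan.sdwan_system_feature_template.system_feature_template["FT-EDGE-SYSTEM-01"]',
     "type": "sdwan_system_feature_template", "change": {"actions": ["update"]}},
    {"address": 'module.sdwan.sdwan_vpn_interface_ethernet_feature_template.vpn_interface_ethernet_feature_template["FT-EDGE-VPN20-LAN-01"]',
     "type": "sdwan_vpn_interface_ethernet_feature_template", "change": {"actions": ["create"]}},
    {"address": 'module.sdwan.sdwan_device_template.device_template["DT-BR-C8000V-01"]',
     "type": "sdwan_device_template", "change": {"actions": ["delete", "create"]}},
]}


def summarize(plan):
    """Count actions as the 'Plan: N to add, ...' line does (a replace is add + destroy)."""
    counts = {"add": 0, "change": 0, "destroy": 0}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        counts["add"] += "create" in actions
        counts["change"] += "update" in actions
        counts["destroy"] += "delete" in actions
    return counts


def violations(plan, allow_destroy=(), max_changes=100):
    """Return the reasons this plan should not be applied without a second look."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "delete" in actions and rc["type"] not in allow_destroy:
            kind = "replace" if "create" in actions else "destroy"
            found.append(f"{kind}: {rc['address']}")
    total = sum(summarize(plan).values())
    if total > max_changes:  # hypothetical blast-radius limit
        found.append(f"plan touches {total} objects, limit is {max_changes}")
    return found


if __name__ == "__main__":
    # Usage: terraform show -json plan.tfplan > plan.json; python plan_gate.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print("Plan:", summarize(plan))
    problems = violations(plan)
    for problem in problems:
        print("BLOCK", problem)
    sys.exit(1 if problems else 0)
```

Handle plan.tfplan and its JSON rendering like the state file: both can contain sensitive values in clear text, so keep them out of version control and shared build artifacts.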

Apply the planned changes to deploy your SD-WAN configuration:

terraform apply plan.tfplan

This command will:

  • Execute the exact plan generated in the previous step
  • Create all SD-WAN objects (templates, policies, etc.) in the correct order
  • Handle dependencies between resources automatically
  • Update the Terraform state file to track managed resources

Example output:

module.sdwan.sdwan_system_feature_template.system_feature_template["FT-EDGE-SYSTEM-01"]: Creating...
module.sdwan.sdwan_vpn_interface_ethernet_feature_template.vpn_interface_ethernet_feature_template["FT-EDGE-VPN0-WAN-01"]: Creating...
module.sdwan.sdwan_device_template.device_template["DT-BR-C8000V-01"]: Creating...
Apply complete! Resources: 45 added, 0 changed, 0 destroyed.

Step 3: Verify Deployment in SD-WAN Manager

Access your SD-WAN Manager GUI to verify the successful deployment:

  1. Navigate to Configuration > Templates: Verify that device templates and feature templates have been created
  2. Check Configuration > Devices: Confirm that devices are using the correct templates
  3. Review Configuration > Policies: Validate that centralized and localized policies are properly configured

One of the key benefits of Infrastructure as Code is the ability to make incremental changes through code updates.

To modify your SD-WAN configuration:

  1. Edit the appropriate YAML files in your data/ directory
  2. Validate changes with nac-validate ./data/ --non-strict
  3. Plan changes with terraform plan
  4. Review the plan to ensure only intended changes will be made
  5. Apply changes with terraform apply

Example: Adding a new feature template:

# In edge_feature_templates.nac.yaml
sdwan:
  edge_feature_templates:
    vpn_interface_ethernet_templates:
      - name: "FT-EDGE-VPN20-LAN-01"
        description: "Guest Network Interface"
        vpn_id_variable: "vpn20_id"
        interface_name_variable: "vpn20_interface_name"
        ip_address_variable: "vpn20_ip_address"
        subnet_mask_variable: "vpn20_subnet_mask"

After applying changes, you can view what was modified:

# Show current Terraform state
terraform show
# Show specific resource details
terraform state show 'module.sdwan.sdwan_system_feature_template.system_feature_template["FT-EDGE-SYSTEM-01"]'

After successful deployment, validate your SD-WAN fabric using integrated testing:

pip install iac-test
iac-test --data ./data --data ./defaults.yaml --templates ./tests/templates --output ./tests/results --filters ./tests/filters

This will:

  • Generate test cases based on your data model
  • Execute tests against SD-WAN Manager to verify configuration
  • Create detailed test reports in HTML format
  • Validate that deployed configuration matches your intent

Open tests/results/report.html to view comprehensive test results covering:

  • Configuration Tests: Verify templates, policies, and objects are correctly configured
  • Deployment Tests: Confirm devices are properly attached to templates
  • Policy Tests: Validate policy application and precedence
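
# Verify environment variables
echo "$SDWAN_URL"
echo "$SDWAN_USERNAME"
# Test connectivity and login to SD-WAN Manager
# (-k skips certificate verification; use it only with the lab's self-signed certificate)
# An empty response body means the login succeeded; an HTML login page means it failed
curl -k "$SDWAN_URL/j_security_check" --data-urlencode "j_username=$SDWAN_USERNAME" --data-urlencode "j_password=$SDWAN_PASSWORD"

# If state is out of sync, refresh it from SD-WAN Manager
# (replaces the deprecated terraform refresh and shows the changes for approval)
terraform apply -refresh-only
# Import existing resources if needed
terraform import 'module.sdwan.resource.name' resource-id

# Check data model syntax
nac-validate ./data/ --non-strict
# Validate Terraform syntax
terraform validate -json
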
  • Commit your data model changes to version control before deployment
  • Tag releases for tracking deployed versions
  • Use branch protection to require reviews before changes
  • Use remote state backends for team environments
  • Regularly backup state files
  • Never manually edit state files
  • Store credentials in secure locations (not in code)
  • Use Terraform variables for sensitive data
  • Enable audit logging in SD-WAN Manager
  • Always run terraform plan before apply
  • Use separate environments for testing changes
  • Validate with nac-validate before deployment
  • Run post-deployment tests to confirm success

With your SD-WAN configuration successfully deployed through Terraform, you now have:

  • A declarative, version-controlled SD-WAN infrastructure
  • The ability to make repeatable, consistent changes
  • Automated validation and testing capabilities
  • A foundation for CI/CD pipeline integration

The next section will cover how to integrate these deployment processes into automated pipelines for even greater operational efficiency.