Monday 15 March 2021

Cisco SD-WAN: vManage, vBond, and vSmart On-Prem Installation Process.

 



Introduction

This section explains how to build an on-prem Cisco Viptela based SD-WAN control plane system. It starts by setting up an enterprise Certificate Server using the Cisco CSR1000V cloud router. Next, it goes through the root certificate generation process. The rest of the chapter explains the initial configuration and certificate installation processes from the vManage, vBond, and vSmart viewpoints.

Figure 1-1: Control-Plane Components Topology.


Note! I am using EVE-NG running on an ESXi host. You can find installation instructions at eve-ng.net under Documentation > HowTo’s > Cisco SDWAN Viptela image set.

 


Configuring IOS-XE Certification Server

To onboard vEdges to the SD-WAN system and build control plane connections between vBond, vManage, and vSmart, we need certificates. This section explains how Cisco IOS-XE can be used as a Certificate Authority.


Enabling HTTP Server and NTP

 

The mandatory prerequisite is to enable the HTTP server on the Certificate Authority (CA). In addition, the clocks of vManage, vBond, vSmart, and the Certificate Server have to be synchronized; otherwise there will be problems with certificates, since validity periods are checked against each device’s own clock. I’m using IOS-XE as the Network Time Protocol (NTP) master; this turns on the hardware clock on the router and provides a time source for the other devices.

 

ip http server

ntp master 

Example 1-1: Enabling HTTP and NTP Master services on IOS-XE.

 

Certificate Server Configuration

First, we generate an RSA key pair for the IOS-XE Certificate Server (CS), using a 2048-bit modulus. Next, we start the Certificate Server configuration. The cs-label used with the server must match the label used in the RSA key configuration (we are using the label PKI). We use flash as the database location, where each issued certificate is stored together with its serial number and subject name. The CA issuer DN name is set to rootca.nwkt.local. We use the SHA-256 hash function for the signatures our CS produces, including its own self-signed CA certificate. The CA keys and certificates are archived in pkcs12 format, and the archive is encrypted with the password Cisco123. Enrollment requests are granted automatically (grant auto). As the last step, we turn on the Certificate Server and export the CA certificate in PEM format.

  

CA-Server(config)#crypto key generate rsa label PKI modulus 2048

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 1 seconds)

CA-Server(config)#crypto pki server PKI

CA-Server(cs-server)#database url flash:

% Server database url was changed. You need to move the

% existing database to the new location.

CA-Server(cs-server)#database level complete

CA-Server(cs-server)#issuer-name cn=root.nwkt.local

CA-Server(cs-server)#hash sha256

CA-Server(cs-server)#database archive pkcs12 password Cisco123

CA-Server(cs-server)#grant auto

Mar 14 13:12:42.854: %PKI-6-CS_GRANT_AUTO: All enrollment requests will be auto.

CA-Server(cs-server)#no shut

%Some server settings cannot be changed after CA certificate generation.

%Exporting Certificate Server signing certificate and keys...

%Certificate Server enabled.

Mar 14 13:12:57.634: %PKI-6-CS_ENABLED: Certificate server now enabled.

Example 1-2: Certificate Server Configuration on IOS-XE.

When the configuration is done, we can export the CA certificate (root certificate) in PEM format to the terminal by using the command crypto pki export PKI pem terminal.

 

CA-Server(config)#crypto pki export PKI pem terminal

% The specified trustpoint is not enrolled (PKI).

% Only export the CA certificate in PEM format.

% CA certificate:

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

Example 1-3: Exporting the CA certificate.

 

vManage Configuration

 

When booting up vManage for the first time, we need to define the storage device. During the vManage installation process in EVE-NG, we add an additional 100G HDD, which appears as option 1) vdb in the initial setup process.

 

viptela 20.3.3

 

System Initializing. Please wait to login...

 

vmanage login: admin

Password:

Welcome to Viptela CLI

admin connected from 127.0.0.1 using console on vmanage

You must set an initial admin password.

Password:

Re-enter password:

Available storage devices:

vdb     100GB

hdc     3GB

1) vdb

2) hdc

Select storage device to use: 1

Would you like to format vdb? (y/n): y

mke2fs 1.43.8 (1-Jan-2018)

/dev/vdb contains a ext3 file system

        last mounted on Sun Mar 14 08:10:51 2021

Creating filesystem with 26214400 4k blocks and 6553600 inodes

Filesystem UUID: 021ed637-2944-4665-a817-2248d217ae3a

Superblock backups stored on blocks:

        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,

        4096000, 7962624, 11239424, 20480000, 23887872

 

Allocating group tables: done

Writing inode tables: done

Creating journal (131072 blocks): done

Writing superblocks and filesystem accounting information: done

 

Extracting vManage extra-packages

vManage Extra-Package extracted to /tmp_install/extra-packages/20.3.3/

vManage Extra-Package Extraction Complete

 

Broadcast message from root@vmanage (somewhere) (Sun Mar 14 14:57:53 2021):

 

Sun Mar 14 14:57:53 UTC 2021: The system is going down for reboot NOW!

Example 1-4: vManage Initial Setup.

 

Example 1-5 shows the initial configuration of vManage.

  

vmanage# sh run

system

 host-name             vmanage

 admin-tech-on-failure

 aaa

  auth-order local radius tacacs

  usergroup basic

   task system read write

   task interface read write

  !

  usergroup netadmin

  !

  usergroup operator

   task system read

   task interface read

   task policy read

   task routing read

   task security read

  !

  usergroup tenantadmin

  !

  user admin

   password $6$Stk7TwMMEy7Qi82x$j.WtL3.WseQgOhAPMtULUfaT9T5ihxYJJI.BXHJj.BzdPapd9TCElFF0MZm3daFrE2ClwX9DS5c0jTAASjiW8.

  !

  user ciscotacro

   description CiscoTACReadOnly

   group       operator

   status      enabled

  !

  user ciscotacrw

   description CiscoTACReadWrite

   group       netadmin

   status      enabled

  !

 !

 logging

  disk

   enable

  !

 !

!

vpn 0

 interface eth0

  ip dhcp-client

  ipv6 dhcp-client

  no shutdown

 !

!

vpn 512

!

Example 1-5: vManage Initial Configuration.

 

System Information

 

All our control components are on the same site, using site-id 100. The system-ip address identifies a device much like a Router ID (RID); it doesn’t have to be routable, but it has to be unique. We are using the organization name nwkt. The vBond IP address in VPN 0 (the infrastructure VPN) is 10.100.100.11. As the last step, we define the time source and the VPN through which it is reached. Note that a VPN is just like a VRF: a virtual routing instance. Changes are applied and saved with the command commit.

 

vmanage# conf t

Entering configuration mode terminal

vmanage(config)# system

vmanage(config-system)# site-id 100

vmanage(config-system)# system-ip 10.100.100.12

vmanage(config-system)# organization-name nwkt

vmanage(config-system)# vbond 10.100.0.11

vmanage(config-system)# ntp server 10.100.0.14

vmanage(config-server-10.100.0.14)# vpn 0

vmanage(config-server-10.100.0.14)# commit

Commit complete.

Example 1-6: vManage System Information.

  

VPN Configuration

 

VPN 0 is used for control plane connections. Interface eth0 is used as a tunnel interface with the IP address 10.100.0.12/24 attached to it. We can allow (or deny) services such as ssh, dhcp, ntp, netconf, and dns by listing them separately; here I’m allowing all of them with the command allow-service all, which is acceptable in a lab but in production should be narrowed to the services the tunnel interface actually needs. The last two steps enable the interface and assign the VPN-specific default route. VPN 512 is used for the Out-of-Band (OoB) management connection. I’m using DHCP for IP address assignment, but in a production environment you should use a statically configured IP address.

  

vmanage(config-system)# vpn 0

vmanage(config-vpn-0)#  interface eth0

vmanage(config-interface-eth0)# ip address 10.100.0.12/24

vmanage(config-interface-eth0)# tunnel-interface

vmanage(config-tunnel-interface)# allow-service all

vmanage(config-tunnel-interface)# no shutdown

vmanage(config-tunnel-interface)# ip route 0.0.0.0/0 10.100.0.1

vmanage(config-vpn-0)# vpn 512

vmanage(config-vpn-512)#  interface eth1

vmanage(config-interface-eth1)# ip dhcp-client

vmanage(config-interface-eth1)# no shutdown

vmanage(config-interface-eth1)# ip route 0.0.0.0/0 192.168.10.1

vmanage(config-vpn-512)# commit

Commit complete.

Example 1-7: VPN0 and VPN512 Configuration of vManage.

 

The example below shows the IP address of interface eth1, its operational status, and other interface-related information.

 

vmanage# sh int eth1

interface vpn 512 interface eth1 af-type ipv4

 ip-address      192.168.10.34/24

 if-admin-status Up

 if-oper-status  Up

 encap-type      null

 port-type       mgmt

 hwaddr          50:00:00:04:00:01

 speed-mbps      1000

 duplex          full

 uptime          0:00:01:53

 rx-packets      500

 tx-packets      23


Example 1-8: Interface IP Address Verification.


Certification enrollment

 

After attaching the IP address to the management interface, we can log on to vManage. We are using the username/password combination admin/admin.

Figure 1-2: Log in to vManage. 

Navigate to the Administration/Settings window. Before the actual certificate enrollment process, we fill in the organization name and the vBond IP address.


Figure 1-3: Administration/Settings Window.


Choose Edit on the Organization Name row and fill in the name if it is blank (we already specified the organization in the initial CLI setup). Click the Save button to commit the changes.


Figure 1-4: Administration/Settings/Organization Name Window.


Next, configure the IP address of the vBond node if it is not shown here (we also specified the vBond IP address in the initial setup process). Click the Save button to commit the changes.


Figure 1-5: Administration/Settings/vBond Window.


After adding the Organization Name and vBond IP address, we are ready for the certificate enrollment process. Select the Edit option on the Controller Certificate Authorization row. The Certificate Signed by field has the default value Cisco Automated (Recommended); select Enterprise Root Certificate instead. Copy the root certificate from the IOS-XE Certificate Server and paste it into the Certificate field. Fill in the Domain Name, Organization Unit, Organization, City, State, Email, and Country Code fields and select the Validity period. Click the Import & Save button.


Figure 1-6: Installing the Root Certificate into vManage.

You will get a warning message that you can accept by clicking the Proceed button.

Figure 1-7: Installing the Root Certificate into vManage - Confirmation.



The figure below verifies our configuration changes.


Figure 1-8: Verification.


When the root certificate is installed, we generate a Certificate Signing Request (CSR). Navigate to the Configuration > Certificates window and select the Controllers sheet. Open the options menu at the end of the vManage row and choose the Generate CSR option.


Figure 1-9: Generating the Certificate Signing Request (CSR).

Figure 1-10 shows the generated CSR. Copy it to the clipboard and click the Close button.



Figure 1-10: Generating the Certificate Signing Request (CSR).



Log in to the IOS-XE Certificate Server. Type the command crypto pki server PKI request pkcs10 terminal and press Enter. Now paste the CSR into the terminal window, then type quit. If your prompt stays at the end of the line “-----END CERTIFICATE REQUEST-----”, press Enter before typing quit. Copy the granted certificate for vManage into the clipboard.

 

CA-Server#crypto pki server PKI request pkcs10 terminal

PKCS10 request in base64 or pem

 

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.

% End with a blank line or "quit" on a line by itself.

-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----

quit

% Granted certificate:

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

 

CA-Server#

Example 1-9: Generating Granted Certificate from the Certificate Signing Request.


Go back to the vManage management window, navigate to the Configuration > Certificates window, and select the Controllers sheet. Click the Install Certificate button.


Figure 1-11: Installing the Granted Certificate into vManage.

Paste the granted certificate into the text box of the Install Certificate window and click the Install button.


Figure 1-12: Installing the Granted Certificate into vManage Continues.

The figure below illustrates the installation progress and its result, Success. At this point the vManage certificate process is complete.


Figure 1-13: The Granted Certificate Installation Progress.



We can verify the certificate status from the Controllers sheet in the Configuration > Devices window. There the Certificate Status column shows Installed.


Figure 1-14: The Granted Certificate Verification.
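The whole vManage enrollment above, as an added Go example (not code from the page or from Cisco, and nothing here talks to a real controller): an in-memory root CA standing in for the IOS-XE Certificate Server of Example 1-2, a controller CSR as in Figure 1-10, the automatic grant of Example 1-9, and the chain check a controller effectively performs once the root certificate and the granted certificate are installed. It also demonstrates the NTP requirement stated at the start of the chapter: the same certificate is rejected when the controller’s clock is a day behind the CA. The root CN rootca.nwkt.local and the organization nwkt come from the page; the controller name vmanage-0.nwkt.local, the other subject fields, the dates and the serial number are constructed sample values.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with priv (the parent's key) and parses the resulting DER.
func issue(tmpl, parent *x509.Certificate, pub interface{}, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newRootCA plays the IOS-XE Certificate Server of Example 1-2 (2048-bit RSA, SHA-256) in memory.
func newRootCA(cn string, notBefore time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(3, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, SignatureAlgorithm: x509.SHA256WithRSA}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// controllerCSR is the controller's "Generate CSR" step: a fresh key pair plus a PKCS#10 request
// carrying the Figure 1-6 subject fields (constructed values, apart from the organization nwkt).
func controllerCSR(cn string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{SignatureAlgorithm: x509.SHA256WithRSA,
		Subject: pkix.Name{Country: []string{"FI"}, Organization: []string{"nwkt"},
			OrganizationalUnit: []string{"nwkt"}, CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// grant mirrors "crypto pki server PKI request pkcs10 terminal" under "grant auto": check the CSR's
// self-signature (proof of key possession), then issue a one-year leaf certificate. CSR extensions are ignored.
func grant(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte, serial int64, from time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject, NotBefore: from,
		NotAfter: from.AddDate(1, 0, 0), BasicConstraintsValid: true, // IsCA stays false: leaf certificate
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, SignatureAlgorithm: x509.SHA256WithRSA}
	return issue(tmpl, ca, csr.PublicKey, caKey)
}

// checkInstall is what a controller effectively verifies once the root chain and granted certificate are
// installed: the certificate must chain to the root at the device's own clock, and must not itself be a CA.
func checkInstall(root, granted *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := granted.Verify(opts); err != nil {
		return err
	}
	if granted.IsCA {
		return fmt.Errorf("%s was issued as a CA certificate", granted.Subject.CommonName)
	}
	return nil
}

// Results: verdict for a correctly installed chain, and verdict when the controller clock lags the CA (the NTP point).
type Results struct{ Valid, ClockSkew error }
func runScenario() (r Results, err error) {
	t0 := time.Date(2021, 3, 12, 12, 50, 50, 0, time.UTC) // constructed CA start time
	root, rootKey, err := newRootCA("rootca.nwkt.local", t0)
	if err != nil {
		return r, err
	}
	csrDER, err := controllerCSR("vmanage-0.nwkt.local") // hypothetical controller name
	if err != nil {
		return r, err
	}
	issued := t0.AddDate(0, 0, 2)
	granted, err := grant(root, rootKey, csrDER, 8, issued) // sample serial number
	if err != nil {
		return r, err
	}
	r.Valid = checkInstall(root, granted, issued.Add(time.Hour))
	r.ClockSkew = checkInstall(root, granted, issued.Add(-24*time.Hour)) // controller clock a day behind
	return r, nil
}
func main() { fmt.Println(runScenario()) }
```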

vBond Initial Configuration


The vBond initial configuration is shown in the example below. The very first configuration step is to provide a password for the admin user account. 


viptela 20.3.2

 

vedge login: admin

Password:

Welcome to Viptela CLI

admin connected from 127.0.0.1 using console on vedge

You must set an initial admin password.

Password:

Re-enter password:

vedge# sh run

system

 host-name               vedge

 admin-tech-on-failure

 no route-consistency-check

 vbond ztp.viptela.com

 aaa

  auth-order local radius tacacs

  usergroup basic

   task system read write

   task interface read write

  !

  usergroup netadmin

  !

  usergroup operator

   task system read

   task interface read

   task policy read

   task routing read

   task security read

  !

  usergroup tenantadmin

  !

  user admin

   password $6$meJoeGPXSl/jhFSK$hwZ5Uo3pLhiRLm9AD7eRAutUkRknCLgJyrhzFdJ74qaZyYS3                yoKP2xrBwAo6slmRrOUiuI9ejmk9LmftljbIp/

  !

  user ciscotacro

   description CiscoTACReadOnly

   group       operator

   status      enabled

  !

  user ciscotacrw

   description CiscoTACReadWrite

   group       netadmin

   status      enabled

  !

 !

 logging

  disk

   enable

  !

 !

!

omp

 no shutdown

 graceful-restart

 advertise connected

 advertise static

!

security

 ipsec

  authentication-type ah-sha1-hmac sha1-hmac

 !

!

vpn 0

 interface ge0/0

  ip dhcp-client

  ipv6 dhcp-client

  tunnel-interface

   encapsulation ipsec

   no allow-service bgp

   allow-service dhcp

   allow-service dns

   allow-service icmp

   no allow-service sshd

   no allow-service netconf

   no allow-service ntp

   no allow-service ospf

   no allow-service stun

   allow-service https

  !

  no shutdown

 !

!

vpn 512

 interface eth0

  ip dhcp-client

  ipv6 dhcp-client

  no shutdown

 !

!

vedge#

Example 1-10: The Initial Configuration of vBond.

  

System Information


There are only two differences in the system configuration of vBond compared to vManage: the system-ip is 10.100.100.11, and the vbond configuration is defined as local. Everything else is the same as in the vManage system configuration.

 

vedge# conf t

Entering configuration mode terminal

vedge(config)# system

vedge(config-system)# host-name vbond

vedge(config-system)# site-id 100

vedge(config-system)# system-ip 10.100.100.11

vedge(config-system)# organization-name nwkt

vedge(config-system)# vbond 10.100.0.11 local

vedge(config-system)# ntp server 10.100.0.14

vedge(config-server-10.100.0.14)# vpn 0

Example 1-11: The System Configuration of vBond.


VPN Configuration

 

The VPN configuration follows the same procedure as for vManage. We attach interfaces to VPN 0 and VPN 512 and give them IP addresses and VPN-specific gateways. vBond runs the vEdge image, which is also used for vEdge devices, and that is why the interface naming is different: in vManage we attached interface eth0 to VPN 0, while in vBond we use interface ge0/0 instead. Note that interface ge0/0 has to be a non-tunnel interface, which is why the command no tunnel-interface is used.

 

vedge(config-system)# vpn 0

vedge(config-vpn-0)#  interface ge0/0

vedge(config-interface-ge0/0)# ip address 10.100.0.11/24

vedge(config-interface-ge0/0)# no tunnel-interface

vedge(config-interface-ge0/0)# no shut

vedge(config-interface-ge0/0)# ip route 0.0.0.0/0 10.100.0.1

vedge(config-vpn-0)#

vedge(config-vpn-0)# vpn 512

vedge(config-vpn-512)# vpn 512

vedge(config-vpn-512)#  interface eth0

vedge(config-interface-eth0)# ip dhcp-client

vedge(config-interface-eth0)# no shut

vedge(config-interface-eth0)# ip route 0.0.0.0/0 192.168.10.1

vedge(config-vpn-512)# commit

Commit complete.

Example 1-12: VPN0 and VPN512 Configuration of vBond.

 

The example below shows the IP address of interface eth0, its operational status, and other interface-related information.

 

vbond# sh int eth0

interface vpn 512 interface eth0 af-type ipv4

 ip-address        192.168.10.33/24

 if-admin-status   Up

 if-oper-status    Up

 if-tracker-status NA

 encap-type        null

 port-type         service

 mtu               1500

 hwaddr            50:00:00:01:00:00

 speed-mbps        1000

 duplex            full

 tcp-mss-adjust    1416

 uptime            0:01:03:35

 rx-packets        5840

 tx-packets        389

Example 1-13: The IP Address Verification of vBond.

  

Certification enrollment


There are a couple of ways to install the root certificate into vBond. I’m using the WinSCP application for that. First, copy the root certificate from the IOS-XE Certificate Server as shown in Example 1-3. Then paste it into Notepad or your favorite text editor and save it as PKI.pem. After that, copy the file into the vBond directory /home/admin.


Figure 1-15: Copying the PKI.pem to vBond.

After copying the file into the /home/admin directory, it is installed by using the command request root-cert-chain install /home/admin/PKI.pem.


vbond# request root-cert-chain install /home/admin/PKI.pem

Uploading root-ca-cert-chain via VPN 0

Copying ... /home/admin/PKI.pem via VPN 0

Updating the root certificate chain..

Successfully installed the root certificate chain

vbond#

Example 1-14: Installing the Root certificate into vBond.

Next, we will add vBond to the controller list in the vManage management console. Navigate to the Configuration > Devices window, select the Controller sheet, and select vBond from the Add Controller drop-down menu.


Figure 1-16: Adding vBond to Controller List.

Give the vBond IP address and user credentials, check the Generate CSR box and click the Add button to commit changes.


Figure 1-17: Adding vBond to Controller List Continues.


The figure below shows that vBond is now listed in the controller list.


Figure 1-18: Adding vBond to Controller List Continues.

After installing the root certificate, navigate to the Configuration > Certificates window and select the Controllers sheet. Open the options menu at the end of the vBond row and choose the View CSR option.


Figure 1-19: Adding vBond to Controller List Continues.


Copy the CSR into the clipboard.


Figure 1-20: vBond CSR.


Log in to the IOS-XE Certificate Server. Type the command crypto pki server PKI request pkcs10 terminal and press Enter. Now paste the vBond CSR into the terminal window, then type quit. If your prompt stays at the end of the line “-----END CERTIFICATE REQUEST-----”, press Enter before typing quit. Copy the granted certificate for vBond into the clipboard. This is the same process we used with vManage.


CA-Server#crypto pki server PKI request pkcs10 terminal

PKCS10 request in base64 or pem

 

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.

% End with a blank line or "quit" on a line by itself.

-----BEGIN CERTIFICATE REQUEST-----


-----END CERTIFICATE REQUEST-----

quit

% Granted certificate:

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

 

CA-Server#

Example 1-15: Generating the Granted Certificate for vBond.


Go back to the vManage management window, navigate to the Configuration > Certificates window, and select the Controllers sheet. Select the vBond row and click the Install Certificate button.


Figure 1-21: Installing the Granted Certificate into vBond.


Paste the granted certificate into the text box of the Install Certificate window and click the Install button.


Figure 1-22: Installing the Granted Certificate into vBond Continues.


The figure below illustrates the installation progress and its result, Success. At this point, the vBond certificate process is done.


Figure 1-23: The Granted Certificate Installation Progress.


We can verify the certificate status from the Controllers sheet in the Configuration > Devices window. There the Certificate Status column shows Installed.


Figure 1-24: Certificate Status Verification.


vSmart Initial Configuration

Example 1-16 illustrates the default configuration of vSmart.


vsmart# sh run

system

 host-name             vsmart

 admin-tech-on-failure

 aaa

  auth-order local radius tacacs

  usergroup basic

   task system read write

   task interface read write

  !

  usergroup netadmin

  !

  usergroup operator

   task system read

   task interface read

   task policy read

   task routing read

   task security read

  !

  usergroup tenantadmin

  !

  user admin

   password $6$jKzSSqC2GCJveJV4$VxMCv59Qv2J.lDd2luqXXJ9dUuv3izVKXPEbE3b43AAry3n6ptI7DqunO0y0TzxaUVRGAUZ7E/ySEiWdyt8/60

  !

  user ciscotacro

   description CiscoTACReadOnly

   group       operator

   status      enabled

  !

  user ciscotacrw

   description CiscoTACReadWrite

   group       netadmin

   status      enabled

  !

 !

 logging

  disk

   enable

  !

 !

!

omp

 no shutdown

 graceful-restart

!

vpn 0

 interface eth0

  ip dhcp-client

  ipv6 dhcp-client

  no shutdown

 !

!

vpn 512

Example 1-16: The Initial Configuration of vSmart.

 

System Information

As with vManage and vBond, we set the system settings. This is just like what we did with vManage; the only difference is the unique system-ip.

 

vsmart# conf t

Entering configuration mode terminal

vsmart(config)# system

vsmart(config-system)# site-id 100

vsmart(config-system)# system-ip 10.100.100.13

vsmart(config-system)# organization-name nwkt

vsmart(config-system)# vbond 10.100.0.11

vsmart(config-system)# ntp server 10.100.0.14

vsmart(config-server-10.100.0.14)# vpn 0

Example 1-17: The System Configuration of vSmart.

 

VPN Configuration

The VPN configuration follows the same process as for vManage and vBond.

 

vsmart(config-system)# vpn 0

vsmart(config-vpn-0)#  interface eth0

vsmart(config-interface-eth0)# ip address 10.100.0.13/24

vsmart(config-interface-eth0)# tunnel-interface

vsmart(config-tunnel-interface)# allow-service all

vsmart(config-tunnel-interface)# no shutdown

vsmart(config-tunnel-interface)# ip route 0.0.0.0/0 10.100.0.1

vsmart(config-vpn-0)# vpn 512

vsmart(config-vpn-512)# interface eth1

vsmart(config-interface-eth1)# ip dhcp-client

vsmart(config-interface-eth1)# no shutdown

vsmart(config-interface-eth1)# commit

Commit complete.

Example 1-18: VPN0 and VPN512 Configuration of vSmart.

 

The example below shows the IP address of interface eth1, its operational status, and other interface-related information.

 

vsmart# sh int eth1

interface vpn 512 interface eth1 af-type ipv4

 ip-address      192.168.10.35/24

 if-admin-status Up

 if-oper-status  Up

 encap-type      null

 port-type       mgmt

 hwaddr          50:00:00:03:00:01

 speed-mbps      1000

 duplex          full

 uptime          0:00:09:35

 rx-packets      2208

 tx-packets      97

Example 1-19: The IP Address Verification of vSmart.

  

Certification enrollment

The root certificate installation into vSmart is the same as explained for vBond. I’m using WinSCP to copy the root certificate into the vSmart directory /home/admin.


Figure 1-25: Copying the PKI.pem to vSmart.



After copying the file into the /home/admin directory, it is installed by using the command request root-cert-chain install /home/admin/PKI.pem.

 

vsmart# request root-cert-chain install /home/admin/PKI.pem

Uploading root-ca-cert-chain via VPN 0

Copying ... /home/admin/PKI.pem via VPN 0

Updating the root certificate chain..

Successfully installed the root certificate chain

vsmart#

Example 1-20: Installing the Root certificate into vSmart.


Next, we will add vSmart to the controller list in the vManage management console. Navigate to the Configuration > Devices window, select the Controller sheet, and select vSmart from the Add Controller drop-down menu.

Figure 1-26: Adding vSmart to Controller List.


Give the vSmart IP address and user credentials, check the Generate CSR box and click the Add button to commit changes.


Figure 1-27: Adding vSmart to Controller List Continues.


The figure below shows that vSmart is now listed in the controller list.


Figure 1-28: Adding vSmart to Controller List Continues.


After installing the root certificate, navigate to the Configuration > Certificates window and select the Controllers sheet. Open the options menu at the end of the vSmart row and choose the View CSR option.


Figure 1-29: Adding vSmart to Controller List Continues.


Copy the CSR into the clipboard.

Figure 1-30: vSmart CSR.


Log in to the IOS-XE Certificate Server. Type the command crypto pki server PKI request pkcs10 terminal and press Enter. Now paste the vSmart CSR into the terminal window, then type quit. If your prompt stays at the end of the line “-----END CERTIFICATE REQUEST-----”, press Enter before typing quit. Copy the granted certificate for vSmart into the clipboard.

  

CA-Server#crypto pki server PKI request pkcs10 terminal
PKCS10 request in base64 or pem

% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.
% End with a blank line or "quit" on a line by itself.
-----BEGIN CERTIFICATE REQUEST-----
MIIDNDCCAhwCAQAwgbMxCzAJBgNVBAYTAkZJMQswCQYDVQQIEwJIUjEMMAoGA1UE
BxMDSEVMMQ0wCwYDVQQLEwRud2t0MQ0wCwYDVQQKEwRud2t0MUEwPwYDVQQDEzh2
c21hcnQtODM5YWVlNjItZmVkNS00MGZjLWI1M2MtNmZjNTQ3YThkN2U1LTAubndr
dC5sb2NhbDEoMCYGCSqGSIb3DQEJARYZdGhlbmV0d29ya3RpbWVzQGdtYWlsLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeNyO6I8npUO3/5jIeR
Ik101UCxsA67JlN8x0U/UR+eaADAAzqLCXbCzV7Zh6BnWAIWypMz0t3suJRHFOv+
G4gz/MMyB+68DEambUMi6Zgkr96eCf9tfRsB5eSRsOYqebHCtcFh+5x2qDgTjNG1
H5YsuSpniIFocuyGKKCk4s6hz+TAwir+AsJFLqlQWLP9ADN3bXe4BaDfQesgt5AL
Svk0xLBGIVPikwX3fllOKcXnIso76xr6Z+KN2BI+O8fqfylhHDyzhBnKls2EpfdJ
gza94LL4alo4Iid2Rw073fb7GP1f6BHJJAIHt1fHZJDn1ewHvOYrhtm/XLqLkEIj
vhcCAwEAAaA7MDkGCSqGSIb3DQEJDjEsMCowCQYDVR0TBAIwADAdBgNVHQ4EFgQU
CqjVl4eZeQOpjpuKbyc75Q11JaswDQYJKoZIhvcNAQELBQADggEBAGVpq0VFHG4W
0Surnlwj+KkAdLRmNX0u3lg30RZpULm9tpmji01mFIq65NHpEVEXBZ69nkfMeuHC
6Lj//pdzNueIiH+/FfQOk6IdS0+cmVxjF2xXrhats1HYNdiiSGdVcK93gZgdWqJY
Fm6l2x9CiusYFfhvDfkJKcFJ6z3AUSoi4KijREgkrpnk+yZ+m2Tm/DjgA5YLGaDb
p/DBsJh6M6aI0zbgebyrxiJEAJri1l7bKmx+5h0Hu1VaUMllP7TkgnhYLDG4Mdz2
W1STwRO5RNbY6qnoVdybKiL/6BNhyuH9r+DMeY+THQea+rx+N61xetEL/hmlugth
XVDYrXrEdtE=
-----END CERTIFICATE REQUEST-----
quit
% Granted certificate:
-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBCjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDExFyb290
Y2EubndrdC5sb2NhbDAeFw0yMTAzMTQxNjUyNTNaFw0yMjAzMTQxNjUyNTNaMIGz
MQswCQYDVQQGEwJGSTELMAkGA1UECBMCSFIxDDAKBgNVBAcTA0hFTDENMAsGA1UE
CxMEbndrdDENMAsGA1UEChMEbndrdDFBMD8GA1UEAxM4dnNtYXJ0LTgzOWFlZTYy
LWZlZDUtNDBmYy1iNTNjLTZmYzU0N2E4ZDdlNS0wLm53a3QubG9jYWwxKDAmBgkq
hkiG9w0BCQEWGXRoZW5ldHdvcmt0aW1lc0BnbWFpbC5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCXjcjuiPJ6VDt/+YyHkSJNdNVAsbAOuyZTfMdF
P1EfnmgAwAM6iwl2ws1e2YegZ1gCFsqTM9Ld7LiURxTr/huIM/zDMgfuvAxGpm1D
IumYJK/engn/bX0bAeXkkbDmKnmxwrXBYfucdqg4E4zRtR+WLLkqZ4iBaHLshiig
pOLOoc/kwMIq/gLCRS6pUFiz/QAzd213uAWg30HrILeQC0r5NMSwRiFT4pMF935Z
TinF5yLKO+sa+mfijdgSPjvH6n8pYRw8s4QZypbNhKX3SYM2veCy+GpaOCIndkcN
O932+xj9X+gRySQCB7dXx2SQ59XsB7zmK4bZv1y6i5BCI74XAgMBAAGjUzBRMA8G
A1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU0sGJJNF8VH0oQ3NOtHf4fy13oa8w
HQYDVR0OBBYEFAqo1ZeHmXkDqY6bim8nO+UNdSWrMA0GCSqGSIb3DQEBCwUAA4IB
AQAJK3ojgtVWCw2DnoJ44paGEuI9TF7YdKqsJnM3rrFU9zwuoqUNHcEQtvrUmMFZ
Pffo8sF3OMOPLAZ99kTvBDVAKZM0MFwlC619XdB3XyPjbkmsgA5oc12tH+bVEfFW
41qo8xNU65/BA0ysdh1Qt7VT/PcmsliPDY81ltmtxX3S84gQCwlAZTtI5o0ocCdX
KuC8SgICacecfjy8NlcOpNduZsKFYY7e1bUuCDuWMcb9Fk3Rf6NCXhI6c1oWO9xu
XTgHpf0mBOlQyU7540/ubb/DEldCVbCisd3V9rqk+L4QnFYte+LZr3j7Gf/2KILb
IrhZ+4j7/DdwVEKnHv3xAD+9
-----END CERTIFICATE-----

Example 1-21: Generating the Granted Certificate for vSmart.
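Before pasting the granted certificate into vManage, it is worth confirming that it really belongs to the CSR you submitted (same subject, same public key), that it was signed by the intended root, and what the CA actually put into it. The script below is an added example, not part of the original post and not Cisco tooling: a standard-library-only Python check that decodes the vSmart CSR and the granted certificate reproduced in Example 1-21 (copied from this page, with the base64 bodies joined onto one line) just far enough to compare subject, public key and issuer and to read the basicConstraints extension. All function and variable names are this example's own. Run over the page's own data, it reports that subject and public key match the CSR and that the issuer is rootca.nwkt.local; it also shows that the CSR asked for basicConstraints cA=FALSE while the granted certificate carries cA=TRUE, so the controller certificate is itself a CA certificate under the enterprise root. That is a property to confirm against your CA configuration before installing, since anything signed with the vSmart key would then chain to the root that every controller and vEdge trusts.

```python
"""Sanity-check a certificate granted by the IOS-XE CA against the CSR it came from.
Standard library only: a minimal DER walker is enough to read subject, issuer, validity,
SubjectPublicKeyInfo and basicConstraints from a PKCS#10 request and an X.509 certificate.
"""
import base64
from datetime import datetime

OID_CN = b"\x55\x04\x03"                                          # 2.5.4.3 commonName
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                           # 2.5.29.19
OID_EXTENSION_REQUEST = b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x0e"  # 1.2.840.113549.1.9.14

def pem_to_der(pem):
    """Drop the -----BEGIN/END----- armour and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, content bytes, offset after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each element inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = tlv(content, pos)
        yield tag, inner

def common_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return the CN string."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return ""

def basic_constraints_ca(extensions):
    """cA flag of basicConstraints in a SEQUENCE OF Extension, or None if the extension is absent."""
    for _, ext in children(extensions):
        parts = list(children(ext))          # OID, optional critical BOOLEAN, OCTET STRING
        if parts[0][1] == OID_BASIC_CONSTRAINTS:
            (_, seq), = children(parts[-1][1])   # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            flags = [v for t, v in children(seq) if t == 0x01]
            return bool(flags) and flags[0] != b"\x00"
    return None

def parse_csr(pem):
    """PKCS#10: CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, signature }."""
    _, info, _ = tlv(tlv(pem_to_der(pem))[1])
    _version, subject, spki, attributes = [v for _, v in children(info)]
    ca = None
    for _, attr in children(attributes):     # Attribute ::= SEQUENCE { OID, SET OF value }
        (_, oid), (_, values) = children(attr)
        if oid == OID_EXTENSION_REQUEST:     # the value is a SEQUENCE OF Extension the requester asked for
            ca = basic_constraints_ca(next(children(values))[1])
    return {"subject_cn": common_name(subject), "spki": spki, "ca": ca}

def parse_cert(pem):
    """X.509: Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }."""
    _, tbs, _ = tlv(tlv(pem_to_der(pem))[1])
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                 # [0] EXPLICIT version, absent in v1 certificates
        fields.pop(0)
    serial, _alg, issuer, validity, subject, spki = [v for _, v in fields[:6]]
    not_before, not_after = [datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ" if t == 0x18 else "%y%m%d%H%M%SZ")
                             for t, v in children(validity)]   # UTCTime (0x17) or GeneralizedTime (0x18)
    exts = [v for t, v in fields[6:] if t == 0xA3]             # [3] EXPLICIT extensions
    return {"issuer_cn": common_name(issuer), "subject_cn": common_name(subject),
            "serial": int.from_bytes(serial, "big"), "spki": spki,
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
            "ca": basic_constraints_ca(next(children(exts[0]))[1]) if exts else None}

def check_granted_certificate(csr_pem, cert_pem, expected_issuer_cn):
    """The checks to make before pasting a granted controller certificate into vManage."""
    csr, cert = parse_csr(csr_pem), parse_cert(cert_pem)
    return {"subject_cn": cert["subject_cn"], "serial": cert["serial"],
            "subject_matches_csr": csr["subject_cn"] == cert["subject_cn"],
            "public_key_matches_csr": csr["spki"] == cert["spki"],
            "issued_by_expected_root": cert["issuer_cn"] == expected_issuer_cn,
            "valid_from": cert["not_before"], "valid_until": cert["not_after"],
            "csr_requested_ca": csr["ca"], "issued_as_ca": cert["ca"]}

# The vSmart CSR and the certificate granted for it, copied from Example 1-21 on this page
# (PEM bodies joined onto a single line; the decoder does not care about line wrapping).
VSMART_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIDNDCCAhwCAQAwgbMxCzAJBgNVBAYTAkZJMQswCQYDVQQIEwJIUjEMMAoGA1UEBxMDSEVMMQ0wCwYDVQQLEwRud2t0MQ0wCwYDVQQKEwRud2t0MUEwPwYDVQQDEzh2c21hcnQtODM5YWVlNjItZmVkNS00MGZjLWI1M2MtNmZjNTQ3YThkN2U1LTAubndrdC5sb2NhbDEoMCYGCSqGSIb3DQEJARYZdGhlbmV0d29ya3RpbWVzQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJeNyO6I8npUO3/5jIeRIk101UCxsA67JlN8x0U/UR+eaADAAzqLCXbCzV7Zh6BnWAIWypMz0t3suJRHFOv+G4gz/MMyB+68DEambUMi6Zgkr96eCf9tfRsB5eSRsOYqebHCtcFh+5x2qDgTjNG1H5YsuSpniIFocuyGKKCk4s6hz+TAwir+AsJFLqlQWLP9ADN3bXe4BaDfQesgt5ALSvk0xLBGIVPikwX3fllOKcXnIso76xr6Z+KN2BI+O8fqfylhHDyzhBnKls2EpfdJgza94LL4alo4Iid2Rw073fb7GP1f6BHJJAIHt1fHZJDn1ewHvOYrhtm/XLqLkEIjvhcCAwEAAaA7MDkGCSqGSIb3DQEJDjEsMCowCQYDVR0TBAIwADAdBgNVHQ4EFgQUCqjVl4eZeQOpjpuKbyc75Q11JaswDQYJKoZIhvcNAQELBQADggEBAGVpq0VFHG4W0Surnlwj+KkAdLRmNX0u3lg30RZpULm9tpmji01mFIq65NHpEVEXBZ69nkfMeuHC6Lj//pdzNueIiH+/FfQOk6IdS0+cmVxjF2xXrhats1HYNdiiSGdVcK93gZgdWqJYFm6l2x9CiusYFfhvDfkJKcFJ6z3AUSoi4KijREgkrpnk+yZ+m2Tm/DjgA5YLGaDbp/DBsJh6M6aI0zbgebyrxiJEAJri1l7bKmx+5h0Hu1VaUMllP7TkgnhYLDG4Mdz2W1STwRO5RNbY6qnoVdybKiL/6BNhyuH9r+DMeY+THQea+rx+N61xetEL/hmlugthXVDYrXrEdtE=
-----END CERTIFICATE REQUEST-----"""
VSMART_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDnjCCAoagAwIBAgIBCjANBgkqhkiG9w0BAQsFADAcMRowGAYDVQQDExFyb290Y2EubndrdC5sb2NhbDAeFw0yMTAzMTQxNjUyNTNaFw0yMjAzMTQxNjUyNTNaMIGzMQswCQYDVQQGEwJGSTELMAkGA1UECBMCSFIxDDAKBgNVBAcTA0hFTDENMAsGA1UECxMEbndrdDENMAsGA1UEChMEbndrdDFBMD8GA1UEAxM4dnNtYXJ0LTgzOWFlZTYyLWZlZDUtNDBmYy1iNTNjLTZmYzU0N2E4ZDdlNS0wLm53a3QubG9jYWwxKDAmBgkqhkiG9w0BCQEWGXRoZW5ldHdvcmt0aW1lc0BnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXjcjuiPJ6VDt/+YyHkSJNdNVAsbAOuyZTfMdFP1EfnmgAwAM6iwl2ws1e2YegZ1gCFsqTM9Ld7LiURxTr/huIM/zDMgfuvAxGpm1DIumYJK/engn/bX0bAeXkkbDmKnmxwrXBYfucdqg4E4zRtR+WLLkqZ4iBaHLshiigpOLOoc/kwMIq/gLCRS6pUFiz/QAzd213uAWg30HrILeQC0r5NMSwRiFT4pMF935ZTinF5yLKO+sa+mfijdgSPjvH6n8pYRw8s4QZypbNhKX3SYM2veCy+GpaOCIndkcNO932+xj9X+gRySQCB7dXx2SQ59XsB7zmK4bZv1y6i5BCI74XAgMBAAGjUzBRMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU0sGJJNF8VH0oQ3NOtHf4fy13oa8wHQYDVR0OBBYEFAqo1ZeHmXkDqY6bim8nO+UNdSWrMA0GCSqGSIb3DQEBCwUAA4IBAQAJK3ojgtVWCw2DnoJ44paGEuI9TF7YdKqsJnM3rrFU9zwuoqUNHcEQtvrUmMFZPffo8sF3OMOPLAZ99kTvBDVAKZM0MFwlC619XdB3XyPjbkmsgA5oc12tH+bVEfFW41qo8xNU65/BA0ysdh1Qt7VT/PcmsliPDY81ltmtxX3S84gQCwlAZTtI5o0ocCdXKuC8SgICacecfjy8NlcOpNduZsKFYY7e1bUuCDuWMcb9Fk3Rf6NCXhI6c1oWO9xuXTgHpf0mBOlQyU7540/ubb/DEldCVbCisd3V9rqk+L4QnFYte+LZr3j7Gf/2KILbIrhZ+4j7/DdwVEKnHv3xAD+9
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    for key, value in check_granted_certificate(VSMART_CSR_PEM, VSMART_CERT_PEM, "rootca.nwkt.local").items():
        print(f"{key:25} {value}")
```

The walker only reads the fields compared here and does not verify the signature, so it complements rather than replaces a full validation such as openssl verify against the PKI.pem root. The validity window it prints is also a quick way to catch the clock-skew problem mentioned at the start of the chapter: a notBefore in the future relative to vSmart's clock means the certificate will not be accepted even though everything else matches.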


Go back to the vManage management window, navigate to the Configuration > Certificates window, and select the Controller sheet. Select the vSmart row and click the Install Certificate button. Paste the granted certificate into the text box in the Install Certificate window and click the Install button.


Figure 1-31: Installing the Granted Certificate into vSmart Continues.


The figure below shows the installation progress and its result, Success. At this point, the vSmart certification process is complete.



Figure 1-32: The Granted Certificate Installation Progress.



We can verify the certificate status from the Controllers sheet in the Configuration > Devices window, where the Certificate Status column shows Installed.


Figure 1-33: Certificate Status Verification.


And we are done.



11 comments:

  1. Thank you for the great post. I really appreciate your blog. One comment... I had to install the certificate on vManage by copying the pem file and using request root-cert-chain install (similar to vBond and vSmart) along with updating on the portal for it to work
