Bringup Sequence for Overlay Network
There are two major bring-up sequences for an overlay network built from Cisco SD-WAN Viptela devices.
First Sequence (User Portion of Bring-up)
- The first sequence requires user intervention. In this sequence the architect designs the network, creates the VM instances for the Viptela devices, installs and boots the hardware Viptela routers and, once that is done, adds the Viptela devices to the network on vManage (the NMS) and creates a configuration for each device.
Second Sequence (Automatic Portion of Bring-up)
- The second sequence occurs automatically and is orchestrated by the Viptela software. Once the devices are added to the network, they validate and authenticate themselves automatically and then establish secure connections with each other.
Once both processes are complete, a fully functional overlay network is set up.
Summary of Events:
Below is a summary of the events that occur to bring up Cisco Viptela devices. To bring up the Cisco Viptela hardware and software components in a Viptela overlay network, all Viptela components must be connected and reachable to each other via a transport network, such as the Internet or MPLS.
- The vManage NMS software is started on an ESXi or KVM server in the data center.
- The vBond orchestrator is started on an ESXi or KVM server in the DMZ.
- The vSmart controller is started on an ESXi or KVM server in the data center.
- First the vManage NMS and the vBond orchestrator authenticate each other; then the vManage NMS and the vSmart controller authenticate each other; and then the vSmart controller and the vBond orchestrator authenticate each other.
- The vManage NMS sends configurations to the vSmart controller and the vBond orchestrator.
- The vEdge routers are deployed and started in the network.
- The vEdge routers authenticate with the vBond orchestrator.
- The vEdge routers authenticate with the vManage NMS.
- The vEdge routers authenticate with the vSmart controller.
Once a vEdge router is authenticated to all SD-WAN components, the vManage NMS sends its configuration to the vEdge router.
Summary of User Portion of Overlay Bring-up
Below are the summary steps of the user portion of Viptela network bring-up. It is not strictly necessary to follow these steps in the order given, since you can bring up Viptela devices in any order, but it is recommended that you bring up and deploy the Viptela devices in the order listed below:
1 Plan your network: the architect must plan and design the WAN network
2 Download the Viptela software image
3 Deploy the vManage NMS in the data center
- Create a VM instance of vManage
- Configure the certificate settings and generate a certificate for the vManage NMS
- Create the vManage cluster
4 Deploy vBond in the data center
- Create a VM instance of vBond
- Add vBond to the overlay network and generate a certificate for vBond
- Create a full configuration for the vBond orchestrator
5 Deploy the vSmart controller
- Create a VM instance of vSmart
- Add vSmart to the overlay network and generate a certificate for vSmart
- Create a full configuration for the vSmart controller
6 Deploy the vEdge routers
- For a software vEdge router, create a VM instance of the vEdge router
- Send a CSR to Symantec and then install the signed certificate on the router
- From the NMS, send the serial numbers of all vEdge routers to the vSmart controller and the vBond orchestrator in the overlay network
- Create a full configuration for the vEdge routers
Summary of Automatic Portion of Overlay Bring-up
Once the Viptela devices are booted and running with their initial configuration, the automatic bring-up process starts. This process is led by vBond: the Viptela devices set up encrypted communication channels between each other, use these channels to automatically validate and authenticate each other, and once this is done receive and activate their full configuration from the vManage server.
User Input for the ZTP Automatic Authentication Process:
The automatic validation and authentication of Viptela devices during bring-up happens only when the vSmart controller and the vBond orchestrator already know the serial number and chassis number of the devices.
Serial Number: a 40-byte number included in the device certificate. For vBond and vSmart the certificate can be provided either by Symantec or by an enterprise root CA. For vEdge routers the certificate is provided in the hardware Trusted Board ID chip.
Chassis Number: each vEdge router also has a chassis number, and because it is unique per manufactured unit, there is a one-to-one mapping between a vEdge router's serial number and its chassis number.
The serial number and chassis number are learnt by vSmart and vBond during the initial configuration of these devices.
Along with the serial and chassis numbers required for validation and authentication, the same unique organization name (case-sensitive) is also required on every device. This name is configured in the vManage NMS and is included in the configuration file on all devices.
This organization name is also included in the certificate for each device, which is created either by Viptela or by an enterprise root CA.
Zero Touch Provisioning Method:
Below are the controller bring-up steps for Cisco SD-WAN Viptela:
1 Spin up the controller VMs: vBond, vSmart, vManage
- Orchestration (vOrchestrator, OpenStack, etc.)
2 Add the controllers to vManage
3 Sign certificates: Symantec or an enterprise CA can be used
- Manual: generate CSRs, send them to the CA for signing, install the signed certificates
- Automatic: vManage generates the CSRs, sends them for signing and installs the certificates (Symantec only)
4 Control channels are brought up automatically once the controllers are functional
Zero Touch Provisioning: Initial Steps
- After ordering, Cisco generates the vEdge chassis numbers
- From viptela.com, download the license file (vEdge list)
- Upload the license file to vManage; this becomes the vEdge whitelist
- Select one of the available vEdge routers and then attach a device template
Zero Touch Provisioning: Attach a Device Template to a Chassis ID
- Select a device template from the list
- Attach a device to the template
Zero Touch Provisioning: Pick a Chassis Number that is Available
- Select a chassis number from the available devices list
Zero Touch Provisioning: Fill in Device-Specific Parameters
- Fill in the device-specific parameters (System IP, host name, etc.), or alternatively import them using a CSV file
Zero Touch Provisioning: Device Config Scheduled
- The template will be attached to the device when it comes online
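The following is an added example, not Cisco or Viptela code, that models in simplified form the admission check described above: the joining vEdge's chassis number must be in the whitelist built from the uploaded vEdge list, its certificate serial number must be the one mapped one-to-one to that chassis number, and its organization name must match the vManage-configured name exactly (case-sensitive). The CSV layout, the device names and the 40-character serial values are constructed for illustration and are not the real license-file format.

```python
# Added example, not Cisco/Viptela code: simplified model of the vBond/vSmart
# admission check using the three inputs the text names (chassis number,
# certificate serial number, case-sensitive organization name).
# The CSV below is constructed for illustration; it is NOT the real license-file format.
import csv
import io
from typing import Dict, NamedTuple, Tuple

# Constructed "vEdge list" as it would be uploaded to vManage to form the whitelist.
VEDGE_LIST_CSV = """chassis_number,serial_number
VEDGE-CHASSIS-0001,0123456789ABCDEF0123456789ABCDEF00000001
VEDGE-CHASSIS-0002,0123456789ABCDEF0123456789ABCDEF00000002
"""

# Organization name configured once on vManage; it must match everywhere, byte for byte.
ORG_NAME = "Example-Org SD-WAN"


class DeviceIdentity(NamedTuple):
    """Values a joining vEdge presents: chassis number, certificate serial, org name."""
    chassis_number: str
    serial_number: str
    organization_name: str


def load_whitelist(csv_text: str) -> Dict[str, str]:
    """Build the chassis -> serial map and reject a list that breaks the one-to-one mapping."""
    mapping: Dict[str, str] = {}
    seen_serials = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        chassis, serial = row["chassis_number"].strip(), row["serial_number"].strip()
        if chassis in mapping or serial in seen_serials:
            raise ValueError(f"duplicate chassis/serial in list: {chassis}/{serial}")
        mapping[chassis] = serial
        seen_serials.add(serial)
    return mapping


def validate_device(dev: DeviceIdentity, whitelist: Dict[str, str],
                    org_name: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Every check is an exact string comparison."""
    if dev.organization_name != org_name:        # "example-org sd-wan" is NOT a match
        return False, "organization name mismatch (comparison is case-sensitive)"
    expected_serial = whitelist.get(dev.chassis_number)
    if expected_serial is None:
        return False, "chassis number not in uploaded vEdge list"
    if expected_serial != dev.serial_number:
        return False, "serial number does not belong to this chassis number"
    return True, "accepted"
```

A device that fails any of the three checks is refused before any configuration is pushed, which is why a stray case change in the organization name on one device keeps it out of the overlay.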
Brief Overview via Diagrams
[Diagrams not reproduced here: "Plug-n-Play vEdge Secure Bring-up (Zero Trust)", "Zero Touch Provisioning - vEdge Appliance", "Zero Touch Provisioning - vEdge Cloud"]