Configure vEdge & Generate Certificate

Posted on Jan 27, 2020

As soon as the vEdge VM is created and the router boots, it cannot join the Viptela overlay network until a signed certificate is installed on it. In Release 17.1 and later, the vManage NMS acts as the certificate authority and automatically generates and installs the signed certificate on vEdge Cloud routers. In Release 16.1 and earlier, a Symantec-signed certificate had to be installed on each router manually.

The following steps install the signed certificate:

  • Retrieve the vEdge router serial number file
  • Upload the vEdge authorized serial number file to the vManage NMS
  • Install the signed certificate on each vEdge Cloud router

Retrieve the vEdge router Serial Number

  • Go to http://viptela.com/support/ and log in.
  • Under Downloads, click My Serial Number Files. For Releases 17.1 and later, the filename extension is .viptela.
  • Click the most recent serial number file to download it.

Upload the vEdge authorized SN file to vManage NMS

  • In the vManage NMS, select the Configuration | Devices screen, click the vEdge List tab, and click Upload vEdge List.
  • In the Upload vEdge window, click Choose File and select the vEdge authorized serial number file.
  • To have vManage validate the vEdge routers automatically and send their serial numbers to the controllers, select the Validate the Uploaded vEdge List and Send to Controllers checkbox.
  • Click Upload.

As soon as the serial number file is uploaded, vManage generates a token for each vEdge Cloud router listed in the file. The token serves as a one-time password for that router and is sent to the vBond orchestrator and the vSmart controllers, so that the router can authenticate itself to them before it holds a certificate.

Once the file is uploaded, the vEdge routers are visible in vManage.

Install Signed Certificates in Releases 17.1 and Later

Before the signed certificate can be generated and installed, you must generate and download a bootstrap configuration file for each vEdge router. This file contains the information needed to generate the signed certificate. All vEdge routers and the vManage NMS must be running Release 17.1 or later.

Bootstrap configuration file contains the following information:

  • UUID, which acts as the router's chassis number.
  • Token, the one-time password that the router uses to authenticate itself with the vBond orchestrator and the vManage NMS.
  • IP address or DNS name of the vBond orchestrator.
  • Organization name.
  • If you have already created a device configuration template and attached it to the vEdge Cloud router, that configuration.

Configure the vBond Orchestrator and Organization Name

Before generating the bootstrap file, configure the organization name and the vBond orchestrator information in vManage:

  • In the vManage NMS, select the Administration | Settings screen, and in the vBond bar click Edit.
  • In the vBond DNS/IP Address: Port field, enter the DNS name or IP address of the vBond orchestrator, and click Save.
  • In the Organization Name bar, click Edit and enter the name of your organization. This name must be
  • In the Confirm Organization Name field, re-enter the organization name, and click Save.

Configure Automatic or Manual vEdge Cloud Authorization

To generate a bootstrap configuration file for a vEdge Cloud router, follow the steps below:

  • In the vManage NMS, select the Configuration | Devices screen.
  • To generate bootstrap configuration files for one or more vEdge Cloud routers at once:
    • In the vEdge List tab, select Export Bootstrap Configuration.
    • In the Generate Bootstrap Configuration field, select the file format:
      • If the vEdge Cloud router is on a VMware hypervisor, select Encoded String to generate an encoded string.
    • In the Available Devices window, select one or more routers and click Generate Configuration. The bootstrap configuration is downloaded as a .zip file containing one .cfg file for each selected router.
  • To generate a bootstrap configuration file for a single vEdge Cloud router:
    • In the vEdge List tab, select the desired vEdge Cloud router.
    • Click the More Actions icon to the right of the row and select Generate Bootstrap Configuration.
    • In the Generate Bootstrap Configuration window, select the file format:
      • For a vEdge Cloud router on a KVM hypervisor or on an AWS server, select Cloud-Init to generate a file containing the token, the vBond orchestrator IP address, the vEdge Cloud router UUID, and the organization name.
      • For a vEdge Cloud router on a VMware hypervisor, select Encoded String to generate an encoded string.
    • Click Download. The bootstrap configuration is downloaded as a .cfg file.

Now use the bootstrap configuration file to configure the vEdge Cloud router instance on AWS, ESXi, or KVM.

By default, ge0/0 is the tunnel interface and is configured as a DHCP client. To give it a static IP address, or to use a different interface as the tunnel interface, use the CLI.

Install the Certificate on the vEdge Cloud Router

Once the vEdge router boots with the bootstrap configuration and automatic certificate authorization is in use (the default), the vManage NMS installs the certificate on the router automatically, and the router's token is replaced by its serial number.

Send vEdge Serial Numbers to the Controller Devices

Once a valid vEdge serial number file, listing each router's serial number and chassis number, has been uploaded to vManage, the NMS distributes the list to the vSmart controllers and vBond orchestrators.

After the serial number file is uploaded, each vEdge router can be placed in one of three states:

  • Invalid: the vEdge router is not authorized on the overlay network when it is powered on.
  • Staging: the vEdge router is validated and authorized when it is powered on, and a secure control channel is established to exchange control-plane information, but it cannot establish data-plane connections and so cannot exchange traffic with other vEdge routers. This state is used when vEdge routers are configured at one location and shipped to another.
  • Valid: the vEdge router is validated and authorized when it is powered on, a secure control channel is established to exchange control-plane information, and data-plane connections can be established for traffic flow.

Placing a vEdge router in the valid, invalid, or staging state (shown in the original post as a series of vManage screenshots): in the vManage NMS, select the Configuration | Certificates screen, and on the vEdge List tab, in the Validate column for the router, click Valid, Invalid, or Staging. Then click Send to Controllers so that the vBond orchestrators and vSmart controllers receive the updated list.

Configure the vEdge Routers

When a vEdge Cloud VM or a hardware vEdge router is first installed, it boots with a factory-default configuration. For the vEdge router to participate in the overlay network, the following must be configured:

  • A tunnel interface (at least one) in VPN 0, the transport VPN, to connect to the WAN transport; this interface must be reachable by all Viptela devices.
  • OMP enabled (it is on by default)
  • BFD enabled (it is on by default)
  • The IP address or DNS name of the vBond orchestrator
  • The system IP address of the router

The system IP address is a persistent address that identifies the device independently of any interface address, similar to a router ID, and is one component of the router's TLOC. Control traffic over the DTLS or TLS connections between the vSmart controller and the vEdge router, or between the vSmart controller and the vBond orchestrator, is sent via the system interface, which is identified by the system IP address and exists in VPN 0 as the device's loopback address.

Create Configuration Templates for the vEdge Routers

To create vEdge configuration templates, first create the feature templates:

  1. In vManage NMS, select the Configuration | Templates screen.
  2. From the Templates title bar, select Feature.
  3. Click Add Template.
  4. In the left pane, select vEdge Cloud or a router model.
  5. In the right pane, select the System feature template. Configure the following parameters:
    1. Template Name
    2. Description
    3. Site ID
    4. System IP
    5. Timezone
    6. Hostname
    7. Console baud rate (vEdge hardware routers only)
    8. GPS location
  6. Click Save to save the System template.
  7. In the right pane, select the VPN-Interface-Ethernet feature template. Configure the following parameters
    1. Template Name
    2. Description
    3. Shutdown No
    4. Interface name
    5. IPv4 address (static or DHCP)
    6. IPv6 address (static or DHCPv6), if desired (in Releases 16.3 and later)
    7. Tunnel interface (for VPN 0), color, encapsulation, and services to allow.
  8. Click Save to save the VPN-Interface Ethernet template.
  9. In the right pane, select other templates to configure any desired features. Save each template when you complete its configuration.

Next, create a device template that incorporates all the feature templates for the vEdge router:

  1. In the vManage NMS, select the Configuration | Templates screen.
  2. From the Templates title bar, select Device.
  3. Click Create Template, and from the drop-down list select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the device template. vManage NMS displays the feature templates for the device type you selected. Required templates are indicated with an asterisk (*).
  5. Enter a name and description for the device template. These fields are mandatory. The template name cannot contain special characters.
  6. In the Transport & Management VPN section, under VPN 0, from the drop-down list of available templates, select the desired feature template. The list of available templates shows the ones that you have previously created.
  7. To include additional feature templates in the device template, in the remaining sections select the feature templates in turn, and from each drop-down list of available templates select the desired one. The list of available templates shows the ones you have previously created. Ensure that you select templates for all mandatory feature templates and for any desired optional feature templates.
  8. Click Create to create the device template.

Finally, attach the device template to the vEdge router:

  1. In the vManage NMS, select the Configuration | Templates screen.
  2. From the Templates title bar, select Device.
  3. Select the template.
  4. Click the More Actions icon to the right of the row and click Attach Device.
  5. In the Attach Device window, either search for a device or select a device from the Available Device(s) column on the left.
  6. Click the right-pointing arrow to move the device to the Selected Device(s) column on the right.
  7. Click Attach.

When the vManage NMS discovers that the vEdge router has joined the overlay network, it pushes the configuration template to the router.

Configure the vEdge Routers from the CLI

Open a CLI session to the Viptela device via SSH or the console port.

Log in as the user admin, using the default password, admin. The CLI prompt is displayed.

Enter configuration mode:

vEdge# config
vEdge(config)#

Configure the hostname:

vEdge(config)# system host-name hostname

Configure the system IP address. In Releases 16.3 and later, the IP address can be an IPv4 or an IPv6 address. In earlier releases, it must be an IPv4 address.

vEdge(config-system)# system-ip ip-address

Configure the numeric identifier of the site where the device is located:

vEdge(config-system)# site-id site-id

Configure the organization name:

vEdge(config-system)# organization-name organization-name

Configure the IP address of the vBond orchestrator or a DNS name that points to the vBond orchestrator. The vBond orchestrator's IP address must be a public IP address, to allow all Viptela devices in the overlay network to reach the vBond orchestrator:

vEdge(config-system)# vbond (dns-name | ip-address)

Configure a time limit for confirming that a software upgrade is successful:

vEdge(config-system)# upgrade-confirm minutes

The time can be from 1 through 60 minutes.

Change the password for the user "admin":

vEdge(config-system)# user admin password password

The default password is "admin".

Configure an interface in VPN 0 to be used as the tunnel interface. VPN 0 is the WAN transport VPN, and the tunnel interface carries the control traffic among the devices in the overlay network. On vEdge Cloud routers the interface name has the format ethnumber (for example, eth0); on hardware vEdge routers it has the format geslot/port (for example, ge0/0).

vEdge(config)# vpn 0
vEdge(config-vpn-0)# interface interface-name
vEdge(config-interface)# (ip dhcp-client | ip address prefix/length)
vEdge(config-interface)# no shutdown
vEdge(config-interface)# tunnel-interface

Configure a color for the tunnel to identify the type of WAN transport. You can keep the default color (default), but a color that reflects the actual transport, such as mpls or metro-ethernet, is usually more appropriate:

vEdge(config-tunnel-interface)# color color

Configure a default route to the WAN transport network:

vEdge(config-vpn-0)# ip route 0.0.0.0/0 next-hop

Commit the configuration:

vEdge(config)# commit and-quit
vEdge#

Once the overlay network is up, create a vEdge configuration template in vManage that contains this initial configuration, using the following vManage feature templates:

  • System feature template for the hostname, system IP address, site ID, and vBond orchestrator address
  • AAA feature template to configure a password for the "admin" user
  • VPN Interface Ethernet feature template to configure the tunnel interface in VPN 0

In addition to the initial configuration above, some general system configuration is also required:

  • Organization name, from the vManage Administration | Settings screen
  • Time zone, NTP servers, and device physical location, from the configuration templates
  • Login banner, from the Banner feature template
  • Logging parameters, from the Logging feature template
  • AAA, and RADIUS and TACACS+ servers, from the AAA feature template
  • SNMP, from the SNMP feature template

Sample Initial CLI Configuration

vEdge# show running-config
system
 host-name vEdge
 gps-location latitude 40.7127837
 gps-location longitude -74.00594130000002
 system-ip 172.16.251.20
 site-id 200
 max-controllers 1
 organization-name "Viptela Inc"
 clock timezone America/Los_Angeles
 upgrade-confirm 15
 vbond 184.122.2.2
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  user admin
   password encrypted-password
  !
 !
 logging
  disk
   enable
  !
 !
 ntp
  keys
   authentication 1 md5 $4$L3rwZmsIic8zj4BgLEFXKw==
   authentication 2 md5 $4$LyLwZmsIif8BvrJgLEFXKw==
   authentication 60124 md5 $4$LXbzZmcKj5Bd+/BgLEFXKw==
   trusted 1 2 60124
  !
  server 180.20.1.2
   key 1
   source-interface ge0/3
   vpn 1
   version 4
  exit
 !
 radius
  server 180.20.1.2
   vpn 1
   source-interface ge0/3
   secret-key $4$L3rwZmsIic8zj4BgLEFXKw==
  exit
 !
 tacacs
  server 180.20.1.2
   vpn 1024
   source-interface ge0/3
   secret-key $4$L3rwZmsIic8zj4BgLEFXKw==
  exit
 !
!
omp
 no shutdown
 graceful-restart
 advertise bgp
 advertise connected
 advertise static
!
security
 ipsec
  authentication-type ah-sha1-hmac sha1-hmac
 !
!
snmp
 no shutdown
 view v2
  oid 1.3.6.1
 !
 community private
  view v2
  authorization read-only
 !
 trap target vpn 0 10.0.1.1 16662
  group-name Viptela
  community-name private
 !
 trap group test
  all
   level critical major minor
  exit
 exit
!
vpn 0
 interface ge0/0
  ip address 184.111.20.2/24
  tunnel-interface
   encapsulation ipsec
   color mpls restrict
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
  !
  no shutdown
  bandwidth-upstream 60
  bandwidth-downstream 60
 !
 interface ge0/1
  no shutdown
 !
 interface ge0/2
  no shutdown
 !
 ip route 0.0.0.0/0 184.111.20.1
!
vpn 1
 router
  bgp 111000
   neighbor 172.16.1.20
    no shutdown
    remote-as 111000
    password $4$LzLwZj1ApK4zj4BgLEFXKw==
   !
  !
  ospf
   timers spf 200 1000 10000
   area 0
    interface ge0/1
     authentication type message-digest
     authentication message-digest message-digest-key 1 md5 $4$LzLwZj1ApK4zj4BgLEFXKw==
    exit
   exit
  !
 !
!

