Configure vManage & Generate Certificate

Posted on Jan 27, 2020

After you deploy the VM instance, it comes up with factory-default settings. For a minimum configuration, you should configure the IP address of the vBond orchestrator, the vManage system IP address, and a tunnel interface in VPN 0 for exchanging control traffic among the vBond, vManage, and vSmart devices.

vManage must be configured with the following so that it can participate in the overlay network.

  • Configure a tunnel interface (one interface) in VPN 0. This is the interface to which a WAN transport is connected, and all Viptela devices must be able to reach it. The tunnel interface in VPN 0 carries all the control traffic among Viptela devices.
  • Enable the OMP protocol if it is not already enabled. This protocol is responsible for establishing and maintaining the Viptela control plane.

Configure the vManage NMS with a Device Configuration Template

To configure the vManage NMS, a device configuration template must be created.

  1. Configure the address of the vBond orchestrator:
  • Select the Administration section | Settings screen | Click the Edit button to the right of the vBond bar.
  • In the vBond DNS/IP Address: Port field, enter the DNS name which points to the vBond orchestrator or the IP address of the vBond orchestrator and the port number to use to connect to it. | Click Save.

  1. In vManage NMS, select the Configuration | Templates screen. | In the Device tab, click Create Template | From the Create Template drop-down, select From Feature Template.
  2. From the Device Model drop-down, select the vManage device. The required feature templates are shown with an asterisk (*), and the remaining templates are shown as optional. The factory-default template for each feature is selected by default.
  3. In the Template Name field | enter a name for the device template. This field is mandatory. In the Description field | enter a description for the device template. This field is mandatory.
  4. In the System feature template | configure the Site ID | System IP Address | Host name | Location | Time zone, and GPS Location.
  5. In the AAA feature template | Local tab | click Users | change the password for the user "admin."
  6. In the VPN feature template | select VPN 0 | configure the system IP address and the address or host name of a DNS server. If necessary, click the Route tab | add a static route.
  7. If you need to add a static route in VPN 512, in a second VPN feature template, select VPN 512, click the Route tab, and add the static route.
  8. In the VPN-Interface-Ethernet feature template | configure the interface in VPN 0 that connects to the WAN transport network. In Shutdown | click No | enter the Interface Name | assign the interface either a dynamic or static address. In the Interface Tunnel tab, Tunnel Interface | click On | assign a color to the tunnel interface | select the desired services to allow on the tunnel.
  9. In a second VPN-Interface-Ethernet feature template, configure the management interface in VPN 512. In Shutdown | click No | enter the Interface Name | assign the interface either a dynamic or static address.
  10. In the Security feature template | configure the control plane protocol.
  11. Optionally, modify the default Archive | Banner | Logging | NTP | SNMP feature templates.
  12. Click Create. The new configuration template will be displayed in the Device Template table. The Feature Templates column shows the number of feature templates that are included in the device template, and the Type column shows "Feature" to indicate that the device template was created from a collection of feature templates.
  13. In the Device Template table | locate the desired device template | Click the More Actions icon to the right of the row | select Attach Devices.
  14. In the Attach Devices box, select the local vManage NMS from the Available Devices list | click the right-pointing arrow to move it to the Selected Devices box | Click Attach.

Sample CLI Configuration

Below is a sample vManage configuration. Note that it contains a large number of factory-default settings with their default values.

Example:

vManage# show running-config
system
 host-name vManage
 gps-location latitude 40.7127856
 gps-location longitude -74.00594130000112
 system-ip 172.11.11.11
 site-id 100
 organization-name "Viptela Inc"
 clock timezone America/Los_Angeles
 vbond 10.10.10.10
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  user admin
   password encrypted-password
  !
 !
 logging
  disk
   enable
  !
 !
!
snmp
 no shutdown
 view v2
  oid 1.3.6.1
 !
 community private
  view v2
  authorization read-only
 !
 trap target vpn 0 10.0.1.1 16662
  group-name Viptela
  community-name private
 !
 trap group test
  all
   level critical major minor
  exit
 exit
!
vpn 0
 interface eth1
  ip address 10.10.11.22/24
  tunnel-interface
   color public-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.10.11.13
!
vpn 512
 interface eth0
  ip address 172.16.16.16/23
  !
  no shutdown
 !
 ip route 0.0.0.0/0 172.16.16.1
!
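
The services allowed on the VPN 0 tunnel interface decide what is reachable on the controller from the WAN transport, so they are worth checking whenever the configuration changes. The following is an added example, not part of the original page or of any Viptela tooling: it reads running-config text and reports any allow-service entry outside a baseline. The baseline is taken from the sample configuration above, and the drifted input (sshd turned on) is constructed for illustration.

```python
# Added example (not from the page): report tunnel-interface services outside a baseline.
BASELINE = {"dhcp", "dns", "icmp", "netconf", "https"}  # assumed policy: what the sample allows

# Constructed input: the sample's VPN 0 block, abridged, with sshd switched on.
SAMPLE = """\
vpn 0
 interface eth1
  tunnel-interface
   color public-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   allow-service https
  !
 !
"""

def tunnel_services(config):
    """Return {(vpn, interface): set of services allowed on its tunnel interface}."""
    result, vpn, iface, in_tunnel = {}, None, None, False
    for raw in config.splitlines():
        words = raw.split()          # indentation is ignored, so flat text works too
        if not words:
            continue
        if words[0] == "vpn" and len(words) == 2:
            vpn, iface, in_tunnel = words[1], None, False
        elif words[0] == "interface" and len(words) == 2:
            iface, in_tunnel = words[1], False
        elif words[0] == "tunnel-interface":
            in_tunnel = True
            result[(vpn, iface)] = set()
        elif words[0] == "!":        # "!" closes the current block
            in_tunnel = False
        elif in_tunnel and words[0] == "allow-service" and len(words) == 2:
            result[(vpn, iface)].add(words[1])   # "no allow-service X" starts with "no"
    return result

def unexpected_services(config, baseline=BASELINE):
    """Return {(vpn, interface): [services]} for services not in the baseline."""
    return {key: sorted(svcs - baseline)
            for key, svcs in tunnel_services(config).items() if svcs - baseline}

if __name__ == "__main__":
    for (vpn, iface), extra in unexpected_services(SAMPLE).items():
        print(f"vpn {vpn} interface {iface}: review allow-service {', '.join(extra)}")
```
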

Configure Certificate Settings

In the overlay network, any new controller device (vManage, vBond, or vSmart) authenticates using a signed certificate. From vManage, a certificate signing request (CSR) can be generated automatically, and the certificates issued from that CSR can be retrieved and installed on all controller devices that are going to be added to the network.

To automate certificate generation and installation, an organization name and the certificate authorization settings must be configured before adding controller devices to the network.

Hardware vEdge routers are shipped with a certificate pre-installed. For a vEdge Cloud router, a CSR must be generated and the certificate must be installed from the router CLI.

Configure the Organization Name

Note: Once you add devices to the vManage NMS, you cannot edit the organization name.

  • In vManage NMS, select the Administration | Settings screen | Organization Name bar | click Edit.
  • Enter the organization name. Note that the organization name must be identical to the one configured on the vBond orchestrator.
  • In the Confirm Organization Name field | re-enter your organization name to confirm it.
  • In the vBond bar | click Edit | in the vBond DNS/IP Address: Port field | enter the DNS name that points to the vBond orchestrator, or the IP address of the vBond orchestrator and the port number | click Save.

Configure Certificate Authorization Settings

To automate certificate generation and installation for vManage, vBond, and vSmart, certificate authorization must be configured.

  • In vManage NMS, select the Administration | Settings screen | In the Certificate Authorization bar | click Edit.
  • In the Certificate Signing by Symantec section | select Automated to have the Symantec signing server automatically generate | sign | install certificates on each controller device. It is recommended that you select Automated certificate signing. If you select Manual, see the section on how manual certificate generation works.
  • Enter the first and last name of the requester of the certificate | enter the email address of the requester of the certificate. The email address is required because the signed certificate and a confirmation email are sent to the requester via email; they are also made available through the customer portal.
  • Specify the validity period for the certificate | enter a challenge phrase. The challenge phrase is the password for your certificate and is required when you renew or revoke a certificate | confirm your challenge phrase.
  • In the Certificate Retrieve Interval field | specify how often the vManage server checks whether the Symantec signing server has sent the certificate | click Save.

Note: This process only determines whether certificate generation for all controller devices is done automatically or manually. It does not generate the certificates.

Generate Certificate for the vManage NMS

If you have selected Automated certificate signing, follow these steps to retrieve the signed certificate and install it on the vManage NMS:

  • In vManage NMS, select the Configuration | Certificates screen | In the title bar | select the Controllers tab.
  • From the controllers table | select the row that lists the vManage NMS.

  • Click the More Actions icon to the right of the row and select Generate CSR | vManage NMS automatically generates the CSR, retrieves the generated certificate, and installs it on the vManage NMS.

  • The Controllers table now displays the certificate serial number and expiration date.

Verify Certificate Installation

