Configure vSmart & Generate Certificate

Posted on Jan 27, 2020

Once the vSmart VM has been set up and started, it comes up with a factory-default configuration. Some basic initial configuration must still be done manually so that the device can be authenticated and verified and can join the overlay network.

The following must be configured for vSmart to operate and join the overlay network:

  • A tunnel interface on one interface in VPN 0, which must be connected to the WAN transport and reachable by the other Viptela devices. VPN 0 carries all control traffic between Viptela devices.
  • The OMP protocol must be enabled.

Once the initial configuration is done, full configuration templates can be created on vManage and attached to the vSmart controller. Configuration parameters in the template may then overwrite the initial configuration.

The initial configuration includes a system IP address for vSmart. This is a persistent address that also acts as the router ID, identifies the controller independently of any interface address, and is one component of the TLOC address. Control traffic over the DTLS or TLS connections between vSmart and vEdge, and between vSmart and vBond, is sent over the system interface identified by the system IP address, which is a loopback-style address in VPN 0.

Create Initial Configuration for the vSmart Controller

Log in to the Viptela device via SSH as user admin, using the default password, admin. Then enter configuration mode:

vSmart# config
vSmart(config)#

Configure the hostname:

vSmart(config)# system host-name hostname

Configure the system IP address.

vSmart(config-system)# system-ip ip-address

Configure the site ID where the device is located:

vSmart(config-system)# site-id site-id

Configure the domain ID in which the device is located:

vSmart(config-system)# domain-id domain-id

Configure the IP address or DNS name of the vBond orchestrator:

The vBond orchestrator's IP address should be a public IP address, so that all Viptela devices in the overlay network can reach it.

vSmart(config-system)# vbond (dns-name | ip-address)

Configure a time limit for confirming that a software upgrade is successful:

vSmart(config-system)# upgrade-confirm minutes

Change the password for the user "admin" (the default password is "admin"):

vSmart(config-system)# user admin password password

Configure an interface in VPN 0 over which an Internet or other WAN transport network can be reached. The interface must have a public IP address, which can be configured statically or obtained via DHCP:

vSmart(config)# vpn 0
vSmart(config-vpn-0)# interface interface-name
vSmart(config-interface)# (ip dhcp-client | ip address prefix /length)
vSmart(config-interface)# no shutdown
vSmart(config-interface)# tunnel-interface
vSmart(config-tunnel-interface)# allow-service netconf

Configure a color for the tunnel to identify the type of WAN transport. The default color (default) can be used, but a more specific color, such as mpls or metro-ethernet, matching the actual WAN transport, can also be configured:

vSmart(config-tunnel-interface)# color color

Configure a default route to the WAN transport network:

vSmart(config-vpn-0)# ip route 0.0.0.0/0 next-hop
vSmart(config)# commit and-quit
vSmart#

Once the overlay network is up, create the vBond configuration template in vManage that contains the initial configuration, using the following vManage feature templates:

  • Use the System feature template for the hostname, system IP address, and vBond configuration.
  • Use the AAA feature template to configure a password for the "admin" user.
  • Use the VPN Interface Ethernet feature template to configure the interface in VPN 0.

In addition to the above initial configuration, some general system configuration is also required:

  • Organization name, on the vManage Administration screen.
  • Time zone, NTP servers, and device physical location, from the configuration templates.
  • Login banner, from the Banner feature configuration template.
  • Logging parameters, from the Logging feature configuration template.
  • AAA, and RADIUS and TACACS+ servers, from the AAA feature configuration template.
  • SNMP, from the SNMP feature configuration template.

Sample Initial CLI Configuration

system
 host-name vSmart
 gps-location latitude 40.7127837
 gps-location longitude -74.00594130000002
 system-ip 172.16.16.18
 site-id 100
 organization-name "Viptela Inc"
 clock timezone America/Los_Angeles
 upgrade-confirm 15
 vbond 11.10.10.10
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  user admin
   password encrypted-password
  !
 !
 logging
  disk
   enable
  !
  server 192.168.48.11
   vpn 512
   priority warn
  exit
 !
!
omp
 no shutdown
 graceful-restart
!
snmp
 no shutdown
 view v2
  oid 1.3.6.1
 !
 community private
  view v2
  authorization read-only
 !
 trap target vpn 0 10.0.1.1 16662
  group-name Viptela
  community-name private
 !
 trap group test
  all
   level critical major minor
  exit
 exit
!
vpn 0
 interface eth1
  ip address 10.10.11.23/24
  tunnel-interface
   color public-internet
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service stun
  !
  no shutdown
 !
!
vpn 512
 interface eth0
  ip dhcp-client
  no shutdown
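The initial-configuration procedure above and the sample configuration both boil down to a short checklist (system IP, site ID, vBond address, OMP enabled, a tunnel interface in VPN 0 with the right services allowed). The script below is an added example, not code from the page or from Cisco/Viptela: it parses the indented running-config form of the CLI into a tree and lints it against that checklist, flagging as errors the items the page says vSmart needs to join the overlay and as warnings the hygiene points a defender would review before the controller faces the WAN (sshd allowed on the transport tunnel, no color set, no domain ID). The parser, its `Node` type and the message strings are this example's own; the embedded sample is constructed from values in the page's sample configuration.

```python
"""Lint a vSmart initial configuration against the page's prerequisites (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One configuration command plus the commands nested beneath it."""
    text: str
    children: List["Node"] = field(default_factory=list)

    def child(self, prefix: str) -> Optional["Node"]:
        """First child equal to `prefix` or starting with `prefix` followed by a space."""
        for c in self.children:
            if c.text == prefix or c.text.startswith(prefix + " "):
                return c
        return None


def parse_config(text: str) -> Node:
    """Build a tree from leading-space indentation (as 'show running-config' prints it).
    '!' and 'exit' only close blocks, so they are skipped; indentation gives the depth."""
    root = Node("")
    stack: List[Tuple[int, Node]] = [(-1, root)]
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "exit"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:  # climb back out to the enclosing block
            stack.pop()
        node = Node(stripped)
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


def lint_vsmart_config(text: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors are the page's hard requirements, warnings are review items."""
    root = parse_config(text)
    errors: List[str] = []
    warnings: List[str] = []

    system = root.child("system")
    if system is None:
        errors.append("missing 'system' block")
    else:
        for key in ("host-name", "system-ip", "site-id", "vbond"):
            if system.child(key) is None:
                errors.append(f"system: missing '{key}'")
        sysip = system.child("system-ip")
        if sysip is not None:
            try:  # the system IP doubles as router ID, so it must at least be a valid IPv4 address
                ipaddress.IPv4Address(sysip.text.split()[1])
            except (IndexError, ValueError):
                errors.append(f"system: '{sysip.text}' is not a valid IPv4 address")
        if system.child("domain-id") is None:
            warnings.append("system: no 'domain-id' configured")

    omp = root.child("omp")
    if omp is None or omp.child("no shutdown") is None:
        errors.append("omp: OMP is not enabled ('omp' with 'no shutdown' is required)")

    vpn0 = root.child("vpn 0")
    if vpn0 is None:
        errors.append("vpn 0: transport VPN is missing")
        return errors, warnings
    tunnels = [i for i in vpn0.children
               if i.text.startswith("interface ") and i.child("tunnel-interface")]
    if not tunnels:
        errors.append("vpn 0: no interface carries a 'tunnel-interface'")
    for iface in tunnels:
        tun = iface.child("tunnel-interface")
        where = f"vpn 0 {iface.text}"
        if iface.child("no shutdown") is None:
            errors.append(f"{where}: interface is shut down")
        if tun.child("color") is None:
            warnings.append(f"{where}: no color set, the default color will be used")
        if tun.child("allow-service sshd") is not None:  # 'no allow-service sshd' does not match
            warnings.append(f"{where}: sshd is reachable over the WAN transport")
        if tun.child("allow-service netconf") is None:
            warnings.append(f"{where}: netconf is not allowed on the tunnel")
    return errors, warnings


# Constructed sample, using values from the page's sample configuration.
SAMPLE_CONFIG = """\
system
 host-name vSmart
 system-ip 172.16.16.18
 site-id 100
 vbond 11.10.10.10
!
omp
 no shutdown
!
vpn 0
 interface eth1
  ip address 10.10.11.23/24
  tunnel-interface
   color public-internet
   allow-service netconf
   no allow-service sshd
  !
  no shutdown
 !
!
"""

# Constructed weakened variant: OMP block removed and sshd exposed on the transport.
WEAK_CONFIG = SAMPLE_CONFIG.replace("no allow-service sshd", "allow-service sshd") \
                           .replace("omp\n no shutdown\n!\n", "")

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weakened", WEAK_CONFIG)):
        errs, warns = lint_vsmart_config(cfg)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for msg in errs + warns:
            print("   ", msg)
```

The parser deliberately ignores `!` and `exit` and trusts indentation, which is how the device prints its running configuration; a flat paste like the one on this page would need to be re-indented first. Treating an exposed sshd as a warning rather than an error mirrors the page's sample, which keeps sshd off the transport tunnel while leaving netconf on so vManage can still reach the controller.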

Add the vSmart Controller and Generate Certificate

The following steps add a vSmart orchestrator to the network, automatically generate the CSR for vSmart, and install the signed certificate on vSmart:

  • In vManage NMS, select the Configuration | Devices screen.
  • In the Controllers tab, click Add Controller and select vSmart.

In the Add vSmart dialog box, provide the following information:

  • The vSmart management IP address, and the username and password used to access the vSmart orchestrator.
  • The protocol for the control plane connection. The default is DTLS; if TLS is selected, provide the port number, 23456.
  • Select the Generate CSR checkbox to allow the certificate-generation process to run automatically, then click Add.

vManage NMS generates the CSR, retrieves the generated certificate for vSmart, and automatically installs it on the vSmart orchestrator, after which the vSmart is added to vManage. To verify that the certificate is installed on a vSmart orchestrator, follow the screenshots below:

