

TUTORIAL How to Setup Cisco SD-WAN Viptela Test LAB Setup
Building an SD-WAN lab leads to the need for onboarding, which can be manual (mandatory for on-premise installations) or automated for cloud-hosted deployments (AWS or Azure).
This post is the first one, I think there will be two in total, in which we download the images, power up the lab and make the basic configuration for the devices.
The first step in onboarding is downloading and installing the required images from the official site software.cisco.com. Software images can be downloaded from Downloads Home/Routers/Software-Defined WAN (SD-WAN)/SD-WAN.
For this post I am using SD-WAN software version 19.1.0 with the following image names:
Because the purpose of the lab is to give an overview of the onboarding of vDevices (vManage, vBond, vSmart, vEdge and cEdge), we use a simple topology, based on the following network diagram.
[Image: vip-topology-1024x477.png]
To be fast and effective, I use what is, in my opinion, the best network simulation software, EVE-NG Pro. As usual, a guide for installation and setup of the Viptela images can be found in the How-To documentation area of the EVE-NG website; for cEdge node installation follow the steps described there. At the end of this document you can find download links for the lab topology and node configurations. A Docker node (eve-gui-server) is used as the CA and for accessing the web GUI of vManage (users of EVE-NG Community Edition can use any other Linux node instead of Docker).
Basic configuration for vManage
After powering up the vManage node in EVE-NG, we have to create and deploy a basic configuration that meets the following requirements:
  • Create a zone-based security, separating interfaces and VPNs in two categories, control (VPN 0) and management (VPN 512);
  • Nodes connectivity, System IP, Site ID, Org-Name, vBond IP, Enterprise CA certificate.
We use the following recommended template:
Code:
system
host-name vManage
system-ip <vManage system IP>
site-id   100
admin-tech-on-failure
organization-name "pocvlab sdwan"
clock timezone Europe/Bucharest
vbond <VPN0 VBOND IP>
!
vpn 0
interface eth1
  ip address <VPN0 IP address/netmask>
  no shutdown
ip route 0.0.0.0/0 <VPN0 gateway address>
!
vpn 512
interface eth0
  ip address <VPN512 IP address/netmask>
  no shutdown
ip route 0.0.0.0/0 <VPN512 gateway address>
!
ntp
server 0.pool.ntp.org
  version 4
exit
Be aware that organization-name must be consistent across all nodes and must match exactly the value used in the license. The organization-name string you plan to use must also be unique in the Cisco database; you can check it by following the steps in Cisco SD-WAN Edges licensing and onboarding, Add controller profile step.
Open a web browser on the Docker node and navigate to the vManage web interface, then authenticate using the default username and password (admin/admin). Go to Administration > Settings and verify that Organization Name is displayed correctly. Edit the vBond settings and enter 10.10.0.3 in the IP address field.
If you don't configure the vBond address under system settings, generating the bootstrap config for the vEdge node will not be successful.
Basic configuration for vBond
The vBond configuration has the following requirements:
  • Cannot be behind NAT;
  • Create a zone-based security, separating interfaces and VPNs in two categories, control (VPN 0) and management (VPN 512);
  • Nodes connectivity, System IP, Site ID, Org-Name, vBond IP, Enterprise CA certificate.
The recommended template for this node is listed below. For the moment, tunnel-interface is disabled until the trust chain between nodes is established:
Code:
system
host-name vBond
system-ip <vBond system IP>
site-id 100
organization-name "pocvlab sdwan"
clock timezone Europe/Bucharest
vbond <vBond VPN0 IP address> local vbond-only
!
vpn 0
interface ge0/0
  ip address <VPN0 IP address/netmask>
  no tunnel-interface
  ipv6 dhcp-client
  no shutdown
ip route 0.0.0.0/0 <VPN0 gateway address>
!
vpn 512
interface eth0
  ip address <VPN512 IP address/netmask>
  no shutdown
ip route 0.0.0.0/0 <VPN512 gateway address>
!
ntp
server 0.pool.ntp.org
  version 4
exit
where <vBond VPN0 IP address> has to be equal to <VPN0 IP address>.
Basic configuration for vSmart Controller
The template for the vSmart Controller is as follows:
Code:
system
host-name vSmart
system-ip <vSmart system IP>
site-id 100
admin-tech-on-failure
organization-name "pocvlab sdwan"
clock timezone Europe/Bucharest
vbond <VPN0 VBOND IP>
!
vpn 0
interface eth1
  ip address <VPN0 IP address/netmask>
  no tunnel-interface
  no shutdown
ip route 0.0.0.0/0 <VPN0 gateway address>
!
vpn 512
interface eth0
  ip address <VPN512 IP address/netmask>
  no shutdown
ip route 0.0.0.0/0 <VPN512 gateway address>
!
ntp
server 0.pool.ntp.org
  version 4
exit
!
Verify connectivity to 10.10.0.2, 10.10.0.3, 10.10.0.254 and 10.10.0.1 using ping. It should be successful.
Before going further, check the configuration on vManage, vBond and vSmart using show control local-properties. Verify that the organization name is configured correctly, a site-id value is assigned, the system-ip is unique per node, and the vBond IP address is specified correctly.
Root CA Certificate
To generate the root CA certificate we use the following commands on the Docker node (enter the same Organization Name used before when asked):
Code:
openssl genrsa -out CA.key 2048
openssl req -new -x509 -days 100 -key CA.key -out CA.crt
Now let's copy the CA certificate to all three vDevices using scp:
Code:
scp CA.crt [email protected]:
scp CA.crt [email protected]:
scp CA.crt [email protected]:
SSH into vManage and import the new Root-CA:
Code:
vManage# request root-cert-chain install /home/admin/CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
Check that the root CA was imported successfully using show certificate root-ca-cert. Repeat the process on the vBond and vSmart controllers.
On the Docker node, open Firefox and go to https://172.16.1.2/dataservice/system/de...tcertchain to resync the vManage DB. You need to provide the web username and password, which is admin/admin. The answer, in JSON format, should be: {"syncRootCertChain":"done"}.
From the vManage page (https://172.16.1.2), navigate to Configuration > Devices and then select Controllers in the top left. Click Add Controller and select vBond from the list. Enter the vBond VPN0 IP address, username and password (admin/admin). Deselect the Generate CSR option and click Add. Repeat the process for the vSmart Controller.
On the Administration > Settings page, check that the values for Organization Name and vBond IP address match the values used in the basic configuration section. Change Controller Certificate Authorization to Enterprise Root Certificate and import CA.crt.
Navigate to Configuration > Certificates and then select Controllers in the top left. On the right side, for each device, press the three dots button to access the Generate CSR option. Copy and paste the content into a new file for each node and save the files in the /root directory as vManage.csr, vBond.csr and vSmart.csr.
Sign CSRs using openssl:
Code:
openssl x509 -req -in vManage.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out vManage.crt -days 2000 -sha256
openssl x509 -req -in vBond.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out vBond.crt -days 2000 -sha256
openssl x509 -req -in vSmart.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out vSmart.crt -days 2000 -sha256
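The root CA generation and CSR signing above are done by hand in the post; the following added example (not part of the original post or of Cisco's tooling) wraps the same openssl commands in a small signing helper that refuses any CSR whose Organization (O) does not match the organization-name configured on the nodes, and verifies each signed certificate against CA.crt. It assumes openssl is installed and uses constructed CSRs in place of the ones pasted from vManage.

```shell
#!/bin/sh
# Added example, not from the original post: an Enterprise CA helper that signs
# a controller CSR only if its Organization (O) matches the organization-name
# configured on the SD-WAN nodes, then verifies the result against the CA.
# Assumes openssl is installed; files are written to a scratch directory.
set -eu

ORG="pocvlab sdwan"             # must equal organization-name on every node
WORK="${WORK:-$(mktemp -d)}"

# Create the root CA as in the post, but non-interactively via -subj.
make_ca() {
  openssl genrsa -out "$WORK/CA.key" 2048 2>/dev/null
  openssl req -new -x509 -days 100 -key "$WORK/CA.key" \
    -subj "/O=$ORG/CN=pocvlab Root CA" -out "$WORK/CA.crt" 2>/dev/null
}

# Print the O= value of a CSR subject, e.g. "pocvlab sdwan".
csr_org() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline |
    sed -n 's/^ *O=//p'
}

# Sign CSR $1 into certificate $2 only when its O matches $ORG, then verify
# the chain. Returns non-zero (and signs nothing) on a mismatch.
sign_csr() {
  org="$(csr_org "$1")"
  if [ "$org" != "$ORG" ]; then
    echo "refusing to sign $1: O='$org' does not match '$ORG'" >&2
    return 1
  fi
  openssl x509 -req -in "$1" -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" \
    -CAcreateserial -out "$2" -days 2000 -sha256 2>/dev/null
  openssl verify -CAfile "$WORK/CA.crt" "$2" >/dev/null
}

# Constructed CSRs standing in for the ones vManage generates (hypothetical
# key names; a real CSR is pasted from the Generate CSR dialog instead).
make_csr() {  # $1 = CSR path, $2 = CN, $3 = O
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -subj "/O=$3/CN=$2" -out "$1" 2>/dev/null
}

make_ca
make_csr "$WORK/vBond.csr" vBond "$ORG"
make_csr "$WORK/rogue.csr" rogue "someone else"
sign_csr "$WORK/vBond.csr" "$WORK/vBond.crt"     # signed and verified
sign_csr "$WORK/rogue.csr" "$WORK/rogue.crt" || echo "rejected as expected"
```

A mismatched O is the most common reason a controller certificate is installed but control connections still fail, so checking it before signing saves a round of CSR regeneration.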
In the Configuration > Certificates > Controllers page, select the vManage line, click Install Certificate, and install the vManage.crt file. Repeat the process for vBond and vSmart.
Navigate to Configuration > Devices > Controllers; if the import of the certificate was successful, you will see the Certificate Installed status under all three controllers.
[Image: vip-019-1024x422.png]
On the home dashboard, you will notice that no control connection is established between the nodes. One more step is needed: we have to configure tunnel-interface on the VPN 0 interface of each controller.
Code:
!vManage and vSmart
vpn 0
interface eth1
  tunnel-interface
commit and-quit
!
!vBond
vpn 0
interface ge0/0
  tunnel-interface
   encapsulation ipsec
commit and-quit
Check the connections between vBond and the other two controllers; the STATE of the connections should be UP:
[Image: vip-020-1024x175.png]
In the next post we will see how we generate and install licenses for vEdge and cEdge and how the manual onboarding process works for these devices.
This post was last modified: 04-30-2020, 08:37 AM by Ninja.
Copyright © ITStudyGroup.org 2015-2020