Scribd
Upload
37 views18 pages

Workbook

Uploaded by

आदर्श पाण्डेय
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
37 views18 pages

Workbook

Uploaded by

आदर्श पाण्डेय
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

SD-WAN control plane configuration

Document Information:

Author Rakus
Version 2
Date 5/2/2020

Lab Objective:

The focus of this lab is to understand basic configuration of SD-WAN require device
basic configure, certificate installation.

Requirement:
- Software:
o eve-nglab version 1.0.2
if eve-nglab still version 1.0.1, let login vm console with account root/eve then
run command:
wget -O - https://user.eve-nglab.com/upgrade/1.0.2 | bash
- Hardware requirement:
o RAM 24Gb

Lab topology:
Taks1: Setup vManage web management
- Setup IP web management for vManage:
Console to vManager
Login incorrect
vmanage login: admin
Password:
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on vmanage
Available storage devices:
hdb 100GB
hdc 3GB
1) hdb
2) hdc
Select storage device to use: 1
Would you like to format hdb? (y/n): y

Waiting 5-10min for vManage booting again.

config t
vpn 512
interface eth0
ip address 192.168.10.11/24
no shutdown
!
ip route 0.0.0.0/0 192.168.10.1
commit

If it logs commit failed due to:


Aborted: values are not unique: eth0
'vpn 0 interface eth0 if-name'
'vpn 512 interface eth0 if-name'
 Let delete eth0 on vpn 0 by command:
vpn 0
no interface eth0
commit

Click to User icon -> login vManage web with ip address: 192.168.10.11. Login with account:
admin/admin
If cant login, login LAN device and verify interface state:
LAN>show ip int bri
Interface IP-Address OK? Method Status
Protocol
GigabitEthernet0/0 192.168.1.1 YES NVRAM administratively
down down
GigabitEthernet0/1 192.168.10.1 YES NVRAM administratively
down down

LAN#conf t
Enter configuration commands, one per line. End with CNTL/Z.
LAN(config)#int rang g0/0 - 1
LAN(config-if-range)#no sh

 Do the same with WAN router.

Go to Administration -> Setting


Task2: Lab configuration
- vManage
vmanage# conf t
Entering configuration mode terminal
vmanage(config)# system
vmanage(config-system)# system-ip 1.1.1.1
vmanage(config-system)# site-id 1000
vmanage(config-system)# organization-name "eve-nglab"
vmanage(config-system)# vbond 10.1.1.2
vmanage(config-system)# !
vmanage(config-system)# vpn 0 int eth1
vmanage(config-interface-eth1)# ip add 10.1.1.1/24
vmanage(config-interface-eth1)# no shut
vmanage(config-interface-eth1)# exit
vmanage(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vmanage(config-vpn-0)# !
vmanage(config-vpn-0)# commit and-quit

- vBond
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 1.1.1.2
vedge(config-system)# site-id 1000
vedge(config-system)# organization-name "eve-nglab"
vedge(config-system)# vbond 10.1.1.2 local vbond-only
vedge(config-system)# !
vedge(config-system)# vpn 512 int eth0
vedge(config-interface-eth0)# ip add 192.168.10.12/24
vedge(config-interface-eth0)# no shut
vedge(config-interface-eth0)# exit
vedge(config-vpn-512)# ip route 0.0.0.0/0 192.168.10.1
vedge(config-vpn-0)# interface ge0/0
vedge(config-interface-ge0/0)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 10.1.1.2/24
vedge(config-interface-ge0/0)# no shut
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vedge(config-vpn-0)# commit and-quit

- vSmart
vsmart(config-vpn-0)# system
vsmart(config-system)# system-ip 1.1.1.3
vsmart(config-system)# site-id 1000
vsmart(config-system)# organization-name "eve-nglab"
vsmart(config-system)# vbond 10.1.1.2
vsmart(config-system)# !
vsmart(config-system)# vpn 512 int eth0
vsmart(config-interface-eth0)# ip add 192.168.10.13/24
vsmart(config-interface-eth0)# no shut
vsmart(config-interface-eth0)# exit
vsmart(config-vpn-512)# ip route 0.0.0.0/0 192.168.10.1
vsmart(config-vpn-512)# !
vsmart(config-vpn-512)# vpn 0 int eth1
vsmart(config-interface-eth1)# no int eth0
vsmart(config-interface-eth1)# ip add 10.1.1.3/24
vsmart(config-interface-eth1)# no shut
vsmart(config-interface-eth1)# exit
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vsmart(config-vpn-0)# !
vsmart(config-vpn-0)# commit and-quit
Commit complete.
vsmart#

- vEdge site 1
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 2.1.1.1
vedge(config-system)# site-id 1
vedge(config-system)# organization-name eve-nglab
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 172.16.0.2/24
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 172.16.0.254
vedge(config-vpn-0)# commit and-quit

- vEdge site 2
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 3.1.1.1
vedge(config-system)# site-id 2
vedge(config-system)# organization-name eve-nglab
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 172.17.0.2/24
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 172.17.0.254
vedge(config-vpn-0)# commit and-quit
Commit complete.

Task3: Certificate installation


- vManage
vmanage# vshell
vmanage:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
.............................+++
e is 65537 (0x10001)
vmanage:~$

Created ROOTCA.pem with ROOTCA.key

openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
> -subj "/C=AU/ST=NSW/L=NSW/O=eve-nglab /CN=vmanage.lab" \
> -out ROOTCA.pem

Install ROOTCA.pem

exit
vmanage# request root-cert-chain install /home/admin/ROOTCA.pem

Uploading root-ca-cert-chain via VPN 0


Copying ... /home/admin/ROOTCA.pem via VPN 0
Successfully installed the root certificate chain

Login vManage to create certificate request


Configuration → Certificates → Controllers → vManage → Generate CSR then copy

Create vmanage.crt with CSR code copy above.


And create vmanage.csr with ROOTCA.key

openssl x509 -req -in vmanage.csr \


-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vmanage.crt -days 500 -sha256

Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vmanage_07af546c-d136-4f32-9f6d-
aa8e598a3410_0.viptela.com/[email protected]
Getting CA Private Key

Copy content vmanage.crt file by using “cat vmanage.crt” then install certificate on vManage
Configuration → Certificates → Controllers → Install Certificate

- vBond:

vBond# request root-cert-chain install


scp://[email protected]:/home/admin/ROOTCA.pem vpn 512

Result:
Uploading root-ca-cert-chain via VPN 512
Copying ... [email protected]:/home/admin/ROOTCA.pem via VPN 512
Warning: Permanently added '192.168.10.11' (ECDSA) to the list of
known hosts.
viptela 16.2.11

[email protected]'s password:
ROOTCA.pem 100% 1265
1.2KB/s 00:00
Successfully installed the root certificate chain

Add vBond to vmanage:

Configuration → Certificates → Controllers → Add Controller:


If vbond adding unsuccessful, lets no tunnel-interface as bellow:

vBond# conf t
Entering configuration mode terminal
vBond(config)# vpn 0
vBond(config-vpn-0)# interface ge0/0
vBond(config-interface-ge0/0)# no tunnel-interface
vBond(config-interface-ge0/0)# commit
Commit complete.
vBond(config-interface-ge0/0)#

View vBond CSR:

Configuration → Certificates → Controllers → vBond → View CSR


On vManage, create vbond.csr with content above

- vManage
openssl x509 -req -in vbond.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vbond.crt -days 500 -sha256

Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vbond_cdb5c222-0188-4384-a5c2-
8fa0b76d822f_0.viptela.com/[email protected]
Getting CA Private Key
vmanage:~$

Using “cat vbond.crt” to see file contents then copy and install certificate on vManage web

Configuration → Certificates → Controllers → Install Certificate


Send certificate to vBond
Configuration → Certificates → Controllers → Send to vBond

- vSmart:

vsmart# request root-cert-chain install


scp://[email protected]:/home/admin/ROOTCA.pem vpn 512

Result:

Uploading root-ca-cert-chain via VPN 512


Copying ... [email protected]:/home/admin/ROOTCA.pem via VPN 512
Warning: Permanently added '192.168.10.11' (ECDSA) to the list of
known hosts.
viptela 16.2.11

[email protected]'s password:
ROOTCA.pem 100% 1265
1.2KB/s 00:00
Successfully installed the root certificate chain

- Add vSmart to vManage web

Configuration → Devices → Controllers → Add Controller → vSmart


View and copy vSmart CSR
Configuration → Certificates → Controllers → vSmart → View CSR:

Create vsmart.csr file on vManage with contents viewed above.


Author vsmart.csr with ROOTCA.key

- vManage:
openssl x509 -req -in vsmart.csr \
-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vsmart.crt -days 500 -sha256

Result:

Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vsmart_f35d4b87-8322-4f81-a63c-
52981f16d5e9_1.viptela.com/[email protected]
Getting CA Private Key

Using “cat vmsart.crt” to see contents and copy then install certificate:

Configuration → Certificates → Controllers → Install Certificate

- vEdge:

on vManage, using “cat ROOTCA.pem” to see contents then create ROOTCA.pem file on
vEdge with same contents. Install ROOTCA.pem on vEdge with command:
vedge# request root-cert-chain install /home/admin/ROOTCA.pem

Result:
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

Create vedge01.csr file

request csr upload /home/admin/vedge01.csr

Uploading CSR via VPN 0


Enter organization-unit name : eve-nglab
Re-enter organization-unit name : eve-nglab
Generating private/public pair and CSR for this vedge device
Generating CSR for this vedge device ........[DONE]
Copying ... /home/admin/vedge01.csr via VPN 0
CSR upload successful

Using “cat vedge01.csr” to copy contents and create vedge01.csr file on vManage.
Create vedge01.crt with command bellow:
vMange:

openssl x509 -req -in vedge01.csr \


-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vedge01.crt -days 500 -sha256

Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vedge-368755e1-cfc9-4dbe-984e-9a8d7e3f41f9-
0.viptela.com/[email protected]
Getting CA Private Key

On vedge01, create vedge01.crt same contents with file on vManage then install with
command bellow:

vedge# request certificate install /home/admin/vedge01.crt

Result:
Installing certificate via VPN 0
Copying ... /home/admin/vedge01.crt via VPN 0
Successfully installed the certificate

Check serial number:

vedge# show certificate serial


Chassis number: 368755e1-cfc9-4dbe-984e-9a8d7e3f41f9 serial
number: BB36DBCE6DF33852

Create text file with code:

368755e1-cfc9-4dbe-984e-9a8d7e3f41f9,BB36DBCE6DF33852

Do the same with vedge02. Check serial and add to text file.
Task 4: Upload vEdge list

On User PC, press Ctrl + Shift + ALT and choose Shared Driver -> Upload file

Upload vedge file to vManage


Send vedge list to controller
Configuration → Certificates → vEdge List → Send to Controllers

Validate vEdges

Configuration → Certificates → vEdge List → (vEdge) → Valid


Then send to controller after valid all vedge

- Configure tunnel

vManage/Smart
vpn 0
interface eth1
tunnel-interface

vBond
vpn 0
interface ge0/0
tunnel-interface encapsulation ipsec

Task 5: Verification:

vmanage# show control connections

PEER PEER
PEER PEER PEER SITE DOMAIN PEER
PRIVATE PEER PUBLIC
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP
PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
-----
0 vedge dtls 3.1.1.1 2 1 172.17.0.2
12346 172.17.0.2 12346 default up 0:00:00:34
0 vsmart dtls 1.1.1.3 1000 1 10.1.1.3
12346 10.1.1.3 12346 default up 0:00:00:28
0 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:47
1 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:46
2 vedge dtls 2.1.1.1 1 1 172.16.0.2
12346 172.16.0.2 12346 default up 0:00:00:29
2 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:47
3 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:47
vsmart# show control connections

PEER PEER
PEER PEER PEER SITE DOMAIN PEER
PRIVATE PEER PUBLIC
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP
PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
-----
0 vedge dtls 2.1.1.1 1 1 172.16.0.2
12346 172.16.0.2 12346 default up 0:00:00:53
0 vedge dtls 3.1.1.1 2 1 172.17.0.2
12346 172.17.0.2 12346 default up 0:00:00:58
0 vbond dtls - 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:01:00
0 vmanage dtls 1.1.1.1 1000 0 10.1.1.1
12346 10.1.1.1 12346 default up 0:00:00:52
1 vbond dtls - 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:59

vedge# show control connections

PEER PEER
CONTROLLER
PEER PEER PEER SITE DOMAIN PEER
PRIV PEER PUB
GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP
PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE
UPTIME ID
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
----------------------
vsmart dtls 1.1.1.3 1000 1 10.1.1.3
12346 10.1.1.3 12346 default No up
0:00:04:40 0
vbond dtls 0.0.0.0 0 0 10.1.1.2
12346 10.1.1.2 12346 default - up
0:00:09:29 0
vmanage dtls 1.1.1.1 1000 0 10.1.1.1
12546 10.1.1.1 12546 default No up
0:00:04:40 0

You might also like