Cedge Onboarding Aman

The document outlines the configuration and setup process for edge routers in a Cisco SD-WAN environment, specifically focusing on control connections and certificate management. It details the differences between cEdge and vEdge devices, including the manual enabling of SD-WAN tunnels on cEdge, and the necessary steps to install root CA certificates for establishing secure control connections. Additionally, it provides instructions for uploading WAN edge lists and generating tokens for edge devices to ensure proper authentication and connectivity within the network.

Uploaded by hostreachable

Important:

On all devices:

sp-organization-name "vTAC-India - 22201"
organization-name "vTAC-India - 22201"

- On an edge router we have two control connections, one private and one public. For example, MPLS uses the private IP and biz-internet uses the public IP, so on the vBond we have to check which IP is being used to form the control connection.

- Example: the vBond holds two IPs for the vSmart, one public and one private. In the customer setup we have to check which IP is being used to form the control connection; it will be formed with whichever IP is reachable. If the customer is using MPLS it will use the private IP; if they are using biz-internet they will use the public IP.

Day0 config for the edge router

- For cEdge a few commands are different from vEdge: on vEdge the SD-WAN tunnel is enabled by default, but on cEdge we have to enable it manually.

system
 site-id 1002
 system-ip 22.22.22.1
 organization-name "vTAC-India - 22201"
 vbond 172.18.64.3
commit

Cisco Confidential
================> up till now this is the same config as on vBond or vSmart

On vEdge, once we enable VPN 0 and the interface and enable the tunnel, the SD-WAN tunnel comes up. On cEdge we have to enable it manually: create the tunnel, provide the interface details, and set the tunnel mode to sdwan.

Router#show ip vrf
  Name        Default RD   Interfaces
  65528       <not set>    Lo65528
  65529       <not set>    Lo65529

Note: VRF 0 will be there by default, but any other VRF/VPN we need to create ourselves, so we need to create VPN 1 (VRF 1) on the cEdge and also on the vEdge.

vrf definition 1
 rd 1:1
 address-family ipv4
  route-target export 1:1
  route-target import 1:1
commit

### If we are using a template and enable VPN 1, this config is pushed by vManage; if using the CLI we need to do it manually.

Gig1, 10.x.x.x, will be used for the tunnel interface.

config t
 interface Tunnel2
  ip unnumbered GigabitEthernet2
  tunnel source GigabitEthernet2
  tunnel mode sdwan
commit

! Now we have created an SD-WAN tunnel; next we need to enable it.
! We configured VPN 0 and created the SD-WAN tunnel manually.

sdwan
 interface GigabitEthernet2
  tunnel-interface
   color mpls
   encapsulation ipsec
commit

============ (If we are using only one interface for SSH and the same interface for the SD-WAN tunnel, SSH might get disabled.)

When the tunnel interface is enabled, SSH on that interface is disabled, so we need to take the console and enable SSH (allow-service ssh):

config
 sdwan
  interface GigabitEthernet1
   tunnel-interface
    allow-service ssh
commit

=====

#show sdwan control local-properties

NAT TYPE: E -- indicates End-point independent mapping
          A -- indicates Address-port dependent mapping
          N -- indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type

                  PUBLIC          PUBLIC  PRIVATE         PRIVATE  PRIVATE                       MAX    RESTRICT/          LAST        SPI TIME    NAT   VM
INTERFACE         IPv4            PORT    IPv4            IPv6     PORT     VS/VM  COLOR  STATE  CNTRL  CONTROL/   LR/LB   CONNECTION  REMAINING   TYPE  CON  REG
                                                                                                        STUN                                       PRF   IDs
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
GigabitEthernet2  10.126.105.114  12346   10.126.105.114  ::       12346    0/0    mpls   down   2      no/yes/no  No/No   0:02:04:33  0:09:55:26  N     5    Default

! This shows the control connection local properties and also whether a certificate is installed.

Example:

From vManage we will install the root CA (the certificate authority setting is either automatic or we have to do it manually). We need to install the PEM file and the certificate.

We will install the root CA from vManage:

vManage => Administration => Settings =>

Note:

If the automatic option is selected, vBond provides the vManage IP, and vManage generates the CSR and also creates a signed certificate for the vEdge after authenticating its serial number and chassis number.

Since our device is a software router (vEdge or cEdge), we need to do it manually.

We need to generate a token, and that token needs to be present on vBond and vManage.

When the vEdge/cEdge forms a control connection with the vBond, vBond checks the token number and the subject serial number; if they are valid it checks the organization name. If that is also valid, the device authenticates, forms the control connection, and is then given the vManage IP.

===

The control connection / tunnel interface will stay down until we install the token and the certificate.

==

When we get a new device, its serial number and chassis number should be installed on all controllers: vBond, vManage and vSmart.

How to upload the WAN edge list?

vManage => Configuration => Devices => Upload WAN Edge List

Note: there will also be an option asking whether you want to push the edge list to the controllers; if you say yes, it validates the list and sends it to the other controllers.

================

Steps:

Upload the WAN edge list on vManage.

Go to Configuration => Certificates and validate the edge device.

Once validated, from the top left send it to the controllers. Below is the command to check whether the edge device was validated and sent successfully to the controllers:

vbond# show orchestrator valid-?
Possible completions:
  valid-vedges        Display valid vedges
  valid-vmanage-id    Display valid vManage certificate authority UUID
  valid-vsmarts       Display valid vSmarts

Similar command on vSmart:

VS1# show control valid-vedges
                                                                                                             HARDWARE
                                                                                                INSTALLED    SUBJECT
                                                                                                SERIAL       SERIAL
CHASSIS NUMBER                            SERIAL NUMBER                     VALIDITY  ORG                 NUMBER       NUMBER
----------------------------------------------------------------------------------------------------------------------------------
C8K-2C356C8F-2591-3A28-DF55-CCF7A28CDDB1  08c6f1cc5dc2460eb83b88958ecab6e6  valid     vTAC-India - 22201  N/A          C8K-2C356C8

NEXT STEP is to generate a token for the edge device:

Configuration => Devices => select the chassis number you want to use => click on Actions => Generate Bootstrap Configuration (cloud-init option)

After that you will get the chassis number and the token; now we need to install these on the edge router.

Command:

request platform software sdwan vedge_cloud activate chassis-number xxxx token xxxx

Now under the local properties it will show the token and chassis number that we installed:

Once the token is installed, the interface under sdwan will also come up and the device will try to build the control connection.

It will try to build the control connection but will fail with "certificate verification failed"; we can check this using show sdwan control connection-history.

Now we need to install a root CA.

The vBond has a certificate, but on the router we do not have a root CA that can validate and approve the vBond's certificate; currently there is also no certificate on the edge router itself. We have one on the vBond, but a root CA is also needed on the edge router so it can validate and approve the certificate.

Note:

Previously we generated a certificate from vManage and also created a root CA from vManage. We need to copy the same root CA to the edge router and install it there.

Go to vManage and copy the root CA file using scp or another file transfer mechanism.

On vManage:

# request execute vpn 0 scp -P 22 /home/admin/ROOTCA.pem [email protected]:/bootflash:/ROOTCA.pem

Note: from vshell we can use "scp -P 22 /home/admin/ROOTCA.pem [email protected]:/bootflash:/ROOTCA.pem"

Once the file is copied to the edge, verify it by checking the directory, and install it with the command below:

cedge1#request platform software sdwan root-cert-chain install bootflash:ROOTCA.pem

After that, if you check, the control connection will be up with the vBond.

Another method is to manually install the certificate on the edge device. We also need to change the certificate authorization method for edge devices from automatic to manual.

After that perform the steps below:

Configuration => Certificates => the edge device => View CSR, and copy the CSR.

Go to vManage and do:

vi cedge.csr   <= paste the CSR content

And run the command below to generate the certificate:

openssl x509 -req -in cedge.csr \
  -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
  -out cedge.crt -days 2000 -sha256

Copy the contents of cedge.crt, go to the vManage GUI, then go to Configuration => Certificates => Install Certificate and paste the content.
