Viptela Controller Configuration

Viptela Lab – Topology


I. vManage Initial Configuration (CLI)

vmanage# conf t
Entering configuration mode terminal
vmanage(config)# system
vmanage(config-system)# host-name LAB-VMANAGE1
vmanage(config-system)# system-ip 1.1.255.11
vmanage(config-system)# site-id 255
vmanage(config-system)# organization-name "2019_VIPLAB"
vmanage(config-system)# ntp server 1.1.0.1 prefer vpn 0
vmanage(config-server-1.1.0.1)# exit
vmanage(config-ntp)# exit
vmanage(config-system)# clock timezone America/Los_Angeles
vmanage(config-system)# vbond 1.1.0.12

! The configuration entered so far is held only in the candidate buffer. It won't take effect until commit.

vmanage(config-system)# show configuration
system
host-name LAB-VMANAGE1
system-ip 1.1.255.11
site-id 255
organization-name 2019_VIPLAB
clock timezone America/Los_Angeles
vbond 1.1.0.12
ntp
server 1.1.0.1
version 4
prefer
exit
!
vmanage(config-system)# commit
Commit complete.

II. Interface Configuration (CLI)

LAB-VMANAGE1# conf t
Entering configuration mode terminal
LAB-VMANAGE1(config)# vpn 0
LAB-VMANAGE1(config-vpn-0)# ip route 0.0.0.0/0 1.1.0.1
LAB-VMANAGE1(config-vpn-0)# interface eth0
LAB-VMANAGE1(config-interface-eth0)# ip address 1.1.0.11/24
LAB-VMANAGE1(config-interface-eth0)# no shut
LAB-VMANAGE1(config-interface-eth0)# commit

Note: VPN 512 is the other reserved VPN, used for dedicated out-of-band management access; it is roughly equivalent to the management interface on a Cisco router.

LAB-VMANAGE1# request nms all status 
NMS application server
Enabled: true
Status: waiting
NMS configuration database
Enabled: true
Status: running PID:6831 for 107s
NMS coordination server
Enabled: true
Status: running PID:6844 for 107s
NMS messaging server
Enabled: true
Status: running PID:8542 for 89s
NMS statistics database
Enabled: true
Status: running PID:2355 for 138s
NMS data collection agent
Enabled: true
Status: not running
NMS cloud agent
Enabled: true
Status: running PID:268 for 155s
NMS container manager
Enabled: false
Status: not running
NMS SDAVC proxy
Enabled: true
Status: running PID:363 for 155s

III. Post Installation (GUI)


Log In to a Device for the First Time
Enter a URL in the format https://ip-address:8443, where 8443 is the port number used by the vManage NMS.

a. Set Organization and vBond (default port)
Administration > Settings

b. Controller Certificate Authorization
When the controllers come up they authenticate to each other with certificates, so each controller first needs to obtain a certificate.

Ways to issue certificates to controllers
1. Symantec Automated – vManage creates a CSR on the device's behalf and then has it signed automatically by the Symantec CA server, which is controlled by Cisco support.

2. Symantec Manual – Similar to the first method, but everything is done manually: you generate the CSR, submit it on the Symantec website for signing (the request must be approved by the Cisco team), and once you receive the signed certificate you install it by hand. Use this when vManage has no internet access.

3. Enterprise root certificate – Take all certificate signing into your own hands, which means you need your own root CA. The process is similar to Symantec Manual, but you must also make every device trust your root CA, whereas the Symantec CA is already trusted (built in).

IV. vBond Initial Configuration (CLI)

As on a vEdge, you configure the system-ip, site-id, organization-name and so on. The difference is that the vBond service must be enabled by adding the local keyword to the vbond command.

vedge# conf t
Entering configuration mode terminal
vedge(config)# system 
vedge(config-system)# host-name LAB-VBOND1
vedge(config-system)# system-ip 1.1.255.12
vedge(config-system)# site-id 255
vedge(config-system)# organization-name "2019_VIPLAB"
vedge(config-system)# ntp server 1.1.0.1 prefer vpn 0
vedge(config-server-1.1.0.1)# exit
vedge(config-ntp)# exit
vedge(config-system)# vbond 1.1.0.12 local
vedge(config-system)# 
Uncommitted changes found, commit them? [yes/no/CANCEL] yes
Commit complete.
!
LAB-VBOND1# conf t
Entering configuration mode terminal
LAB-VBOND1(config)# vpn 0
LAB-VBOND1(config-vpn-0)# ip route 0.0.0.0/0 1.1.0.1
LAB-VBOND1(config-vpn-0)# interface ge0/0
LAB-VBOND1(config-interface-ge0/0)# ip address 1.1.0.12/24
LAB-VBOND1(config-interface-ge0/0)# no shut
LAB-VBOND1(config-interface-ge0/0)# no tunnel-interface
LAB-VBOND1(config-interface-ge0/0)# commit
LAB-VBOND1# show interface 
interface vpn 0 interface ge0/0 af-type ipv4
 ip-address        1.1.0.12/24
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         service
 mtu               1500
 hwaddr            50:00:00:03:00:01
 speed-mbps        1000
 duplex            full
 tcp-mss-adjust    1416
 uptime            0:00:03:11
 rx-packets        149
 tx-packets        111
interface vpn 0 interface system af-type ipv4
 ip-address        1.1.255.12/32                 <----- For vManage
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         loopback
 mtu               1500
 hwaddr            00:00:00:00:00:00
 speed-mbps        0
 duplex            full
 tcp-mss-adjust    1416
 uptime            0:00:03:17
 rx-packets        0
 tx-packets        0
interface vpn 512 interface eth0 af-type ipv4
 if-admin-status   Up
 if-oper-status    Up
 if-tracker-status NA
 encap-type        null
 port-type         service
 mtu               1500
 hwaddr            50:00:00:03:00:00
 speed-mbps        0
 duplex            half
 tcp-mss-adjust    0
 uptime            0:00:03:10
 rx-packets        0
 tx-packets        41

Note: By default the device is just a vEdge Cloud router until you enable vBond with the local keyword. Also, the tunnel interface is enabled by default on a vEdge router, so you need to remove it (no tunnel-interface) if you plan to register with vManage over ge0/0: with the tunnel interface present, the interface's allow-service policy blocks everything except the specifically allowed services, and registration fails.

V. Adding vBond to vManage (web)
Add the vBond by its management interface; as long as the tunnel interface is disabled, you will also be able to connect to the vBond over VPN 0.

Configuration > Devices > Controllers > Add Controller > vBond

VI. Certificate Installation using OpenSSL

LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++++
...............................+++++
e is 65537 (0x10001)

LAB-VMANAGE1:~$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
> -subj "/C=AU/ST=NSW/L=NSW/O=network-lab/CN=vmanage.lab" \
> -out ROOTCA.pem
LAB-VMANAGE1:~$ exit

LAB-VMANAGE1# request root-cert-chain install /home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ cat > vmanage.csr
LAB-VMANAGE1:~$ ls
ROOTCA.key ROOTCA.pem archive_id_rsa.pub vmanage.csr vmanage_csr

LAB-VMANAGE1:~$ pwd 
/home/admin

LAB-VMANAGE1:~$ cat > vmanage.csr

LAB-VMANAGE1:~$ openssl x509 -req -in vmanage.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vmanage.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN=vmanage-bf0c54b2-db8e-400f-a4c7-93bb226ac39a-1.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
LAB-VMANAGE1:~$ ls
ROOTCA.key ROOTCA.pem ROOTCA.srl archive_id_rsa.pub vmanage.crt vmanage.csr vmanage_csr

LAB-VMANAGE1:~$ exit

LAB-VMANAGE1# request certificate install /home/admin/vmanage.crt
Installing certificate via VPN 0
Copying ... /home/admin/vmanage.crt via VPN 0
Same certificate is already installed.
Failed to install the certificate !!

https://codingpackets.com/blog/viptela-control-plane-setup

vBond Certificate installation

#request root-cert-chain install scp://admin@1.1.0.11:/home/admin/ROOTCA.pem vpn 0

LAB-VBOND1# request root-cert-chain install scp://admin@1.1.0.11:/home/admin/ROOTCA.pem vpn 0
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@1.1.0.11:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added '1.1.0.11' (ECDSA) to the list of known hosts.
viptela 18.4.3

admin@1.1.0.11's password:
ROOTCA.pem 100% 1269 40.2KB/s 00:00
Updating the root certificate chain..
Successfully installed the root certificate chain
### SIGNED FROM VMANAGE
LAB-VMANAGE1# vshell
LAB-VMANAGE1:~$ cat > vbond.csr
LAB-VMANAGE1:~$
LAB-VMANAGE1:~$
LAB-VMANAGE1:~$ openssl x509 -req -in vbond.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vbond.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=2019_VIPLAB/O=vIPtela Inc/CN=vmanage-bf0c54b2-db8e-400f-a4c7-93bb226ac39a-2.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key

request certificate install scp://admin@1.1.0.11:/home/admin/vbond.crt vpn 0
LAB-VBOND1# request certificate install scp://admin@1.1.0.11:/home/admin/vbond.crt vpn 0
Installing certificate via VPN 0
Copying ... admin@1.1.0.11:/home/admin/vbond.crt via VPN 0
Warning: Permanently added '1.1.0.11' (ECDSA) to the list of known hosts.
viptela 18.4.3

admin@1.1.0.11's password:
vbond.crt 100% 1314 41.4KB/s 00:00
Error: CSR not generated.. Aborting !
Failed to install the certificate !!
LAB-VBOND1#
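The enterprise-CA signing flow from section VI, as an added example that is not from the original post: a POSIX shell script that builds a lab root CA, signs a controller CSR only after checking the CSR's own signature and that its OU matches the expected organization-name, and then verifies the issued certificate chains to the root before anything is pushed with request certificate install. The file names, the lab subject and the locally generated device CSR are assumptions standing in for the CSRs the controllers generate.

```shell
#!/bin/sh
# Added example (not from the original post). Signs a controller CSR with an
# enterprise root CA and verifies the result before "request certificate install".
set -u

# Build a self-signed root CA in $1 (same commands as the ROOTCA.pem step).
make_root_ca() {
  dir="$1"
  openssl genrsa -out "$dir/ROOTCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ROOTCA.key" -sha256 -days 1024 \
    -subj "/C=AU/ST=NSW/L=NSW/O=network-lab/CN=vmanage.lab" \
    -out "$dir/ROOTCA.pem" 2>/dev/null
}

# Constructed stand-in for the CSR a controller generates ($2 becomes its OU).
make_device_csr() {
  dir="$1"; ou="$2"
  openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
  openssl req -new -key "$dir/device.key" -out "$dir/device.csr" \
    -subj "/C=US/ST=California/L=San Jose/OU=$ou/O=vIPtela Inc/CN=vbond.lab" \
    2>/dev/null
}

# Sign $1/device.csr only if its self-signature checks out and its OU equals
# the expected organization-name ($2); then confirm the issued certificate
# chains to ROOTCA.pem. Distinct non-zero codes say which check failed.
sign_and_verify() {
  dir="$1"; expected_ou="$2"
  openssl req -in "$dir/device.csr" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$dir/device.csr" -noout -subject)
  case "$subj" in
    *"OU=$expected_ou"*|*"OU = $expected_ou"*) ;;   # old/new openssl formats
    *) return 2 ;;
  esac
  openssl x509 -req -in "$dir/device.csr" -CA "$dir/ROOTCA.pem" \
    -CAkey "$dir/ROOTCA.key" -CAcreateserial -out "$dir/device.crt" \
    -days 500 -sha256 2>/dev/null || return 3
  openssl verify -CAfile "$dir/ROOTCA.pem" "$dir/device.crt" >/dev/null 2>&1 \
    || return 4
}

# Usage: lab CA + matching CSR; exit status 0 means the cert is safe to push.
demo() {
  work=$(mktemp -d)
  make_root_ca "$work"
  make_device_csr "$work" "2019_VIPLAB"
  sign_and_verify "$work" "2019_VIPLAB"; rc=$?
  rm -rf "$work"
  return "$rc"
}
```

Running the OU check against the CSR before signing is what catches a request generated on the wrong device or with the wrong organization-name, which the controller would otherwise only report as a failed install.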
