In this post we generate and install the licenses the edge devices need and then connect them to the controllers. This is the second part of the Cisco SD-WAN on-boarding series on building a self-hosted SD-WAN lab. For the first part click here.
First we need to obtain the licenses from the Cisco site, which requires a Smart Account with at least one Virtual Account. Go to software.cisco.com and, from the Administration area, select Manage Smart Account:
then select Virtual Accounts
next select New Virtual Account
and fill in the name of the new Virtual Account and save.
The next step is to add a vBond profile. Go back to the Software Central page and, from the Network Plug and Play area, choose Plug and Play Connect.
From the drop-down menu at the top right select the Virtual Account created before.
Next, select Controller Profiles, then the Add Profile button.
For the controller type, VBOND must be selected.
On the next page fill in the required fields. Pay attention to two of them: Organization Name, which becomes the OU in every certificate and is what the certificate authentication process matches on, so it must be identical (it is case-sensitive) on every controller and edge in the Viptela domain; and Primary Controller, the name or address the edges will use to reach vBond. Then Submit.
To add virtual edge (vEdge or cEdge) devices, from the Plug and Play Connect page select the Devices link,
then the Add Software Devices button.
To add a vEdge, in the Identify Device window enter VEDGE-CLOUD-DNA in the Base PID field.
For a cEdge the Base PID is CSR1KV, and for an ISRv it is ISRV.
After adding all devices click Next, review the list, Submit, then Done.
The devices are now added; for a few minutes they stay in the Pending (publish) state.
Once the status becomes Provisioned, go to Controller Profiles, tick the check box in front of the Profile Name and click the Provisioning File link to download the provisioning file.
In the Download Provisioning File dialog select Controller Versions 18.3 and newer and download the file.
Transfer the downloaded file to the Docker node (if you don't know how, EVE-NG Cookbook section 13.2 explains it).
In vManage navigate to Configuration > Devices and select Upload vEdge List to upload the provisioning file downloaded from the Cisco website. The page then lists the unused device licenses that were added to the system. This authorized list also has to reach vBond and vSmart (vManage sends it to them); without it the controllers reject the edges when they try to connect.
Onboarding Edge nodes
The first step in configuring the vEdge is applying the following template from configuration mode and committing it (the placeholders in angle brackets are replaced with the lab values):
system
 host-name vEdge
 system-ip <vEdge system IP>
 site-id 1
 organization-name "pocvlab sdwan"
 clock timezone Europe/Bucharest
 vbond <VPN0 VBOND IP>
!
vpn 0
 interface ge0/0
  ip address <VPN0 IP address/netmask>
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
  !
  no shutdown
 !
 ip route 0.0.0.0/0 <VPN0 gateway address>
!
Verify connectivity to vBond (10.10.0.3), vManage (10.10.0.2) and vSmart (10.10.0.4) with ping.
Now we have to copy the CA certificate from the Docker node into a file on the vEdge. Open a terminal on the Docker node, run cat CA.crt, then select and copy the content. On the vEdge drop to the Linux shell with the vshell command, type vim CA.crt to open a new file in the vim editor, press the i key to start inserting text and paste the copied content, then <Esc>:wq to write the file and quit. Type exit to return to the vEdge CLI. The file now sits in the admin user's home directory, so we can import the root CA certificate from there:
vEdge# request root-cert-chain install /home/admin/CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
In the vManage interface navigate to Configuration > Devices, select the unused vEdge entry, click the three dots on the right side and select Generate bootstrap configuration. Accept the defaults and click OK. From the window that opens we need the chassis UUID and the OTP. On the vEdge console insert them into the following command:
request vedge-cloud activate chassis-number <UUID> token <OTP>
for example:
request vedge-cloud activate chassis-number ebad1856-1b4a-c89c-d120-25ed7d6945b5 token 58b4fb93b34a13dbfdb8a0c2f29d4fad
After about a minute, show control local-properties on the vEdge CLI should report the certificate status as Installed.
Because the root certificate has to be copied from the Docker node to the cEdge bootflash over the network, we first configure only the basic system properties and the IP address of the GigabitEthernet1 interface, using the following template:
config-transaction
!
hostname cEdge
!
system
 system-ip <cEdge system IP>
 site-id 2
 admin-tech-on-failure
 organization-name "pocvlab sdwan"
 vbond <VPN0 VBOND IP>
!
interface GigabitEthernet1
 no shutdown
 ip address <VPN0 IP address/netmask>
!
commit
end
On the Docker node, edit /etc/ssh/sshd_config to permit root login over SSH and restart the sshd service. This is acceptable only in a throwaway lab: root login is needed here solely because the file sits in /root, and the copy command works with any account that can read CA.crt, so anywhere else copy the file into an unprivileged user's home directory and put that user in the scp URL instead. Then copy the CA root certificate from the Docker node to the cEdge bootflash:
cEdge#copy scp://root@10.10.0.1/root/CA.crt bootflash:
Address or name of remote host [10.10.0.1]?
Source username [root]?
Source filename [root/CA.crt]? /root/CA.crt
Destination filename [CA.crt]?
Password:
Once the file is copied we can install the certificate:
cEdge#request platform software sdwan root-cert-chain install bootflash:CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /bootflash/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
Now we can finish the cEdge configuration:
config-transaction
!
interface Tunnel0
 no shutdown
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode sdwan
exit
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color default
  exit
 exit
!
commit
end
Activate the cEdge manually with the chassis number and OTP from the Bootstrap Configuration, generated in the vManage web interface under Configuration > Devices by selecting the unused CSR1000v line:
request platform software sdwan vedge_cloud activate chassis-number <UUID> token <OTP>
for example:
request platform software sdwan vedge_cloud activate chassis-number CSR-6170246D-E8C4-1D4A-A972-5EF144184AB9 token c448da2783609afcc3e9a7a7a17f1dfd
After a minute or so the Tunnel0 interface should come up and the certificate installation should be complete; check the state of the control connections on the cEdge CLI with show sdwan control connections.
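Two things are worth checking on the Docker node before typing either activation command: that the OU in the controller certificates signed in part 1 really equals the organization-name used in the vEdge and cEdge templates above, and that the chassis number and OTP pasted from the bootstrap dialog have the shape of the two activation examples on this page. The script below does both. It is an added example, not code from the original post or from Cisco; it assumes openssl is on PATH when reading a PEM file (the parser itself works on any RFC 2253 subject line), that the OU match is exact and case-sensitive as Cisco documents it, and that chassis numbers and tokens follow the pattern of the two examples above (a UUID, with a PID prefix such as CSR- on cEdge, and a 32-hex-digit OTP). The sample subject lines are constructed.

```python
"""Pre-flight checks for SD-WAN edge onboarding (added example, not from the post)."""
import re
import subprocess

# organization-name used in the vEdge/cEdge templates on this page. Viptela
# matches certificates on their OU, which must equal this string exactly.
ORG_NAME = "pocvlab sdwan"

# Shapes taken from the two activation examples on the page: a UUID for the
# chassis (cEdge ones carry a "CSR-" PID prefix) and a 32-hex-digit OTP.
# Assumption: other PIDs follow the same <PID>-<UUID> pattern.
_UUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
CHASSIS_RE = {
    "vedge": re.compile(rf"^{_UUID}$", re.I),
    "cedge": re.compile(rf"^[A-Za-z]+-{_UUID}$", re.I),
}
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
ACTIVATE_CMD = {
    "vedge": "request vedge-cloud activate chassis-number {chassis} token {token}",
    "cedge": "request platform software sdwan vedge_cloud activate chassis-number {chassis} token {token}",
}


def parse_subject(subject_line: str) -> dict:
    """Turn `subject=CN=x,OU=y,...` (openssl -nameopt RFC2253) into a dict.

    RFC 2253 escapes commas inside values as `\\,`; they are unescaped here.
    Attribute order does not matter for the check.
    """
    s = subject_line.strip()
    if s.startswith("subject="):
        s = s[len("subject="):]
    attrs = {}
    for part in re.split(r"(?<!\\),", s):      # split on unescaped commas only
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip()] = value.strip().replace("\\,", ",")
    return attrs


def subject_from_pem(path: str) -> str:
    """Subject of a PEM certificate, via the openssl CLI (assumed on PATH)."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-subject", "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True)
    return proc.stdout.strip()


def ou_problems(subject_line: str, org_name: str = ORG_NAME) -> list:
    """Reasons this certificate would fail the OU / organization-name match.

    An empty list means the OU equals org_name exactly. Near misses (case,
    stray whitespace) are the usual reason controllers reject an edge.
    """
    ou = parse_subject(subject_line).get("OU")
    if ou is None:
        return ["subject has no OU attribute"]
    if ou == org_name:
        return []
    if ou.strip().lower() == org_name.strip().lower():
        return [f"OU {ou!r} differs from organization-name {org_name!r} only in "
                "case or whitespace; the match is exact, align one side"]
    return [f"OU {ou!r} does not match organization-name {org_name!r}"]


def activation_problems(platform: str, chassis: str, token: str) -> list:
    """Catch a truncated or mixed-up copy/paste of the bootstrap UUID and OTP."""
    platform = platform.lower()
    if platform not in ACTIVATE_CMD:
        return [f"unknown platform {platform!r}; use 'vedge' or 'cedge'"]
    problems = []
    if not CHASSIS_RE[platform].match(chassis.strip()):
        problems.append(f"chassis number {chassis!r} is not a {platform} chassis UUID")
    if not TOKEN_RE.match(token.strip()):
        problems.append(f"token {token!r} is not 32 hex digits (truncated paste?)")
    return problems


def activation_command(platform: str, chassis: str, token: str) -> str:
    """The exact CLI line to paste on the edge, or ValueError listing the problems."""
    problems = activation_problems(platform, chassis, token)
    if problems:
        raise ValueError("; ".join(problems))
    return ACTIVATE_CMD[platform.lower()].format(chassis=chassis.strip(), token=token.strip())


# Constructed sample subjects (not from the post): a correct one and a near miss.
SAMPLE_GOOD = "subject=CN=vbond,OU=pocvlab sdwan,O=pocvlab\\, lab,C=RO"
SAMPLE_BAD = "subject=CN=vbond,OU=Pocvlab SDWAN,O=pocvlab,C=RO"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:               # e.g. vbond.crt vmanage.crt vsmart.crt
        print(path, ou_problems(subject_from_pem(path)) or "OK")
```

Run it against the controller certificates signed in part 1 (the CA.crt itself may carry any subject; it is the certificates chained to it that must carry the OU), and pass the UUID and OTP from the bootstrap dialog through activation_command before pasting them, so a token clipped by the clipboard fails here rather than on the edge.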
From the vManage web interface, Configuration > Devices, we can see the state of the WAN Edges:
and in the main Dashboard status of all connected nodes:
That is the end of this long post. I hope it will be useful.