Cisco SDWAN Self Hosted Lab Part 2

This is the second post in a two part series on building a self hosted Cisco SDWAN lab using an enterprise CA for certificates. You can find the first part here.

In this part I will install the controller stack (vManage, vBond and vSmart) and then the WAN edges (a vEdge Cloud and a cEdge Cloud).

I am hosting this lab on an Ubuntu server running the KVM hypervisor. I will also use the vManage as the enterprise root CA server.

Prerequisites

This post assumes that you have the KVM hypervisor already installed along with the libvirt management application. Additionally you will need the virt-install and cloud-localds CLI tools.

It is also assumed that you have downloaded the virtual disk images from https://software.cisco.com and the serial file from the PnP Portal generated in part one.

Lab Diagram

The following diagram depicts the topology for the lab.

vManage

Over on the build server, create a working directory and copy the VM image files into it. I am working from the ~/sdwan-testlab directory, which holds the downloaded images.

The vBond and the vEdge share the same image; I copied the vEdge image and renamed the copy for the vBond.

The vManage requires a second disk for its database. Create a thin-provisioned disk for it.

Start the vManage installation.

This starts the VM and attaches to a virtual console. Once you see the message System Ready, log in with the username/password admin/admin and follow the prompts to initialize the database. Change the default password as soon as the system is up: this controller is about to hold the lab's root CA key.

Once this is done the VM reboots. Log in again and apply the bootstrap configuration (system identity such as host name, system IP, site ID, organization name and vBond address, plus the VPN 0 and VPN 512 interface addressing).

While here, generate the Root CA. Drop into the vshell (a Unix-like shell) with the vshell command. Bear in mind that this keeps the root CA private key on the vManage itself: anyone with vshell access can issue certificates that every controller and edge in the fabric trusts, so protect this account and the key file.

Generate a Root CA key.

Next, generate the Root CA certificate. I will generate a certificate with 5 years of validity.

This creates a Root CA certificate named ROOTCA.pem. cat the file so you can copy and paste its contents in an upcoming step.

Exit back to the CLI and find the IP address of the VPN 512 (management) interface.

Once you have the IP address, browse to https://<vpn512 address> and log in with the username/password admin/admin.

vmanage-install-1.png

The dashboard looks like this.

vmanage-install-2.png

Once logged in navigate to the settings page.

  • Administration
  • Settings

Enter the Organization Name and click Save. This field must match what you used when creating the vBond profile.

vmanage-install-3.png

Enter the vBond IP Address and click Save.

vmanage-install-4.png

Change the Controller Certificate Authorization to use Enterprise Root Certificate. Paste in the contents of the generated ROOTCA.pem file from the previous step and click Import & Save.

vmanage-install-5.png

Keep the WAN Edge Cloud Certificate Authorization method as Automated (vManage-signed Certificate). This way the vManage automatically signs the cloud edge certificates when they connect to it.

vmanage-install-6.png

Next we need to create a CSR for the vManage. Navigate to the certificates section.

  • Configuration
  • Certificates
  • Controllers
  • vManage
  • … (the row's three-dot action menu)
  • Generate CSR

vmanage-install-7.png

A window pops up with the CSR text. This can be ignored for the vManage, because the CSR file is already on the box.

Back in the vshell there is a file called vmanage_csr. Sign it with ROOTCA.key and ROOTCA.pem.

This creates a file called vmanage.crt. Verify that it chains to ROOTCA.pem, then cat it so you can copy and paste it into the web interface in the next step.
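As an added example (not code from the original post), here is the openssl sequence behind the Root CA step above and the CSR signing steps used for the vManage here and for the vBond and vSmart later, together with the two checks I would run before pasting a certificate into the UI: confirm it chains to ROOTCA.pem, and record its SHA-256 fingerprint so it can be compared after the root certificate has been copied to an edge. The file names ROOTCA.key, ROOTCA.pem, vmanage_csr and vmanage.crt follow the post; the subject names, 2048-bit keys, SHA-256 digest and 1825-day (5-year) validity are my choices, and the CSR is constructed here in place of the one vManage generates.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes openssl is on PATH.
# Subject names, key size and validity period are assumptions for this lab.
set -eu

# Work in a scratch directory; in the post this is the vshell home directory.
WORK="${WORK:-$(mktemp -d)}"

# Root CA: private key plus a self-signed certificate valid for 5 years.
make_root_ca() {
    ( cd "$WORK"
      openssl genrsa -out ROOTCA.key 2048 2>/dev/null
      openssl req -x509 -new -key ROOTCA.key -sha256 -days 1825 \
          -subj "/C=AU/O=Example-Lab/CN=Example Lab Root CA" \
          -out ROOTCA.pem )
}

# Sign a controller CSR with the root CA.  Usage: sign_csr vmanage_csr vmanage.crt
# The same call signs vbond.csr and vsmart.csr pasted in from the vManage UI.
sign_csr() {
    csr="$1"; crt="$2"
    ( cd "$WORK"
      openssl x509 -req -in "$csr" -CA ROOTCA.pem -CAkey ROOTCA.key \
          -CAcreateserial -sha256 -days 1825 -out "$crt" 2>/dev/null )
}

# Check that a certificate really chains to our root before it goes into vManage.
# Returns non-zero for a certificate from another CA or for a file that is not a cert.
verify_cert() {
    ( cd "$WORK" && openssl verify -CAfile ROOTCA.pem "$1" >/dev/null 2>&1 )
}

# SHA-256 fingerprint of a certificate; compare this on the edge after the SCP.
fingerprint() {
    ( cd "$WORK" && openssl x509 -in "$1" -noout -fingerprint -sha256 )
}

# Constructed stand-in for the CSR that vManage writes to vmanage_csr.
make_test_csr() {
    ( cd "$WORK"
      openssl genrsa -out test.key 2048 2>/dev/null
      openssl req -new -key test.key -subj "/C=AU/O=Example-Lab/CN=vmanage" -out "$1" )
}
```

Run it as `make_root_ca; sign_csr vmanage_csr vmanage.crt; verify_cert vmanage.crt && cat "$WORK/vmanage.crt"`; the verify step is what catches a CSR signed with the wrong key or an old ROOTCA.pem left over from a previous build.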

Navigate to the certificates page and install the certificate by pasting the contents of the vmanage.crt file and click Install.

  • Configuration
  • Certificates
  • Controllers
  • Install Certificate

vmanage-install-8.png

You should see a success message similar to the below.

vmanage-install-9.png

To exit the console, use one of these key combinations (assuming an English keyboard).

  • CTRL + ]
  • CTRL + 5
  • Press and hold CTRL and SHIFT while pressing 6 then ]

For convenience, SSH to the vManage from a second terminal to sign the certificates of the other devices.

vBond

Start the install of the vBond VM.

Once you see the message System Ready, log in with the username/password admin/admin and apply the bootstrap configuration.

Navigate to the devices page to add the vBond to the vManage.

  • Configuration
  • Devices
  • Controllers
  • Add Controller
  • vBond

vbond-install-1.png

Enter the vBond details and click Add.

vbond-install-2.png

Navigate to the certificates page to get the vBond CSR text.

  • Configuration
  • Certificates
  • Controllers
  • vBond
  • … (the row's three-dot action menu)
  • View CSR

vbond-install-3.png

Copy the CSR text and go to the vManage vshell to generate the certificate.

vbond-install-4.png

Use vim to create a file called vbond.csr containing the vBond CSR from the previous step, then sign the CSR with the Root CA.

This creates a certificate file called vbond.crt. cat the contents of vbond.crt so you can copy and paste them into the vManage in the next step.

Navigate to the certificates page and install the vBond certificate by pasting in the contents of the vbond.crt file and click Install.

  • Configuration
  • Certificates
  • Controllers
  • Install Certificate

vbond-install-5.png

If it was successful you will see a success message similar to the below.

vbond-install-6.png

Finally, enable the control-plane tunnel (tunnel-interface under VPN 0) on the ge0/0 interface.

Confirm that control connections are up between the vBond and the vManage with show control connections.

Exit the console with one of the key combinations listed in the vManage section.

vSmart

Start the install of the vSmart VM.

Once you see the message System Ready, log in with the username/password admin/admin and apply the bootstrap configuration.

Navigate to the devices page to add the vSmart to the vManage.

  • Configuration
  • Devices
  • Controllers
  • Add Controller
  • vSmart

vsmart-install-1.png

Enter the vSmart details and click Add.

vsmart-install-2.png

Navigate to the certificates page to get the vSmart CSR text.

  • Configuration
  • Certificates
  • Controllers
  • vSmart
  • … (the row's three-dot action menu)
  • View CSR

vsmart-install-3.png

Copy the CSR text and go to the vManage vshell to generate the certificate.

vsmart-install-4.png

Use vim to create a file called vsmart.csr containing the vSmart CSR from the previous step, then sign the CSR with the Root CA.

This creates a certificate file called vsmart.crt. cat the contents of vsmart.crt so you can copy and paste them into the vManage in the next step.

Navigate to the certificates page and install the vSmart certificate by pasting in the contents of the vsmart.crt file and click Install.

  • Configuration
  • Certificates
  • Controllers
  • Install Certificate

vsmart-install-5.png

If it was successful you will see a success message similar to the below.

vsmart-install-6.png

Finally, enable the control-plane tunnel (tunnel-interface under VPN 0) on the eth1 interface.

Confirm that control connections are up between the vSmart, vBond and vManage with show control connections.

Exit the console with one of the key combinations listed in the vManage section.

Now, with the controllers out of the way, let's move on to the WAN edge devices.

WAN Edge List

Remember in part one when I said to keep the serial file safe for later? Now is that time. For WAN edges to join the fabric you need to upload the serial file generated in part one: it is the list of chassis numbers the controllers will accept, and an edge that is not on it is rejected.

Navigate to the devices page and upload the serial file from wherever you saved it previously. Keep the box ticked to validate the list and send it to the controllers, so that the vBond and vSmart learn which devices are authorized.

  • Configuration
  • Devices
  • Upload WAN Edge List

wan-edge-list-1.png

A success message looks similar to the below.

wan-edge-list-2.png

wan-edge-list-3.png

vEdge

To add a virtual edge you need to generate a bootstrap file. Navigate to the devices page.

  • Configuration
  • Devices
  • WAN Edge List
  • A vEdge Cloud
  • … (the row's three-dot action menu)
  • Generate Bootstrap Configuration

vedge-install-1.png

For KVM select Cloud-Init (VMware uses Encoded String). Then click OK.

vedge-install-2.png

You can either download the file and SCP it across to the host server, or copy and paste the contents via a terminal to the server. Use the method you are most comfortable with, but treat the file as a secret: it carries the one-time token that authorizes this device to join the fabric.

vedge-install-3.png

On the host server, create an ISO image from the cloud-init file so that it can be mounted on the vEdge at boot. I named the file vedge.cfg and copied it to the working directory.

Boot the vEdge with the config.iso disk attached. This ensures that the image boots with the correct chassis number.
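As an added example (not the post's own commands), the KVM host-side steps described so far in one script: the thin second disk and virt-install for the vManage from the start of this post, and the cloud-init ISO plus virt-install with that ISO as a CD-ROM for the vEdge just described. The image file names, VM sizing, the libvirt network name "default" and the 100G database disk are my assumptions; the post's own values are not shown on the extracted page. The DRY_RUN switch echoes each command instead of running it so the invocations can be reviewed on a machine without a hypervisor.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes qemu-img, cloud-localds
# and virt-install are installed on the Ubuntu KVM host; file names, sizing
# and the "default" libvirt network are assumptions for this lab.
set -eu

WORKDIR="${WORKDIR:-${HOME:-/tmp}/sdwan-testlab}"

# Echo the command instead of executing it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vManage needs a second, thin-provisioned qcow2 disk for its database.
mk_db_disk() {
    run qemu-img create -f qcow2 "$WORKDIR/vmanage-db.qcow2" 100G
}

# Boot the vManage with both disks and a serial console (virt-install attaches
# to the console, which is where "System Ready" appears).
install_vmanage() {
    run virt-install --name vmanage --memory 32768 --vcpus 16 --import \
        --disk "path=$WORKDIR/vmanage.qcow2,format=qcow2,bus=virtio" \
        --disk "path=$WORKDIR/vmanage-db.qcow2,format=qcow2,bus=virtio" \
        --network network=default,model=virtio \
        --os-variant generic --graphics none --console pty,target_type=serial
}

# Wrap the vManage-generated cloud-init file (vedge.cfg) into config.iso;
# cloud-localds takes the output ISO first and the user-data file second.
mk_vedge_iso() {
    run cloud-localds "$WORKDIR/config.iso" "$WORKDIR/vedge.cfg"
}

# Boot the vEdge with config.iso attached as a CD-ROM so the chassis number
# and one-time token from the bootstrap are read on first boot.
boot_vedge() {
    run virt-install --name vedge1 --memory 2048 --vcpus 2 --import \
        --disk "path=$WORKDIR/vedge.qcow2,format=qcow2,bus=virtio" \
        --disk "path=$WORKDIR/config.iso,device=cdrom" \
        --network network=default,model=virtio \
        --os-variant generic --graphics none --console pty,target_type=serial
}
```

For the real run call `mk_db_disk; install_vmanage` first and `mk_vedge_iso; boot_vedge` once the bootstrap file is in the working directory; `DRY_RUN=1 boot_vedge` prints the exact virt-install line for review.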

Once you see the message System Ready, log in with the username/password admin/admin and apply the bootstrap configuration.

Confirm that the chassis number matches the one in the cloud-init config (show certificate serial).

Install the Root CA certificate: SCP it from the vManage over the VPN 512 interface, compare its fingerprint with the one shown on the vManage so you know the edge is trusting the right root, then install it with request root-cert-chain install <path to ROOTCA.pem>.

Now activate the vEdge with request vedge-cloud activate chassis-number <chassis number> token <one-time password>, using the values from the cloud-init file.

It takes a minute or two, but confirm with show control connections that the control connections to the vManage, vBond and vSmart are up.

cEdge

Navigate to the devices page to generate the bootstrap config for the cEdge.

  • Configuration
  • Devices
  • WAN Edge List
  • A cEdge Cloud
  • … (the row's three-dot action menu)
  • Generate Bootstrap Configuration

cedge-install-1.png

For KVM select Cloud-Init (VMware uses Encoded String). Then click OK.

cedge-install-2.png

You can either download the file and SCP it across to the host server, or copy and paste the contents via a terminal to the server. Use the method you are most comfortable with.

cedge-install-3.png

Unlike the vEdge, it does not look like you can mount a cloud-init ISO to set the initial boot parameters. Instead, the cloud-init file must be named ciscosdwan.cfg and copied to the cEdge over SCP after it boots.

Boot up the cEdge VM.

Once the VM has booted, log in with the username/password admin/admin.

Find the IP address of GigabitEthernet1 so you can SCP the ciscosdwan.cfg file to the device.

From the host, SCP the ciscosdwan.cfg file to the cEdge's bootflash.

Reset the SD-WAN software (request platform software sdwan config reset) so that the chassis number from ciscosdwan.cfg is applied to the device; the router reloads.

Once the router is back online, log in and confirm that the chassis number matches the one in ciscosdwan.cfg (show sdwan certificate serial).

Apply the bootstrap configuration.

Copy the Root CA certificate to the cEdge with SCP from the vManage over the GigabitEthernet1 interface and, as with the vEdge, compare its fingerprint with the copy on the vManage. Then install it with request platform software sdwan root-cert-chain install bootflash:ROOTCA.pem.

The cEdge should activate automatically, but if it does not you can do it manually with request platform software sdwan vedge_cloud activate chassis-number <chassis number> token <one-time password>, using the values from the cloud-init file.

It takes a minute or two, but confirm with show sdwan control connections that the control connections to the vManage, vBond and vSmart are up.

And that’s it. A functioning Cisco SDWAN lab with both vEdges and cEdges. Here are a couple of images of the finished product.

final-dashboard.png

final-network.png

Outro

This was a pretty loooooonnnnngggg post. If you got this far, thanks for hanging in there. In this series of posts, we configured a Cisco SDWAN lab using an Enterprise CA with the vManage, vBond and vSmart controllers and both the cEdge and vEdge devices. If Cisco dCloud labs don’t meet your needs, then building your own lab might. Until next time!
