SD-WAN :: Adding vEdge Cloud

Before we jump in adding vEdges to controllers it’s good to know how many roads lead to Rome. The Cisco SD-WAN solution has two types of software platforms:

  • vEdge (Viptela OS)
  • IOS-XE SD-WAN (IOS-XE with SD-WAN)

Both software platforms run within both physical and virtual appliances.

Also there are three ways of onboarding:

  • Automated Deployment (PnP and ZTP)
  • Bootstrap
  • Manual

I’m not going into details how we provision all WAN Edges as I’m then replicating the initial source of information. As most of the engineers try to get some hands-on experience by labbing in EVE-NG I will start with the vEdge Cloud WAN Edge.

For detailed information about all WAN Edges and onboarding principle please check the Cisco Validated Design zone. Please refer to the resources section below.

The vEdge Cloud support either ZTP Provisioning or manual. Since I use a separate Enterprise CA I’ve chosen the latter.

I’m going to onboard the WAN Edge VE-02-S01 (Site 2)

:: Prerequisites

In this stage I assume you have setup your lab, added controllers, done some cool stuff with root certificates and signing these in order to setup DTLS tunnels between the controllers.

vmanage# show control connections
                                   PEER                                                                        PEER                                          PEER                                                                  
      PEER    PEER PEER            CONFIGURED        SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                                                   
INDEX TYPE    PROT SYSTEM IP       SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  ORGANIZATION            REMOTE COLOR     STATE UPTIME     
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vsmart  dtls 1.1.1.3         1.1.1.3         9000       1      192.168.100.251                         12346 192.168.100.251                         12346 testlab.local           default         up     0:00:17:10 
0     vbond   dtls 1.1.1.2         1.1.1.2         0          0      192.168.100.252                         12346 192.168.100.252                         12346 testlab.local           default         up     0:00:16:54 
1     vbond   dtls 0.0.0.0         -               0          0      192.168.100.252                         12346 192.168.100.252                         12346 testlab.local           default         up     0:00:16:54 
2     vbond   dtls 0.0.0.0         -               0          0      192.168.100.252                         12346 192.168.100.252                         12346 testlab.local           default         up     0:00:17:09 
3     vbond   dtls 0.0.0.0         -               0          0      192.168.100.252                         12346 192.168.100.252                         12346 testlab.local           default         up     0:00:17:09 
vsmart# show control connections 
                                                                                             PEER                                          PEER                                          
      PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                           
INDEX TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  REMOTE COLOR     STATE UPTIME     
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0     vbond   dtls 0.0.0.0         0          0      192.168.100.252                         12346 192.168.100.252                         12346 default         up     0:00:21:12 
0     vmanage dtls 1.1.1.1         9000       0      192.168.100.250                         12346 192.168.100.250                         12346 default         up     0:00:16:17 
1     vbond   dtls 0.0.0.0         0          0      192.168.100.252                         12346 192.168.100.252                         12346 default         up     0:00:21:13 
vbond# show orchestrator connections
                                                                                     PEER                      PEER                                                                            
         PEER     PEER     PEER             SITE        DOMAIN      PEER             PRIVATE  PEER             PUBLIC                                   ORGANIZATION                           
INSTANCE TYPE     PROTOCOL SYSTEM IP        ID          ID          PRIVATE IP       PORT     PUBLIC IP        PORT    REMOTE COLOR     STATE           NAME                    UPTIME         
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0        vsmart   dtls     1.1.1.3          9000        1           192.168.100.251  12346    192.168.100.251  12346   default          up              testlab.local           0:00:21:33     
0        vsmart   dtls     1.1.1.3          9000        1           192.168.100.251  12446    192.168.100.251  12446   default          up              testlab.local           0:00:21:33     
0        vmanage  dtls     1.1.1.1          9000        0           192.168.100.250  12346    192.168.100.250  12346   default          up              testlab.local           0:00:16:38     
0        vmanage  dtls     1.1.1.1          9000        0           192.168.100.250  12446    192.168.100.250  12446   default          up              testlab.local           0:00:16:38     
0        vmanage  dtls     1.1.1.1          9000        0           192.168.100.250  12546    192.168.100.250  12546   default          up              testlab.local           0:00:16:37     
0        vmanage  dtls     1.1.1.1          9000        0           192.168.100.250  12646    192.168.100.250  12646   default          up              testlab.local           0:00:16:37

Also let’s highlight some settings that are important before we start:

vManage: Administration / Settings

Auth0Tizatiort 
C«tifcate Ьу•, С) AUt—ted О Sy—tk 
с гаг ясдт€„ 
ымтт 
qdOLj 
WAN Cbud 
C«tifnte

Controller Certificate Authorization was set to Enterprise CA. All controllers have the root-cert installed from this Enterprise CA and all device certificates are signed by that CA.

Note: you don’t have to use a separate CA. You can also use the vManage as a CA via the vshell function.

Some commands to check certificate installation:

  • Show certificate root-ca-cert
  • Show certificate installed
  • Show certificate validity

:: Prepare vEdge

Preparing a vEdge means two things:

  • Prepare bootstrap config or skinny configuration
  • Get IP reachability

The latter is needed to onboard the device into the fabric. The first one makes sure it gets that IP reachability. The MPLS-PE nodes are already setup with iBGP and MPLS, so pointing with a default route to the PE nodes would be sufficient. Also make sure the Local Tail ip range (/30) is know in your datacenter.

Important to note that we choose for Automatic WAN Edge Cloud Authorization. The vManage will generate and sign the certificate for you.

To summarize:

The Enterprise CA acts as a CA for all controllers and contains your own properties

The vManage (can) act as the CA for all WAN Edges and is generated as a Viptela certificates which is signed by the vManage. The vManage has the root-cert for both Viptela and your own CA.

Since I’m labbing a lot for SD-WAN there is an old configuration on VE-02-S01.

Let’s erase it first:

VE-02-S01 login: admin
Password: 
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on VE-02-S01
VE-02-S01# 
VE-02-S01# 
VE-02-S01# request reset ?
Possible completions:
  configuration   Reset to default configuration
  logs            Clear logs
VE-02-S01# request reset configuration ?
Possible completions:
  |  <cr>
VE-02-S01# request reset configuration 
Are you sure you want to reset to default configuration? [yes,NO] yes
VE-02-S01# Sat Sep 26 13:25:03 CEST 2020: The system is going down for reboot NOW!
Stopping services...
acpid: exiting
ok: down: acpid: 0s, normally up
ok: down: button: 3990s, normally up
ok: down: cloudinit: 3939s, normally up
ok: down: ephemeral: 0s, normally up
ok: down: getty-tty1: 0s, normally up
<omitted>

After reboot the vEdge will return with a default config shown below:

system
 host-name               vedge
 admin-tech-on-failure
 no route-consistency-check
 vbond ztp.viptela.com
 aaa
  auth-order local radius tacacs
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup netadmin
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  usergroup tenantadmin
  !
  user admin
   password $6$TK6lEx1f/KWa/kX4$nezPbtMPFcE0wUTQMauGN/RzwWdPPkOeKh5JsxxqVE.0psruUPrWV7q0t/omuwuoRhJia
  !
 !
 logging
  disk
   enable
  !
 !
!
omp
 no shutdown
 graceful-restart
 advertise connected
 advertise static
!
security
 ipsec
  authentication-type ah-sha1-hmac sha1-hmac
 !
!
vpn 0
 interface ge0/0
  ip dhcp-client
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   no allow-service sshd
   no allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
!
vpn 512
 interface eth0
  ip dhcp-client
  ipv6 dhcp-client
  no shutdown
 !
!

Before we start we need to gather some mandatory information to configure the vEdge:

  • Sited-id: 2
  • System-IP: 6.1.1.1
  • Org: testlab.local
  • vBond IP: 192.168.100.252
  • Local tail between VE-02-S01 and MPLS-PE-GREEN: 172.18.30.0/24
  • Default route to 172.18.30.2

The skinny configuration:

!
system
 host-name VE-02-S01
 system-ip 6.1.1.1
 site-id 2
 admin-tech-on-failure
 no route-consistency-check
 organization-name testlab.local
 clock timezone Europe/Amsterdam
 vbond 192.168.100.252
!
vpn 0
!
 no interface ge0/0
 interface ge0/1
  ip address 172.18.30.2/24
  no shutdown
  tunnel-interface
   encapsulation ipsec
   no allow-service bgp
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service ospf
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 172.18.30.1
!
vpn 512
 interface eth0
  ip dhcp-client
  ipv6 dhcp-client
  no shutdown
 !
commit and-exit
!

Make sure you do some basic check for connectivity. We ping the next-hop address and the vBond’s IP address:

Ping local tail; 
VE-02-S01# ping vpn 0 172.18.30.2
Ping in VPN 0
PING 172.18.30.2 (172.18.30.2) 56(84) bytes of data.
64 bytes from 172.18.30.2: icmp_seq=1 ttl=64 time=0.171 ms
64 bytes from 172.18.30.2: icmp_seq=2 ttl=64 time=0.066 ms
64 bytes from 172.18.30.2: icmp_seq=3 ttl=64 time=0.014 ms
64 bytes from 172.18.30.2: icmp_seq=4 ttl=64 time=0.030 ms
64 bytes from 172.18.30.2: icmp_seq=5 ttl=64 time=0.030 ms
<omitted> 

VE-02-S01# ping vpn 0 192.168.100.252
Ping in VPN 0
PING 192.168.100.252 (192.168.100.252) 56(84) bytes of data.
64 bytes from 192.168.100.252: icmp_seq=1 ttl=58 time=40.0 ms
64 bytes from 192.168.100.252: icmp_seq=2 ttl=58 time=41.0 ms
<omitted> 

:: Getting the DTLS tunnels up

Checking some things before we continue:

VE-02-S01# show certificate root-ca-cert | i Viptela
        Subject: O=Cisco, OU=Albireo, CN=Viptela SubCA
VE-02-S01# 
VE-02-S01# 
VE-02-S01# show certificate installed               

VE-02-S01#

Check status main dashboard on vManage:

Cisco vManage 
DASHBOARD MAIN DASHBOARD 
(Total 
Contml Up 
vSmar1 • 1 
WAN • 1 
Sit. (Total 1) 
O 
WAN C—tivity 
partial WAN CMnectivity 
No WAN Co —tivny 
10 Mbps 
10 Mb„. 100 Mbp, 
100 Mbps 500 
Mbps

Go to Configuration / Certificates:

Cisco vManage 
CONFIGURATION 
WAN Edge List TLS moxy 
wedge 
ge Ckud 
ge CBJd 
b97d. 
s le02d3&927d-9c61-2def-6E6cf571
List of available and claimed vEdges in vManage

As you can see we already uploaded the Viptela serial file and this has been send to the vBond to enable authentication:

You can check via the following command piped with the chassis number I’m going to use:

vbond# show orchestrator valid-vedges | i bd0f
orchestrator valid-vedges bd0f4c5d-96b9-d71e-604f-5d1b97d56beb

After uploading the Viptela file you can choose to send the information to vBond. With the above command you can check if vBond has the information to authorize a new vEdge. Otherwise the process will fail.

:: Onboard vEdge

We are going to perform the following tasks:

  • Upload root-cert-chain:
  • Request activation with chassis-number and One Time Password from vManage / Configuration / Certificates
  • Check status and control tunnels

Upload root certificate chain to vEdge:

Logon to CA Server:

Last login: Sat Sep 26 05:12:30 2020 from 10.100.200.50
root@ubuntu1804-pfne:~#
root@ubuntu1804-pfne:~#
root@ubuntu1804-pfne:~#
root@ubuntu1804-pfne:~# ls -lha
total 60K
drwx------  5 root root 4.0K Sep 19 14:11 .
drwxr-xr-x 23 root root 4.0K Jun 10  2018 ..
-rw-------  1 root root 5.5K Sep 26 05:26 .bash_history
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drw-------  7 root root 4.0K Sep 19 13:51 ca
drwx------  3 root root 4.0K Jan 19  2020 .cache
drwx------  3 root root 4.0K Jan 19  2020 .gnupg
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   12 Jun 10  2018 .python_history
-rw-------  1 root root 1.0K Sep 19 14:10 .rnd
-rw-------  1 root root  13K Sep 19 14:11 .viminfo
root@ubuntu1804-pfne:~# cd ca
root@ubuntu1804-pfne:~/ca# ls -lha
total 64K
drw------- 7 root root 4.0K Sep 19 13:51 .
drwx------ 5 root root 4.0K Sep 19 14:11 ..
-rw------- 1 root root 2.1K Jan 19  2020 cacert.pem
drw------- 2 root root 4.0K Jan 19  2020 certs
drw------- 2 root root 4.0K Jan 19  2020 crl
-rw-r--r-- 1 root root 3.2K Sep 19 13:51 index.txt
-rw-r--r-- 1 root root   21 Sep 19 13:51 index.txt.attr
-rw-r--r-- 1 root root   21 Sep 15 12:53 index.txt.attr.old
-rw-r--r-- 1 root root 3.1K Sep 15 12:53 index.txt.old
drw------- 2 root root 4.0K Sep 19 13:51 newcerts
drw------- 2 root root 4.0K Jan 19  2020 private
drw------- 2 root root 4.0K Sep 19 14:11 request
-rw-r--r-- 1 root root    5 Sep 19 13:51 serial
-rw-r--r-- 1 root root    5 Sep 15 12:53 serial.old
-rw-r--r-- 1 root root 1.2K Jun 12 13:08 vedge1.csr
-rw-r--r-- 1 root root    0 Jun 12 13:09 vedge1.pem
-rw-r--r-- 1 root root 1.2K Jun 12 13:08 vedge2.csr
root@ubuntu1804-pfne:~/ca# cat cacert.pem
-----BEGIN CERTIFICATE-----
MIIF4jCCA8qgAwIBAgIBADANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCTkwx
EDAOBgNVBAgMB0xpbWJ1cmcxEzARBgNVBAcMCk1hYXN0cmljaHQxEDAOBgNVBAoM
B1Rlc3RsYWIxGTAXBgNVBAMMEGNhLnRlc3RsYWIubG9jYWwxJjAkBgkqhkiG9w0B
CQEWF2pvcmRpLnNjaGxvb3pAZ21haWwuY29tMB4XDTIwMDExOTExNTI1MFoXDTIz
MDExODExNTI1MFowgYkxCzAJBgNVBAYTAk5MMRAwDgYDVQQIDAdMaW1idXJnMRMw
EQYDVQQHDApNYWFzdHJpY2h0MRAwDgYDVQQKDAdUZXN0bGFiMRkwFwYDVQQDDBBj
YS50ZXN0bGFiLmxvY2FsMSYwJAYJKoZIhvcNAQkBFhdqb3JkaS5zY2hsb296QGdt
YWlsLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALWaW+Bz0ge0
UmyiXfIdpE5FQy8/0HMCzOE3cmBXZnveKCNrR8SlyfgXe7P4egL83zOWHkYdiClZ
NGvTREIfd+QsEQIOVMTmN7lvYm/7egzF2nohwbw/PiM7VMpGLSIXGkkBGp2Dq+sa
FukZoajvFfqsAMQsGU2AB13CLgCn4C1uiANrvgz7i6I38I1A1+N6d22Z56KTbtjC
DsJ4cbsNicpPFDTuuC+kvyzPm8AbNG2VYcUmYBv9xvjJTICq6nSNEAlNE85lTN8a
yXPZ6oL3kCFa/bN2EX8/WN82CnLatL6r4JZxlepJ1nuMVbyfjyfw8Or7NhfJwdDk
hOGnCiiq3JbBTGF6aHKKpuXJNxnPDr5vUg1075HQPDm1leB0LSvM3JHwl1fuNT0m
l7GOqUZJsJ+fMd7EnEeUhksnGHijounfw7qdOLj+PZcDoa5fBQT4RbP98Obn50SU
XKEfhVzOxAy/KmePHwV5kUuYAjmF6ErqfthxnlvCYFglb+J6Z9j6DXI2mnSsiw9L
/5rdN/FKigvV6qL4pF/PNA9Opm7HdvO41yN48TMjiIHPYNYCVQkDxrXr6bXA1diD
SM2IRqzVtDqAIFgJq4WB1LxA8MFCl6Q6lNVpagO15EVWwrG4va7VgOdhEjgmxIzd
VRvS4+o3mxWTHTwH16VaymWaqCV9RNqnAgMBAAGjUzBRMB0GA1UdDgQWBBTImkv6
ExunbxMxxVeSIOrQGJ/AMzAfBgNVHSMEGDAWgBTImkv6ExunbxMxxVeSIOrQGJ/A
MzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCPwngBMrCgyLRR
In5k3o3/RvEmtQscYcMZLfkr6J5n28m+p21r9NKGHRG/dgz/qPACk5aG6jQgMP8w
am3cgKoufGXQghynIX1xSuwrSjhiQ0hP3BKm7bac+7P0rbYL51Z02yEvphOjUzjX
/pBINUIgkki9t+6SAaeUyPHpLCKQ4VthErh/ewY1d4zezKuyRuNDDdh26UyifrQ0
3hzASr5dFdxnvLxIop9apDwNksqMZnhEuVm8NynbTAE182w7vHMZ0udH5k/ierB+
VWLvSXP5+796L1OW+bf38lcl5rbSnjkmFXikQrr+iBzfzfiliKmjjxmbat0tA0Sd
Wfpo2sy4YZXLIZMjY3KwJlvw7ha305GfmFxAo8a91GdhUbvKHjCvLtbEAYkKlOcX
zAGod63LnvTQKb0rFvUrZBsFLPZAvG5XRK9ixPeyl8Xqf8NmC0Cg9/pCZmhx0e8W
rh26Z3gP1LHNps0lVN45cR8xNnNsTlx3yOanoF/ZhhovdWADLh2iadODLoGNcS8P
Ewbf0RKtrLhXn8jqeXhvUmRH77jybi0I9CiIlKh2KODHe7FWeWqHeRqx58vdkR/w
Q31NSzwpMpJCtDecIe7TiGkYqy9q89O/mGsxPvQ/d8Cwp/NPzyjYk1qei1mowFd4
+8R/IAgnYtm6RTqal0FRFJS3pwEOfw==
-----END CERTIFICATE-----
root@ubuntu1804-pfne:~/ca#

Copy paste the root cert from BEGIN CERTIFICATE to END CERTIFICATE

Login to vEdge:

viptela 19.2.099 

VE-02-S01 login: admin
Password: 
Welcome to Viptela CLI
admin connected from 127.0.0.1 using console on VE-02-S01
VE-02-S01# 
VE-02-S01# 
VE-02-S01# vshell
VE-02-S01:~$ vi rootcert.pem

In Vi first enter the “i’ to edit and paste the cert into the screen. After pasting push ESC key and enter “:wq” to save and quit Vi

VE-02-S01:~$ exit
exit
VE-02-S01# request root-cert-chain install /home/admin/rootcert.pem 
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/rootcert.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
VE-02-S01# 

Now request to activate vEdge with your chassis-number and OTP (just choose one form the list to claim):

VE-02-S01# request vedge-cloud activate 
Value for 'chassis-number' (<Chassis number/uuid of the device>): bd0f4c5d-96b9-d71e-604f-5d1b97d56beb
Value for 'token' (<Serial number of the device>): 9a179deb24f941d0a5f914b1ff8b8483
VE-02-S01# 

Wait for some time or check vManage / Configuration / Device or Configuration / Certificate. The System-IP and hostname should popup in the list.

Check if the tunnels to the controllers are UP and running:

VE-02-S01# show control connections
                                                                                       PEER                                          PEER                                          CONTROLLER 
PEER    PEER PEER            SITE       DOMAIN PEER                                    PRIV  PEER                                    PUB                                           GROUP      
TYPE    PROT SYSTEM IP       ID         ID     PRIVATE IP                              PORT  PUBLIC IP                               PORT  LOCAL COLOR     PROXY STATE UPTIME      ID         
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart  dtls 1.1.1.3         9000       1      192.168.100.251                         12446 192.168.100.251                         12446 mpls            No    up     0:00:00:05  0           
vbond   dtls 0.0.0.0         0          0      192.168.100.252                         12346 192.168.100.252                         12346 mpls            -     up     0:00:00:06  0           
vmanage dtls 1.1.1.1         9000       0      192.168.100.250                         12446 192.168.100.250                         12446 mpls            No    up     0:00:00:06  0       

Check for certificate status’:

VE-02-S01# show certificate installed

Installed device certificates
-----------------------------
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1490860803 (0x58dcbb03)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, CN=5507a138-09ab-4b0f-b44f-6d536b92c428, O=Viptela
        Validity
            Not Before: Sep 26 12:15:41 2020 GMT
            Not After : Sep 24 12:15:41 2030 GMT
        Subject: C=US, ST=California, L=San Jose, OU=testlab.local, O=Viptela LLC, CN=vedge-bd0f4c5d-96b9-d71e-604f-5d1b97d56beb-0.viptela.com/emailAddress=support@viptela.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c7:da:51:f7:77:c7:0a:28:56:f7:92:4a:87:79:
                    bb:8c:a6:66:58:ef:a7:9e:9c:d6:d8:4b:65:6d:c4:
                    ca:d2:8f:b3:99:6b:6a:f7:08:64:0a:b2:13:ea:03:
                    b2:a8:01:3f:3d:69:d7:a6:bd:7f:1b:e9:e1:38:ff:
                    01:12:d2:28:e9:9f:34:67:ac:f4:a0:54:57:fc:b8:
                    7a:1a:1f:16:d7:59:01:fe:bb:93:64:b2:a2:12:b2:
                    9c:f2:6a:30:8a:f6:84:44:b4:0a:ba:29:a0:a3:d3:
                    14:d5:eb:5b:c6:f8:a6:c2:41:85:7d:fa:6c:9b:62:
                    a4:91:3d:ca:9c:fa:4d:1d:34:4e:ad:41:9f:d2:8d:
                    6c:0d:3d:cf:41:d7:95:a8:e1:21:f6:01:ec:be:c7:
                    8f:dc:56:0d:e0:72:90:5c:58:f2:86:0f:b6:3d:74:
                    c5:f6:a6:2c:4e:74:09:c4:fa:79:35:36:ef:36:bc:
                    15:4a:dd:70:eb:80:db:1a:17:66:07:11:8d:aa:ab:
                    c4:1b:ef:3e:96:aa:48:06:dc:da:04:cd:08:cf:ae:
                    26:d7:9a:7f:73:43:75:24:59:b1:80:85:03:f5:ea:
                    3a:74:77:4c:e1:6d:8f:c8:24:5d:01:29:c9:c4:8c:
                    9c:3c:b7:9c:a7:e3:33:37:13:5b:08:a1:1b:c2:2d:
                    50:e9
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         71:ab:49:e6:20:07:92:d3:33:cc:02:01:31:91:f7:cf:46:35:
         83:cf:93:49:50:b5:74:92:89:da:d2:6a:e3:12:6d:95:04:f6:
         11:be:58:e6:6e:a5:17:fd:60:c4:f7:e1:51:7b:31:38:6c:76:
         03:2b:2a:71:3f:0b:71:6e:eb:59:4d:20:d3:98:44:a1:1e:c2:
         02:55:49:19:83:3a:1d:6f:83:12:7f:8b:fc:2c:ac:6b:fd:95:
         a7:02:0b:b6:f8:f4:77:23:40:20:4e:81:4d:fe:45:6a:e9:5f:
         82:ef:10:20:4c:f1:f1:ce:4a:93:6a:a4:3c:5a:04:f1:72:5d:
         1c:8e:21:53:3d:6c:58:86:0a:fa:0b:19:ce:45:cb:cc:d5:8e:
         fb:b5:b1:6a:1e:3c:bb:1d:cc:6f:e4:be:93:0d:79:b2:b8:e1:
         04:c6:54:f8:5e:51:36:52:b1:df:b5:57:d5:be:64:9c:0d:04:
         b3:8c:8b:00:92:2a:42:a4:8b:b7:a5:f8:bd:e4:64:9c:c4:59:
         4d:12:37:78:10:27:50:84:03:a8:6d:51:95:8f:4a:0a:fe:b5:
         c2:e4:d3:7c:c6:0c:30:bd:fd:7e:d5:29:dc:02:c7:55:bb:d1:
         c8:09:80:e7:1c:4b:c9:50:48:ad:a2:e1:14:2e:5d:9e:bc:3f:
         4c:3e:8b:1e

VE-02-S01# show certificate root-ca-cert | i Viptela      
        Subject: O=Cisco, OU=Albireo, CN=Viptela SubCA
        Issuer: C=US, CN=5507a138-09ab-4b0f-b44f-6d536b92c428, O=Viptela
        Subject: C=US, CN=5507a138-09ab-4b0f-b44f-6d536b92c428, O=Viptela
VE-02-S01# show certificate root-ca-cert | i testlab
        Issuer: C=NL, ST=Limburg, L=Maastricht, O=Testlab, CN=ca.testlab.local/emailAddress=jordi.schlooz@gmail.com
        Subject: C=NL, ST=Limburg, L=Maastricht, O=Testlab, CN=ca.testlab.local/emailAddress=jordi.schlooz@gmail.com
VE-02-S01# 
VE-02-S01# show certificate validity 
The certificate issued by 5507a138-09ab-4b0f-b44f-6d536b92c428 is valid from  Sep 26 12:15:41 2020 GMT  (Current date is Sat Sep 26 15:41:55 GMT 2020) & valid until  Sep 24 12:15:41 2030 GMT
VE-02-S01# 

Check vManage:

Cisco vManage 
CONFIGURATION CERTIFICATES 
WAN Edge List TLS 
Enterpri. Svial N 
Gdge 
1 Eß7d56beb
Cisco vManage 
O CONFIGURATION DEVICES 
WAN Edge List 
serial 
2FIF0046 
subjxt suol 
WOEASE-g-9soa-E69$6CE6-A6E9A„. 
vEdge 
vEdge C
Cisco мМападе 
% DASHBOARDI мат DASHa0AR0 
St.t“ (То“ ' 2) 
Ир 
Edge • 2 
sa. H„hh 2) 
Fu]I 
[ WAN C—tivify 
WAN C—tNRy 
« МЬ.рз 
мьр, мьр, 
100 мьр,. 500 мьр,

Your vEdge is up and running.

:: Conclusion

We have observed that the vEdge has a different certificate installed then the vBond, vSmart and vManage. The root certificate on the controllers from my own CA have a validity of 3 years and each signed device certificate is valid for 1 year basis on O=testlab.local and OU=testlab.local

The vEdge has a O=Viptela LLC based on OU=testlab.local and is valid for 10 years. So this means the vManage has delivered a different device certificate. Before onboarding we saw that the vEdge has a root certificate pre-installed for O=Viptela LLC. The controllers also have a bunch of root-certificate pre-installed. With this match the DTLS tunnels are setup to the controllers.

Also for the observant ones I use 20.3.1 for all my controllers. This vEdge has version 19.2.099 and is not on the compatibility list. Reason for this is that this release is deferred. But it still works fine.

I hope I can onboard the CSR SD-WAN IOS-XE device as well in the next coming days. After this I’m going to learn and test templating. Also I’m thinking of running through the WAN Edge replacement procedure to update the WAN Edge to 20.3.1.

Hope you find it usefull and as always the answer could be 42.

:: Resources

Leave a Reply