SDWAN: onboarding cEDGE router cisco CSR1K and template config sdwan mode tunnels
23.02.2024 | by massimiliano
Preparing the software image
Once the cEdge router has booted, run the following commands:
cEDGE# pnpa service discovery stop
Once the PnP process has been stopped, install the SD-WAN underlay packages if required (this depends on the CSR1K model and software image).
cEDGE# request platform software sdwan software reset
then confirm the software image that is actually in use
cEDGE# request platform software sdwan software upgrade-confirm
The output shows that the software is active and confirmed:
cEDGE# show sdwan soft
VERSION ACTIVE DEFAULT PREVIOUS CONFIRMED TIMESTAMP
<version> true true false user date
Total Space: <value> Used Space: <value> Available Space: <value>
Bootstrap cEDGE router
Once the SD-WAN software image is loaded, the router needs a minimal base configuration so that it can join the SD-WAN overlay fabric.
Note: when a cEDGE router runs in controller mode (that is, SD-WAN mode), configuration mode is entered with the command "config-transaction" instead of the more familiar "configure terminal" (conf t).
An example of a base configuration follows:
cEDGE# config-transaction
hostname cEDGE
!
interface <interface_type_1>
description link-wan-internet
ip address <ip_public_address>
no shut
!
interface <interface_type_2>
description link-wan-mpls
ip address <ip_private_address>
no shut
!
ip route 0.0.0.0 0.0.0.0 <next-hop_interface_internet_wan>
ip route 0.0.0.0 0.0.0.0 <next-hop_interface_mpls_wan>
!
ip host vbond.<organization_name> <ip_address_vbond>
!
system
system-ip <ip_address_system>
site-id <site-id>
organization-name <organization_name>
vbond <organization_name> <ip_address_vbond>
!
commit
At this point we should be able to ping (IP reachability) the controllers in the data center (vBond, vSmart, vManage).
If that succeeds, we can start building the overlay tunnels.
Note: the word Tunnel in "interface Tunnel" must always be written with a capital T.
cEDGE# sdwan
!
interface <interface_type_1>
description link-wan-internet
ip address <ip_public_address>
tunnel-interface
color public-internet
encapsulation ipsec
no shut
!
interface <interface_type_2>
description link-wan-mpls
ip address <ip_private_address>
tunnel-interface
color mpls restrict
encapsulation ipsec
no shut
!
interface Tunnel 1
ip unnumbered <interface_type_1>
tunnel source <interface_type_1>
tunnel mode sdwan
!
interface Tunnel 2
ip unnumbered <interface_type_2>
tunnel source <interface_type_2>
tunnel mode sdwan
!
commit
With this configuration the cEDGE router is joined to the SD-WAN fabric.
Installing Root CA certificate
With the vBond controller holding a ROOTCA.pem certificate, follow these steps:
Create a local file on the cEDGE CSR1K
cEDGE# tclsh
cEDGE (tcl)# puts [open "flash:ROOTCA.pem" w+] {
+ > paste root-cert-here
+ > }
cEDGE (tcl)# exit
Verify:
cEDGE# more bootflash:ROOTCA.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Install the root certificate using the following command:
cEDGE# request platform software sdwan <cEdge_model> activate chassis-number <chassis_number> token <otp>
!
logs messages
Verify:
cEDGE# show sdwan control local-properties
personality vedge
sp-organization-name organization_name
organization-name organization_name
root-ca-chain-status Installed
certificate-status Installed
certificate-validity Valid
certificate-not-valid-before Jun 10 08:06:33 2023 GMT
certificate-not-valid-after Jun 07 08:06:33 2033 GMT
dns-name vbond.<organization_name>
site-id 20
domain-id 1
protocol dtls
tls-port 0
system-ip <system_ip>
chassis-num/unique-id ad930967-b747-a172-66f9-45a151f62961
serial-num 2D6103A4
subject-serial-num N/A
token Invalid
keygen-interval 1:00:00:00
retry-interval 0:00:00:15
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:00:00
port-hopped TRUE
time-since-last-port-hop 0:00:04:36
pairwise-keying Disabled
embargo-check success
cdb-locked false
number-vbond-peers 1
INDEX   IP              PORT
------------------------------
0       <ip_vbond>      12346
number-active-wan-interfaces 2
NAT TYPE: E — indicates End-point independent mapping
A — indicates Address-port dependent mapping
N — indicates Not learned
Note: Requires minimum two vbonds to learn the NAT type
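The fields above are what decide whether the router can actually join the fabric. The following added example (not part of the original post) parses a constructed sample of "show sdwan control local-properties" output and reports the onboarding prerequisites that are not met: root CA chain installed, device certificate installed and within its validity window, organization name matching the expected one, at least one vBond peer and the expected number of active WAN interfaces. The organization name, system IP and timestamps are placeholders.

```python
"""Readiness checks on 'show sdwan control local-properties' output (added example)."""
from datetime import datetime, timezone
import re

# Constructed sample output; values are placeholders, not from a real device.
SAMPLE_OUTPUT = """\
personality                     vedge
sp-organization-name            example-org
organization-name               example-org
root-ca-chain-status            Installed
certificate-status              Installed
certificate-validity            Valid
certificate-not-valid-before    Jun 10 08:06:33 2023 GMT
certificate-not-valid-after     Jun 07 08:06:33 2033 GMT
dns-name                        vbond.example-org
site-id                         20
system-ip                       10.255.0.20
token                           Invalid
number-vbond-peers              1
number-active-wan-interfaces    2
"""

def parse_local_properties(text):
    """Turn the key/value lines of the command output into a dict (tables are skipped)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z][a-z0-9/-]*)\s+(.+?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def parse_cert_time(value):
    """'Jun 07 08:06:33 2033 GMT' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def onboarding_issues(props, expected_org, now=None, expected_wan=2):
    """Return the list of unmet prerequisites; an empty list means ready to join."""
    now = now or datetime.now(timezone.utc)
    issues = []
    if props.get("organization-name") != expected_org:
        issues.append("organization-name does not match expected organization")
    if props.get("root-ca-chain-status") != "Installed":
        issues.append("root CA chain not installed")
    if props.get("certificate-status") != "Installed" or props.get("certificate-validity") != "Valid":
        issues.append("device certificate missing or invalid")
    else:  # only check the window when a certificate is actually present
        if now < parse_cert_time(props["certificate-not-valid-before"]):
            issues.append("device certificate not yet valid")
        if now >= parse_cert_time(props["certificate-not-valid-after"]):
            issues.append("device certificate expired")
    if int(props.get("number-vbond-peers", "0")) < 1:
        issues.append("no vBond peer learned")
    if int(props.get("number-active-wan-interfaces", "0")) != expected_wan:
        issues.append("unexpected number of active WAN interfaces")
    return issues
```

Note that "token Invalid" is not flagged: once the certificate is installed the one-time token is consumed and this value is expected.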
Verify the connections towards the controllers
cEDGE# show sdwan control connection