Cisco SD-WAN Lab implementation: Install vManage, vBond, and vSmart to SD-WAN Fabric over EVE-NG

Captions
All right, now, in order to bring up the topology, so in order to put up some devices over here into our freshly created lab, which, at my site, is with the name of ilo2019 SD-WAN lab, I can just open that particular lab, and over here we need to build up a topology. So you can build up the topology by simply right clicking on any empty space; you can just right click and you can add a node here, because we need to put up four nodes. Now, we need to put up vManage, one of the nodes is going to be vBond, the other one is going to be vSmart, and then a root, I would say a root CA, a certificate authority. So in order to put all of these devices into a single site, what I'm going to do is I'm just going to click on this and say click on add node, and I say node here.

So the first device that we're going to put up from this list; so this is a list of appliances that you can install in your EVE-NG. We have the ones installed that we're gonna need, okay? These are some of the devices that we're gonna need, so we have Viptela vBond. So the devices that you see in blue, these are the available ones; the devices that you see in green, those are not installed into your EVE-NG. So the ones that we are going to need here are Viptela vBond, Viptela vEdge, Viptela vManage and Viptela vSmart; these are four Viptela controllers that we're going to work with.

So I'm going to select the first one, that's going to be vManage, and once I click on Viptela vManage from the drop down menu, I get an option asking how many nodes I need to put up. So I'm gonna say, of course, we're gonna need one of that, and I'll just keep the name of it as vManager itself, or, I'll make it vManage. And then you can select the RAM that you want to dedicate, the CPU that you want to dedicate, and the ports that you want to have over here. So the RAM: when you talk about the production environment, you are requested to use a RAM of minimum 24 GB in
the production environment and four CPUs, but as we are dealing in a testing environment, I can actually put up the RAM as 8192, and that's exactly what you also need to select, okay? Otherwise, your VM has not been provisioned with that great of a RAM there, so if you select it over here as 16,000 or 24,000, like 24 gigs or 16 gigs, then you might face latency in the responsiveness of how EVE is going to work. So you need to select a RAM of 8192 here, 8 GB RAM, and then you need to minimize the CPU to 2. So you're going to dedicate this much of resource to a single vManage, or our vManager there, and that's how we're gonna set it up. We don't need any extra Ethernet adapters, we're just gonna keep them as two, and then we can just scroll down and say save, and you will start seeing your controller here.

If you wanna delete this controller, you can right click on this and you can just delete it. So I'll just delete it and add it again so that you get comfortable with how to add them. I can right click, click on node, and I can search over here for vManage; when I say vManage, there you go, that's an option that I see. So I can select it and then come to the RAM and CPU section; I can put it to 8192 to make it 8 GB, and then the CPU to 2, and then I can scroll down and save this config. Once I save this config, then I can drag it and set it anywhere in the topology that I want it to; let's say I set it over here.

Then after that we have our second controller that actually needs to be put up. The second controller is going to be the vBond there, so I say Viptela vBond. Over here we need to keep the resource of RAM as 1 GB itself and the CPU of one itself, okay? Nothing else needs to be done here, so you can just add this controller and then align it with the same thing. Then after that you add a third node, which is going to be vSmart, and over here you also need to dedicate a resource of 2 GB to the vSmart, and a CPU of one can be given there. Yeah, and then
I can just scroll it down and say save, and that's gonna be the third controller. And lastly we need to add a normal router there, so I'm gonna add an IOS router. This is going to act as my PKI, or public key infrastructure, certificate server or certificate authority. So for this router, I can minimize the RAM to 512. So every IOS device that we're gonna work with in this topology, okay, we're gonna set the IOS device's RAM to 512 MB; it doesn't need more than that. And I can say the Ethernets, let's say four, that is fine, and then I can just save it, and that's going to be our IOS. I'll just go and edit it and name it as root CA.

We can use any L3 router here? Yeah, you can. So this is just for the testing purpose; in the production environment this root CA is going to be your Windows server, where you will be having your enterprise certificates and all the digital certificates that you'll be creating, okay? So in the production environment it's going to be your Windows server.

And then I need to connect all of these particular controllers with a core switch for my site. So I can just take them right over here somewhere, yeah, and I can select another node, and I'm going to put up a switch here, IOS vswitch, and I select it, I name it as DC switch, and then the RAM of 512 can be dedicated to this, and save, and that's how the switch can actually be put up here. And then we can just connect them together.

So here's one thing: when you see any appliance, you see this stop sign, or the square box; this actually indicates that the device is not started, okay? When you're gonna start this device, you will start seeing a play sign here, or a triangle. And there is one rule in EVE that you need to follow: you cannot do the cable connections once the appliance is started. So all the connectivity that you want to do in your topology, you need to do it when the devices are in off state. Make sense? So in order to
connect these devices together, I can just hover my cursor onto the router, and I'll start seeing a plug button here. You see that as soon as I take it off, it's disappeared; if I go back on there, it appeared. So when you see this plug sign here, you can just click on this plug and drag it to the other device that you want to create a connection with, and when you reach out over here, you can just leave your click, and then it will prompt you by saying add a connection between vManager and DC switch. I'll do it again: I can just hold my cursor to the device, select the cable, and drag it across to the other device and leave it, and it's going to prompt you towards what connectivity you want to build. So you can then select what's the interface of the vManager that you want to connect, and what's the interface of the DC switch that you want to connect with. So according to our topology, we are going to connect Ethernet 0 of vManager with Gig 1/0, so we'll be using the last four ports over here, and I say Gig 1/0 there, and then I'm gonna save it. And you can see here that on the left side the vManager is using Ethernet 0 and the DC switch is using Gig 1/0.

Now, as the devices are connected, if you want to delete this cable, you can just hover your cursor over any of the interface tags and you can just right click and delete, and the cable will be gone. And then if you want to do it again, you can just do the same process again: select Ethernet 0 here and then Gig 1/0 and save. Just like that, we're gonna do the cabling with the other controllers as well. Now from vBond, I'm gonna drag it to the same switch, and I'm gonna connect it with ge0/0 here and then 1/1, and I'm gonna say save. Then the vSmart is going to be connected with Ethernet 0, yeah, and then Gig 0/, sorry, Gig 1/2, and then I can save. Now here, in these three controllers, if you
notice, there is a difference here: only a vBond interface, or only the vBond controller, has an interface of ge0; every other, vManage and vSmart, doesn't have any Gigabit Ethernet port, they're all Ethernet ports there that are available. Why so? Because the image of the vBond and vEdge is the same, okay? So there is no difference between the vEdge image; if you look at the options there, when I go to edit here, you can see that we are using vBond 19.2.0. When we are going to place our vEdge, this image of vBond and vEdge is exactly going to be the same, so that's why it has the ports of ge0/0, which are available under the managed devices as well. And this can be your physical device as well as virtual appliances, okay? And the vManager and vSmart, both of these are going to be virtual machines; they cannot be physical boxes. So these two appliances can be virtual, and then vBond can be virtual as well and physical as well. And then after that I basically say

Yeah, Abhijit, on the vBond, if we choose the other interface, Ethernet, then it will cause some issue?

No, no, no issues, but we're gonna create a tunnel interface there and bind it with an encapsulation, so that's why we select ge0.

Then I'm going to connect root CA with the DC switch with any interface, let's say Gi0/0 on this end and 1/3 on the other. That's how we basically bring up our site number 100. I can graphically make it enriching by right clicking and just putting a square bracket or something like that, just a custom shape, and I say I need to have a square there, I'll have a dotted line, and then I'll kind of give it a color code of, let's say, this, say okay and save, and I can put up a box around here like this. Then I can name it as text, and I would say site number 100. I'll however delete it and I'll just put up a big line there, text, site number 100. Now
just increase the font size to 16, maybe. You can see this is our site number 100, and exactly this is our setup for today that we're going to work with. So once your topology is up till this, then what you're going to do is you need to turn on all these devices. So at the moment that you turn it on, you can just right click on this particular appliance and then you can start it. But the very first image that we're gonna start with is root CA, because we've got to set up a certificate server, and then we're going to configure digital certificate signing. So this root CA is going to basically sign all the certificates that are going to be generated by other devices. I'll be explaining to you the certificate signing process and all, so don't worry about that. But first things first: we need to configure RSA keys, okay, with the label of PKI, to enable SSH onto this root CA so that it can communicate with all the devices there. So I'm going to configure PKI server certification parameters onto root CA.

So the first device that we're going to start is going to be this. I can just right click on this root CA and start it up, and as it starts up, it turns blue, and then you can see the play button kind of indicates that the device has started. And then I can just take the access of this root CA's CLI by just single clicking on this, and it will ask you, for the first time, to allow this site to open the telnet link with PuTTY. I can say always allow and say open, and it will open up a PuTTY CLI access to this, which is also available here. So it's going to take a minute or so in order to turn on the lab, but yeah, I'll kind of take this topology a bit up so that I can see the console in a better way.

So talking about the IP addressing now that we're going to use: we are going to use the IP addressing of, I'll just name it, we're going to use 223.1.1.10/24 according to the lab guide, okay? You can play with your IP addressing scheme if you want, but I'll request you to keep it the same so that
nobody sucks up. So we're gonna use 223.1.1.10 for the vManager here. I can duplicate it; I'm going to put up an IP address of 11 here, and then duplicate to 12 here, and I can again duplicate it to 13 here. These are the addressing schemes that I'm gonna use in order to provide IP addressing. Just a minute, and there, your IOS CA seems to be up.

So this is the device that we're going to configure at the beginning, and as soon as I hit enter, it asks me, would you like to enter an initial configuration dialog, because there is no startup config that is stored. So I can just say no and hit enter. Now, in the lab guide, you will see the root CA setup, you can say, the configuration that you need to do, and we are going to put up all these command lines in order to bring up our root certificate authority. So in order to do that, I'll be taking the access of this. The first thing that I'm going to do is go to enable mode. It will take another five or ten seconds to generate the logs and all; yeah, there you go, quicker. So I go to enable mode, then I say config t, say hostname root CA; I'll just name it as root CA there. And then I'm gonna set up my SSH onto this device by generating a label, or RSA label token. So I say crypto key generate rsa, then after that I can say label, and then the label name is PKI that we are giving, and then I can say a modulus of 2048 needs to be generated, and I hit enter. The name for the keys will be PKI, and it is generated. And then I can just say ip ssh version 2, okay? And after this we also need to set up ip http server, because we're going to need TFTP. So these are the two setups that we do: I enable our SSH and I enable HTTP, and I can just say exit after setting this up.

Then we're gonna do PKI setup. So this is kind of one thing that we have done so far: configure the RSA keys with the label PKI to enable SSH, and HTTP as well. Then we're going to configure our PKI server parameters to
enable the interface on which the certificate request will be received. So if you remember, at the beginning we talked about how the bootstrapping is done for these devices. So your devices, be it the controllers or be it vEdges, these devices actually need to prove that they are part of the organization's SD-WAN fabric, and in order to prove that they are part of this particular fabric, they need to generate a certificate signing request. So they'll be installing a root certificate that will be generated by this root CA, and then we're installing this root certificate into their, you can say, setup, and once they install the root certificate, then they have the credentials, or then they have the details, of the organization for which the root certificate has been created. Then for the same root, like, against the same root certificate, they are going to generate a certificate signing request. This certificate signing request needs to be signed by root CA.

So it's just like this: you know that we kind of have our government identities. Let's say a passport is kind of a very common document that almost everyone has all around the world. Now Indians have some identity before applying for the passport, in order to prove that they are citizens of India, right? So that particular identity is going to be the root CA that they are going to be downloading. So this root CA is kind of acting as the government here, and then this root CA is going to provide some documentation for the controllers and the other vEdges to use to prove their identity, that they are part of the organization. So that root certificate will be downloaded at the first instance and it will be installed into these controllers. Now after having that root certificate installed, these particular controllers will be generating a certificate signing request, like an application to apply for the passport, okay? Then, in order to, you can say, prove
that the certificate signing request is legit, you need to have that root certificate installed already in your system, and then that certificate signing request that the controller is going to initiate, that the controller is going to generate, that certificate needs to be signed by the government, signed by the root CA. And when it is signed, then the root CA is going to be granting a certificate that they will be installing, and that's how they become a member of the fabric there. Am I sounding good? Any questions here?

No, it's a bit confusing, actually.

I'll explain that to you again, don't worry. So let me share my other screen for a minute. So here's the thing: we have our vManage, then we have our vBond, then we have our vSmart, and then we have our root CA. And the organization that they all are going to be part of, let's say, is lab; this is the organization name, you get that? Now this organization has certain details; the organization has, you can say, okay, let's not talk about that now. So what's going to happen is, the first step, we're going to set up root CA, okay, for certificate, and we are going to configure this root CA for generating the root certificate, which is this. I will go till here. Any questions for step number one? I think we're good here.

Now these particular vManage, vSmart and vBond, these are kind of newborn babies; they are not members of the lab organization as of now. But then when a newborn baby is born, we kind of create a birth certificate for that. So this root CA is going to be downloaded from, or, the root certificate is going to be downloaded to all the controllers that are here, and once they install this root certificate downloaded from root CA, they kind of become a member of the family. Are you good here? Any questions? This is one part: install root certificate on controllers. Any question?

One thing: when you say install root certificate on controller,
so basically the certificate from the root CA is given to vManage, vBond or v

Exactly, exactly. So it's like we're going to store this root certificate into a TFTP server that is also going to be part of this root CA, okay? So we're gonna go on vManage and download that root certificate by reaching out to that root CA TFTP, okay? And then we'll be installing it on vManage, vBond and vSmart. Make sense?

So in a real scenario, how it looks like, you have to download that certificate?

Exactly. So it's like this particular root CA is going to be your Windows server, okay, and you're going to set up the same root certificate on your Windows server there, and then your Windows server will kind of generate a file, a certificate file, like a .cer file, and that .cer file needs to be downloaded onto vManage, vBond and vSmart. Make sense?

So this certificate has to be downloaded on the server, right? So where do we get this certificate? Are we going to get it from the Cisco, or

No, no, you're going to get this certificate from the Windows server. So when you set up your Windows server, the Microsoft guys are going to take care of this, okay? So they'll be setting up a Windows server and configuring root CA so that it generates that certificate for you.

It's local generation, not any global generation also, okay.

Of course. And that certificate actually needs to be added to vManage, vBond and vSmart by either using FTP or by using TFTP also.

Okay, sure.

Once you download this, then your vManage, vBond and vSmart kind of become part of the lab. But then after that, the third process is basically generate certificate signing request. So now it's like vManage, vBond and vSmart need to apply for kind of that passport, so that they can globally be recognized on other sites as well, okay? This is like site number three, site number four and site number five that's gonna be there. So in order to prove their identity to other sites, they need their own certificate as
well. Make sense? So they're gonna generate a certificate signing request, which will contain their information: what's the part of the organization, what's the address, okay, what's the, you can say, PIN number, and what's the nature of the business, and all these other things. So this certificate signing request is then generated, and it is given to the root CA, and because root CA is an authority, root CA is kind of a government, root CA is required to sign that certificate. Makes sense? And then a signed certificate will again be provided back to vManage, and that will be installed again there. So it's two different things: one is you install the root certificate, and the other one is you install the local certificate to that particular device. Are we good here?

Still a bit confusing.

It must be, but yeah.

Is it related, like a public certificate and the private certificate?

Yeah, can be said so. We are definitely using PKI over a public infrastructure in order to set up this particular certificate, right? So the thing is going to be that when vManage is going to manage all these particular other vEdges, so this vManage needs to have a certificate, that is, vManage, vBond and vSmart. So vManage will only be able to identify the vEdge that is situated over here, the vEdge that is situated over here, and the vEdge that is situated over here, when and when all these managers and these controllers produce their certificates and provide them to vManage. So vManage is going to identify them as a legit part of the organization when a signed certificate is produced or provided to the vManage. You get that?

Please repeat again the vManage part.

Here's something: if you remember, at the beginning we discussed about, there is a vEdge, okay, and this vEdge can be vBond as well, and can be vSmart as well, okay, or can be vManage itself as well. This vEdge can be part of the organization only and only, first, is going
to get communication with vBond, okay? So it's like, this is your PnP in the production environment, and that's your ZTP: plug and play and zero touch provisioning. So as you turn on your vEdge, your plug and play, or your vEdge, kind of reaches out to the PnP or ZTP, depending on whether it's a Viptela vEdge or whether it's Cisco's vEdge, right? Then the PnP and ZTP server are going to provide it the address of where vBond is situated: vBond is situated on 223.1.1.11, you get that? Then once it gets the IP address of vEdge, then the vEdge reaches out to the vBond. Make sense? And then now vEdge needs to authorize itself, like, vEdge needs to prove that it is part of the organization by providing the certificate that you are installing. Make sense?

Okay, got it. So now, so vEdge has the different certificate and the vBond has a different certificate, right? So vEdge has to provide the certificates to the vBond so that they understand.

Here's the thing: now, you see, the certificate that vEdge is providing to vBond, this certificate is also firstly signed by the root CA. You understand that?

Okay, yeah, yes.

Once this signed certificate is provided to vBond, then vBond identifies that this vEdge is part of the fabric, because it is signed by the trusted CA, because vBond also trusts the same root CA there. And any certificate that is signed by this CA that belongs to this organization is going to be trusted by the other control components of the SD-WAN fabric. If this certificate is not signed by the CA, then this certificate will be invalid. Cool? So when this vBond kind of then recognizes that this particular vEdge is part of the fabric, then it provides the information about vManage IP and vSmart IP to the vEdge, and then the vEdge connects to vManage and it connects to vSmart. Are we good?

So basically, Abhi, there is one root CA certificate for the organization, correct?

That's correct, yeah. So that's exactly what we're doing. So we are
setting up our root CA first, okay, so that it can generate; we're kind of generating a root certificate, so that prior to generating the certificate by the, you can say, controllers and the vEdges, they need to install this root CA first, and then they can generate their certificate and get it signed by the root CA. And so we are generating the first certificate, that is the root CA of the root CA itself. And yeah, let me just share my screen now.

Unless it doesn't match the certificate, it won't connect, I guess, right?

Sorry?

Unless it doesn't match the certificate, it won't connect.

Again, that's exactly correct, yeah. All right, let me connect my iPad. You guys must be cursing at me, that what are we up to now, this is confusing.

Okay, no, the thing was, the certificate was not generated by the, you know, we people, like, in working

I understand that, I'm just joking around. So as you can see now, here we have root CA, and we are going to configure this root CA to generate a root certificate. So we provide all the organization parameters here, and then, according to that, this is going to be initiating a certificate over here. So the commands that we actually use here in order to generate a certificate: we're going to set up the certificate server by saying crypto pki, PKI stands for public infrastructure, and then we're gonna set up a server there by saying server, enable IOS certificate server, so it's typed as server, and then we name that particular server something. I'm also using PKI itself; capital PKI is the name of our server. Then we reach out, there you go: crypto pki server PKI. And then after that we specify how this particular server needs to be accessed, so we say database url, the URL where the certificate server database information will be written. So we say database url; I want to write that certificate into my flash drive, so I say flash, okay? Then after this we say database level complete; it's gonna maintain
the database automatically. Then after that I'm gonna specify who is the issuer, who is issuing this particular certificate, what's the organization name and all. So I say issuer name; over here I can just say CN is equal to, customer name is equal to, root ca.lab.local. I'll just use this name as the customer name. And then after that I'm gonna encrypt this particular certificate by an encryption methodology: I'll hash it with SHA-256. And I'm also going to specify database archive PKCS, sorry, PKCS12, and then I'm gonna set a password for this particular certificate as Cisco at the rate, or cisco one two three, let's say. So I'm gonna create a database; this certificate server is going to maintain a database for the amount of certificates that it has signed and so on. So that particular database is having a password of PKCS10, and this is kind of a formatting of how this information is going to be stored; this is the only formatting that you have, PKCS. And then after that we say grant auto. So whatever certificates need to be signed by this, it says all enrollment requests, all certificate signing requests, will be automatically granted, which means will be automatically signed. You don't need to do any manual effort; you just need to put up the certificate signing request in this router and it will sign it, that's all. And after setting this up, then we can just turn on the certificate server by saying no shutdown, and the certificate server will be enabled there: certificate server enabled.

And then after this particular certificate server is enabled, we can just configure our interface parameters, that is, on which interface we are going to receive the request for the root CA download and all. So I take an exit from this, I say interface Gi0/0, and then I say ip address 223.1.1.13 255.255.255.0, and I'm just gonna say description to DC switch, let's say, and then I'm gonna say no shutdown and take an exit. So my IP address has been configured. Now, as we
have enabled our setup, now, we have not generated the certificate yet; we have just configured our certificate server. Now we need to export the certificate and store it into the flash drive so that others can access it. So in order to do that, we need to use a command that says crypto

Yes, one question: the issuer name which we use here, you can use as well, it's only a name and it's not related to any other parameters like organization name, right?

Yeah, yeah, nothing apart from that. The organization name is going to be different, that we're going to use on our controllers.

So we say crypto pki, and then we are going to export the certificate into a PKCS12 file. So we say crypto pki export, and then we name the server; we need the trustpoint here, which is also going to be PKI, and then the formatting is going to be PEM and URL, and then flash; this is going to be where it's going to be stored, into the flash drive. Now it asks me what should be the name of the file, so I'm gonna use a file name of pki.ca, which is the default file name. I hit enter, and then: writing file to flash pki.ca. This is a file that we need to download onto the other devices, and we need to download it by using a TFTP server, so we set up a TFTP server as well here by saying tftp-server, enable it for flash pki.ca. Yeah, so these are the files that are stored into the flash drive: one is the serial file, the other one is the CRL file, and the one is the CA file. So we need to download this .ca file, and I'm gonna say enable this particular access, and then the file can be downloaded from the TFTP server now. And then I can just, yeah, we're good. So this is something that you need to do, and once you do this, then your certificate kind of is set up and you can basically move on towards setting up the other parameters there. So that was something that we had to do. I'll just say exit and write; I'll save the config. This is one part that we have to do. All right, we're good. Let's take 10 minutes off, okay, and then we'll move
on towards setting up vManager, and then vBond and vSmart individually. Cool, I'll see you in 10 minutes. Thank you.

All right, now, when you need to boot up your vManager, this vManager also needs to be accessed in GUI form, right? And in order to access the GUI of vManager, you need to access it via Chrome, or by any browser, not specifically Chrome, but we can access it by using Chrome there. So in order to do that, you need to be able to ping your vManager from the local machine. So it's like, from this Windows 7 machine we should be able to ping the vManager that is inside of our EVE-NG, okay, which is kind of a virtual appliance, not even a physical appliance that we can ping. So in order to do that, we will be putting up a cloud appliance over here. So you can right click and then you can add a network here, and then when you click on network, you need to mention the type of this particular network, from bridge to cloud one; you need to set it to cloud one and then say save. So this cloud one interface, at the back end in our data center environment, okay, has been mapped in a way that you would be able to ping from this Windows machine to the vManager. So you need to set up this cloud one; this is nothing but a virtual NIC of the VMware which is mapped at the back end. So you save it here, and then you connect your cloud appliance to the vManager there by using a second interface, that's Ethernet 1 that you're gonna use on vManager, and then you save it. There is no specific interface at this side; you can connect as many devices as you want with this cloud machine, okay? And then I'll just kind of enlarge this box here. There, that's how the scenario is going to be. So this particular machine, or this particular network, allows you to get connected with the vManager as you want. I can delete it and I can show that to you again. What you need to do is you can just right click;
you cannot right click on the red box or any box there you just need to right click somewhere else and then say network from the drop down menu select cloud one and say save and then you put up this particular cloud here and then you can ping from i would say wait there and then i say save now there is also a subnet that we're gonna use okay so i'm going to assign an ip address which is going to be 10.255. dot let's say 110 slash 24 okay to this interface an ethernet one interface of the vmanage so that's that that's the ip address that we're going to configure on this and if you look at the network adapters that we have here by going into run ncpa.cpl here we have an interface there which is connected to eve so this particular interface if i go to properties and check it's using 10.255.1.51 you know you're not supposed to change this ip address at all because that's what we have done at the back end you all will be seeing the same ip address on your machines but you just need to keep it this only so this network and this network is in same subnet you can change this ip address to one one zero two one one one one one two whatever you want but you're not supposed to change this particular ip address from here so i keep it save save and save and that's that's what the thing is going to be and once this is up then what you need to do is you can turn on your vmanage then so i start my vmanage and then i get the access of it there it will take a minute or so for booting up the vmanage so let's wait for this to boot up and we will also need to install the software vmanage itself like cisco's software defined network or you can say centralized controller that has the ability to manage all the fabric so we need to install that software in in a hard drive that has already been created so let's see once it boots up it gives the login prompt that vmanage login i can i can try login by using but it says system initializing please wait to log in so it will prompt you by
saying system is ready and then you can use the default credentials to login so let's wait for it to say there you go so it says now that system is ready and now you can just hit enter and then otherwise yeah you can say admin is your username and admin is your password it's admin admin and once you for the first time you also need to set your password again so i'm also going to set admin and admin again and there and i can so these are two drives that we have here one is of 30 gb and the other one is of 3gb so i can just select this 30gb by like because it has a name of vdb so i need to select a drive where the vmanage software will be installed so in the production environment you can keep it of 100 gb or 200 gb because the traffic and the data is going to be much bigger than what we're gonna have in our testing lab so i'm just gonna say one and hit enter and it says would like to format this right i'll say yes of vmanages that you have for every vmanage you need to have a hard drive there so it's like whenever you are going to upload uh this virtual machine into your server right you provision it with the space of the hard drive either 100 or 200 gigs okay so it means in the production if we have two vmanage then we have to save the 200 gb right for each one of them yeah okay let's again wait for it to say system is ready and then we log in okay how many vmanage can we have in the environment you can have uh i would say you can you can have it in the odd numbers you can go from two or sorry one to three to five to nine and and so on so which one will be accessing for the devices if we have two three more than one well you kind of have the multi-tenancy option there you create tenants to a specific vmanage by default so there are certain sites that that will be managed by vmanage one there are certain sites that will be managed by vmanage two if you want you can also keep them identical and make high availability
that that both the like vmanages should manage the same sites or all the sites that are available that's also possible the options are available there for multi-tenancy okay yo so there you go system is ready now i can just log in by saying admin and admin and there it says welcome to viptela cli and this is where we start configuring our vmanage for the first time so here are the things now as soon as you uh boot up your vmanage and you set up everything you need to set some system parameters now in order to uh specify that which particular uh organization it is a part of what is the system ip that is going to have what's the site id okay who is the vbond that it needs to connect with and all these things because this particular scenario is in lab scenario it's not going to have any uh vbond ip address received from either pnp or ztp server so we'll be configuring manual vbond ip addresses here now in order to configure that then we go to the configure terminal menu oh sorry config terminal yeah and then we go to system parameters so here we have certain options that we that we can use and as we are looking forward to system parameter information we can just use that so i can say system and inside of the system we're gonna set certain uh information now now every i would say controller or every vedge device needs to have a system id like like the same consists of same concept of when we have a router id in your ospf configuration right or a router id in your bgp config or something like that it's it's not a router it's not an ip address that is assigned to any interface be it loopback or physical address it's just an ip address that identifies the device so we need a system id for every controller and every vedge that we have now we're going to have some system ips here if i talk about system ips for this site then for vmanage we're gonna have 10 dot i think 100.0.10 then for vbond we're gonna have 10.100.0.11 and we're gonna have vsmart as 10.100.0.12.
these are going to be the system ips for three of the controllers that we have the 10 refers to the major subnet that we're going to use so far into this let's put up there i'll put up over here rather so the 10 refers to the major subnet that we're gonna use mostly the 100 refers to the site id and 0 refers to any subnet that you can take 10 11 12 i'm using the same last octet from the ids that are configured there so when i go back again to the vmanage cli what we need to set up here is we can configure our system parameters by saying hostname so by default the hostname is is vmanage there i'm gonna say hostname is vmanage then okay okay spelling mistake host name vmanage that then i can say system ip this is like a router id that i'm configuring so system ip is 10.100.0.10 no subnet needs to be given nothing and nothing it's just the ip then i'm gonna say what's the site id for this controller i'm gonna say site id can be anything between 0 to 4.2 it's a 32-bit value so sorry yeah 32-bit value so uh site id is a 100 i think it's a 24-bit value not 32 otherwise it would have been 16 no 32-bit value is correct it's 4.2 billion something yeah site id 100 and then we're going to specify organization name i'm using lab this is kind of a major concern over here okay so whatever lab name that you are going to use you need to use the same lab name in a case sensitive way on every component of the fabric if you use lab here lab one on this lab two is this your network is never going to be up so that's why we say organization name is lab and you also please use lab itself for the testing purpose and then we're going to set the vbond ip address so say vbond 223.1.1.11 we have not configured vbond yet but we can set up the ip address over here and that's what the configuration that we need to do initially and the on the system config so we set up host name we set up system ip we set up site id organization name and vbond nearest you are saying something yeah does
anyone have i mean site id has to be matched site id doesn't have to man no no no in our scenario okay site id can be different on on different of course we're going to configure different sites together right okay so so on the site hundreds we have to have every like and every device we have to have a site id right on the device exactly so this site 100 is common for all the devices that are here we are going to add another couple of sites in our topologies this is just one site as of now that we are working with yeah and then after you do some configuration now you need to commit this configuration as well so this configuration is saved into candidate config okay it's just like on normal devices we have startup config we have running config in advanced devices we have started getting candidate config so that your device can actually track every configuration that you do and you can roll back to the configuration as well of a certain change so it's like when i commit to this particular config if i don't like this config i can roll back to my previous saved snapshot or something like that so once you commit it then and then only the configuration will be pushed to the running config and it will be it'll like come into effect otherwise you can see we have configured hostname as vmanage but still the the vmanage that is the name of that host name is still like same so if i kind of take an exit then it will ask and again exit say it will say that there are uncommitted changes found can you do you want to commit them if i say no there is no changes that are committed it's all lost so i can go back to config t i can go to system and i can again do some changes here and say hostname is vmanage then system ip 10.100.0.10 then site id 100 organization name lab and then vbond is 223.1.1.11 and then i can verify my config by saying show config as well when i say show config it gives me that this is the configuration that is going to be committed if you want
to commit them you can just say commit and hit enter and there you go commit complete and now the name of the vmanage has changed to the one that we have said if you can notice that you can very you can excuse me yes the why you can assign the ip interface of vbond not the system ip of vbond no this is not a system ip this is an interface ip of the vm because you need to communicate with this ip ah for communication okay okay because the authorization or the authentication of vmanage to prove itself as a legit member of the organization it needs to prove its authentication to the vbond so it needs to communicate with that that's why we need to set that id then after you configure your system configuration just one question here go ahead okay when you you have two two interfaces so when you go to the system is that mean he's going to take e0 uh no none of the interface it's just the system configuration it's like you're configuring hostname for the router right when you configure hostname for the router are you doing any interface config no he didn't give him any name okay okay sorry sorry sorry that's the vbond sorry yeah yeah and then after this we set up our configuration for the interface configs so if you remember i told you about three vpns right i told you about vpn 0 which is going to be our transport vpn in the theory session we discussed about this so i said vpn 0 is going to be transport vpn then vpn 1 to 511 and someone also noticed that yeah 512 513 to 65535 i believe is going to be uh your service vpn and then vpn 512 is going to be your management vpn correct so these are kind of the vpns that we're going to have now when you look at this particular configure communication whenever your ethernet zero is going to communicate with other vedges and all this is all going to be the transport vpn configuration for the fabric to be up so all of the interfaces that you have ethernet 0 ge 0 0 or ethernet 0 on vsmart all of these are going to be part of
the vpn 0 so that they can communicate and form of the dtls channels with the other interfaces there ok so that's why i will be configuring this vpn 0 configuration onto vmanage and as we are going to do the management aspect from ether like uh from our local machine to the vmanage by using this interface we are going to make ethernet one as member of vpn number 512 that's how the scenario is going to be done so even if you keep it as like vpn 0 it's it's as well fine because in the lab you might see that ethernet 1 as well is part of vpn 0. that's fine there but we're gonna we're gonna do it as part of vpn 512 so if i go into now vmanage then in the config mode i i use vpn and here uh yeah so these are kind of two allowed values that are there you can use anything between zero to five twelve and zero to sixty five five oh and then you can either vpn 0 or vpn 512 so when i say vpn 0 and then i need to make an interface as member of the vpn0 so i'm going to say ethernet interface ethernet 0 which is this interface i'm going to go into this interface and then i'm going to say i p address 223 1.1 dot uh 10 slash 24 we don't need to specify the mask you can just use the cidr and you should be good so ip address 223.1.1.10 slash 24 then i say no shutdown and after this we need to do a tunnel configuration so because this interface needs to form a dtls tunnel i go and configure tunnel interface onto this interface ethernet 0 and i say allow service all if you remember in the theory session i mentioned that by default all the communication on vpn0 interfaces are denied you need to allow them manually so that it can pass through the traffic and accept traffic from the device so that's why we create a tunnel interface and we say allow all services and then you can just say no shutdown for example and you can take an exit and commit it once you do this configuration then after that you can just take an exit and take an exit from vpn0 then you are into
major country and then if you say now you need to configure an ip address on ethernet one okay but that's going to be part of vpn 512 so we say interface vpn 504 which is going to be management oh sorry vpn 512 and then interface ethernet 1 and i say ip address 10.255.1.110/24 say no shut down and take an exit and say commit so we have configured our vpn 512 interface as well you can take an exit and both of our interfaces are configured you can take a view of that by saying going into end show run vpn0 by running show run vpn0 you will see the details of your vpn0 config you can see ethernet 0 is part of that and all these things i can also see show run vpn 512 and there that's basically the config for vpn 512 as this is just a normal communication method you don't need a tunnel interface to be created for ethernet one so it's all squared off and then after that we also need to add so this particular network is going to receive traffic from other sites right excuse me it isn't any any service to allowed in ethernet one no that's just normal interface it's not a tunnel interface okay yeah the services only needs to be allowed if the interface is being configured as part of the tunnel thank you yeah so we go to vmanage and what we are going to do now is your vmanage is going to accept traffic from all the other sites site three site four site five so to take care of routing we are just going to throw a static default route out onto the gateway so it's like on this dc switch we are going to create a gateway which is going to be vlan 223 svi switch virtual interface and that uh you can say interface 223 is going to have an ip address of 223.1.1.1 slash 24. this ip will be available onto the dc switch config so this is going to be the next hop for the vmanage so we're going to throw a static default route on 223.1.1.1 as part of the vpn0 config itself so i go into vmanage i say config vpn 0.
yes under the vpn 0 we see the allow service services all and some services are disabled if you just move over in the configuration of vpn0 so these services are allowed or if we required we need to add for example these are manually needs to be allowed so far we don't i would say neither okay okay yeah and then what we do is we go to vpn 0 and the vpn 0 not not part of any interface config we need to add a static default route slash 0 and the next hop is 223.1.1 and enter and we can just say commit and once you commit it there you go and we're good so if i say show run vpn one sorry vpn 0 now you see a static default route as well that has been added and then you have the configuration that is done for vpn0 if i say show run vpn one sorry we don't have any vpn one show run vpn 512 that's the vpn 512 config you can verify the routing table of this particular vmanage by running the same command so i'll put it out and that's basically the routing table so you can see that 10.0.10.10.0.10 it's kind of a system ip okay not mapped with any interface or so so it's a it's a connected route that is available there and it's part of vpn0 then 223.1.1.0 it is also part of you can say vpn0 and connected with ethernet 0 and then 10.255 1.0 is part of vpn 12 connected to ethernet one that's what the routing table uh sees like or shows like then after that once we set this particular thing up then you would be able to communicate with vmanage via vpn 512 as well so what you can do you can go to run option okay and open the command prompt you can directly open the command prompt as well and you can see if you can ping to 10.255.1.110 which is the ip address of ethernet one interface of your vmanage and this is the cmd of your landing pc and there you go you have a reply from vmanage which means you are able to access uh you're able to reach out to the vmanage this needs to be ensured there so once it is ensured that you have the ping ability to reach out to v
manager then you can uh open up your google chrome and inside the google chrome you can open up the ip address that says https colon slash slash 223.1.1 dot or sorry 123. 10.255.1.110 okay and just hit enter and there you go your connection is not private you can go to advanced and say proceed to 10.255 and the sd-wan login page pops up there you go cisco sd-wan vmanage and you can log in into this by saying admin and admin as the default credentials and once you're logged in then you would be prompted up with all this dashboard so it says that there is one vmanage that has been added to the fabric there is no vbond yet there is no vedges there is no vsmart it's all zero zero and on the right side you also see this is the certification window and it says there is one invalid certificate for if i click on this invalid it says vmanage it says there is no certificate installed onto the vmanage yet so you need to install the root certificate generate a certificate signing request get it signed by the root ca the standard process that i described so going back to now the cli here you can check if the root certificate is installed because now here's the thing by default there is no root certificate that is going to be installed in the production environment of course but this lab has been accessed by someone else as well previously by some other student who was enrolled in our class so if you go you can just you just need to check whether the root certificate is installed onto this device or not and i can say show run sorry show control local properties yeah you can use a command that says show control local properties and if i hit enter there you go so you kind of see there that root ca chain status or root certificate has been installed okay you might find this already that is available there so it is possible that someone else have used kind of a lab and as when we kind of even erase the hard drive of vmanage of that 30 gb that we did at the
start of uh the of the at the start of the initiation of the vmanage even though the certificate doesn't gets deleted so you need to manually uninstall this root ca certificate because it's possible that the user might have used some or something else to create this so first we will be uninstalling this and then we will be downloading the tftp downloading the root ca from the tftp a fresh one and then we will be installing that so we and this is nothing that you need to follow in production is just that to the lab limitation so what i do i say request a root cert chain uninstall and then i say yeah that's that's the only command that i need to use so i can say request root certificate chain uninstall hit enter and there you go successfully uninstall the root certificate chain and if i now say show control local properties you can see that this certificate has been uninstalled there and now we will be downloading a fresh root certificate and we will be installing that root certificate here so i say request download and then i'm going to download tf the certificate by using tftp colon slash the ip address of the root ca 223.1.1.13 slash pki dot ca okay so i just need to first check whether i am able to ping to the uh root ca or not so you can say ping 223.1.1.13 that's the okay we are not able to ping that why so i think because yeah because the switch is not up yet right the switch is down so all the communication between the controllers and even to the other sites are going to be done from the controllers to the switch and we need to start this switch so i'll just right click and start let's see as the switch starts up then we kind of move on by downloading the certificate installing it don't we need to add any default route in vpn512 uh no we don't need to add any default it's just a local communication what about okay okay and one thing more uh for one vmanage we when vmanage only manages one overlay right or you can manage two overlays as well yeah you can use
different overlay ids then okay i need to use different overlay ids then i'll be back in a minute guys okay just using restaurants all right so the switch also has started we don't need to do any config as of now here because it's just local config that's happening so i can go and say again into vmanage now if i try and say ping to 223.1.1.13 which is root ca and there you go we are getting the replies from that so i can proceed then in order to download the root certificate by saying request tftp sorry request download yeah tftp colon slash slash 223.1.1.13 slash pki.ca this is a certificate that we need to download from the tftp uh yeah so i hit enter and we are done if you get any tftp like request timeout error that's the other combination that you're gonna get which means you have connectivity or something else you can try that but if you're not getting anything as a reply there which means that you have successfully downloaded the certificate and now you need to install that certificate so in order to install that we say request a root certificate chain instead of uninstalling now we're going to say install and then we need to provide a path of where this certificate is going to be downloaded so by default it will be downloaded to a directory of home and admin like home is the directory admin is the user that we are logged in this vmanage and then i can give a question mark and then there's the file that you have which is called pki.ca so i can say pki dot ca and i can hit enter and it says there you go successfully install the root certificate chain and now if you again check now show control local properties you're gonna see that the root certificate chain is installed now this is just the root certificate installation this is not the local certificate installation that we need to do you see it's a certificate status is still not installed so in order to install this certificate you what you need to do and then also we need to generate a serial number
but for this as well you need to have the certificate installed so as soon as you install the certificate your vmanage generates or every controller generates a serial number that is added to the database to the vbond and then vbond kind of tracks that these are the devices that are part of the fabric there and that's the same information that is updated to vmanage gui as well so that it can sense that these are the number of devices that are available so what we are going to do now as i said that after this we need to create a certificate signing request here so that we can you can say sign that certificate from root ca and then we can install that but we are going to do that with the help of gui so after we install this root ca we can go to the there we can go to this particular gui and there are first certain things that we need to set up so we go and say so in order to make you familiar with this these are all the options that you have if i just enlarge this by clicking on this options menu there you have dashboard you have monitor you have configuration you have tools maintenance administration and vanalytics these are the components of your vmanage software if i go into dashboard i can get dashboard main dashboard vpn dashboard and security then i can get monitor uh information to monitor the geographically to monitor the network to monitor the alarms to events audit logs acl logs and all if i go to configuration i can configure my devices certificates network design templates policies security and cloud onramp then after that i can do the tools i have the tools to directly get the access terminal of any device redistribute discover the network operational commands and so on i also have maintenance to software upgrade device reboot security and software repository off and i also have administration options to do disaster recovery integration management cluster management and all these things so uh when you have these things then what we're going
to do first is we need to put up certain details we need to make sure that the vmanage is part of the organization and you do that for the first time when you set up the thing this is just a one-time setup so you need to go to settings and inside the settings you need to specify your organization name here so you might have a doubt that we already have configured organization name and vbond uh address and all as a part of the system configuration there why are we required to specify it over here as well again well this is because whenever the vmanage is going to deploy configuration then it's going to automatically pick up the organization name and vbond ip address because it's globally going to be common for all the devices that is going to be managed by the vmanage so that's why we need to set this particular details so that when you deploy configuration on other devices by using vmanage vmanage takes the organization name and the vbond information from this whatever you put up over here this is the configuration that is going to be deployed onto other devices not locally to the vmanage so when we configure system config that's for local vmanage and when we configure organization name and vbond information into gui it's for other devices that are going to be part of vmanage so i go and say edit this organization name and i use the same name of course lab and lab and i say save once i save this lab and lab as the details then i go and modify my vbond information and i say the ip address is 223.
okay why am i not able to type something close ah i clicked on view that's why i say edit 23 1.1.13 that's going to be the vbond ip address oh wait it is 11 right i don't type the wrong as it builds the details now with that the default port number for dtls is one two three four six no no changes to that then i can just say save and i have set my vbond ip address as well and then after that we need to install the root certificate into the vmanage as well so that the vmanage centrally can identify that is this particular like whatever vedges that are going to be connected with this vmanage do the managers have the same root certificate installed or not if they do not have same set of root certificate installed then vmanage will not identify them as part of the organization so what we do here is we go to controller certificate authorization and we say edit and inside this there are certain options that you can use cisco's root ca you can use symantec automated root ca you can use manual or you can use enterprise so as we we have our own root certificate authority set up i'm just gonna say enterprise root ca and then yeah it says that this setting changes certificate authority which is used for authentication do you want to continue yes and this is where we can upload a certificate file that will be downloaded from your windows server so it's like we are using our router in order to generate a certificate but in the production environment you will be having windows server right that will be generating a certificate so whatever certificate that you want to download out of that windows server you can upload that same file over here otherwise you can directly put up your certificate uh key over here that's what we're gonna do with this because we we cannot really export the certificate as a file uh from our router so i go to root ca and i you can say open the certificate into terminal itself instead of like downloading it so i'm going to say enable
quantity crypto pki server and i can oh no yeah server pki oh wait crypto pki export yeah export pki and then okay wait a minute let me check what the command is and then terminal he's going to show me the certificate directly on the screen itself if i hit enter there you go that's my root certificate so i can copy this root certificate from here till this particular part where it says ending yeah i can copy this certificate and then i can go back to my vmanage and i can paste this certificate this is my root ca and i say set csr property set certificate signing request properties so when it is going to generate a certificate signing request it's going to require the domain name and the domain name can actually be anything it can for example we're going to use uh the domain name as let's say lab.local yeah the organization unit is lab the organization lab the city let's say is new delhi the state is delhi the email address admin at the rate lab.local let's say the country code is IN and the validity for which you're going to generate this certificate let's set it to three years and i can say import and save after specifying all these details and then your certificate authority will be modified and it will be set to enterprise certification that's how we have linked your root ca with the sd-wan fabric so you have now you know specified globally that this particular organization is going to appoint the root ca as the general or the generic root ca for the entire fabric that's how we do that and then after that we need to generate a local certificate onto vmanage so i go here onto the thing and then if i go into the main dashboard now and the main dashboard you see this is this was just a one-time setup that we did okay and now we move further towards like making these uh controllers as part of the fabric there so the certificate still stays invalid and now we're gonna have a certificate signing request that is already generated i believe now we gotta generate
that i believe so we go to configuration and in the configuration uh there in the configuration i can go to device option and if i'm going to device this i would see there are two tabs one is you can see all the vedge lists over here whatever vedges that you have and the other that you see controllers so when i click on controllers here you see that vmanage has been added there and the host name and the system ip the site id the mode and everything is there it says the certificate status is not installed so you're going to install the certificate here and in order to install the certificate what we do we go to certificates menu for the devices and here as well you have two tabs one is list and controller so i go to controllers and inside the controllers there it says now this is the process that we need to follow we need to add a device we already have our device which is vmanage we need to generate a certificate signing request we need to get that particular certificate signed and upload the signed certificate over here and then the vbond and all will be updated automatically so how we do that we basic this is our vmanage there it says no certificate installed into the certificates tab so i click on the options menu and in the options menu i see generate certificate signing request so i click on this generate certificate signing request this is the certificate signing request that has been generated i am going to copy it and get it signed by the root ca so i said copy this certificate and i go to root ca and this is the console yeah over here i go to the root ca and i say into the enable mode crypto pki server pki request pkcs10 terminal this is a command where you can put up your certificate signing request and then the root ca is going to sign it and give you a granted certificate which is signed there so i hit here and then it says enter your certificate signing request so i right click and i paste the certificate that i have copied from the vmanage
I'll just verify that the certificate ends with "jli" and an equals sign. Yeah, j, l, i, equals sign, which is correct. So I go to the root CA, this is the certificate that I have, this is the certificate signing request that I have pasted. I just need to hit enter and enter, and then it should give me a granted certificate. There you go, this is the granted certificate that has been generated by the root CA, which is signed now. So I need to copy this signed certificate, right. I can just select it, and PuTTY automatically copies the stuff, but yeah, I can then copy this signed certificate, go back, close this certificate signing request window, and keep vManage highlighted. When you have multiple devices you need to click on them and that becomes yellow, which means that you have correctly selected that, okay, and the non-selected devices are going to be in white. So I selected CSR generated, or I selected vManage, and then in the right upper corner I see install the certificate. I click on this and then I paste the signed certificate, which is basically signed by the root. You can also upload the certificate directly if you are using Windows Server. But then I can say install, and this signed certificate now has been initiated for the installation. So a task is initiated, it says in progress, these are all the steps that it's going to do. Once it is done, then your vManage setup is completed, and then you need to repeat it for every other device that you have, as the basic SD-WAN deployment method.

There you go, you see the success message there, which means that vManage has been successfully installed and the certificate signing request has been completed. So now if I go to the dashboard, the main dashboard, you won't see that... there you go, the invalid now has been revised to zero, and the vManage has been updated and then it has been installed successfully. If I go into the configuration and devices menu, you would see, by going into controllers, you would see that the certificate now is installed, and I can see the
same thing in certificates as well, in controllers, and yeah, the certificate serial number now has been generated, you see. So if I go into the CLI of the vManage and use the command that says... earlier, you see, when we had this there, certificate status was not installed, certificate validity and everything was null, and if you scroll a bit down you also didn't have any serial number, it said no certificate installed. But now if you use the same command, show control local properties, there you go: certificate status is now installed, certificate validity is valid, and then it is going to be valid for 2022 and so, and then the DNS name and every other thing is there, and it has generated the serial number as well automatically. It's going to generate in the series of two, three, four, five, six, seven for every device that you're going to add sequentially. So that's how you add your vManage. I would say the vManage addition is the most kind of difficult one in order to be done, others are pretty easy there.

But yeah, now what we're going to do is we're going to move on by adding the other controllers that are there, which is going to be vBond and vSmart. In order to do that we also need to do some basic setups there. So I go to my topology, I switch on my vBond and I switch on my vSmart, and once they are switched on you can take the console access of them as well. They should be set up pretty soon. There it says system is ready, and now I can say admin and admin. I also need to set up a password again by saying admin and admin for the first time, and once you have this, then you can just... you see, this vBond is also vEdge, because the image is quite the same there as the vEdge. We've got to convert it into vBond by configuring it. So I'll go and say config t, I set up my system parameters by saying hostname is going to be vbond, right, then site ID is going to be 100, system IP is going to be 10.100.0.11, organization name is going to be lab, and the vbond IP itself is 223.1.1.11. Now as this
particular device itself is the vBond, we also need to add something by saying local, because this device locally is the vBond. So I say vbond 223.1.1.11 local, and this will only be done on vBond itself. And then I can just say commit this config, and once the commit is done then I can take an exit and do my VPN 0 configuration. So now if I say end and say show control system, oh sorry, show run system, this is the system parameter that we have configured here, which is good. If I say show control local properties, there you go, the root certificate chain is still installed here. So after you do this particular configuration, we just need to configure the IP address and other things, and then we also need to install the root chain certificate, and then we'll be adding the controller into the vManage... vBond, ah sorry, vManage GUI.

So what I do, I first go and say config t, vpn 0. The interface that I'm using is ge0/0 for vBond, so I'm going to say the same in the CLI, that interface ge0/0, I'll kind of take it below that, yeah, interface ge0/0, ip address 223.1.1.11/24, no shutdown, and then I can say configure tunnel interface and then allow-service all, and I'm going to just say commit, and then I can take an exit and exit. I also need to add in VPN 0 a static default route going outwards towards 223.1.1.1, just like we did the other day for the vManage, and then I need to commit that as well.

Well, I think there is something else as well that I need to do for this. Oh yeah, because this particular device, vBond, is the image of vEdge, we need to specify an encapsulation type of how the tunnel is going to be formed as well, so it's not going to be a normal, I would say, DTLS tunnel with the controllers. So I just go into the interface ge0/0, I'm sorry, interface ge0/0, and in tunnel interface I specify encapsulation. We can set either GRE or IPsec, so I'm going to say ipsec and commit. That's something that you just need to do for vBond and vEdges. And end. Now if I go and say show control
local properties, you have set up your system properties there. If I say show run vpn 0, then you can check that over here: interface ge0/0, IP is configured, the tunnel interface with encapsulation IPsec, allow-service all is configured, we're good, and then after that we also have a static default going outwards. So if I say ping 223.1.1.13, to the root CA, we are able to ping to that as well. So we are kind of squared off, I would say.

Now what I need to do, I just need to say request root-cert-chain uninstall. We're going to uninstall that. After uninstalling we're going to download it: request download tftp://223.1.1.13/pki.ca, and then I'm going to say request root-cert-chain install /home/admin/pki.ca, and once the root certificate chain is installed we're good then. And if I say show control local properties, we have, yeah, we have root certification installed, we're good.

Now I can go directly to my vManage, and then over here I can say go to devices, and inside the devices you need to add your vBond. So as the vBond is kind of a controller there, we say go to the controllers menu over here, in the controllers, and I say add a controller. So I want to add a vBond now, so I say add a vBond, and then I specify the IP address of the vBond, which is 223.1.1.11, right, and then I say username to that is admin, password to that is admin, and I say generate the certificate. So you can rather generate it by going into options here, just like we did for vManage, otherwise just generate it over here while you add it. So I said generate it, and there you go, the vBond is going to be added. And now if I click on this, then I need to go into the certificates. So inside the certificates I'm going to say controllers, and in the controllers you have vBond added here, and you can see the CSR has been generated, the certificate signing request, already, but there is no certificate installed. So we need to copy the certificate signing request like we did for vManage and
get it signed from the root CA. So I say view certificate, oh sorry, view CSR, and then copy this certificate signing request and go to the root CA, and here we're going to say enable, request, oh sorry, not request, crypto pki server pki request pkcs10 terminal, and then I paste the certificate signing request and copy the granted one. Enter, enter, it should give me the granted, there you go. I copy this granted and I go to the GUI, I close this up, I select vBond as yellow highlighted, and I say install certificate and paste the granted certificate and say install, and then a task is going to be initiated for installing the vBond, and success. So now I can go and just verify my main dashboard and you should see a vBond added there. There you go, so you know vBond has been made a part of the fabric now. If I go into certificates and go to controllers you shall see, there you go, vBond is now installed.

And the same thing we need to do with vSmart as well. So then I go to the topology, we are going to configure our vSmart now. So if I go here, vSmart, admin and admin, and I say admin and admin for the first time again, and configure system parameters by saying config t, system, host name is going to be vsmart, site ID is going to be 100, system IP is going to be 10.100.0.12, organization name is lab, and then vbond IP is going to be 223.1.1.11, and I say commit. Then I take an exit, go to VPN 0, and I configure the interface. What interface do we have now? We have ethernet 0, so I say ethernet 0, ip address 223.1.1.12/24, no shutdown, and after we do no shutdown then we kind of need to configure the tunnel interface, so I say tunnel interface, allow-service all, and take an exit, take an exit, ip route 0.0.0.0/0 223.1.1.1, and I generally commit it. So once the commit is done you can say show run vpn 0.
You have everything configured there, good. Now we need to repeat the same thing: uninstall the root certificate chain by saying request root-cert-chain uninstall, and then download the fresh copy by saying request download tftp://223.1.1.13/pki.ca, and I say request root-cert-chain install /home/admin/pki.ca, and it is going to install that. There we go, we're squared off for the CLI config that we need to do for the vSmart.

And I can go to the vManage now and I can say go to the devices section and controllers section and say add a controller, vSmart, and once I add it I need to specify the IP address, 223.1.1.12 for vSmart, admin, admin, so DTLS tunnel, that's all, and I say add. Once this is added, then we need to generate a CSR, like we need to view the CSR and get it signed and install the certificate, the same thing that we did for vBond. So I go to certificates, controllers, select vSmart, go to options and say view CSR. I copy the certificate signing request, then I go to the root CA and here I say request, oh sorry, why do I use the request, crypto pki server pki, sorry, request pkcs10 terminal. There I put up my certificate signing request and get a signed certificate granted. Enter, enter, and there you go, granted certificate. Copy this, go to the GUI, close this up, keep vSmart highlighted, install, paste the certificate and say install, and the task should be initiated.

Obviously, just one query came to my mind. In a production environment, suppose the certificate gets invalid after one year, right, over here it's showing a validity of one year. So once we do the same activity, like install the CSR and give it to the CA authority to create a new certificate, do I need to... will there be a service impact with this request, will it be decommissioned, or will it give you an error that the certificate needs to be installed again?

So you generate a new certificate signing request, get it signed again, and you'll extend the validity of another year there. That's kind
of the point in his work that he'll be doing, yeah.

So if I do it, will it impact my service, like, or will my vEdge...

No, no, communications, the communication is still working, that's not going to impact.

Okay.

Yep. So I go and say main dashboard, and over here you should start seeing your vSmart as well, added as part of the fabric. So now if I go and say devices and controllers, there you go: installed, installed, installed for all of these, and that's exactly what you need to do in order to set up your site number 100.

There is one thing. We have been doing the CLI configuration on vManage, vSmart and vBond, right. You don't need to save any configuration manually by using commands like write and all. The time that you say commit, you are doing nothing but saving your configuration. So it's like, the next time, because every day that you are done accessing the lab and when your time is done, then the lab is going to be turned off, and then next day you're going to turn on the lab. So it's just the CLI configurations: if you're doing CLI configs for the IOS devices, you need to save the config by using write, but you don't need to save any configuration for vManage, vBond and vSmart, it's just the commit that's saving your configuration. So next time, even if I, like, right now turn off the vManage and turn it on again, I'm going to find all the configurations there.

Very good, so this is kind of a lab that you need to do in today's lab access, okay, and then you should just sync up your networks, so I'll be here. Okay, take access of your lab, create this particular lab, follow the lab guide, because the lab guide kind of has every step. So it gives you this root CA setup first, then you can bring up your vManage, select the hard drive, and then move on with the system configurations and then the VPN configurations and all the other things. It's just that for ethernet 1 on vManage, here in the lab guide we're using VPN
0, which is still fine. If you want you can continue using VPN 0, otherwise you can use 512 for management purposes, so you just need to say vpn 512 and then select interface ethernet 1 and configure the IP. That's only going to be the difference, and then you can follow it step by step. Everything is there, how you need to copy and paste and what commands actually need to be done, everything is there in the lab guide. So go ahead, try this particular lab, see if that works for you. If you face any difficulty just let me know, I'm here and I'll be able to troubleshoot.

Cool, thanks.
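The certificate fields checked with show control local properties, and the expiry question raised at the end of the session, can be turned into a routine audit. The following is an added example, not part of the video or the lab guide: the sample text is constructed, and its field names and date layout are assumptions modelled on that command's output.

```python
from datetime import datetime, timedelta, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # assumed layout of the not-valid-after field

# Constructed samples (not captured from the lab); one per controller.
SAMPLE = {
    "vManage": """\
root-ca-chain-status         Installed
certificate-status           Installed
certificate-validity         Valid
certificate-not-valid-after  May 21 06:00:00 2022 GMT
""",
    "vBond": """\
root-ca-chain-status         Installed
certificate-status           Installed
certificate-validity         Valid
certificate-not-valid-after  May 21 06:00:00 2024 GMT
""",
    "vSmart": """\
root-ca-chain-status         Installed
certificate-status           Not-Installed
certificate-validity         Not Applicable
""",
}

def parse_properties(text):
    """Split 'key   value' lines into a dict; lines without a value are skipped."""
    props = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            props[parts[0]] = parts[1].strip()
    return props

def audit(text, now, warn_days=30):
    """Return a list of findings for one controller; an empty list means healthy."""
    p = parse_properties(text)
    findings = []
    if p.get("root-ca-chain-status") != "Installed":
        findings.append("root CA chain not installed")
    if p.get("certificate-status") != "Installed":
        findings.append("certificate not installed")
        return findings  # no validity or expiry to check yet
    if p.get("certificate-validity") != "Valid":
        findings.append("certificate not valid")
    try:
        raw = p.get("certificate-not-valid-after")
        not_after = datetime.strptime(raw, DATE_FMT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        findings.append("expiry date missing or unparseable")
        return findings
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.append("certificate expired")
    elif remaining <= timedelta(days=warn_days):
        findings.append(f"certificate expires in {remaining.days} days")
    return findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, text in SAMPLE.items():
        print(name, audit(text, now) or "ok")
```

Run against saved CLI output on a schedule, this flags a controller whose CSR needs re-signing before the certificate lapses.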
Info
Channel: PyNet Labs
Views: 6,183
Keywords: sdwan, sdwan controllers, sdwan fabric, vbond configuration, vsmart configuration, vmanage configuration, vsmart, vbond, vmanage, vmanage configuration on eve-ng, vbond configuration on eve-ng, vsmart configuration on eve-ng, cisco manager, root ca, Root certificate, sdwan lab, sdwan viptela, sdwan tutorial in english, sdwan configuration, eve-ng installation guide, eve-ng lab setup, eve-ng tutorial, sdwan training by pynet labs
Id: PDxK2qIL_rQ
Length: 103min 49sec (6229 seconds)
Published: Fri May 21 2021