Cisco SDWAN: Onboarding vEdge Routers - Exploring Zero Touch Provisioning

Captions
Understanding WAN edge devices in the SD-WAN infrastructure can be kind of daunting. There's cEdges, there's vEdges, there's virtual, there's physical, and did you know that there's a hard way to do it and an easy way to do it? I'm going to show you both, and we're going to start right now.

Cisco SD-WAN depends heavily on the idea of the control plane mechanism that we did in the previous video, and it also is going to draw heavily on the features and capabilities that the routers that we use to move data bring to the environment. Now specifically, when it comes to looking at SD-WAN, we have these devices, and like I said, these devices come in many different shapes and forms. Specifically they're based on the architecture of the vEdge devices, which are Viptela architecture devices or Viptela-built devices, as well as the newer Cisco devices. These devices are based on infrastructures like the CSR 1000v, the ISR in the physical environment, the ISRv in the virtualized environment, as well as the newer devices that are coming out, which are going to be the Cisco Catalyst 8300s as well as the virtual Catalyst 8000v. We're going to take a look at each of those in this self-paced bootcamp in order to be able to get a firm understanding of what actually takes place as it relates to the deployment of these devices in our infrastructure.

Now keep in mind, these WAN devices are designed to be able to provide lots of information to the controllers in the form of the performance characteristics that we're going to have, related to things like bidirectional forwarding detection. They're going to be designed to communicate their routes and information to those vSmarts; remember, I described those vSmarts as working like route reflectors, and we're going to talk about the overlay management protocol, or OMP, because it's going to be very, very important for us moving forward. It's also going to be these devices that are actually going to be running routing protocols. We
can run routing protocols towards VPN 0, which is going to be towards the fabric, so in other words we could actually be running BGP, for instance, with our service provider. But more often than not in deployments, as far as in classes like this one, we're going to be focusing on running these routing protocols in our service-side VPNs; in other words, we're going to be running OSPF, EIGRP where we have the Cisco-capable devices, as well as BGP and any other features. As an example, a perfect comment here: not a routing protocol but a first hop redundancy protocol, VRRP, is going to be supported and be running on these edge devices. So please keep in mind there's going to be a lot of stuff that we're going to have to talk about, and we're also going to want to look at these in terms of individual devices and resources.

Also bear in mind, I promised that we would discuss the hard way and the easy way. Concepts like zero touch provisioning and things like that make our lives a little bit simpler; however, keep in mind, in labs we still have to build these resources. Remember that we have a ZTP server, a zero touch provisioning server. We're actually going to configure that and we're going to use it in the first portion of this video as we look at the vEdge devices, but keep in mind ZTP is only supported on the vEdge. Other solutions are going to be available to us, and we're going to look at, like I said, the hard way and the easy way moving forward in the rest of this video.

All right, the first thing I want to do is call our attention to the user environment. Now in the last video we set up all of the controllers, and if you have not watched that video, I highly recommend that you go ahead and click on the card at the top of this video on the right-hand side so you can actually watch that video. Go ahead and just stop this one, pause it; you can always come back and watch that video, because that's going to be the video that we used to go through how we actually built our infrastructure. So you
see across the top here we have the three vManages, the two vBonds and the three vSmarts that we're actually employing in this environment, and those devices are infinitely important for us before we can even really begin to build the fabric, because they represent the control plane, the management plane, as well as the orchestration plane resources that we discussed in the previous video. So with that being said, let's go ahead and hit the rest of this.

Now the main thing I want to call your attention to is, you'll notice here we have WAN edge inventory on the screen, and we see that we have a total number of devices, authorized, deployed, in staging, and we have all zeros here. Now what I'm going to do is I'm going to go ahead and go through the steps necessary to actually tell the vManage what devices I intend to support. The way that I'm going to do that is I'm going to go to Configuration, I'm going to go to Devices, and what I'm going to do is I'm actually going to say Upload WAN Edge List. Now I have already gone through the steps necessary to build this list. If you want me to give you guys a video on how that's done, just let me know in the comments, and what I'll do is I'll actually set up a video just for that so that you guys can get an idea of what's involved in getting your own license file. Now the license file that I currently have on my environment is going to be saved on my desktop; actually, it's going to be saved in my Downloads folder, and it's called sd-wan csr vedge cat serial file dot viptela. That's because what I did is I uploaded everything into this file that's going to allow me to be able to demonstrate all of the resources that we were discussing at the beginning of the video. Now that does not take into account the physical resources; just understand that they will have to be provisioned differently. So right now let's just put a pin in that and let's go ahead and move forward with getting the virtual devices installed. Now what I've got is,
I've got a license file, and my recommendation to everyone is to go ahead and select "Validate the uploaded vEdge list and send to controllers". Now the reason I'm saying this is that if you don't do this now, you're going to have to manually do every device independently when it comes time to actually configure these resources, and that's going to take a lot of time. So what I'm going to do now is I'm going to go ahead and hit Upload, and it's going to ask me if I'm sure I want to upload this, and I'm going to go ahead and say OK. What this is going to do is this is actually going to read the contents of that file; it's going to find 32 devices, and by hitting OK what I'm doing is I'm agreeing to configuring these devices. What's happening now is these resources are actually being added to the controllers: notice my three vSmarts, my three vManages, my two vBonds. This is necessary because these resources have to know about the devices that I have actually paid for and licensed through Cisco before I can actually begin adding resources to the fabric that we're trying to build.

Now what I'm going to do is I'm going to go to Devices, and from Devices I should be able to see a list of resources. What I like to do is I like to go ahead and sort this based on device model; I do that by clicking on the device model, and what we're going to see here is that I have a different set of devices, and I'm going to go ahead and list those. You'll notice that I have, if I scroll up to the top, I have eight vEdges, I have eight ISRvs, I have eight CSR 1000vs, and I also have eight Cat 8000vs. Now this is going to give us a lot of flexibility. Understand that when it really boils down to it, there are two principal modes of configuration: there's the vEdge devices, which take the vEdge syntax, and there's the Cisco devices, which take the Cisco IOS XE SD-WAN syntax to make the configurations, and there are going to be some little tricks that we're going to discuss
moving forward, so please stick with me as I go through and explain all of the different steps. And remember, I promised the hard way and the easy way. We're going to begin using a vEdge configuration. What I'm going to do is I'm going to do it the hard way, or the harder way; there's nothing really hard about it, just understand that if I don't automate, using a vEdge I have to manually configure every device step by step, just like we did with the controllers. So let's take a look at that and see what it looks like when we get into the next part of this, which is going to be accessing our first vEdge device.

All right, let's go ahead and see if we can't get this thing going. My first vEdge that I'm going to bring online is going to be data center vEdge 1. Now what I want to call your attention to is, you'll notice that there are going to be some blue routers and there are going to be green routers. The blue routers are Viptela devices, specifically vEdge Cloud service routers; the green devices are going to be CSR 1000v running the latest and greatest version of that operating system. We'll explore that as we continue to move forward, but what I want to do right now is I want to begin with vEdge 1. From the perspective of setting up vEdge 1, there are going to be some things that I'm going to want to make certain that we configure. First of all, it's never been deployed or activated on the network, so what I'm going to do is I'm going to go ahead and log into it and change the password; "change" is probably not the best way to say it, because I want to take it back to admin/admin. Now what I'm going to do is, just like we did with the other devices, I'm going to go ahead and say config and set the system configurations up, and it's going to be very similar to what we did with the controllers. So the five key pieces of information that I'm going to need are going to be the host name, and again I'm going to go ahead and take the host name, which is going to be DC-vEdge1; my
system IP address is going to be 172.255, the site ID in the third octet, so this is going to be site ID 1, and I'll just go ahead and put the .2 in there. So in this particular situation I now have a unique system IP address, and keep in mind the system IP address is kind of like a router ID in OSPF; it's just a way of uniquely identifying the device. It's not going to be routable, it's not going to be reachable; in fact, quite frankly, we're not even allowed to use it on a physical interface inside of the infrastructure as long as it's associated to VPN 0. So now, if we proceed with the rest of the configuration, what I'm going to do is I'm going to go ahead and assign the organization name; the organization name is going to be SD-WAN-ADV-LAB. And the identity of my site designation, which is going to be site-id, in this instance 1. And lastly the vBond, so we will go ahead and identify the vBond, which will be vbond.micronicslab.com.

Now what we're going to do is we're going to need to move to VPN 0. VPN 0 is actually going to encompass two separate interfaces. Now what I'm going to do, just right now for the very beginning of this, is I'm going to put in the basics. So I'm going to go to vpn 0, and what I'm going to do under vpn 0 is I'm going to assign interface ge0/0 and I'm going to give it an IP address; that IP address is going to be 100.100.100.10/24, and I'll simply say no shutdown. Then what I'm going to do is I'm going to go ahead and assign the second interface, which will ultimately be part of my MPLS transit network; in this case I'm going to do 192.0.2.2/30.
Again, I'm taking the IP addresses from the configurations that we have set up here, and what I want to do... oh, well, that was silly, so I'll say no interface and I'm just going to grab this. This isn't a good example of what the Viptela devices will allow you to do, because, I mean, there is no such thing as "interface such-and-such" as far as the IP address. But what I do want to do now is I'm going to say interface ge0/1, and then I'll assign the IP address here, which is going to be 192.0.2.2/30; so it's 192.0.2.2, yes, that's the IP address. I will say no shutdown, exit.

Now what I want to do is provide my routing configuration as far as reachable destinations. So first I'm going to say ip route: anything that matches quad zero is going to go to 100.100.100.1. Now obviously that's going to be for the IP address on the internet gateway, but also what I want to do is I'm going to go ahead and put another route to the 192 prefix, and this device right here is going to be on MPLS. I'm just going to go ahead and show you what I've done here, so I'm going to go to MPLS and I want to look at that interface. What we will do is show run interface Gig 0/0, since that's the interface on the other side, and we see here that the IP address is .1. In fact, if we take a look at this configuration and I type show ip interface brief, what we'll see is that the IP address is always going to be the lower of the two numbers. So if we take a look at Gig 0/0, it's 10 on the vEdge, 21, and then up here on this device on Gig 2 what we're going to see is it's going to be 9. So that's the theme that I kept inside of the infrastructure: the lower number is always going to be the number that's going to be on the router. So here what I'm going to do is I'm going to say .1; sorry, I need to put the default route in first, so it's going to be 0.0.0.0/0. All right, so now what I'm going to do is I'm going to specify the DNS server, so the DNS server is going to be 172.16.100.100,
and I will say commit and quit. Now if all goes well, I should have reachability to my respective gateway, so ping 100.100.100.1, and I got the reachability there, and I'll say ping 192.0.2.1 to ping the gateway of last resort on MPLS itself. And lastly, what I want to do is ping www.google.com; we've got DNS resolution. Then the next thing I'm going to do is ping 100.100.100.2, and let's see if I can hit the IP address of vManage 1 in my cluster. So according to this, I have all of the reachability that I could want in order to be able to begin onboarding this device.

Now like I said, I call this the hard way, probably more accurately the long way, but the object of the exercise here is, looking at this device, the goal is going to be to get it to be part of my fabric. In order to be able to do that, there are some things that we need to explore. First of all, just like the controllers, I need to have my root certificate, so let's go ahead and see if we can't get that transferred. What I'm going to do now is I'm going to go into my jump box; from my jump box I'm going to go to my CLI, and from the CLI I'm going to say scp admin... actually, we'll say the file I want to scp first, sdwan.pem, and I'm going to send it to admin@100.100.100., and if you remember correctly, when we take a look at that device, we gave that device, show interface description, we gave this device a fourth octet of 10.
So that's going to be where I'm going to send this, so I'm going to say .10, and let's see if we can get it to transfer. Now notice that the file is not moving, and I want to talk about why the file's not moving. Remember we had that issue with the vBond when we were looking at building the vBond: the vBond did not allow us to be able to do anything as far as connecting to it, because the tunnel was on by default. So what's happening in this particular instance is we're actually blocking this access. Now I've got two courses of action that I could take here: I could either turn the tunnel off, which is on by default, or I could go ahead and just enable this process. To enable the process is going to be the path of least resistance, so let's see if we can't actually do that. What I'm going to do is I'm going to return to my device, and from my device again I'm going to go into config, I'm going to go into vpn 0, and I'm going to say interface ge0/0, which is going to be the internet. Then what I'm going to do is I'm going to say tunnel-interface, and I'm going to say allow-service, and if I do a question mark here, one of the services that I can allow is going to be sshd, the SSH daemon, and I'll say commit and quit.

Now at first blush everybody thinks that this should immediately start working. Well, the problem is it's not, because what we're going to do now is we're going to verify it by retesting, and now what's going to happen is, because we've reinitiated the handshake, we're now allowing the communication to actually go through. So what I'm going to do is I'm going to say yes, I'm going to use the password of admin, and as you can see I just transferred this file. This is going to be very important for us to keep in mind, because these devices and these resources need to make certain, and we need to verify, that they each have their appropriate root CAs. Now what I'm going to do is I'm going to go back to the device, and I'm
going to verify what it says when I use the command show control local-properties, and what we're going to see here is, remember, it says that the root CA is installed, but I want to look at the nature of that root CA. I want to say show certificate root-ca-cert | include sd-wan, and what we're going to see is there is nothing configured here. So what I want to do is I want to apply the root CA, and that's going to be done through request root-cert-chain install /home/admin/sdwan.pem, and that's actually going to apply it. Then what I'm going to do is repeat the show command, and we should see that we actually do see the Micronics configuration here, and as a result of that, that means that this device is going to be ready to have its CSR signed. Now that process actually happens differently on a vEdge, and again we're taking the long way here, and the long way is going to be that we're going to handle everything manually.

I'm going to move to the jump box, and from the jump box I want to look at vEdge devices, and what you're going to see here is we have a chassis number and we have a token number. What I'm going to do is I'm going to grab the chassis number; I'm just going to double-click on it, highlight it and copy it, and then what I'm going to do is I'm going to go down to my CLI here, and so that I can copy and paste in the lab I'm going to do an ssh admin@100.100.100.10 and see if it lets me log in, admin, and sure enough it does. Now you see, based on the prompt, I am located, or sitting, on DC-vEdge1. What I want to do at this particular juncture is I'm going to utilize another request command: I'm going to say request vedge-cloud activate chassis-number, and what I'm going to do is I'm going to paste that chassis number in, I'm going to hit space, and then what I'm going to do is I'm actually going to provide it the token number, and that token number is also going to be available here, and
what I want to do is I want to capture the token number. Let me go ahead and drag this over just a little bit so that we can see how long this is, and I want to get it without the keyword "token", so I'm going to right-click, say copy, and then what I'm going to do is I'm going to go back into the CLI, I'm going to right-click and say paste, and then I'm going to hit enter. Now as a result of this, my hope is that this device is actually going to connect to the vManage and add itself to my inventory. Right now, keep in mind that this device is going to take a little bit of time, so I'm going to just kind of pause and wait for it to actually connect.

All right, we see right now that the device has, notice, it's got a little green circle around it that says CSR. Well, that CSR is the certificate request, or the certificate signing request, and if it successfully gets signed, what we're going to see is it's going to actually translate to this little green ribbon, and the green ribbon means that this device has been successfully added to my infrastructure. You can see here that the serial number has translated from a token to an actual software-configured serial number, and what we're going to also see is, if we go to our main console, what we should see is a device that is in the process of being added to our infrastructure. Now notice here it shows up as red. If I click on the control plane down, what we're going to see here is, notice, it's telling me that this device is unreachable. What I want to do is I'm going to again wait for a little while to see if this condition actually continues. Notice that the device has gone green here, but it still shows as control plane down here. Now what I'm going to do is I'm going to click on this, and what we're going to find is this is empty. What I'm doing is I'm trying to make you guys aware of the fact that these graphical user interfaces are not instantaneous, and as a direct result of their lack of instantaneous
refresh you can see some things that might initially kind of look oddball. So again, you know, take everything that you see with a grain of salt as it relates to how these resources go active, but we can see above my head here we actually have a WAN edge device that has been successfully onboarded.

Now before I move on and start talking about the next part of this, which is going to be using the ZTP server, what I want to do is I want to take another look at the WAN edge inventory. Remember I uploaded a file that had 32 WAN edge devices; well, as a result of the fact that I authorized those at the time that I added the Viptela license file, we can see that I have all 32 that are going to be considered to be authorized, and that's the total number of devices. Also, of these, notice now that I have one device that has been deployed, and we can see that I'm going to be able to look at its health score and other elements. Now obviously this is going to be something that we're going to look at closer as we move into our configuration. Right now my primary focus is going to be to build the infrastructure: to get the control planes operational like we did in the last video, bring up our WAN edge devices, whether they're cEdge, whether they're going to be vEdge, and ultimately get to the point where we can actually start creating VPNs, moving data and verifying how things are actually going to be translated inside of the VPN 0 infrastructure using internet and MPLS.

What I'm going to do right now is I'm going to go in and I'm going to turn on DC-vEdge2. DC-vEdge2 is going to actually get an IP address from the gateway router; I have enabled DHCP on this device, and I'll go ahead and give you guys an illustration of what that looks like. I'll say show run | section dhcp, and what we're going to see here is this resource is providing the following information, so you can copy that into your own lab if you're following along. And then also it should be noted that if I come in and
say show run | include ip host, what we're going to see is that we have an entry for our two vBonds as well as an entry for a resource called ztp.viptela.com. Now what I want to do right now is just simply go through the configuration. So I'm going to go into DC-vEdge2, and from DC-vEdge2 I'm going to log in, and since this is a first-time start it'll be admin/admin, and change it to what it was. There we go. So show interface description, and we can see that I've got an IP address from this DHCP server; show ip dhcp binding, and we'll see that that IP address was issued to this MAC address, d0001. If I want to look at that over here, show interface ge0/0, we can see that it is d0001.

All right, so now what we want to do is we want to actually see if we can't get this device to actually join our fabric. Now the issue that we have is going to be that this device does not have the proper root CA; remember, we need to use the root CA that we built. I can illustrate that by saying show certificate root-ca-cert | include sd-wan, and we'll see that there's nothing there. If I come over here and say viptela, so if I just up-arrow and say show me viptela, we'll see that it's not going to show up here, but let's say show cert... you can see that we do have certificates. Let me see, it's probably capital V, if I wasn't paying attention, so yeah, it's capital V. So if I were to come over here and say show cert | include Viptela, we should actually see that here we do have their Viptela certificate. Now remember, this comes on this virtual box; this is just a vEdge. What I want to do is I want to actually use my own, but the problem is, remember when we said show run vpn 0, remember our interfaces by default on a vEdge are actually going to be functioning with the tunnel mode on and encapsulation ipsec. Now I don't want to change that, so what I'm going to do is I'm just going to come in here and I'm going to say configure, and I'm going to go to vpn 0, interface ge0/0,
I'm going to go into the tunnel-interface and I'm just going to say allow-services, or allow-service all, and I'll say commit and quit. Now I should be able to do pretty much whatever I want, and what I want to do is I want to transfer the file from the jump box to the device in question. So all I'm going to do is... yes, actually, I need to remove my host files, just in case I've been doing some experimenting in the background between sessions. So what I'm going to do now is I'm going to say scp sdwan.pem to admin@100.100.100.79:, and it should let me log in, admin, and should allow me to be able to pass the data. So all I want to do now is go to that resource and enable this. Now I'm going to do some copy and paste, so that means I'm going to want to use the CLI, so I'm going to simply say ssh to admin@100.100.100.79, log in, and sure enough, here I am on the console of the vEdge itself. Now all I want at this point is going to be request root-cert-chain install of the file that I moved to /home/admin called sdwan.pem; you've seen me do this a number of times. And now, if I verify show certificate root-ca-cert and I say | include sd-wan, you'll see that indeed I have mine in there. Now it does not mean, if I come over here and say viptela... it does not mean that the Viptela one remains. So in this specific instance what I've done is I've replaced theirs with ours.

Now that this is installed, what I want to do next is I want to go ahead and onboard this device. Now how am I going to do that? Well, what I'm going to do is I want to first of all show control connections, and we'll see we have none. Now I'm going to say clear control connections history, and then I'm going to say show control connections-history, and we'll see that that is now empty. I want that to be empty in case we have to do any troubleshooting. Now the next part of this is going to be to go ahead and do the request vedge-cloud activate chassis-number command, and
what I'm going to do is I'm going to go into the user interface and I'm going to grab the next available vEdge device. Remember, you can hit the device model two times and it'll actually move all of the vEdges to the top that would normally be at the bottom. All I'm going to do is I'm going to highlight the chassis number and I'm going to paste that into my session, paste, then I'm going to say token, and then what I'm going to do is go back to the graphical user interface and grab the token; remember, do not take the token keyword. Copy, and then I'm going to paste that in and I'm going to hit enter. Now I'm going to come in and say show control connections, and what we're going to see is that we have formed a communication towards our vBond, 100.100.100.3; that's the IP address of vBond 1. And you'll notice here we're sending a communication, or have sent a communication, to 100.100.100.12, which is going to be our second vManage in our vManage cluster. Now what I want to do is, let's go ahead and see if we actually are going to see anything in the output of show control connections-history, because remember, I cleared that, and now what we're seeing is that we do have some configuration in place: so we've got "system IP change", "system IP change", "system IP change", we have some other outputs here. What I want to know is, is this device actually being onboarded? So what I'm going to do is I'm going to go into the graphical user interface, and sure enough we see that it has been onboarded. What I'm going to do is I'm going to go to the main dashboard, and from the main dashboard I want to see what's going on. Now notice I have a device and it says its control plane is currently down. What I'm going to do is I'm going to go to that device, and I'm going to hit enter here, and what we're going to find is that this unit is actually being configured by the vManage; it's not broken. Notice here it now no longer says control plane down, or control down, and we
still have a red arrow here, but remember, like I said, these graphical user interfaces are not instantaneous, and before I even hit refresh it actually changed itself to an up state. Now what's more interesting is, not only did it change itself to an up state; if I hit enter now, what we're going to find is it actually has been configured and programmed by the vManage. This is what we call the short method, or the easy way, of onboarding vEdge devices.

Now this is going to have to be caveated, because you've got to understand that, in the context of Viptela, back in the day Viptela used to host the ztp.viptela.com servers, and there was a cluster of servers, and when you or I would buy resources they would actually populate all of that information to that zero touch provisioning server, which they actually hosted in their environment. We would pay for licenses, we would connect to that, the devices would actually see the tokens and the serials or the TPMs, all of the cryptographic ASICs and physical hardware, and then it would allow us to be able to onboard devices in a very similar fashion to what you see here. But the problem with this is, it's sorcery, or at least it looks like sorcery, but it's not. All right, in fact it's an illusion. What's happening here is that we have created our own ZTP server. Now Cisco does not host ZTP servers; Cisco changed the methodology to what is referred to as a PnP service, or plug-and-play service. This actually translates to the fact that our behavior is going to be exactly the way it used to be, but now the responsibility of building the server, this zero touch provisioning server, falls on our shoulders. Now what I've done is I've illustrated the fact that this works, and I want to highlight the fact that, sure enough, if I come in here and I say show control connections, what we're going to see here is that we should have connections with our vSmarts and our vManage, so everything is good to go in that regard. I can even come in here
and say show omp peers; we haven't covered this yet, but you can see that I have peerings with two of the vSmarts, vSmart 1 and vSmart 2 in this specific instance, out of the three that we have. So bear in mind, like I said, you know, this is almost like magic when it comes to what's actually happening, or the appearance of what's happening. However, in labs, and even in production, since this ZTP server doesn't exist as an entity outside of Cisco, because Cisco acquired everything and set up their own methodology using SD-WAN, this is something that we have to do on our own, and I'd be remiss if I didn't show you how to actually implement it in your environments. That's what we're going to talk about next: we're going to actually move to a conversation about zero touch provisioning and ZTP servers, and I'm going to remove all of the configuration that I have set up in here to allow the ZTP to work.

So I'm going to go up to the ZTP server itself, I'm going to wipe it, which is going to ultimately remove all its configuration. The next thing that I'm going to do is I'm going to go into the jump box, and from the jump box what I want to do is remove the ZTP as a resource. So we'll log in, test123. Now, to facilitate the mechanism of ZTP, what I've done is I went into my system and I added it as a controller. So if I go to Controllers under Devices, what we'll see here is the device in question is this guy right here, vBond. It's not really going to be functioning as a vBond per se, because it's not inside of the DNS resolution that I showed you earlier, but what I want to do right now is I am going to invalidate this controller. That's going to remove it from the list of controllers that I'm going to be supporting, and it's going to take a little bit of time to basically be removed. While this is happening, what I want to do is I'm going to minimize this and I'm going to go ahead and turn the ZTP back on, and what we're going to do is we're going to want to make some
configurations on this device to, first of all, get it to where we can onboard it in the fabric. The rationale behind onboarding it has more to do with the fact that I want it to have a functional set of certificates, so it must be configured such that it's going to be able to handle the processing of our organizational name, the generation of the CSR, the signature of a CSR, and everything. And what I'm going to do is take us from soup to nuts as far as getting this thing set up. Now in order to do that, I want to connect to it, so I'll just double click, and we'll find ourselves looking at a vEdge, because at the end of the day, all a ZTP server is is a vBond. So I'm going to come in here and say admin, admin, admin, admin. And remember, all a vBond is is a vEdge that has been told that it's going to assume the role of a vBond. So let's make certain that the... I want to see if the machine has been removed. So if I go in and take a look at Devices, I should now be able to go to Controllers and I should only be able to see two of those vBonds. So yes, everything's ready for us right now. So what that translates to is that I want to go in and do the configuration in such a way that we're going to set this device up, we're going to onboard it just like it was a vBond, and then what we're going to do is make the configuration necessary to go ahead and onboard another device. The device that I'm going to onboard is going to be vEdge 30.
So right now, what that's going to translate to is we need to do the config, and I'm going to go ahead and set up the system parameters. So in this instance it's going to be host-name, and what we're going to do is we're going to call this ztp. I need a system IP address, so what we'll do is we'll say 172.255, I'm going to go ahead and say 100, and then I will use 101 as the fourth octet; again, it just needs to be unique. The next thing that I'm going to do is tell it the organizational name, which is going to be sd-wan adv-lab. The next thing I want to do is give it a site ID, and I'm going to go ahead and make this part of site ID 1003, just an arbitrary value. And I need to tell it the identity of the vBond. Well, guess what, it is a vBond, so what I'm going to do is I'm going to come in here and I'm going to say we will use your IP address as the vBond, and you'll notice here I can say, hey, the local device is going to be the vBond, and it's also going to require me to employ this little guy right here, ztp-server. So now I've got everything that I need in the system to make this device be ready to be joined to the fabric. So what we're going to do now is vpn 0. I'm going to need that default route, ip route, which will be 100.100.1; then I'm going to need the DNS, which is going to be 172.16.100.100.
And I'm going to go to interface GigabitEthernet 0/0 and I'm going to assign its IP address, ip address 100.100.100.101/24, no shut. I'm going to say tunnel-interface, and from here I'll say encapsulation ipsec, and then what I'm going to do here is I'm also going to say allow services, or allow-service all, and we will say commit and quit. Now obviously, in order to onboard this device I need to make certain that I have the sdwan.pem file, so we'll go back to the jump box, and what I'm going to do is I'll go to the CLI, and then from here I'll go ahead and exit out of this guy right here. Actually, I can't, because this has since ended, so we'll go ahead and close that terminal and we'll use this one. So again, I'm going to say scp sdwan.pem, and what we're going to do is transfer this to admin@100.100.100.101: and admin should let me in, and now it's there. So the only thing that we really need to do at this juncture is to go ahead and enable the root certificate, so that's going to be request root-cert-chain install /home/admin/sdwan.pem. All right, so now we're ready to go through the onboarding process. So that means I need to generate a CSR; to generate a CSR I have to add it as a device, and I'm going to go ahead and sign that CSR on the local machine. So let's go ahead and see if we can't get that to happen, and to get that to happen I'm going to start from the vManage. I'm going to go to Configuration, Devices, I'm going to go to Controllers, from Controllers I'm going to say Add Controller, and I'm going to go ahead and add a vBond, and I'm going to use the IP address of 100.100.100.101, and I'm going to say do not generate the CSR, same as we did in the other labs. And then I'm waiting for this to be added, and you can see here that it's currently not installed. Now what I'm going to do next is go to Certificates; from Certificates I'm going to go to Controllers, and we will see here that I have this guy right here that says
vBond, and we see it's got a UUID and no cert installed. All this is telling me is that this device has been part of the fabric before, and what I want to do is I actually want to add it back; remember, we deleted it. So I'm going to go over to the three dots, and from the three dots I'm going to generate a CSR. I'm going to save said CSR, and then what we're going to do is close, and I'm going to go into the system and I need to do a little bit of house cleaning. So what I'm going to do is I'm going to say rm -f and I'm going to remove anything that is ztp.anything-else. Now I'm going to mv undefined, which is going to be the .csr file that we're going to get from any device that's not part of, or a vManage in, our environment, and I'm going to call this ztp.csr. And what I want to do now is I actually want to sign this, so we are going to say openssl x509 -req -in, and the in file is going to be ztp.csr, and what we are going to do is the -CA is going to be sdwan.pem, the -CAkey is going to end up being sdwan.key, then what we're going to do is the CA serial, or -CAcreateserial, and then what we're going to do here is I'm going to say -out, and the output file is going to be ztp.crt, and I'm going to say I want this to last for -days 2000, plural, and I want to use -sha256. And let's see if this actually goes through, and it appears to. So let's go ahead and cat it, and we'll copy it and then get it into the system through Install Certificate. So let's go ahead and grab all of it, copy, go back into the graphical user interface, and I'm going to hit Install Certificate and I'm going to go ahead and say paste, and let's see if we can get this thing to install. All right, we see that it's been installed. Now the next part of this is going to involve going in and making certain that this resource is going to be reachable; in other words, I want to be able to resolve its name, I want to make certain that I can ping it from the
different devices, and we also want to make certain that we pay attention to what's happening, because remember, we're going to add site 30 to the mix. Let's go ahead and take a look at what that's going to appear like from the perspective of the devices. So what I'm going to do is I'm going to go ahead and minimize, and I want to go to... I'll go ahead and minimize this also. I'm going to take a look at this guy right here. Now this guy right here is vEdge 30, and I want to log into vEdge 30, admin, admin, and from vEdge 30's perspective I want to say show interface description, and I want to make certain, or see, if this device actually has an IP address, and it has an IP address of .80. Now what I want to do is I want to leverage the ability to set this device up and utilize this device for the purposes of working on and doing some testing. This device is going to allow us to exercise and determine whether or not the ZTP server is actually doing its job. But what I want to do to the ZTP server in the beginning part of this is, first of all, make certain that the ZTP server can hit the outside world. Can it hit the gateway? Can it ping 8.8.8.8? It can ping through. Can it ping google.com? It can. Can it ping itself as a DNS? So I'll say, we'll come over here and say ping vbond.micronics; it should resolve to its own IP address, and it should work. So from the perspective of the ZTP, everything seems to be good to go. Now what I want to do is some additional testing, so I'm going to enter the vshell. So from vshell, what I'm going to do is change directory to /var/log and I'm going to go to tmplog, and from here I'm going to use a Linux command called tail -f vdebug, and what we're going to see here is the ZTP server is going to be processing messages, and on this screen what we're going to see is we're going to have the ability to monitor how the ZTP server is actually
going to process incoming information. This could be done on a vBond; all of that information is going to be saved in the vdebug file, and by tailing it what we're doing is we're actually looking at the last lines that are being entered into this file as they actually get entered into the file. So what I want to do is I want to take a look at this now, and I'm going to leave this thing running up here. I'm going to go ahead and... one of the things that I want to do is I want to not have to use this console right here; I don't want to have to use vEdge 30. So what I'm going to do is I'm going to go ahead and go into the jump box. I'm going to change the size of the jump box to where I can actually have both of these screens up at the same time, and you'll notice I hit enter over here on the ZTP server just to make certain that everything's clear. Now we're going to kind of go through this in a painful way, because I want you guys to understand all of the nuance and all of the configurational requirements in order to actually get this to work. Now first and foremost, like I said, we're going to use this device right here, which is going to be our site 30; I think I said site 40. So this is going to be our site 30, and it's going to be at .80. Now bear in mind, we know that I need to be able to get the sdwan.pem sent over, so I'm going to go ahead and take care of that now. So it's going to be scp sdwan.pem, and we're going to send it to admin@100.100.100.80:.
And it doesn't seem to be letting me in, so let's go ahead and take a look and see what's going on. So we know the leading cause of this is the fact that we do not have an SSH daemon service that's being allowed. So what I'll do is I'll say config, we'll go to vpn 0, we'll go to interface GigabitEthernet 0/0, I'll say tunnel-interface, and I'll say allow-service all, and commit and quit. Okay, so now if I stop this process by using a Control-C and reinstate the process, it should actually allow me to connect. Now admin should be able to transfer the file with absolutely no problems. So now I've got it; I want to go ahead and get it installed. So what I'm going to do is I'm going to say request root-cert-chain install /home/admin/sdwan.pem, and that file has now actually been added to my infrastructure. The thing that we want to remember here is that what we need to do is pick a device that we have actually been issued permission by Cisco to use, and again that's going to be in Configuration, Devices, WAN Edge List. And if I go ahead and hit my device model here a couple of times, to where I can get the vEdges up in the top, we see here that we have the third device. Now, destroying the ZTP server did absolutely nothing to the existing device that we onboarded previously using the ZTP server, because once the ZTP server has done its job we don't need it anymore. It's just an initial reference that we're going to actually leverage in order to onboard devices; once they're onboarded, we're fine, the configuration was pushed by the vManage, and in this demonstration we're going to look at how and why. So when I look at what's going on now, what I want to do is everything that I did, similar to setting the device up before, and that's going to require me to actually SSH over to it, because I want to do copy-paste. So I'm going to say ssh admin@100.100.100.80, admin, and now what I want to do is go ahead and do the request. Actually, let's verify that
we have everything that we need. So show interface brief, show interface description: we have an IP address. Let's double check and make sure that we can ping all the necessary resources. So the very first one that we have to hit is ztp.viptela.com; let's see if we can hit that, and we can, it resolves to 100.100.100.101. Ping, I just want to test to the outside world, www.google.com; if that resolves, we know pretty much everything else is working. So at this particular juncture we have everything that we need. So what I want to do is I'm going to go ahead and use my request, and what I want to do is I'm going to say request vedge-cloud activate chassis-number, and I want to plug that chassis number in, and that's going to be this one right here. I'm just going to capture it, copy, and plug it in, paste. We will do token; I'll go ahead and grab the token. Remember, do not grab the keyword token, you just want the numbers and letters. Copy, we come over here, I'll paste that in, and now I have everything that we did before: we've got the root certificate and we have the configurations here. And what I want you to notice is that immediately we got some messages over here. Now what I want you to see here is it says vBond process challenge acknowledgement, we are going to say peer device with a chassis number, that's the peer's device number, and it says it's not found. And what we're going to see here is we're getting an error that says the serial number is not present for the device located at 100.100.100.80, and this is extremely important for us, because this is going to tell us what we need to focus on next. Now what I want to do is I want to go ahead and say show control, and what I want to do is look at connections, and what we're going to see here is there are none. Now what happens is, remember, a device that uses a ZTP server, you know, your theory, too long didn't read: that device is going to go out towards the ZTP server, it's going to be authenticated, if it's authenticated, if it has
been whitelisted, then it's going to be told the identity of the actual organizational vBond, and it's going to try to connect to it. Right now we see none of these connections as up and operational. Now what I want to do is I'm going to say show control connections-history, and what we're going to find here is that we see the exact same message that we're seeing here: serial number not present. Now, if I haven't configured the ZTP server to recognize the serial number as being one of mine and part of my organization, it stands to reason that this isn't going to work. Now it's also going to be very, very important for us to recognize another fact that we really haven't spent any time talking about; we're going to discuss it in depth when we get into the concept of templates. But if I'm going to use a ZTP server, it is mandatory that I have a template. The vManage has to have a template in order to configure the device that you're going to see on the screen here, and that is going to be what happened in the previous lab, because in that lab we saw specifically that we had this configuration that was pushed by the vManage down towards the DC vEdge 2 device. I want to do the exact same thing in site 30 here, and in order to do that we need to actually build a template. Now what I'm going to do is I'm going to make a very simple CLI template, and that CLI template is going to be what we're going to be using moving forward as we actually work with the rest of this. But you can constantly see the message that we have here is telling us that this device can't be authenticated because the serial number is not present in the ZTP server. What we've got to do is provide that information, but first what I'm going to do is actually implement the template. Now I'm going to leave all of this running. What I'm going to do is go into the device in question, and we want to actually... I grabbed this one, so darn it, but that's okay, it'll just be out of
order. So just to double check, the serial number is 6CD, so 6CD. So I actually grabbed the fourth one, but it's not a problem; this is just going to be the one we use. So 6CD, we need to remember that. So what I'm going to do now is I'm actually going to go to a section that we haven't talked about called Templates. Now Templates is where I can actually store configurations for devices in the SD-WAN fabric, and you can see here I've already got one. Now what I'm going to do is I'm going to click on this and I'm going to copy it. I'm going to go ahead and call it site, we'll say, uh, branch 30 vEdge 1; I'll copy this, put it here, and I'm going to go ahead and copy it. Now what I want to do, now that it's copied, is edit it, because there's going to need to be some changes made to it. So we're going to hit Edit, and all I'm going to do is apply the informational changes that I'm going to need in order to make this work. I'm just going to minimize this, and what I'm going to do is drag this off to the top, and what I want to modify is going to be several factors. So right now all I'm going to do is come in here and say, well, this is going to be site 30, 255.30. I'm just making the changes as if I was entering them in the system: this is going to be site 30. The sd-wan advanced lab stays, the vBond identity stays. All I'm going to do now is take a look at the vpn 0 configurations, because obviously they're going to change. So from vpn 0, our first interface is going to be gigabit 0/0, and gigabit 0/0 is actually going to have the IP address of 100.100.100.30, and GigabitEthernet 1 is actually going to have the IP address of 2.14 30, and I need to modify the gateway of last resort that's being used for the MPLS environment, which is going to be .13.
Remember, the MPLS device actually has the lower of the range; this is the upper, so .13 is going to be the gateway of last resort. And what I'm going to do is hit Update, and then what I'm going to do is hit the three buttons here and say I want to attach a device to this resource, and I said 6CD because I actually picked the fourth one in the list instead of the second. And what I'm going to do is attach this; we'll talk about how to verify things later, as we're going to have a very long conversation about templates in another video, and then what we'll do is we'll start using those. But let's see what ends up happening here. This is going to be interesting, because it says done and scheduled, and if I look at the down arrow, notice it says template br 30 vEdge 1 is scheduled to be attached to the device when the device comes online. Now the device is not online. If I go to my main dashboard, what we're going to find is that I only have the two resources, DC vE1 and DC vE2, in our environment, and what I want to do is make certain that I can add this third one. Now in order to add this third device, which is going to be vEdge 30,
what I want to do is take again another look at the ZTP server. So what we see now is that it's still telling me that the serial number is not present. Now we want to modify that, and in order to modify that, what I've got to do is tell the vBond about the serial number. So what I'm going to do is I'm going to go to Devices, I'm going to hit the button for device model twice, that'll put the vEdges at the top, and I need this guy right here. And what I'm going to do is just double click on this chassis number, I'm going to copy it, and what I want to do is go back into the ZTP server. So I'm going to exit out of this device and I'm going to connect to the ZTP server, which is going to be .101, admin. And what I want to do is I need to know what this ZTP server knows about, so anything that's been configured on the ZTP server can actually be seen using ztp entries as the keyword, and what this is telling me is this zero touch provisioning server doesn't know anything about any resources that are part of my fabric. Now what I need to do is actually add those resources. So what I'm going to do is come over here and say request device add chassis-number, and I'm going to paste that chassis number in. Now the next thing I'm going to do is actually provide a serial-number. Well, the naming is a little bit odd, but the serial number is actually this token field, so again I'm going to go ahead and right click on that and copy that out, and what I'll do is I'll put that token field in here, paste. Now I'm not done yet, because what I'm going to do next is come over here and specify the validity, which is going to be valid; I have a choice of valid and invalid. And then I'm going to specify my, um, vbond; the vBond is going to be located at, and you can just tab complete to figure these out, vbond.micronicslab.com. And now I'm going to enter the org-name, which is going to
be sd-wan adv lab. If I was going to enter a root certificate I could, and also I have the capability of specifying a default directory to find the root certificate, that sdwan.pem file; I'm not going to worry about any of that. I'm going to go ahead and hit enter, and you'll notice it comes over and tells me that the database has been updated. Notice that it's coming up and saying the personality, it's saying peer device, we have a new state; what we're seeing here is the device is actually being added to the infrastructure. So from this vEdge let's go ahead and say show control connections and see if we see something, and we do. Notice we see what we saw before: we see 100.100.100.3, which is a communication to vBond one, and we're also seeing communication to the vManage too. We're going to see here that the resources are being configured, and ultimately what I should see is this device go online. And let's go ahead and take a look and see what's actually happening: show control connections. We still don't have any yet, but we just have to wait, so I'm just going to be quiet, and what I'm going to do is actually watch it from the perspective of the jump box. It's actually been signed, and what we're going to find here is that the template that we configured will ultimately be applied to this device; that's what's taking so long right now. So let's go back to the vEdge, and it took its configuration from the template. So if I come over now and I say show control connections and we take a look at it, we see everything that I would expect to see: two vSmart connections, one vBond connection, which is a temporary connection, and we have the vManage connection, and notice it's going to vManage 12.
So interestingly enough, what we've done is we've walked through the stuff necessary to onboard the ZTP server; we've also configured the device such that it can communicate to the ZTP server, as well as took a look at some of the diagnostic tools that we have with regard to monitoring what's happening with these zero touch provisioning servers. Understand also that these commands can also be run, or the command as far as the vdebug monitoring, the file vdebug, can actually be run on a regular vBond; a very, very handy tool if you're trying to determine what's going on, or what's going wrong, in your network infrastructure. So I just wanted to make certain that we had an opportunity to walk through this, and what we're going to do is verify that we actually see everything up, and then what we'll do is we'll move forward. So from the perspective of the Cisco vManage, I'm going to go to my main dashboard, and from my main dashboard what I want to do is make certain that we have three functional WAN edges; we have three vSmarts, two vBonds, and three vManage. I hope you found this helpful, I hope you found it informative. What we're going to end up doing next is turn our attention towards the idea of the cEdges; the Cisco devices are a little bit different, and what I've decided to do is go ahead and stop this video here, and then when we return in the next episode, what I'm going to do is walk us through how we go through the process of onboarding cEdges themselves. And I also want to, in that video, talk about templates a little bit more. There are two types of templates: there's a CLI template, which is what I demonstrated, and then there's a more versatile form of the template known as a feature template, or device template, that's made of feature templates. It'll make sense when we talk about it. A lot of people, myself included, aren't real big fans of this type of template, because it's a little
bit more complex to create, but it does ultimately give us a lot of granular capability when it comes to implementing our fabric, and also being able to just simply copy an existing set of feature templates, modify them in kind, and deploy them. So what we're ultimately going to do is move to feature templates everywhere, but the CLI templates are extremely easy to use, and a lot of students ask me, well, why would I use feature over CLI? And obviously the answer to that question is the feature templates are going to be more granular and also require us to have little to no real understanding of the syntax that would have to be deployed on different devices, and we'll talk about those in the next video set. So again, I'm Terry Vinson, and I want to thank you guys for your time, and I'll see you in the next episode.
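As an added example that is not part of the video, the jump-box signing step for the ZTP server's CSR (openssl x509 -req with -CA/-CAkey, -CAcreateserial, -days 2000, -sha256) rebuilt as a shell script that also checks the resulting certificate before it is pasted into vManage. It assumes openssl is in PATH; the lab's sdwan.pem/sdwan.key root CA and the ztp.csr downloaded from vManage are replaced here by a constructed throwaway CA and CSR so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the video: sign the ZTP server's CSR with the lab's
# enterprise root CA the way it is done on the jump box, then check the result.
# Assumes: openssl in PATH. The CA (sdwan.pem / sdwan.key) and the CSR (ztp.csr)
# are constructed stand-ins for the lab files; in the lab, sdwan.pem is the file
# pushed to every device with "request root-cert-chain install".
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed throwaway root CA standing in for the lab's sdwan.pem / sdwan.key.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout sdwan.key -out sdwan.pem \
    -days 3650 -subj "/O=sd-wan adv lab/CN=lab-root-ca" >/dev/null 2>&1
}

# Constructed CSR standing in for the one vManage generates for the ZTP server
# (downloaded as "undefined" and renamed to ztp.csr in the video).
make_ztp_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout ztp.key -out ztp.csr \
    -subj "/O=sd-wan adv lab/CN=ztp" >/dev/null 2>&1
}

# The signing command from the video: 2000-day validity, SHA-256 signature,
# CA serial file (sdwan.srl) created automatically by -CAcreateserial.
sign_ztp_csr() {
  openssl x509 -req -in ztp.csr -CA sdwan.pem -CAkey sdwan.key \
    -CAcreateserial -out ztp.crt -days 2000 -sha256 >/dev/null 2>&1
}

# Checks worth doing before pasting ztp.crt into vManage's Install Certificate:
# it chains to the root every device trusts, it is SHA-256 signed (not SHA-1),
# and the organization matches the org-name configured on the controllers.
verify_ztp_cert() {
  openssl verify -CAfile sdwan.pem ztp.crt >/dev/null 2>&1 || return 1
  openssl x509 -in ztp.crt -noout -text | grep -q sha256WithRSAEncryption || return 1
  openssl x509 -in ztp.crt -noout -subject | grep -q "sd-wan adv lab" || return 1
}

# Returns 0 when the certificate is still valid N days from now, 1 otherwise;
# used to confirm that the -days 2000 value actually landed on the certificate.
cert_valid_for_days() {
  openssl x509 -in ztp.crt -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Stand-alone run: build the stand-ins, sign, verify, and print the certificate
# (the text the video copies with "cat" and pastes into vManage).
make_lab_ca
make_ztp_csr
sign_ztp_csr
verify_ztp_cert && echo "ztp.crt verified against sdwan.pem"
cat ztp.crt
```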
Info
Channel: Terry Vinson CCIEx2
Views: 4,002
Keywords: ccie enterprise 2021, ccie enterprise infrastructure sdwan, ccnp enterprise 2021, cisco sdwan, cisco sdwan 2021, cisco sdwan controller onboarding, cisco sdwan controllers, cisco sdwan vmanage, cisco vbond, cisco vbond orchestrator, cisco vsmart, cisco vsmart controller, dtls tunnels, ensdwi, ensdwi training, eveng, implementing cisco sd-wan solutions, sdwan, viptela, vmanage, vbond, vsmart, cedge, vedge, terry vinson, ccie35347, sdwan redundancy, cisco sd wan, sd wan, ztp, viptele
Id: HkLsjpf3SE8
Length: 69min 53sec (4193 seconds)
Published: Wed Jan 20 2021