Cisco Viptela SDWAN: OSPF and BGP

(Part 2)
Document Information:
Lab Objective:

This lab is about setting up Control Plane and Data Plane for Sdwan. After the
labs,we can see connection control from Vsmart, Vmanage, Vbond and Vedges. For
Data Plane, In Vedge, we have IPsec tunnel, BFD session then check the Tlocs info
…

Requirement:
- Software:
o eve-nglab version 1.0.2 if eve-nglab still version
1.0.1, let login vm console with account root/eve
then run command: wget -O - https://user.eve-
nglab.com/upgrade/1.0.2 | bash
- Hardware requirement:
o RAM 24Gb Lab topology:

TASKs :

1. OSPF Task : in R13, Ping 77.7.7.7 from 66.6.6.6 must be okay.

2. BGP Task in R13, Ping 3.3.3.3 from 4.4.4.4 must be okay.

Initial CFG

1. INTERNET Router:

interface GigabitEthernet0/0

ip address 10.1.1.254 255.255.255.0

interface GigabitEthernet0/5

ip address 10.2.6.254 255.255.255.0

interface GigabitEthernet0/6

ip address 10.2.7.254 255.255.255.0

ip route 100.1.1.1 255.255.255.255 10.1.1.1

ip route 100.1.1.2 255.255.255.255 10.1.1.2

ip route 100.1.1.3 255.255.255.255 10.1.1.3

ip route 100.1.1.4 255.255.255.255 10.1.1.4

ip route 100.1.1.5 255.255.255.255 10.1.1.5

ip route 100.1.1.6 255.255.255.255 10.1.1.6

ip route 100.2.6.1 255.255.255.255 10.2.6.1

ip route 100.2.7.1 255.255.255.255 10.2.7.1

2. R13
interface Loopback66

ip address 3.3.3.3 255.255.255.255

interface Loopback6

ip address 66.6.6.6 255.255.255.255

ip ospf 1 area 1

interface GigabitEthernet0/2

ip address 6.6.6.13 255.255.255.0

ip ospf 1 area 0
Router bgp 1300

Neighbor 6.6.6.6 remote-as 6000

Network 3.3.3.3 mask 255.255.255.255

3. R14

interface Loopback77
ip address 4.4.4.4 255.255.255.255

interface Loopback7

ip address 77.7.7.7 255.255.255.255

ip ospf 1 area 1

interface GigabitEthernet0/2

ip address 7.7.7.14 255.255.255.0

ip ospf 1 area 0

Router bgp 1400

Neighbor 7.7.7.7 remote-as 7000

Network 4.4.4.4 mask 255.255.255.255

Using Vmange Template to Configure Vedge6 and Vedge7 to Finish 2 tasks about

Method 1: Follow the 2 Videos :

Cisco Viptela SDWAN-OSPF and BGP-Video 1

Cisco Viptela SDWAN-OSPF and BGP-Video 2

Method 2 : If it is hard for you guys to make follow Video, Post comments in the EVE-NGlab. I will
make other methods to help. But I think Videos are the best way because I share many things on
those Videos. Experience and Technologies.
==================================================================================

=====Appendix , If you guys want to set up lab from scratch , you can use the workbook below , in
fact it is for : Cisco Viptela SDWAN Control and Data Plane Part_1

Taks1: Setup vManage web management

- Setup IP web management for vManage:
Console to vManager
config t
vpn 512
interface eth0
ip address 192.168.75.11/24
no shutdown !
ip route 0.0.0.0/0 192.168.75.1

Click to User icon -> login vManage web with ip address: 192.168.10.11. Login with account:
admin/admin
Go to Administration -> Setting
Task2: Lab configuration
- vManage
vmanage# conf t
Entering configuration mode terminal
vmanage(config)# system
vmanage(config-system)# system-ip 10.1.1.1
vmanage(config-system)# site-id 1000
vmanage(config-system)# organization-name "eve-nglab"
vmanage(config-system)# vbond 10.1.1.2
vmanage(config-system)# !
vmanage(config-system)# vpn 0 int eth1
vmanage(config-interface-eth1)# ip add 10.1.1.1/24
vmanage(config-interface-eth1)# no shut
vmanage(config-interface-eth1)# exit
vmanage(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vmanage(config-vpn-0)# !
vmanage(config-vpn-0)# commit and-quit

- vBond
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# host-name vBond
vedge(config-system)# system-ip 10.1.1.2
vedge(config-system)# site-id 1000
vedge(config-system)# organization-name "eve-nglab"
vedge(config-system)# vbond 10.1.1.2 local vbond-only
vedge(config-system)# !
vedge(config-system)# vpn 512 int eth0
vedge(config-interface-eth0)# ip add 192.168.75.12/24
vedge(config-interface-eth0)# no shut
vedge(config-interface-eth0)# exit
vedge(config-vpn-512)# ip route 0.0.0.0/0 192.168.75.1
vedge(config-vpn-0)# interface ge0/0
vedge(config-interface-ge0/0)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 10.1.1.2/24
vedge(config-interface-ge0/0)# no shut
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vedge(config-vpn-0)# commit and-quit

- vSmart 1
vsmart(config-vpn-0)# system
vsmart(config-system)# system-ip 10.1.1.3
vsmart(config-system)# site-id 1000
vsmart(config-system)# organization-name "eve-nglab"
vsmart(config-system)# vbond 10.1.1.2
vsmart(config-system)# !
vsmart(config-system)# vpn 512 int eth0
vsmart(config-interface-eth0)# ip add 192.168.75.13/24
vsmart(config-interface-eth0)# no shut
vsmart(config-interface-eth0)# exit
vsmart(config-vpn-512)# ip route 0.0.0.0/0 192.168.75.1
vsmart(config-vpn-512)# !
vsmart(config-vpn-512)# vpn 0
vsmart(config-interface-eth1)# no int eth1
vsmart(config-interface-eth1)# ip add 10.1.1.3/24
vsmart(config-interface-eth1)# no shut
vsmart(config-interface-eth1)# exit
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vsmart(config-vpn-0)# !
vsmart(config-vpn-0)# commit and-quit
Commit complete.
vsmart#

- vSmart 2
vsmart(config-vpn-0)# system
vsmart(config-system)# system-ip 10.1.1.4
vsmart(config-system)# site-id 1000
vsmart(config-system)# organization-name "eve-nglab"
vsmart(config-system)# vbond 10.1.1.2
vsmart(config-system)# !
vsmart(config-system)# vpn 512 int eth0
vsmart(config-interface-eth0)# ip add 192.168.75.14/24
vsmart(config-interface-eth0)# no shut
vsmart(config-interface-eth0)# exit
vsmart(config-vpn-512)# ip route 0.0.0.0/0 192.168.75.1
vsmart(config-vpn-512)# !
vsmart(config-vpn-512)# vpn 0 int eth1
vsmart(config-interface-eth1)# no int eth0
vsmart(config-interface-eth1)# ip add 10.1.1.4/24
vsmart(config-interface-eth1)# no shut
vsmart(config-interface-eth1)# exit
vsmart(config-vpn-0)# ip route 0.0.0.0/0 10.1.1.254
vsmart(config-vpn-0)# !
vsmart(config-vpn-0)# commit and-quit
Commit complete.
vsmart#

- vEdge 6 Newyork HQ
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 100.2.6.1
vedge(config-system)# site-id 100
 vedge(config-system)# organization-name eve-nglab
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 10.2.6.1/24
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.2.6.254
vedge(config-vpn-0)# commit and-quit

- vEdge7 Singapore
vedge# conf t
Entering configuration mode terminal
vedge(config)# system
vedge(config-system)# system-ip 10.2.7.1
vedge(config-system)# site-id 2
vedge(config-system)# organization-name eve-nglab
vedge(config-system)# vbond 10.1.1.2
vedge(config-system)# vpn 0 int ge0/0
vedge(config-interface-ge0/0)# ip add 10.2.7.1/24
vedge(config-interface-ge0/0)# no shutdown
vedge(config-interface-ge0/0)# exit
vedge(config-vpn-0)# ip route 0.0.0.0/0 10.2.7.254
vedge(config-vpn-0)# commit and-quit Commit complete.

Task3: Certificate installation

- vManage

Step 1 : Create ROOTCA.key

vmanage# vshell
vmanage:~$ openssl genrsa -out ROOTCA.key
2048
Generating RSA private key, 2048 bit long modulus
........................................+++
.............................+++
e is 65537 (0x10001)
vmanage:~$

Step 2: Created ROOTCA.pem with ROOTCA.key

openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
-subj "/C=US/ST=NY/L=NY/O=eve-nglab/CN=vmanage.lab" \
-out ROOTCA.pem

Step 3: Install ROOTCA.pem

exit
 vmanage# request root-cert-chain install
/home/admin/ROOTCA.pem

Uploading root-ca-cert-chain via VPN 0

Copying ... /home/admin/ROOTCA.pem via VPN 0
Successfully installed the root certificate chain

Step 4 : Login vManage to create certificate request

Configuration → Certificates → Controllers → vManage → Generate CSR then copy

Step 5: In the vshell use vim to create a file named vmanage.csr with the text from the popup.
Create vmanage.csr with CSR code copy above.
Use vim editor to create this file in Vshell mode of Vmanage.
Vi vmanage.csr
:qw! To exit the vim file.

Step 6: And create vmanage.crt with ROOTCA.key

openssl x509 -req -in vmanage1.csr \

-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vmanage.crt -days 500 -sha256
Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=vnpro-lab/O=vIPtela
Inc/CN=vmanage_07af546c-d136-4f32-9f6d-
aa8e598a3410_0.viptela.com/[email protected]
Getting CA Private Key
Step 7 : Copy content vmanage.crt file by using “cat vmanage.crt” then install certificate on
vManage

Configuration → Certificates → Controllers → Install Certificate

- vBond:

Step 1:

vBond# request root-cert-chain install

scp://[email protected]:/home/admin/ROOTCA.pem vpn 512
Result:
Uploading root-ca-cert-chain via VPN 512
Copying ... [email protected]:/home/admin/ROOTCA.pem via VPN 512
Warning: Permanently added '192.168.10.11' (ECDSA) to the list of
known hosts.
viptela 16.2.11
[email protected]'s
password:
ROOTCA.pem 100% 1265
1.2KB/s 00:00
Successfully installed the root certificate chain
Step 2: Add vBond to vmanage:
And Vbond IP here is IP in VPN0, not VPN 512

Configuration → Certificates → Controllers → Add Controller:

Step 3 : If vbond adding unsuccessful, lets no tunnel-interface as bellow:

vBond# conf t
Entering configuration mode terminal
vBond(config)# vpn 0
vBond(config-vpn-0)# interface ge0/0
vBond(config-interface-ge0/0)# no tunnel-interface
vBond(config-interface-ge0/0)# commit
Commit complete.
vBond(config-interface-ge0/0)#

Step 4: View vBond CSR:

Configuration → Certificates → Controllers → vBond → View CSR

vManage

Step 5: On vManage, create vbond.csr with content above using VIM editor in Vshell of
Vmanage.

Step 6: Create vbond.crt from Vmange Vsell. // Sign the vbond.csr file with the ROOTCA.key
//vi vbond.csr , press i to insert data, then press ESC to escape the insert things, then press :wq! To
save file vbond.csr in Vshell of Vmanage.

openssl x509 -req -in vbond.csr \

-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vbond.crt -days 500 -sha256

Result:
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vbond_cdb5c222-0188-4384-a5c2-
8fa0b76d822f_0.viptela.com/[email protected]
Getting CA Private Key
vmanage:~$
Step 7 : Using “cat vbond.crt” to see file contents then copy and install certificate on vManage
web

Configuration → Certificates → Controllers → Install Certificate

Send certificate to vBond

Configuration → Certificates → Controllers → Send to vBond

- vSmart:
 vsmart# request root-cert-chain install
scp://[email protected]:/home/admin/ROOTCA.pem vpn 512
Result:

Uploading root-ca-cert-chain via VPN 512

Copying ... [email protected]:/home/admin/ROOTCA.pem via VPN 512
Warning: Permanently added '192.168.10.11' (ECDSA) to the list of
known hosts.

viptela 16.2.11
[email protected]'s
password:
ROOTCA.pem 100% 1265
1.2KB/s 00:00
Successfully installed the root certificate chain

Step 2 : Add vSmart to vManage web

Configuration → Devices → Controllers → Add Controller → vSmart

Step 3: View and copy vSmart CSR

Configuration → Certificates → Controllers → vSmart → View CSR:
Step 4: in Vmange :

Create vsmart1.csr file on vManage with contents viewed above using VIM editor. (I have 2
vsmarts to make backup)
Sign vsmart1.csr with ROOTCA.key ( I have 2 Vsmarts)

- vManage:

openssl x509 -req -in vsmart1.csr \

-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vsmart1.crt -days 500 -sha256
Result:

Signature ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vsmart_f35d4b87-8322-4f81-a63c-
52981f16d5e9_1.viptela.com/[email protected]
Getting CA Private Key

Using “cat vmsart6.crt” to see contents and copy then install certificate:

Configuration → Certificates → Controllers → Install Certificate

I will make for Vsmart 7 with the same procedure

vEdge:

Step 1 : on vManage, using “cat ROOTCA.pem” to see contents then create ROOTCA.pem
file on vEdge with same contents.

Step 1 : Install ROOTCA.pem on vEdge with command: request root-cert-chain

install /home/admin/ROOTCA.pem
The purpose is to SCP the ROOTCA.pem from Vmanage to Vedge
The interesting here is using VPN 0. request root-cert-chain install
scp://[email protected]:/home/admin/ROOTCA.pem vpn 0
//if we have OAM to this Vedge
Or can use this command : request root-cert-chain install
scp://[email protected]:/home/admin/ROOTCA.pem vpn 512

request root-cert-chain install scp://[email protected]:/home/admin/ROOTCA.pem vpn 0

vedge# request root-cert-chain install /home/admin/ROOTCA.pem

Result:
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

Step 2 : Create vedge01.csr file : Do it on Vedge using below command

 request csr upload /home/admin/vedge7.csr

Uploading CSR via VPN 0

Enter organization-unit name : sdwan
Re-enter organization-unit name : sdwan
Generating private/public pair and CSR for this vedge device
Generating CSR for this vedge device ........[DONE]
Copying ... /home/admin/vedge01.csr via VPN 0
CSR upload successful

Step 3: Using “cat vedge06.csr” to copy contents and create vedge06.csr file on
vManage. Create vedge06.crt with command bellow: vMange:

openssl x509 -req -in vedge5.csr \

-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
-out vedge5.crt -days 500 -sha256

openssl x509 -req -in vedge06.csr\

-CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial\
-out vedge06.crt -days 500 -sha256

Result: Signature
ok
subject=/C=US/ST=California/L=San Jose/OU=eve-nglab/O=vIPtela
Inc/CN=vedge-368755e1-cfc9-4dbe-984e-
9a8d7e3f41f90.viptela.com/emailAddress=support@viptela
.com Getting CA Private Key

Step 4 : On vedge06, create vedge06.crt same contents with file on vManage then install with
command bellow: Note in Normal mode, not Vshell mode

request certificate install scp://[email protected]:/home/admin/vedge06.crt

!you can use the command on the box too. But I love to use the command with SCP

request certificate install scp://[email protected]:/home/admin/vedge7.crt

vedge# request certificate install /home/admin/vedge06.crt

Result:
Installing certificate via VPN 0
Copying ... /home/admin/vedge01.crt via VPN 0
Successfully installed the certificate

Check serial number:

vedge# show certificate serial

Chassis number: 368755e1-cfc9-4dbe-984e-9a8d7e3f41f9 serial
number: BB36DBCE6DF33852

Create text file with code: 368755e1-cfc9-4dbe-984e-9a8d7e3f41f9,BB36DBCE6DF33852

Do the same with vedge06. Check serial and add to text file.

Task 4: Upload vEdge list

Method 1: For this lab , you just upload Vedgelist from your computer to Vmanage
Method 2: it is working for SDWAN lab 1 by Rakus. He made PC on EVE.
Upload vedge file to vManage

Send vedge list to controller

Configuration → Certificates → vEdge List → Send to Controllers

Validate vEdges

Configuration → Certificates → vEdge List → (vEdge) → Valid

Then send to controller after valid all vedge

- Configure tunnel

vManage/Smart
vpn 0 interface eth1
tunnel-interface

vBond
vpn 0
interface
ge0/0
tunnel-interface encapsulation ipsec

Task 5: Verification:

vmanage# show control connections

PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE
PEER PUBLIC INSTANCE
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT
PUBLIC IP PORT REMOTE COLOR STATE UPTIME
-----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
0 vedge dtls 3.1.1.1 2 1 172.17.0.2
12346 172.17.0.2 12346 default up 0:00:00:34
0 vsmart dtls 1.1.1.3 1000 1 10.1.1.3
12346 10.1.1.3 12346 default up 0:00:00:28
0 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:47
1 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:46
2 vedge dtls 2.1.1.1 1 1 172.16.0.2
12346 172.16.0.2 12346 default up 0:00:00:29
2 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:47
3 vbond dtls 1.1.1.2 0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:47

vsmart# show control connections

PEER PEER
PEER PEER PEER SITE DOMAIN PEER
PRIVATE PEER PUBLIC
INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP
PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
-----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
0 vedge dtls 2.1.1.1 1 1 172.16.0.2
12346 172.16.0.2 12346 default up 0:00:00:53 0
vedge dtls 3.1.1.1 2 1 172.17.0.2 12346
172.17.0.2 12346 default up 0:00:00:58 0 vbond
dtls - 0 0 10.1.1.2 12346 10.1.1.2
12346 default up 0:00:01:00 0 vmanage dtls
1.1.1.1 1000 0 10.1.1.1 12346 10.1.1.1 12346
default up 0:00:00:52 1 vbond dtls -
0 0 10.1.1.2
12346 10.1.1.2 12346 default up 0:00:00:59

vedge# show control connections

PEER PEER
CONTROLLER
PEER PEER PEER SITE DOMAIN PEER
PRIV PEER PUB
GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP
PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE
UPTIME ID
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
----------------------
vsmart dtls 1.1.1.3 1000 1 10.1.1.3
12346 10.1.1.3 12346 default No up
0:00:04:40 0
vbond dtls 0.0.0.0 0 0 10.1.1.2
12346 10.1.1.2 12346 default - up
0:00:09:29 0
vmanage dtls 1.1.1.1 1000 0 10.1.1.1
12546 10.1.1.1 12546 default No up
0:00:04:40 0