Residue of the preceding slide (WAN transport options), Option 1, Service Provider Delivered: Cost: high (per-segment MPLS VPN); Restrictive: MPLS only, not Hybrid WAN.
7. Commit the configuration
– vBond(config)# commit and-quit
Add vBond to the Overlay Network
Add a vBond orchestrator to the network, automatically generate the CSR, and install the signed certificate
1. In vManage NMS, select the Configuration ► Devices screen.
2. In the Controllers tab, click Add Controller and select vBond.
3. Select the Generate CSR checkbox so that the CSR is generated automatically and can be signed.
Configure tunnel interface on both vManage and vBond
1. On vBond
– vpn 0
– interface ge0/0
– tunnel-interface
– encapsulation ipsec
– allow-service all
2. On vManage
– vpn 0
– interface eth0
– tunnel-interface
– allow-service all
Initial Configuration for the vSmart Controller
1. Open a CLI session to the Viptela device via SSH.
2. Log in as the user admin, using the default password, admin. The CLI prompt is displayed.
3. Enter configuration mode:
– vSmart# config
– vSmart(config)#
4. Configure the hostname:
– Viptela(config)# system host-name hostname
5. Configure the system IP address.
– vSmart(config-system)# system-ip ip-address
6. Configure the numeric identifier of the site where the device is located:
– vSmart(config-system)# site-id site-id
7. Configure the numeric identifier of the domain in which the device is located:
– vSmart(config-system)# domain-id domain-id
8. Configure the IP address of the vBond orchestrator or a DNS name that points to the vBond orchestrator.
– vSmart(config-system)# vbond (dns-name | ip-address)
9. Configure an interface in VPN 0 to be used as a tunnel interface.
– vSmart(config)# vpn 0
– vSmart(config-vpn-0)# interface interface-name
– vSmart(config-interface)# (ip dhcp-client | ip address prefix/length)
– vSmart(config-interface)# tunnel-interface
– vSmart(config-tunnel-interface)# allow-service all
Add the vSmart Controller to the Overlay Network
1. In vManage NMS, select the Configuration ► Devices screen.
2. In the Controllers tab, click Add Controller and select vSmart.
Firewall Ports and Server Sizing
Firewall Ports
https://docs.viptela.com/Product_Documentation/Getting_Started/04Viptela_Overlay_Network_Bringup/01Bringup_Sequence_of_Events/Firewall_Ports_for_Viptela_Deployments
Server Sizing (on-prem controllers)
https://docs.viptela.com/Product_Documentation/Getting_Started/Hardware_and_Software_Installation/Server_Hardware_R
Controllers Certificates configuration
Certificates
vManage Certificates Authorization settings
vManage Certificate signing methods
Certificate Generation
Certificate-Generation Method selection
Automatically Generate a Certificate
Manually Generate a Certificate
Manual vManage CA Signing
Security Parameters
Configuration
Control Plane Security Parameters
View control plane security information:
show control connections
• By default, the control plane uses DTLS as the protocol that provides privacy on all its tunnels.
• This can be changed on vSmart to TLS running over TCP.
– vSmart(config)# security control protocol tls
• This makes all control tunnels between vSmart and the vEdge routers/vManage use TLS. Tunnels to vBond are always DTLS.
• To change the default TLS port number from 23456:
– vSmart(config)# security control tls-port number<1025 – 65535>
• Using TLS on vManage requires port forwarding for NAT.
TLS configuration
View the number of forwarded ports, which depends on the number of vdaemon processes running
View the TLS listening ports
Data Plane Security Parameters
• By default, IPsec is enabled on all vEdge routers, using AH-SHA1 HMAC/ESP HMAC-SHA1 for authentication.
• The authentication method can be changed with:
– vEdge(config)# security ipsec authentication-type [ah-no-id | ah-sha1-hmac | none | sha1-hmac]
• Authentication between two vEdge routers adopts the strongest authentication type combination.
• Change the IPsec rekeying timer from the default of 86400 seconds with:
– vEdge(config)# security ipsec rekey seconds<10 – 1209600>
– “request security ipsec-rekey” to rekey immediately.
• To modify the anti-replay window size from the default of 512:
– vEdge(config)# security ipsec replay-window number<64 –
IPsec configuration
Shows the local SPI is 256
Shows the local SPI is 257 after the request
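A configuration-audit helper for the control plane and data plane security parameters above, added here as an example (it is not Viptela code). It parses the one-line `security control ...` / `security ipsec ...` CLI form shown on the slides, fills in the slide-stated defaults, and flags weak or out-of-range values; the sample vEdge config is constructed.

```python
import re

# Limits and defaults as stated on the slides (constructed example, not Viptela code)
TLS_PORT_RANGE = (1025, 65535)
REKEY_RANGE = (10, 1209600)  # seconds
REPLAY_WINDOW_MIN = 64
AUTH_TYPES = {"ah-no-id", "ah-sha1-hmac", "none", "sha1-hmac"}
DEFAULTS = {"control protocol": "dtls", "control tls-port": "23456", "ipsec rekey": "86400",
            "ipsec authentication-type": "ah-sha1-hmac sha1-hmac", "ipsec replay-window": "512"}
LINE_RE = re.compile(r"^security\s+(control|ipsec)\s+(\S+)\s+(.+?)\s*$")

def parse_security(config_text):
    # Collect 'security <scope> <key> <value>' lines over the defaults; other lines are ignored
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            scope, key, value = m.groups()
            settings[f"{scope} {key}"] = value
    return settings

def audit_security(settings):
    # Return 'SEVERITY: message' strings for weak or out-of-range settings
    out = []
    if settings["control protocol"] == "tls":
        out.append("INFO: control protocol tls; vBond tunnels stay DTLS and NAT needs port forwarding")
    port = int(settings["control tls-port"])
    if not TLS_PORT_RANGE[0] <= port <= TLS_PORT_RANGE[1]:
        out.append(f"ERROR: tls-port {port} outside {TLS_PORT_RANGE}")
    auths = set(settings["ipsec authentication-type"].split())
    if not auths <= AUTH_TYPES:
        out.append(f"ERROR: unknown authentication-type {sorted(auths - AUTH_TYPES)}")
    elif auths == {"none"}:
        out.append("HIGH: authentication-type none leaves data plane tunnels without integrity protection")
    rekey = int(settings["ipsec rekey"])
    if not REKEY_RANGE[0] <= rekey <= REKEY_RANGE[1]:
        out.append(f"ERROR: rekey {rekey} outside {REKEY_RANGE}")
    window = int(settings["ipsec replay-window"])
    if window < REPLAY_WINDOW_MIN:
        out.append(f"ERROR: replay-window {window} below the minimum of {REPLAY_WINDOW_MIN}")
    return out

# Constructed sample vEdge config: TLS control plane, no IPsec authentication, tiny replay window
SAMPLE_CONFIG = """\
system host-name vEdge-1
security control protocol tls
security ipsec authentication-type none
security ipsec rekey 86400
security ipsec replay-window 32
"""
```

Calling `audit_security(parse_security(SAMPLE_CONFIG))` yields one INFO, one HIGH and one ERROR finding; a config that keeps the slide defaults yields none.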
Overlay Routing and Fabric Bring Up
Overlay Routing
Diagram: a traditional IPsec network runs IKE+IPsec between sites (quadratic control plane complexity, O(n^2)); in SD-WAN each vEdge (system IP 1.1.1.1, transports INET and MPLS) runs OMP over DTLS/TLS to the vSmart controllers (system IPs 1.1.1.53 and 1.1.1.54), with IPsec carrying the data plane (linear control plane complexity, O(n)).
• OMP peering establishes between vEdge routers and vSmart Controllers and between vSmart Controllers
- Between System IPs
- Over TLS/DTLS connections
• Dramatic control plane complexity reduction
Overlay Routing: TLOC Routes
• Routes connecting locations to physical networks
• Advertised to vSmart controllers
• Most prominent attributes:
- Site-ID
- Encap-SPI
- Encap-Authentication
- Encap-Encryption
- Public IP
- Public Port
- Private IP
- Private Port
- BFD-Status
- Tag
- Preference
- Weight
Diagram: a vEdge with MPLS and INET transports advertises its TLOCs to vSmart in an OMP Update; its service-side routes are Connected, Static and Dynamic (OSPF/BGP).
Overlay Routing: OMP Routes
• Routes learnt from the local service side
• Advertised to vSmart controllers
• Most prominent attributes:
- TLOC
- Site-ID
- Label
- VPN-ID
- Tag
- Preference
- Originator System IP
- Origin Protocol
- Origin Metric
Diagram: a vEdge with MPLS and INET transports advertises the Connected and Static routes learnt on its service side to vSmart in an OMP Update.
Overlay Routing: Network Service Routes
• Routes for advertised network services, i.e. Firewall, IDS, IPS, generic
• Advertised to vSmart controllers
• Most prominent attributes:
- VPN-ID
- Service-ID
- Label
- Originator System IP
- TLOC
Diagram: a vEdge with MPLS and INET transports advertises a network service (Firewall) to vSmart in an OMP Update.
OMP
Diagram: each vEdge advertises its local TLOCs (System IP, Color, Encap, Pub IP/Port, Priv IP/Port) to the vSmarts in OMP TLOC routes; the vSmarts advertise the TLOCs to the vEdges in OMP TLOC routes; the SD-WAN fabric is built with TLOCs as tunnel endpoints.
Data Plane Establishment
Diagram: Transport Locators (TLOCs) on the MPLS and INET transports terminate the IPsec tunnels between vEdges; BFD runs over each IPsec tunnel for quality and liveliness detection.
Introduction to vManage Web Interface
vManage Web Interface
Dashboard
Dashboard - Device Pane
Dashboard - Reboot Pane
Dashboard - Certificate Pane
Dashboard - Control Status Pane
Dashboard - Site Health View Pane
Dashboard - Transport Interface Distribution
Dashboard - vEdge Inventory Pane
Dashboard - vEdge Health Pane
Dashboard – Transport Health Pane
Dashboard – Top Applications Pane
Monitor Tab
Monitor Tab - Geography
The Geography screen provides a map displaying the geographic location of the Viptela devices.
Monitor Tab - Network
Use the Network screen to display a list of Viptela devices in the overlay network and to display detailed information about individual devices.
Monitor Tab - Events
Use the Events screen to display detailed information on events generated by Viptela devices.
Monitor Tab – Audit Log
Use the Audit Log screen to display a log of all activities on Viptela devices.
Monitor Tab – Alarm
Use the Alarms screen to display detailed information about alarms generated by controllers and routers in the overlay network.
Monitor Tab – Send Alarm Notifications
Use the ACL Log screen to view logs for access lists (ACLs) configured on a vEdge router. Routers collect ACL logs every 10 minutes.