Cisco SDWAN Viptela - Whitelist Serial.Viptela File


Hi Everyone, 

In my last blog we saw how to get signed certificates installed on the controllers of a Viptela fabric. Continuing that discussion, in this blog we shall look at how to get the whitelist serial.viptela file for your edge devices. So let's start!

Since Viptela supports ZTP (Zero Touch Provisioning), we use a whitelist so that the controllers know in advance which edge devices (cEdges and vEdges) will be on-boarded onto the fabric. To do this, one has to upload the serial.viptela file, aka the whitelist of the edge devices purchased from Cisco, so that the controllers can authenticate an edge router when it tries to communicate with them over a DTLS/TLS connection. For this to happen, the controller needs to know the serial number/chassis number of the device so that two-way authentication can succeed. So the question arises: how do we get the serial.viptela file?

There are two ways to get the file. The thumb rule, of course, is that one has to have access to the Smart Account on the Cisco PnP portal. A whitelist can be generated for two types of device, i.e.

> serial.viptela file for the Physical Boxes (cedge/vedge)

> serial.viptela file for the Virtual Routers (vedge cloud/ CSR)

In both cases, we first need to ensure we have an appropriate controller profile created and ready; the edge routers will use it to obtain the vBond and org-name details. To create a controller profile, log in to the Cisco Smart Account as below.

> Login on https://software.cisco.com/

> Click on Plug and Play Connect under the Network Plug and Play option.

1.JPG

> Select the appropriate virtual account, go to Controller Profiles and click on the Add Profile option.

2.JPG

> Select the controller type as vBond and click Next. Fill in the Profile Name, Org-name and primary controller details. If you choose to provide a host-name for the vBond, make sure it resolves to the correct vBond IP via DNS. Otherwise, select IP and provide the vBond IP address.

3.JPG

Note - if this is your only controller profile, you will have to set the Default Profile option to "yes".

> Review the details and click on Submit. With this, our controller profile is ready to be used for the whitelist.

Let us take a look at Whitelist creation one by one.

Option 1 > serial.viptela file for the Physical Boxes (cedge/vedge)

If the customer has physical cEdge or vEdge routers, we need to upload the serial numbers of the routers along with the PID information.

Again go to Cisco Software Central >> Plug and Play Connect >> virtual account and select the Devices option.

4.JPG

On Add Devices, we have two options. Either we add each device one by one every time we on-board routers, or, if we have the details, we create a CSV file of all the edge routers and upload it to the portal.

6.JPG

If you select the option Enter Device Info Manually, click on "+ Identify Device" and fill in the device details. It will ask you to enter the Serial Number of the device and the Base Product ID as mandatory details. Make sure to select the correct controller profile for the device.

7.JPG

Click on Save, Next and Submit.

Add the other required edge devices in the same way. Once you are done adding the edge routers, it is time to download the whitelist serial.viptela file.
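A mistake in the CSV (a mistyped or duplicated serial, a device with no controller profile) only shows up later as an edge router that never authenticates to vBond, so it pays to check the file before uploading it. The script below is an added example, not part of this blog or of Cisco's tooling; the column names are an assumption (take the real header row from the CSV template offered on the Plug and Play Connect portal) and the sample rows are constructed.

```python
"""Pre-upload sanity check for a PnP Connect device CSV (constructed example)."""
import csv
import io
import re

# Assumed column names; the real ones come from the portal's CSV template.
REQUIRED_COLUMNS = ("serial_number", "base_pid", "controller_profile")

# Cisco hardware serials are upper-case letters and digits; the length bound
# is deliberately loose so that it does not reject unusual chassis types.
SERIAL_RE = re.compile(r"^[A-Z0-9]{8,20}$")


def _norm(header: str) -> str:
    """'Serial Number' -> 'serial_number' so the template header can be matched."""
    return header.strip().lower().replace(" ", "_")


def validate_whitelist_csv(csv_text: str) -> list:
    """Return a list of problems found; an empty list means the file is clean."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    header = [_norm(h) for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return [f"missing required column(s): {', '.join(missing)}"]

    seen = {}  # canonical serial -> line number where it was first seen
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row = {_norm(k): (v or "").strip() for k, v in row.items() if k}
        serial = row["serial_number"].upper()
        if not SERIAL_RE.fullmatch(serial):
            problems.append(f"line {line_no}: serial {row['serial_number']!r} is not a valid serial")
        elif serial in seen:
            problems.append(f"line {line_no}: serial {serial} duplicates line {seen[serial]}")
        else:
            seen[serial] = line_no
        if not row["base_pid"]:
            problems.append(f"line {line_no}: base_pid is empty")
        if not row["controller_profile"]:
            problems.append(f"line {line_no}: controller_profile is empty "
                            "(device would not receive vBond/org-name details)")
    return problems


# Constructed sample: one good row, one duplicate (different case), one bad
# serial with no profile, and one row with no PID.
SAMPLE_CSV = """\
Serial Number,Base PID,Controller Profile
FGL2123ABCD,ISR4331/K9,LAB-VBOND
fgl2123abcd,ISR4331/K9,LAB-VBOND
JAE-1234,ISR4451-X/K9,
FDO9876XYZW,,LAB-VBOND
"""

if __name__ == "__main__":
    for problem in validate_whitelist_csv(SAMPLE_CSV):
        print(problem)
```

Run it against the CSV you intend to upload; only an empty result means the file is worth submitting. Serials are compared case-insensitively because the portal treats them as the device's identity, and two rows for the same box will otherwise be accepted silently.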

Go to the Controller Profiles tab and download the provisioning file for the corresponding controller.

8.JPG

Now that we have the whitelist serial.viptela file, we can go to the Viptela dashboard and upload the file on the vManage controller.

9.JPG

Make sure to select the option Validate vEdge list and send to controllers. This pushes the new/updated serial file from vManage to the other controllers on the fabric. We can now log in to the routers and configure the box; it should form control connections with the controllers successfully.

 

Option 2 > serial.viptela file for the Virtual Routers (vedge cloud/ CSR).

For virtual devices we again need to log in to the PnP portal and go to Devices. Here we select + Add Software Devices and click on Add Software Device.

10.JPG

Select the Base Product ID for the device along with the quantity and choose the appropriate controller profile for the devices. Note, since we are adding virtual devices, there is no need to provide the serial number/chassis number of the devices.

11.JPG

Click on Save, Next and Submit. You should now be able to download the provisioning file (serial.viptela file) for the software devices against the corresponding controller profile. Again, go back to the vManage dashboard and upload the whitelist file.

But we are not done yet! For software devices, the serial.viptela file does not carry the serial number or UUID of the virtual routers. Also, these virtual routers do not have any certificates installed, unlike physical boxes, which have a TPM chip holding their certificates. So how do we move ahead?

The answer is "using a bootstrap configuration and generating an OTP".

Using the Generate Bootstrap option, the user can associate a virtual router (vEdge Cloud or CSR1K) with a token and chassis ID that were uploaded to vManage via the whitelist.

To do so, go to the dashboard, select Devices, pick a chassis/token number that is not yet used and generate the bootstrap config.

12.JPG

This bootstrap config creates an OTP along with the certificates, org name, etc. for the corresponding token number, which the virtual router can then use to request a certificate from vManage and get it installed. We can also download the bootstrap file and check its details.

13.JPG

Once this is done, log in to the required virtual router and request a certificate from vManage using the token and chassis number for which the bootstrap config was generated. Use the command "request vedge-cloud activate chassis <> token <>". Before you do this, make sure the virtual router has the appropriate base system configuration and has reachability to vManage.

14.JPG

This sends a request to vManage and the certificates are installed on the vEdge/CSR router, after which control connections between the virtual router and the controllers are established successfully.
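The two on-boarding paths described above come down to the same admission decision on the controller side: a physical box is matched on the chassis number plus the serial bound to its TPM-backed certificate, while a virtual router is matched on the chassis number plus the one-time token from the bootstrap config, which must not work twice. The model below is an added example written for this post, not Viptela's code; the "chassis,cert_serial,token" line format and all device names and tokens are constructed for illustration (the real serial.viptela file is not a plain CSV), and the token-consumed behaviour is modelled, not taken from the controller implementation.

```python
"""Model of controller-side whitelist admission for physical and virtual edges (constructed)."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class WhitelistEntry:
    chassis: str
    cert_serial: Optional[str] = None  # physical box: serial tied to the TPM-backed certificate
    token: Optional[str] = None        # virtual router: OTP from the generated bootstrap config
    token_used: bool = False


@dataclass
class Whitelist:
    entries: Dict[str, WhitelistEntry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)  # decisions, in the form an operator would grep

    @classmethod
    def from_serial_file(cls, lines: Iterable[str]) -> "Whitelist":
        """Parse constructed 'chassis,cert_serial,token' lines (assumed format, not the real file)."""
        wl = cls()
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = [p.strip() for p in line.split(",")]
            if len(parts) != 3:
                raise ValueError(f"malformed whitelist line: {line!r}")
            chassis, cert_serial, token = parts
            wl.entries[chassis] = WhitelistEntry(chassis, cert_serial or None, token or None)
        return wl

    def _deny(self, chassis: str, reason: str) -> bool:
        self.log.append(f"DENY chassis={chassis} reason={reason}")
        return False

    def admit_physical(self, chassis: str, presented_serial: str) -> bool:
        """Physical cEdge/vEdge: identity is the whitelisted chassis plus its certificate serial."""
        entry = self.entries.get(chassis)
        if entry is None:
            return self._deny(chassis, "chassis not in whitelist")
        if entry.cert_serial is None:
            return self._deny(chassis, "entry is a software device, no certificate serial on file")
        if not hmac.compare_digest(entry.cert_serial, presented_serial):
            return self._deny(chassis, "certificate serial mismatch")
        self.log.append(f"ALLOW chassis={chassis} auth=certificate")
        return True

    def admit_virtual(self, chassis: str, presented_token: str) -> bool:
        """vEdge Cloud/CSR: identity is the chassis plus a one-time bootstrap token."""
        entry = self.entries.get(chassis)
        if entry is None:
            return self._deny(chassis, "chassis not in whitelist")
        if entry.token is None:
            return self._deny(chassis, "no bootstrap token generated for this chassis")
        if entry.token_used:
            return self._deny(chassis, "token already consumed")
        if not hmac.compare_digest(entry.token, presented_token):
            return self._deny(chassis, "token mismatch")
        entry.token_used = True  # modelled: a token activates exactly one router
        self.log.append(f"ALLOW chassis={chassis} auth=one-time-token")
        return True


# Constructed whitelist: one physical ISR, one vEdge Cloud with a bootstrap
# token generated, and one vEdge Cloud whose bootstrap was never generated.
SAMPLE_SERIAL_FILE = """\
# chassis,cert_serial,token
ISR4331-FGL2123ABCD,FGL2123ABCD,
vedge-cloud-0001,,tok-constructed-1
vedge-cloud-0002,,
""".splitlines()

if __name__ == "__main__":
    wl = Whitelist.from_serial_file(SAMPLE_SERIAL_FILE)
    wl.admit_physical("ISR4331-FGL2123ABCD", "FGL2123ABCD")
    wl.admit_virtual("vedge-cloud-0001", "tok-constructed-1")
    wl.admit_virtual("vedge-cloud-0001", "tok-constructed-1")  # replay: denied
    wl.admit_virtual("vedge-cloud-0002", "tok-constructed-1")  # no bootstrap generated: denied
    print("\n".join(wl.log))
```

The point the model makes is the reason for the extra bootstrap step on virtual routers: a software device has nothing like a TPM to anchor its identity, so the only thing the controller can check is that the presented token matches the chassis it was generated for and has not already been spent. Keeping a decision log like the one above is also what lets you explain a router that sits with no control connections after "request vedge-cloud activate".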

You can verify it using show control connections, show cert installed and show control local-properties.

That's it for this blog, guys! We shall discuss how to upgrade the Viptela fabric in my next blog.

 

Happy Blogging! Cheers.

Rajiv Yadav
