In my last blog we saw how to get signed certificates installed on the controllers of a Viptela fabric. Continuing that discussion, this blog covers how to obtain the whitelist file (serial.viptela) for your edge devices. So let's start!
Since Viptela supports ZTP (Zero Touch Provisioning), a whitelist is used to make the controllers aware in advance of the edge devices (cEdges and vEdges) that are allowed to be onboarded onto the fabric. To do this, one has to upload the serial.viptela file, i.e. the whitelist of the edge devices purchased from Cisco, so that the controllers can authenticate an edge router when it tries to reach them over a DTLS/TLS connection. For this to work, the controller needs to know the serial number/chassis number of the device: the edge router and the controller validate each other's certificates (same root CA and org-name), and in addition the controller checks that the chassis number the edge presents is on the whitelist. An edge with a valid certificate but no whitelist entry is still rejected. So the question is, how do we get the serial.viptela file?
There are two possible approaches to get the file. The rule of thumb, of course, is that one has to have access to the Smart Account on the Cisco PnP portal. A whitelist can be generated for two kinds of device:
> serial.viptela file for the physical boxes (cEdge/vEdge)
> serial.viptela file for the virtual routers (vEdge Cloud/CSR)
In both cases we first need an appropriate controller profile created and ready, which the edge routers will use for the vBond and org-name details. To create a controller profile, log in to the Cisco Smart Account as below.
> Click on Plug and Play Connect under the Network Plug & Play option.
> Select the appropriate virtual account, go to Controller Profiles and click on Add Profile.
> Select the controller type vBond and click Next. Fill in the Profile Name, Org-name and primary controller details. If you choose to provide a hostname for the vBond, make sure it resolves to the correct vBond IP via DNS (the edge routers will resolve it during onboarding); otherwise select IP and provide the vBond IP address directly.
Note - if this is your only controller profile, you will have to set the Default Profile option to "yes".
> Review the details and click Submit. With this, our controller profile is ready to be used for the whitelist.
Let us take a look at Whitelist creation one by one.
Option 1 > serial.viptela file for the physical boxes (cEdge/vEdge)
If the customer has physical cEdge or vEdge routers, we need to upload the serial numbers of the routers along with their PID information.
Again go to Cisco Software Central >> Plug and Play Connect >> virtual account and select the Devices option.
Under Add Devices there are two options: either add each device manually every time we onboard routers, or, if we already have the details, prepare a CSV file of all the edge routers and upload it to the portal in one go.
If you select Enter Device Info Manually, click "+ Identify Device" and fill in the device details. The Serial Number and Base Product ID are mandatory. Make sure to select the correct controller profile for the device, since that profile determines which vBond and org-name the device will be tied to.
Click Save, Next and Submit.
Add the other edge devices in the same way. Once all the edge routers are added, it is time to download the whitelist serial.viptela file.
Go to the Controller Profiles tab and download the provisioning file for the corresponding controller profile.
Now that we have the whitelist serial.viptela file, go to the vManage dashboard (Configuration > Devices) and upload the file on the vManage controller.
Make sure to tick the option "Validate the uploaded vEdge list and send to controllers". This pushes the new/updated serial file from vManage to the other controllers on the fabric; until the list has been validated and sent, the vBond and vSmart do not know about the new devices and will reject their control connections. We can now log in to the routers and configure them, and they should form control connections with the controllers successfully.
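Because the uploaded list is the fabric's authorization list, it is worth sanity-checking a bulk CSV before it goes to the portal: a duplicated serial number, a row with no Base PID, or a row tied to the wrong controller profile means a device that either fails onboarding or ends up bound to the wrong vBond. The script below is an added example and not part of the original post or of any Cisco tool; the column names ("Serial Number", "Base PID", "Controller Profile") are an assumption and should be adjusted to match the template downloaded from the PnP portal, and the CSV content is constructed for illustration.

```python
"""Pre-upload sanity check for a PnP Connect device CSV (added example, not from the post).

Assumption: the CSV uses the columns "Serial Number", "Base PID" and
"Controller Profile"; rename them to match the portal's template.
"""
import csv
import io

REQUIRED_COLUMNS = ("Serial Number", "Base PID", "Controller Profile")

# Constructed sample: a good row, a duplicate serial, a row with no PID,
# and a row that points at the wrong controller profile.
SAMPLE_CSV = """Serial Number,Base PID,Controller Profile
JAE12345ABC,vEdge-1000,MyVbondProfile
JAE12345ABC,vEdge-1000,MyVbondProfile
FGL987XYZ12,,MyVbondProfile
FGL111QQQ22,ISR4331/K9,OtherProfile
"""


def check_device_csv(text, expected_profile):
    """Return a list of problems found in the CSV; an empty list means it is safe to upload.

    Checks: required columns present, every serial non-empty and unique
    (compared case-insensitively), every row has a Base PID, and every row
    uses the controller profile the operator expects.
    """
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return ["missing columns: " + ", ".join(missing)]

    seen = {}  # normalized serial -> CSV line number where it first appeared
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        serial = (row["Serial Number"] or "").strip().upper()
        pid = (row["Base PID"] or "").strip()
        profile = (row["Controller Profile"] or "").strip()

        if not serial:
            problems.append(f"line {line_no}: empty serial number")
        elif serial in seen:
            problems.append(f"line {line_no}: serial {serial} duplicates line {seen[serial]}")
        else:
            seen[serial] = line_no

        if not pid:
            problems.append(f"line {line_no}: empty Base PID for {serial or '?'}")

        if profile != expected_profile:
            problems.append(
                f"line {line_no}: controller profile {profile!r} is not {expected_profile!r}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_device_csv(SAMPLE_CSV, "MyVbondProfile"):
        print(problem)
```

Run it against the real CSV and the profile name you created in the portal; fix every reported line before uploading, since the portal will happily accept a syntactically valid file that binds a device to the wrong profile.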
Option 2 > serial.viptela file for the virtual routers (vEdge Cloud/CSR1000v).
For virtual devices we again log in to the PnP portal and go to Devices. Here we select + Add Software Devices and click Add Software Device.
Select the Base Product ID of the device along with the quantity, and choose the appropriate controller profile for the devices. Note that since we are adding virtual devices, there is no serial number/chassis number to provide.
Click Save, Next and Submit. You should now be able to download the provisioning file (serial.viptela) for the software devices against the corresponding controller profile. Go back to the vManage dashboard and upload the whitelist file as before.
But we are not done yet! For software devices, the serial.viptela entries carry a portal-generated chassis number and a one-time token instead of the serial number of a real chassis. Also, these virtual routers do not have any certificate installed, unlike the physical boxes, which have a TPM chip holding their certificate. So how do we move ahead?
The answer is "using a bootstrap configuration and generating an OTP".
Using the Generate Bootstrap option, the user associates a virtual router (vEdge Cloud or CSR1000v) with one of the chassis ID/token pairs that were uploaded to vManage via the whitelist.
To do so, go to the dashboard, select Devices, pick a chassis/token entry that is not yet in use, and generate the bootstrap configuration.
The bootstrap config contains the OTP together with the root certificate, org-name and vBond details for the corresponding chassis number, so that the virtual router can use it to request its certificate from vManage and get it installed. We can also download the bootstrap file and inspect its contents.
Once this is done, log in to the virtual router and request a certificate from vManage using the chassis number and token for which the bootstrap config was generated, with the command "request vedge-cloud activate chassis-number <chassis-id> token <token>" (on a CSR1000v cEdge the equivalent is "request platform software sdwan vedge_cloud activate chassis-number <chassis-id> token <token>"). Before you do this, make sure the virtual router has its base system configuration (system IP, site ID, org-name and vBond) and reachability to vManage. The token is a one-time password: once a device has been activated with it, the same token cannot be reused for another router.
This sends a request to vManage, which issues the signed certificate and installs it on the vEdge Cloud/CSR router. After that, control connections between the virtual router and the controllers are established.
You can verify it using "show control connections", "show certificate installed" and "show control local-properties" (on a cEdge the same commands are prefixed with "show sdwan", e.g. "show sdwan control connections"). The local-properties output should show the chassis number you activated and a certificate status of installed.
That's it for this blog! We shall discuss how to upgrade a Viptela fabric in my next blog.