Activation of vEdgeCloud/C8000V routers using CLI activate command.

muthumohan
Level 1

Hello all,

My question is about activating the vEdgeCloud/C8000V virtual routers using the "request platform software sdwan vedge_cloud activate ..." command.

After you issue the "activate" command on the CLI, how does this router learn the IP of the vManage? At this moment, the router only knows the IP of vBond. But the router cannot authenticate to vBond (to learn the IP of vManage) because it does not have the certificate/serial number yet. So, my question is, how does the vEdgeCloud/C8000V get in touch with vManage for installing its certificate etc.?

My search on Cisco documentation for this did not yield any results. I am sure you can help.

Thanks,
Mohan Muthu


Hi,

The router can authenticate vBond and the other controllers: it checks the organization-name and the validity of the controller's certificate.

However, in order to authenticate the router, vBond uses the chassis-number and token as temporary information. Then vBond provides the vManage information, vManage creates a CSR/certificate for the node, and pushes this information and the root chain to the router. From then on the router uses the certificate for any further authentication.

"vEdge cloud routers, ISRv routers, CSR1000v routers, and Cisco ASR 1002-X routers do not have device certificates pre-installed. Each device uses a One Time Password (OTP)/Token that is generated by vManage and configured during device deployment for the purpose of a temporary identity. Once the device is temporarily authenticated, a permanent identity is provided by vManage, which can operate as a Certificate Authority (CA) to generate and install certificates for these devices.

The figure below shows:

1. The vManage acting as a Certificate Authority (CA) for WAN Edge cloud routers and the ASR 1002-X.
2. vManage distributes the Viptela root certificate to vBond and vSmart in order for them to validate the WAN Edge cloud identity.
3. Once the WAN Edge routers are authenticated via OTP, the vManage CA issues them Viptela-signed certificates that are used from then on for authentication."

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html

The device uses the newly associated information (chassis-number and token), with the vBond and organization-name information to successfully authenticate and be a part of the SD-WAN overlay network.

Following the authentication for the first time using the one-time password, the vManage will generate a root CA certificate and unique serial number for the device, distribute it to the WAN Edge router and also update other SD-WAN controllers. From this point, any proceeding authentication that the vEdge-cloud performs uses the unique serial number and the installed certificate.

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-wan-edge-onboarding-deploy-guide-2020nov.pdf

(page 29, step #2)

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
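The two-phase onboarding the reply describes, as an added model in Python that is not Cisco's code and not part of the original post: a toy RSA stands in for real certificates, and the organization-name, chassis-number, token and vManage address are constructed values. It shows why the router can validate vBond before it owns any certificate (it only needs the root chain and the organization-name), how the chassis-number plus one-time token serve as the temporary identity, and that the token is useless once the vManage-issued certificate takes over.

```python
import hashlib
# Toy textbook RSA on constructed small primes, used only so the model can show who
# can verify what: a verifier needs a public key, never the CA's private key.
def keygen(p, q, e=17):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(msg): return int(hashlib.sha256(msg.encode()).hexdigest(), 16)
def sign(msg, priv): return pow(digest(msg) % priv[0], priv[1], priv[0])
def verify(msg, sig, pub): return pow(sig, pub[1], pub[0]) == digest(msg) % pub[0]

ORG = "example-org"                   # organization-name configured on every node (constructed)
ROOT_PUB, ROOT_PRIV = keygen(61, 53)  # root chain; the private half lives only on vManage
VMANAGE = "vmanage.example.invalid"   # placeholder address vBond hands to admitted devices

def issue_cert(subject, pub):         # vManage acting as CA: binds subject + org to a public key
    body = f"{subject}|{ORG}|{pub[0]}|{pub[1]}"
    return body, sign(body, ROOT_PRIV)

def cert_ok(cert, expect_subject=None):   # anyone holding the root chain can run this check
    body, sig = cert
    subject, org, _n, _e = body.split("|")
    return (verify(body, sig, ROOT_PUB) and org == ORG
            and (expect_subject is None or subject == expect_subject))

class VBond:
    def __init__(self, otp_list):
        self.otp = dict(otp_list)     # chassis-number -> one-time token, pushed by vManage
        self.cert = issue_cert("vbond", keygen(67, 71)[0])

    def admit(self, chassis, token=None, cert=None, proof=None, challenge="c1"):
        """Return the vManage address if the device authenticates, else None."""
        if cert is not None and proof is not None and cert_ok(cert, chassis):  # permanent identity
            _, _, n, e = cert[0].split("|")
            if verify(challenge, proof, (int(n), int(e))):
                return VMANAGE
        if token is not None and self.otp.get(chassis) == token:  # temporary identity
            del self.otp[chassis]     # OTP is consumed, so a replayed token fails
            return VMANAGE
        return None

def onboard(chassis="CSR-CONSTRUCTED-0001", token="otp-3f9a"):
    vbond = VBond({chassis: token})
    dev_pub, dev_priv = keygen(101, 113)   # router's own key pair, generated locally
    r = {"controller_ok": cert_ok(vbond.cert)}  # router validates vBond before it owns any cert
    r["otp_admit"] = vbond.admit(chassis, token=token)
    cert = issue_cert(chassis, dev_pub) if r["otp_admit"] else None   # vManage signs the CSR
    r["cert_admit"] = vbond.admit(chassis, cert=cert, proof=sign("c1", dev_priv))
    r["otp_replay"] = vbond.admit(chassis, token=token)   # token no longer valid
    return r
```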