Lesson 2: SD-WAN Installation of vManage, vBond and vSmart, the fastest and easiest to understand

Build the model like this:

– The image used is 19.2.31 (do not use 19.2.0 or it will fail)

It can be downloaded at the following address:

– The lab consumes about 25-30 GB of RAM

– CPU uses e2650v2

Responsibilities of the above components (controllers):

>> vManage: The management interface. It monitors the other components and creates policies and configurations, then pushes them to the rest of the devices

>> vBond: Acts as an authentication bridge to help WAN routers (WAN edge) join the SD-WAN network

>> vSmart: Controls and distributes routes between WAN routers (similar to the role of a Route Reflector in BGP); for example, from router WAN1 to router WAN, service X takes this route and service Y takes that route.

Implementation content:

Once the IPs are set to ping between the controllers, we will create a certificate for each device and then push them to vmanage to install the certificate.

The purpose is to let the components authenticate and trust each other (the handshake) before exchanging information.

On Vmanage, declare the basic configuration:

config terminal ##Enter configuration mode

system

host-name vManage1

system-ip 1.1.1.1 ##Similar to a loopback IP

site-id 1

organization-name haiit ##The name must be the same on all devices

vbond 10.0.0.2 ##vBond's LAN IP

exit

vpn 0 ##VPN 0 is the channel through which traffic flows

ip route 0.0.0.0/0 10.0.0.254

interface eth0

ip address 10.0.0.1/24

no shutdown

tunnel-interface

allow-service all

exit

exit

exit

commit ##Similar to copy running-config startup-config

On Vbond, declare the basic configuration:

config terminal ##Enter configuration mode

system

host-name vBond1

system-ip 2.2.2.2

site-id 1

organization-name haiit

vbond 10.0.0.2 local ##Declare this device as the vBond

exit

vpn 0

ip route 0.0.0.0/0 10.0.0.254 ##Route to the external network

interface ge0/0

ip address 10.0.0.2/24

tunnel-interface

encapsulation ipsec ##Only vBond has this command; vManage does not

allow-service all

no shutdown

exit

exit

exit

commit

On Vsmart, declare the basic configuration:

config terminal ##Enter configuration mode

system

host-name vSmart1

system-ip 3.3.3.3

site-id 1

organization-name haiit

vbond 10.0.0.2

exit

vpn 0

ip route 0.0.0.0/0 10.0.0.254

interface eth0

ip address 10.0.0.3/24

tunnel-interface

allow-service all

no shutdown

exit

commit

============ Create certificate on device and install it on VMANAGE ========

This part is a bit confusing. If you are doing it for the first time, copy and paste the commands to bring the devices online first and understand them later.

Create a CA certificate (certificate authority) on Vmanage:

Go to the cli screen and enter:

vshell

openssl genrsa -out ROOT-CA.key 2048 ##Generate key

openssl req -x509 -new -nodes -key ROOT-CA.key -sha256 -days 3652 -subj "/C=NL/ST=NL/O=haiit/CN=vmanage1.lab.haiit" -out ROOT-CA.pem ##Generate certificate from key above

cat ROOT-CA.pem ##View the contents of the certificate

Access vmanage Web GUI from PC_MGMT

type

Log in and go to Admin (avatar) > Settings

Edit the Organization Name and vBond entries:

Then find the section Controller Certificate Authority and paste the contents of ROOT-CA.pem as follows:

save.

Next, each Vmanage, Vbond and Vsmart device needs to create a CSR file and then transfer the CSR file to the CA (certificate authority) to sign and create the certificate file.

Here I will use Vmanage as the CA (there are instructions online to use a Linux or Windows computer as the CA to achieve the same purpose)

On the vManage web GUI:

Create the vManage CSR file:

Go to vManage's CLI and create the certificate vmanage1.crt from the newly created CSR file:

vshell

openssl x509 -req -in vmanage_csr -CA ROOT-CA.pem -CAkey ROOT-CA.key -CAcreateserial -out vmanage1.crt -days 1826 -sha256

cat vmanage1.crt ##View certificate content

Go to vmanage website and install the newly created certificate

Complete the Vmanage Certificates section

Create Vbond’s CSR file:

On the vmanage website: Go to Configuration > Devices > Controllers as shown

Click Add Controller > Vbond

Enter the vbond IP and initially set the username and password:

After the above steps, we will get the CSR file of vbond.

Return to vbond cli and enter:

request download scp://admin@10.0.0.1:/home/admin/ROOT-CA.pem ##Get the CA certificate file from vManage

request root-cert-chain install /home/admin/ROOT-CA.pem ##and install it

request upload scp://admin@10.0.0.1:/home/admin/ vbond_csr ##Push the CSR file to vManage for signing

Go to the vmanage cli and sign the CSR file to create a certificate for vbond:

openssl x509 -req -in vbond_csr -CA ROOT-CA.pem -CAkey ROOT-CA.key -CAcreateserial -out vbond.crt -days 1826 -sha256

cat vbond.crt

Enter the vmanage website:

Click Install and finish.

Next, vSmart:

Enter the vmanage website and add vsmart.

Fill in vsmart’s IP, username, and ssh password (similar to vbond above)

After that, we have a CSR file on vSmart.

Return to vsmart cli:

Download and install the CA certificate (vmanage)

request download scp://admin@10.0.0.1:/home/admin/ROOT-CA.pem

request root-cert-chain install /home/admin/ROOT-CA.pem

Upload the CSR file to vmanage for signing

request upload scp://admin@10.0.0.1:/home/admin/ vsmart_csr

Go to vmanage cli:

openssl x509 -req -in vsmart_csr -CA ROOT-CA.pem -CAkey ROOT-CA.key -CAcreateserial -out vsmart1.crt -days 1826 -sha256

cat vsmart1.crt

Enter the vmanage website and install the newly created certificate:

Complete vsmart
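The signing steps above can be checked before a certificate is installed. The script below is an added example, not part of the original lesson: it repeats the lesson's openssl commands in temporary directories and shows that a certificate signed by ROOT-CA verifies against it, while one signed by a different CA does not. The function names, the CSR subject and the second CA are constructed for the demonstration; on the lab the CSR files come from the controllers.

```shell
#!/bin/sh
# Added example (not from the original lesson). The CSR subject and the
# "other" CA are constructed; on the lab the CSR files come from the controllers.

make_root_ca() {      # $1 = directory, $2 = subject
    openssl genrsa -out "$1/ROOT-CA.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$1/ROOT-CA.key" -sha256 -days 3652 \
        -subj "$2" -out "$1/ROOT-CA.pem"
}

make_sample_csr() {   # $1 = directory, $2 = file name, $3 = subject
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -subj "$3" -out "$1/$2" 2>/dev/null
}

sign_csr() {          # $1 = CA directory, $2 = CSR file, $3 = certificate to write
    openssl x509 -req -in "$2" -CA "$1/ROOT-CA.pem" -CAkey "$1/ROOT-CA.key" \
        -CAcreateserial -out "$3" -days 1826 -sha256 2>/dev/null
}

chains_to_root() {    # $1 = root certificate, $2 = certificate to check
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    lab=$(mktemp -d) && other=$(mktemp -d) || return 1
    make_root_ca "$lab" "/C=NL/ST=NL/O=haiit/CN=vmanage1.lab.haiit"
    make_root_ca "$other" "/C=NL/ST=NL/O=other/CN=ca.other.example"
    make_sample_csr "$lab" vbond_csr "/C=NL/ST=NL/O=haiit/CN=vbond1.lab.haiit"
    sign_csr "$lab" "$lab/vbond_csr" "$lab/vbond.crt"
    sign_csr "$other" "$lab/vbond_csr" "$lab/vbond_other.crt"
    # Show who issued the certificate and when it expires
    openssl x509 -in "$lab/vbond.crt" -noout -subject -issuer -enddate
    echo "signed by lab root:   $(chains_to_root "$lab/ROOT-CA.pem" "$lab/vbond.crt")"
    echo "signed by other root: $(chains_to_root "$lab/ROOT-CA.pem" "$lab/vbond_other.crt")"
    rm -rf "$lab" "$other"
}

demo
```

On the lab itself only the check inside chains_to_root is needed: in vshell on vManage, run openssl verify -CAfile ROOT-CA.pem against each .crt file before clicking Install.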

Review:

Go to Configuration > Devices > Controllers

View the devices as follows:

Go to Configuration > Certificates > Controllers: if you see the full list of 3 controllers, you're good to go.

Go to vmanage cli

vManage1# show control connections

I saw that vbond and vsmart both appeared.

Similar to vbond: