Part 2: Deploying vSmart Controller

In a Cisco SD-WAN fabric we must deploy three controllers: vManage, vSmart and vBond. I published an article on deploying vManage previously; you can check it here. In this article I will show the steps for deploying the vSmart controller. vSmart controls the control plane of the Cisco SD-WAN fabric, which means this controller is responsible for maintaining routing, policy and the distribution of IPsec keys. It exchanges routing information, keys and policy with the WAN Edge routers via OMP (Overlay Management Protocol). vSmart acts like a BGP route reflector: it receives prefixes, keys and TLOC information from each WAN Edge and then advertises them to the other WAN Edges. vSmart also builds control connections with the other controllers and with all WAN Edge devices over TLS/DTLS tunnels.

As with vManage, deploying vSmart takes a few steps. First, add the initial configuration to vSmart; then copy the root Certificate Authority generated on vManage to vSmart and install it; then generate the vSmart CSR, sign that CSR with the root CA, and finally install the signed certificate on vSmart through vManage. As in the previous lab, I use OpenSSL to sign the certificate and vshell (the Viptela shell) to work with files on the controller. After adding the vSmart device to the lab, log in with the default username and password admin/admin (change it on first login anywhere other than a throwaway lab) and start entering the initial configuration.

1. Add Initial Configuration to vSmart

Here is the configuration for the vSmart controller; I used the same lab environment and IP address scheme as in the previous lab.

system
 hostname vSmart-DC1
 site-id 1
 system-ip 10.0.0.12
 organization-name "viptela sdwan"
 clock timezone Asia/Jakarta
 vbond 10.0.0.3
!
vpn 0
 interface eth1
  ip address 10.0.0.2/24
  tunnel-interface
   allow-service all
   allow-service dhcp
   allow-service dns
   allow-service icmp
   allow-service sshd
   allow-service netconf
   no allow-service ntp
   no allow-service stun
   allow-service https
  !
  no shutdown
 !
 ip route 0.0.0.0/0 10.0.0.254
!
vpn 512
 interface eth0
  ip address 192.168.10.1/24
  no shutdown
!
commit

As in the previous lab, I used "viptela sdwan" as the organization name. It must be identical on every controller and WAN Edge in the fabric, because it is carried in every device certificate and compared when control connections are authenticated. The vbond line tells vSmart where to find the vBond controller, and the default route in VPN 0 points at the gateway so the controller can reach other networks. The allow-service lines under tunnel-interface decide which services are reachable on the transport interface; sshd must be allowed for the SCP copy used in the next step.

2. Copy Root Certificate From vManage to vSmart

The root certificate used for all SD-WAN devices was stored on vManage in the previous lab, so we need to copy it from vManage to vSmart. There are several ways to move it. The first is through the vManage dashboard: open the "Enterprise Root Certificate" view, copy its whole contents and paste them into a file on vSmart using a text editor (vim) in vshell.

[screenshot: Enterprise Root Certificate view in the vManage dashboard]

The second is to use Secure Copy (SCP) from vManage to vSmart; make sure SSH is allowed on the vSmart tunnel interface (allow-service sshd in the configuration above). Only the certificate ROOTCA.pem needs to go to vSmart; the CA private key ROOTCA.key stays on the machine where CSRs are signed. When the copy finishes the file is in /home/admin on vSmart.

vManage-DC1:~$ scp ROOTCA.pem admin@10.0.0.2:ROOTCA.pem

Once the root certificate is in the vSmart home directory, the next step is to install it from the vSmart console.

3. Installing Root Certificate on vSmart

The root certificate file is now in /home/admin on vSmart as "ROOTCA.pem". Install it from the vSmart console with the commands shown below (on Viptela OS this is done with request root-cert-chain install /home/admin/ROOTCA.pem):

[screenshot: installing the root certificate from the vSmart console]

After the root certificate is installed, the next step is to generate the vSmart CSR from the vManage dashboard.

4. Generate vSmart CSR (Certificate Signing Request)

The vSmart CSR is generated from the vManage dashboard, and before that vSmart must be registered in vManage. The steps to register vSmart are:

[screenshot: adding the vSmart controller in vManage]

Go to "Configuration => Devices => Controllers => Add Controller => vSmart". We are prompted for the vSmart IP address, username and password; the IP address is the VPN 0 address of vSmart (10.0.0.2 in this lab). Because "Generate CSR" is ticked, vManage creates a file named "vsmart_csr" in /home/admin on vSmart. Verify in vshell that the CSR now exists there:

[screenshot: vsmart_csr listed in /home/admin on vSmart]

If the CSR exists, the next step is to sign it with the root CA and install the signed certificate through the vManage dashboard.

5. Sign vSmart CSR with Root Certificate and Install vSmart Certificate

Sign the generated CSR with the root CA using OpenSSL as below; the signed certificate is written to "vsmart.crt". The 2000-day validity is the lab's choice; whatever value is used, the certificate must be renewed before it expires:

openssl x509 -req -in vsmart_csr -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial -out vsmart.crt -days 2000 -sha256

Then copy the whole contents of "vsmart.crt" into the vManage GUI: click "Install Certificate", paste the contents into the certificate field when prompted, and click "Install".

[screenshots: Install Certificate dialog in vManage]

If the certificate installs successfully, the task view shows a "Success" message and vSmart is synced.

Hopefully this article is useful for getting started with Cisco SD-WAN. In the next article I will share my SD-WAN lab for deploying the vBond controller.

Reference: Cisco SD-WAN Getting Started Guide

Irzal Dwi Rahadianto, SST.


3 years ago

Great, Pak Deni.
