For a while I had been reading Cisco's SD-WAN introductions, all of them slide decks. I wanted an environment to actually try it in, but most of the material I found is based on the official documentation and is heavy going. So I fumbled my way through this "simple" lab; further experiments can be studied later, and this post is the record of it.
Lab objective
Make the loopback interfaces 1.1.1.1 and 2.2.2.2 on the Site1 and Site2 routers able to communicate with each other.
Even such a "simple" little task takes a fair amount of work...
This lab is split into four parts:
1. Initializing vManage, vBond, vSmart, vEdge and the other devices
2. Certificate handling for vManage, vBond, vSmart and vEdge
3. Adding the vBond, vSmart and vEdge devices in vManage
4. Making the routes work between the two sites
Note: the lab environment, the files required, and how to build it are not covered here.
Lab topology
The device interconnections are shown in the diagram above; vManage also has an out-of-band interface so the Web UI can be reached remotely.
Device addresses and related information
Device | Site ID | System-IP | Interface IP | Version |
---|---|---|---|---|
vManage | 100 | 100.1.1.1 | 10.1.1.1 | 16.3.2->17.2.0 |
vBond | 100 | 100.1.1.2 | 10.1.1.2 | 16.3.2->17.2.0 |
vSmart | 100 | 100.1.1.3 | 10.1.1.3 | 16.3.2->17.2.0 |
vEdge1 | 1 | 101.1.1.1 | 172.16.1.1 | 17.2.0 |
Site1 | - | 1.1.1.1 | 192.168.1.1 | - |
vEdge2 | 2 | 102.1.1.1 | 172.16.2.1 | 17.2.0 |
Site2 | - | 2.2.2.2 | 192.168.2.1 | - |
Important: vManage, vBond and vSmart are first installed as 16.3.2 and then upgraded to 17.2.0. From vManage 17.x.x onward, adding a vEdge requires a Smart Account to generate the vEdge authorized serial file on Cisco's website and import it into vManage, whereas versions before 17.x.x accept a hand-created CSV file uploaded to vManage. vEdge runs 17.x.x because earlier vEdge versions cannot validate certificates you generate yourself.
So the approach here is: install certificates on all devices first, add the vEdge authorized list, and only add the vEdge devices after vManage has been upgraded to 17.2.0. Once a device is upgraded to 17.2.0, the vEdge authorized list can no longer be added from a hand-edited file.
Initializing vManage, vBond, vSmart, vEdge and the other devices
vManage initial configuration
system
host-name vmanage
system-ip 100.1.1.1
site-id 100
organization-name iteachs.com
vbond 10.1.1.2
vpn 0
interface eth0
ip address 10.1.1.1/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 10.1.1.254
!
vpn 512
interface eth1
ip address 192.168.188.61/24
no shutdown
!
ip route 0.0.0.0/0 192.168.188.254
!
commit and-quit
vBond initial configuration
system
host-name vbond
system-ip 100.1.1.2
organization-name iteachs.com
vbond 10.1.1.2 local vbond-only
vpn 0
interface ge0/0
ip address 10.1.1.2/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 10.1.1.254
!
commit and-quit
vSmart initial configuration
system
host-name vsmart
system-ip 100.1.1.3
site-id 100
organization-name iteachs.com
vbond 10.1.1.2
!
vpn 0
interface eth0
ip address 10.1.1.3/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 10.1.1.254
!
commit and-quit
vEdge1 initial configuration
system
host-name vedge1
system-ip 101.1.1.1
site-id 1
organization-name iteachs.com
vbond 10.1.1.2
!
vpn 0
interface ge0/0
ip address 172.16.1.1/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 172.16.1.254
!
vpn 10
interface ge0/1
ip address 192.168.1.254/24
no shutdown
!
ip route 0.0.0.0/0 vpn 0
!
!
commit and-quit
Site1 initial configuration
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site1
!
enable secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
aaa new-model
!
no ip domain lookup
ip cef
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.1.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
router ospf 1
router-id 1.1.1.1
passive-interface default
no passive-interface Ethernet0/0
!
end
vEdge2 initial configuration
system
host-name vedge2
system-ip 102.1.1.1
site-id 2
organization-name iteachs.com
vbond 10.1.1.2
!
vpn 0
interface ge0/0
ip address 172.16.2.1/24
no tunnel-interface
no shutdown
!
ip route 0.0.0.0/0 172.16.2.254
!
vpn 10
interface ge0/1
ip address 192.168.2.254/24
no shutdown
!
ip route 0.0.0.0/0 vpn 0
!
!
commit and-quit
Site2 initial configuration
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Site2
!
enable secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
aaa new-model
!
no ip domain lookup
ip cef
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ip ospf network point-to-point
ip ospf 1 area 0
!
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
!
router ospf 1
router-id 2.2.2.2
passive-interface default
no passive-interface Ethernet0/0
!
end
Internet router configuration
version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
enable secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
aaa new-model
!
no ip domain lookup
ip cef
!
username admin privilege 15 secret 4 X4ZqtPJ///KxuEWxHSsJrv3beQVnz2ise/xj8fF6eFU
!
interface Loopback100
ip address 100.100.100.100 255.255.255.255
!# simulated public-Internet address used for reachability tests
interface Ethernet0/0
ip address 10.1.1.254 255.255.255.0
!# toward the management-side devices (vManage, vBond, vSmart)
interface Ethernet0/1
ip address 172.16.1.254 255.255.255.0
!# toward the Site1 side (vEdge1)
interface Ethernet0/2
ip address 172.16.2.254 255.255.255.0
!# toward the Site2 side (vEdge2)
no ip http server
no ip http secure-server
!
no cdp run
!
end
With the configuration above in place, directly connected devices can reach each other and the vEdges can reach vManage, vBond and vSmart, but OSPF has no neighbors and the two sites cannot reach each other.
Certificate handling for vManage, vBond, vSmart and vEdge
Handling the certificates for these devices requires a certificate authority; you can use Cisco IOS, Windows Server or another CA. To keep the lab simple I use the openssl on vManage itself to sign and issue the certificates. This must not be done in production.
Generating the root certificate
First generate a 2048-bit key:
vshell
openssl genrsa -out ROOTCA.key 2048
Generate the self-signed root certificate:
openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
-subj "/C=CN/ST=Nanjing/L=Jiangsu/O=iteachs.com/CN=ca.local" \
-out ROOTCA.pem
Output:
vmanage# vshell
vmanage:~$
vmanage:~$ openssl genrsa -out ROOTCA.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
..................................+++
e is 65537 (0x10001)
vmanage:~$ openssl req -x509 -new -nodes -key ROOTCA.key -sha256 -days 1024 \
> -subj "/C=CN/ST=Nanjing/L=Jiangsu/O=iteachs.com/CN=ca.local" \
> -out ROOTCA.pem
vmanage:~$
vmanage:~$ dir
ROOTCA.key ROOTCA.pem archive_id_rsa.pub
vmanage:~$
Viewing vManage's default root certificate and device certificate
vmanage# show certificate root-ca-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6e:cc:7a:a5:a7:03:20:09:b8:ce:bc:f4:e9:52:d4:91
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:87:84:1f:c2:0c:45:f5:bc:ab:25:97:a7:ad:
a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:
bb:65:8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:
9c:68:8b:2e:95:7b:89:9b:13:ca:e2:34:34:c1:f3:
5b:f3:49:7b:62:83:48:81:74:d1:88:78:6c:02:53:
f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:
4e:91:24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:
ea:96:1d:0b:15:fc:a3:4b:3b:ce:63:88:d0:f8:2d:
0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c:00:48:35:
86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:
98:d4:c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:
ca:2c:23:a9:fd:14:06:e8:18:b4:9a:e8:3c:6e:81:
fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba:56:6e:6f:
9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:
c5:bf:11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:
9b:3f:53:45:7f:86:1a:f3:3c:fa:6d:7f:81:f5:b8:
4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18:7b:38:4e:
fa:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP - URI:http://ocsp.verisign.com
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/cps
User Notice:
Explicit Text: https://www.verisign.com/rpa
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.verisign.com/pca3-g5.crl
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Alternative Name:
DirName:/CN=VeriSignMPKI-2-6
X509v3 Subject Key Identifier:
0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
X509v3 Authority Key Identifier:
keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Signature Algorithm: sha1WithRSAEncryption
0c:83:24:ef:dd:c3:0c:d9:58:9c:fe:36:b6:eb:8a:80:4b:d1:
a3:f7:9d:f3:cc:53:ef:82:9e:a3:a1:e6:97:c1:58:9d:75:6c:
e0:1d:1b:4c:fa:d1:c1:2d:05:c0:ea:6e:b2:22:70:55:d9:20:
33:40:33:07:c2:65:83:fa:8f:43:37:9b:ea:0e:9a:6c:70:ee:
f6:9c:80:3b:d9:37:f4:7a:6d:ec:d0:18:7d:49:4a:ca:99:c7:
19:28:a2:be:d8:77:24:f7:85:26:86:6d:87:05:40:41:67:d1:
27:3a:ed:dc:48:1d:22:cd:0b:0b:8b:bc:f4:b1:7b:fd:b4:99:
a8:e9:76:2a:e1:1a:2d:87:6e:74:d3:88:dd:1e:22:c6:df:16:
b6:2b:82:14:0a:94:5c:f2:50:ec:af:ce:ff:62:37:0d:ad:65:
d3:06:41:53:ed:02:14:c8:b5:58:28:a1:ac:e0:5b:ec:b3:7f:
95:4a:fb:03:c8:ad:26:db:e6:66:78:12:4a:d9:9f:42:fb:e1:
98:e6:42:83:9b:8f:8f:67:24:e8:61:19:b5:dd:cd:b5:0b:26:
05:8e:c3:6e:c4:c8:75:b8:46:cf:e2:18:06:5e:a9:ae:a8:81:
9a:47:16:de:0c:28:6c:25:27:b9:de:b7:84:58:c6:1f:38:1e:
a4:c4:cb:66
vmanage#
vmanage# show certificate installed
vmanage#
As you can see, a root certificate is present by default but there is no device certificate. Next we remove the default root certificate from every device, install the root certificate we generated ourselves, and then request device certificates.
Removing the original root certificate and installing the new one
On vManage
vmanage# request root-cert-chain uninstall
Successfully uninstalled the root certificate chain
vmanage#
vmanage# request root-cert-chain install home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/ROOTCA.pem via VPN 0
Successfully installed the root certificate chain
vmanage#
On vBond, vSmart, vEdge1 and vEdge2 (vEdge2 shown)
vedge2# request root-cert-chain uninstall
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 407]
CMD_MAAPI is true [mtid = 407]
CMD_MAAPI is true [mtid = 0]
Successfully uninstalled the root certificate chain
vedge2#
vedge2#
vedge2# request root-cert-chain install scp://admin@10.1.1.1:/home/admin/ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@10.1.1.1:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added '10.1.1.1' (ECDSA) to the list of known hosts.
viptela 16.3.2
admin@10.1.1.1's password:
ROOTCA.pem 100% 1285 1.7MB/s 00:00
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 411]
CMD_MAAPI is true [mtid = 411]
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 0]
CMD_MAAPI is true [mtid = 415]
CMD_MAAPI is true [mtid = 415]
CMD_MAAPI is true [mtid = 0]
Successfully installed the root certificate chain
vedge2#
Checking the root certificate afterwards
vmanage# show certificate root-ca-cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:db:55:e2:55:58:83:e9
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Nanjing, L=Jiangsu, O=iteachs.com, CN=ca.local
Validity
Not Before: Mar 5 08:38:12 2020 GMT
Not After : Dec 24 08:38:12 2022 GMT
Subject: C=CN, ST=Nanjing, L=Jiangsu, O=iteachs.com, CN=ca.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d6:ae:7f:bd:a3:6b:86:a0:bb:15:a0:8d:da:37:
59:8a:d3:d3:43:f5:50:52:82:fd:63:36:ba:e9:32:
69:51:e5:5e:58:87:ae:0f:11:1b:65:56:8a:85:a1:
e9:02:39:4d:e7:bd:8d:e9:45:e3:20:98:66:57:ab:
da:7d:81:23:a4:07:f3:b5:6a:a4:69:0a:57:d3:8b:
50:fb:d7:9c:2b:2c:ba:be:18:62:59:6f:f6:57:55:
84:1a:69:2d:39:4f:7e:55:9b:5c:9a:68:67:61:03:
89:ca:26:76:14:8f:5d:72:af:3f:2b:9b:03:c1:b0:
59:72:cb:8d:2f:76:b7:d8:9f:fa:bd:38:ed:5b:db:
63:f5:b3:0a:49:db:6a:e9:eb:57:ba:7c:99:60:09:
e5:d9:78:e5:a2:0a:9d:9a:c3:32:14:c5:da:65:73:
11:4a:81:89:b6:3f:02:32:72:db:7d:a7:1b:b1:f1:
ad:27:94:5b:ea:fe:f4:74:60:04:e4:13:2b:54:9e:
c9:29:67:b4:c5:e1:cd:7d:69:70:79:27:6d:e9:8d:
34:16:f1:39:0b:2c:51:14:04:2b:a7:97:9f:ed:04:
2a:05:47:d1:80:7a:91:5f:48:f7:91:fa:12:b0:e9:
9f:37:d2:0a:a3:96:fb:33:54:bb:03:44:62:94:34:
f9:37
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
A7:B6:B0:03:68:EA:9C:94:6D:7C:98:D7:23:7D:60:98:51:F2:35:E9
X509v3 Authority Key Identifier:
keyid:A7:B6:B0:03:68:EA:9C:94:6D:7C:98:D7:23:7D:60:98:51:F2:35:E9
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
b9:fa:f3:b8:54:5a:5d:c0:70:b7:40:64:a3:76:a8:bb:32:9f:
fe:a1:e4:4d:ba:cc:5d:dc:32:24:38:ff:01:3b:52:a2:aa:07:
87:84:d8:83:14:1f:22:72:aa:49:1c:10:93:74:a7:24:45:60:
9b:0a:a7:af:a7:68:a2:70:28:f5:d2:ec:8b:67:83:68:de:67:
a0:da:0a:1d:b4:33:b2:cd:39:36:31:f8:20:04:ac:1a:1f:be:
20:50:f4:3d:bf:23:2c:83:9d:8d:49:a2:88:59:e7:e1:5a:f3:
d9:9a:20:13:f2:46:cc:2b:a0:6d:ac:2e:b0:a4:a5:0c:41:e3:
06:51:d7:ad:26:6c:68:c0:8c:e1:f3:ab:8b:5a:5b:ff:b4:45:
29:d4:b6:dc:dc:b4:f5:62:51:bb:77:19:fe:4e:12:f5:d3:10:
c9:2c:9b:d2:91:a7:61:bf:e3:3d:2d:f6:73:b5:fc:a4:b6:92:
9a:07:1f:19:98:67:34:df:2f:1b:83:27:91:a9:f6:e5:20:a4:
c9:6b:a9:a5:fe:b3:84:77:2d:ea:f8:f6:99:32:03:40:ac:b9:
76:0c:08:86:f9:38:b1:8b:70:bb:66:75:88:72:c9:4e:44:34:
05:17:ea:69:c5:c8:d3:9b:33:5f:77:27:3e:7b:d7:5a:83:66:
3d:43:c3:4f
vmanage#
Generating certificate signing requests for vManage, vBond, vSmart and vEdge
vManage CSR
vmanage# request csr upload /home/admin/vmanage.csr
Uploading CSR via VPN 0
Enter organization name : iteachs.com
Re-enter organization name : iteachs.com
Generating private/public pair and CSR for this vmanage device
Generating CSR for this vmanage device ........[DONE]
Copying ... /home/admin/vmanage.csr via VPN 0
CSR upload successful
vmanage#
Note that the organization name entered here matters: it must match the organization-name in the device configuration.
CSRs for the other devices
Not shown one by one; the commands are:
vBond:
request csr upload scp://admin@10.1.1.1:/home/admin/vbond.csr
vSmart:
request csr upload scp://admin@10.1.1.1:/home/admin/vsmart.csr
vEdge1:
request csr upload scp://admin@10.1.1.1:/home/admin/vedge1.csr
vEdge2:
request csr upload scp://admin@10.1.1.1:/home/admin/vedge2.csr
Signing the certificates for vManage, vBond, vSmart and vEdge
vmanage#
vmanage#
vmanage# vshell
vmanage:~$
vmanage:~$ openssl x509 -req -in vmanage.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vmanage.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vmanage_1d83a485-e824-4836-ab82-00db7bea4c1c_0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$
vmanage:~$ openssl x509 -req -in vbond.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vbond.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vbond_d797a9bd-eef2-40a2-9bf5-953b6525947c_0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$
vmanage:~$ openssl x509 -req -in vsmart.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vsmart.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vsmart_1cda07a5-81a4-486b-8cef-426dbd285d20_0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$
vmanage:~$
vmanage:~$ openssl x509 -req -in vedge1.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vedge1.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vedge-49918191-566f-4ef1-875c-c8557c317275-0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$
vmanage:~$
vmanage:~$ openssl x509 -req -in vedge2.csr \
> -CA ROOTCA.pem -CAkey ROOTCA.key -CAcreateserial \
> -out vedge2.crt -days 500 -sha256
Signature ok
subject=/C=US/ST=California/L=San Jose/OU=iteachs.com/O=vIPtela Inc/CN=vedge-4ea4eb5d-dfba-4e33-8ea8-da22db5446a2-0.viptela.com/emailAddress=support@viptela.com
Getting CA Private Key
vmanage:~$
vmanage:~$ dir
ROOTCA.key ROOTCA.srl vbond.crt vedge1.crt vedge2.crt vmanage.crt vsmart.crt
ROOTCA.pem archive_id_rsa.pub vbond.csr vedge1.csr vedge2.csr vmanage.csr vsmart.csr
vmanage:~$
vmanage:~$
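The same CA flow, as an added shell example that is not part of the original post: it runs the post's openssl commands end to end on a workstation (root key and self-signed root, then a device key and CSR built with openssl in place of the device's `request csr upload`, then signing with the root), and finishes with two checks the post only implies: `openssl verify` confirms the device certificate chains to the root the peers will have installed, and the OU is read back so the organization name typed at CSR time can be compared with the configured organization-name before anything is installed. The LABDIR directory, the helper names, and the device subject (modelled on the subject format shown in the post's signing output) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a lab CA flow mirroring the vshell steps.
# Assumes openssl is in PATH; everything is written under LABDIR (a scratch directory).
set -e

LABDIR="${LABDIR:-$(mktemp -d)}"   # assumption: scratch directory for the lab files

make_root_ca() {
  # 2048-bit RSA key and a self-signed root valid for 1024 days, as in the post.
  openssl genrsa -out "$LABDIR/ROOTCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$LABDIR/ROOTCA.key" -sha256 -days 1024 \
    -subj "/C=CN/ST=Nanjing/L=Jiangsu/O=iteachs.com/CN=ca.local" \
    -out "$LABDIR/ROOTCA.pem" 2>/dev/null
}

make_device_csr() {
  # $1 = device name, $2 = organization name (carried in the OU of the CSR subject).
  # Stand-in for the device's own "request csr upload" so the flow runs offline.
  openssl genrsa -out "$LABDIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$LABDIR/$1.key" -sha256 \
    -subj "/C=US/ST=California/L=San Jose/OU=$2/O=vIPtela Inc/CN=$1.viptela.com" \
    -out "$LABDIR/$1.csr" 2>/dev/null
}

sign_device_cert() {
  # $1 = device name. Same command the post runs: sign the CSR with the root, 500 days.
  openssl x509 -req -in "$LABDIR/$1.csr" \
    -CA "$LABDIR/ROOTCA.pem" -CAkey "$LABDIR/ROOTCA.key" -CAcreateserial \
    -out "$LABDIR/$1.crt" -days 500 -sha256 2>/dev/null
}

verify_device_cert() {
  # Exit 0 only if the device certificate chains to our root; a certificate from any
  # other issuer fails here just as it fails the control-connection handshake.
  openssl verify -CAfile "$LABDIR/ROOTCA.pem" "$LABDIR/$1.crt" >/dev/null 2>&1
}

cert_org_unit() {
  # Print the OU from the signed device certificate (the organization name the
  # post says must match the configured organization-name).
  openssl x509 -in "$LABDIR/$1.crt" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *OU=//p'
}

# Stand-alone run: sign one device and show what was issued.
make_root_ca
make_device_csr vedge1 iteachs.com
sign_device_cert vedge1
verify_device_cert vedge1 && echo "vedge1: chains to ROOTCA, OU=$(cert_org_unit vedge1)"
```

Run it with `LABDIR=/some/dir sh lab-ca.sh` to keep the files; compare the OU it prints with the organization-name in the device's `system` stanza before installing the certificate, because a mismatch there is the kind of error that only shows up later as a control connection that never comes up.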
Installing the certificates on vManage, vBond, vSmart and vEdge
Installing on vManage
vmanage# request certificate install home/admin/vmanage.crt
Installing certificate via VPN 0
Copying ... /home/admin/vmanage.crt via VPN 0
Successfully installed the certificate
Installing on vBond, vSmart and vEdge
vBond:
request certificate install scp://admin@10.1.1.1:/home/admin/vbond.crt
vSmart:
request certificate install scp://admin@10.1.1.1:/home/admin/vsmart.crt
vEdge1:
request certificate install scp://admin@10.1.1.1:/home/admin/vedge1.crt
vEdge2:
request certificate install scp://admin@10.1.1.1:/home/admin/vedge2.crt
The output is not reproduced for each device.
Checking the installed device certificate
vmanage# show certificate installed
Server certificate
------------------
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
f2:f9:b9:94:7b:e8:20:84
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Nanjing, L=Jiangsu, O=iteachs.com, CN=ca.local
Validity
Not Before: Mar 5 08:59:05 2020 GMT
Not After : Jul 18 08:59:05 2021 GMT
Subject: C=US, ST=California, L=San Jose, OU=iteachs.com, O=vIPtela Inc, CN=vmanage_1d83a485-e824-4836-ab82-00db7bea4c1c_0.viptela.com/emailAddress=support@viptela.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d1:30:e0:3a:02:a9:a3:26:72:0f:1c:04:3c:63:
9d:b5:d5:7f:13:49:22:9e:82:2f:3d:60:81:c2:0c:
ae:88:7a:8f:c0:15:0b:0f:fd:2b:b0:90:e1:a3:b8:
92:b6:12:dc:1f:88:78:ca:0f:6f:a9:95:26:6d:dd:
08:6f:10:f9:48:10:8a:53:12:c8:39:d2:59:7a:05:
ff:68:20:bf:8f:68:96:8d:6e:99:11:6f:11:64:8c:
1b:53:e6:a6:5c:e0:aa:fc:00:1f:0d:78:06:7d:84:
29:b2:1a:f6:d7:33:46:f2:32:21:ea:38:8a:08:05:
c4:f3:5e:58:9d:f7:db:03:05:7e:c7:44:6b:cc:38:
74:25:c7:f0:03:d6:b1:51:20:4e:0f:66:cb:81:6f:
5d:31:50:02:87:26:b5:c7:13:fe:44:52:6e:2e:44:
54:f6:32:4d:00:4d:6a:c3:c4:7e:e0:93:80:48:ab:
23:e4:2c:be:3f:73:b6:c0:a8:92:d6:44:8c:91:57:
35:c1:6f:ba:f4:8e:6d:d4:34:11:a4:c5:f7:f3:bf:
c1:c6:ee:83:95:41:f5:94:66:a5:99:6d:71:76:00:
44:8e:41:63:c3:9e:27:ae:cd:5e:44:07:66:b1:c5:
3b:6b:17:22:10:70:a6:f3:f1:10:f8:09:5f:cd:92:
eb:e3
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
6d:9d:a3:e7:1c:bd:45:a8:fc:0b:e1:10:27:23:b7:06:7f:75:
90:4f:aa:ce:9d:22:e1:43:98:c3:3c:66:a2:fc:94:2f:4c:b2:
9f:7a:f0:5d:6d:ee:5e:4c:11:df:39:e4:b7:1e:75:21:44:6d:
43:f5:aa:7d:51:bc:9d:87:5c:2d:79:4b:96:b3:f3:a1:f1:27:
16:64:1b:dd:87:cd:b7:b9:f9:9a:78:e8:9e:4f:6a:8e:b7:fe:
73:e3:10:6d:e6:f4:b8:a6:77:c8:59:30:cf:65:74:62:96:18:
8b:9e:01:20:64:74:79:25:b6:33:47:46:43:b1:c6:55:5c:f7:
ba:80:52:3c:9e:df:82:e8:3a:c9:50:f9:ad:2e:1f:48:8b:ef:
e8:88:4a:1c:ff:97:e0:00:a1:9b:2e:5c:96:3b:f9:e9:e3:da:
7e:d3:5f:4f:8b:d5:c8:10:c3:d0:d5:06:f7:51:19:70:e8:25:
3b:31:b5:88:4d:1b:ac:b6:94:16:a7:05:22:16:b8:cf:1f:36:
8d:d7:2d:0d:35:9e:2f:1b:7b:d4:8b:a1:f0:61:7d:30:03:2f:
a4:00:d6:68:9d:53:d2:82:01:39:27:b9:10:5a:28:27:ea:8f:
e6:ae:51:14:6e:ed:66:8d:28:de:2e:f7:e3:e4:ab:70:41:fc:
43:4b:9e:bc
vmanage#
One note: the CSR can also be generated and the certificate installed from the Web UI, but 16.3.2 has a bug where the device entries are not displayed on that page, so there is nothing to click. I also find the CLI more convenient.
After the certificates are installed, every device needs a reboot. At this point the lab is one third done.
After the reboot, log in to vManage with a browser.
Adding the vBond, vSmart and vEdge devices in vManage
Log in to vManage with a browser; the default username and password are both admin.
As shown below:
Because vManage already had its certificate installed, it shows as online in the device list, in sync and with the certificate installed.
Configure the organization name and vBond address on vManage, and make sure certificate authorization is set to manual.
Next, add vBond and vSmart.
Since the certificate was installed earlier, do not check "Generate CSR".
Once done it looks like this:
Add vSmart the same way.
Again no CSR is needed since the certificate was installed earlier. After adding:
Then on the Certificates page, click Send to vBond.
Once done:
Next, upload the vEdge list
Check the vEdge certificate serial numbers
vedge1# show certificate serial
Chassis number: 49918191-566f-4ef1-875c-c8557c317275 serial number: F2F9B9947BE82087
vedge1#
vedge2# show certificate serial
Chassis number: 4ea4eb5d-dfba-4e33-8ea8-da22db5446a2 serial number: F2F9B9947BE82088
vedge2#
Then create a file edge-list.csv with the following content:
49918191-566f-4ef1-875c-c8557c317275,F2F9B9947BE82087
4ea4eb5d-dfba-4e33-8ea8-da22db5446a2,F2F9B9947BE82088
One line per device. As noted earlier, versions before 17.0 allow adding vEdges this way; later versions require a file requested through a Cisco Smart Account and downloaded.
Once edited, upload the file to vManage.
Once done:
Then Send to Controllers.
Once done:
Enable the tunnel-interface on vManage, vBond, vSmart and vEdge.
vManage and vSmart:
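A small helper for building that file, added here as an example and not part of the original post: it turns pasted `show certificate serial` output into the `chassis,serial` rows vManage expects and drops any line that is not a well-formed UUID plus a 16-hex-digit serial, so a mangled paste cannot put an unintended chassis/serial pair on the authorized list. The sample input is constructed from the two vEdges above plus two deliberately malformed lines; the script assumes only POSIX sh and sed.

```shell
#!/bin/sh
# Added example, not from the original post: build the vEdge list CSV that a
# pre-17.x vManage accepts from pasted "show certificate serial" output.
# Assumes only POSIX sh and sed.

# Constructed sample: the two lab vEdges plus two deliberately malformed lines.
SAMPLE_SERIAL_OUTPUT='vedge1# show certificate serial
Chassis number: 49918191-566f-4ef1-875c-c8557c317275 serial number: F2F9B9947BE82087
vedge1#
vedge2# show certificate serial
Chassis number: 4ea4eb5d-dfba-4e33-8ea8-da22db5446a2 serial number: F2F9B9947BE82088
Chassis number: not-a-uuid serial number: F2F9B9947BE82089
Chassis number: 4ea4eb5d-dfba-4e33-8ea8-da22db5446a3 serial number: ZZZZ
vedge2#'

# stdin: CLI output as pasted; stdout: one "<chassis>,<serial>" row per well-formed line.
# A line must carry a UUID (8-4-4-4-12 lowercase hex) and a 16-hex-digit serial;
# anything else (prompts, blank lines, typos) produces no row at all.
vedge_list_csv() {
  sed -n 's/^Chassis number: \([0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}\) serial number: \([0-9A-F]\{16\}\)$/\1,\2/p'
}

# The constructed sample run through the filter.
sample_vedge_list() {
  printf '%s\n' "$SAMPLE_SERIAL_OUTPUT" | vedge_list_csv
}

# Stand-alone run: print the rows (redirect to edge-list.csv to produce the upload file).
sample_vedge_list
```

Paste the real `show certificate serial` output from each vEdge into a file and run `vedge_list_csv < pasted.txt > edge-list.csv`; the row count should equal the number of vEdges you intend to authorize, and nothing else.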
vpn 0
interface eth0
tunnel-interface
commit and-quit
vBond and vEdge:
vpn 0
interface ge0/0
tunnel-interface
encapsulation ipsec
commit and-quit
After entering these, go back to the main dashboard.
vSmart and vBond are now online, but the vEdges are not. No rush; continue below.
Upgrading vManage, vSmart and vBond
Upload the required software images to vManage.
After the upload:
Upgrade vManage
On success:
Set the default version
Activate the new vManage version
vManage is now upgraded.
The device reboots after activation; wait for the reboot to finish before continuing.
Upgrade vBond and vSmart
Activate directly, then the devices reboot. This step is a bit slow because the image has to be pushed to vBond and vSmart.
On success:
The devices show as online on the dashboard, which confirms the upgrade succeeded.
Now add the vEdges
vEdge certificate authorization
Once done, Send to Controllers
Once done:
The vEdges now show as online on the dashboard.
Commands to check the control connections:
vManage
vmanage# show control local-properties
personality vmanage
sp-organization-name iteachs.com
organization-name iteachs.com
certificate-status Installed
root-ca-chain-status Installed
certificate-validity Valid
certificate-not-valid-before Mar 05 08:59:05 2020 GMT
certificate-not-valid-after Jul 18 08:59:05 2021 GMT
dns-name 10.1.1.2
site-id 100
domain-id 0
protocol dtls
tls-port 23456
system-ip 100.1.1.1
chassis-num/unique-id 1d83a485-e824-4836-ab82-00db7bea4c1c
serial-num F2F9B9947BE82084
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:12
dns-cache-ttl 0:00:02:00
port-hopped FALSE
time-since-last-port-hop 0:00:00:00
number-vbond-peers 1
INDEX IP PORT
-----------------------------------------------------
0 10.1.1.2 12346
number-active-wan-interfaces 2
PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE LAST
INSTANCE INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CONNECTION
----------------------------------------------------------------------------------------------------------------------------------------------------
0 eth0 10.1.1.1 12346 10.1.1.1 :: 12346 1/0 default up 0:00:00:18
1 eth0 10.1.1.1 12446 10.1.1.1 :: 12446 0/0 default up 0:00:00:16
vmanage#
vmanage# show control connections
PEER PEER PEER
PEER PEER PEER CONFIGURED SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT ORGANIZATION REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vedge dtls 101.1.1.1 101.1.1.1 1 1 172.16.1.1 12366 172.16.1.1 12366 iteachs.com default up 0:00:01:47
0 vsmart dtls 100.1.1.3 100.1.1.3 100 1 10.1.1.3 12346 10.1.1.3 12346 iteachs.com default up 0:00:07:24
0 vbond dtls 100.1.1.2 100.1.1.2 0 0 10.1.1.2 12346 10.1.1.2 12346 iteachs.com default up 0:00:08:38
1 vedge dtls 102.1.1.1 102.1.1.1 2 1 172.16.2.1 12366 172.16.2.1 12366 iteachs.com default up 0:00:01:57
1 vbond dtls - - 0 0 10.1.1.2 12346 10.1.1.2 12346 iteachs.com default up 0:00:08:39
vmanage#
Checks on vBond, vSmart and vEdge
vsmart# show control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB
INDEX TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0 vedge dtls 101.1.1.1 1 1 172.16.1.1 12366 172.16.1.1 12366 default up 0:00:03:31
0 vbond dtls - 0 0 10.1.1.2 12346 10.1.1.2 12346 default up 0:00:09:13
0 vmanage dtls 100.1.1.1 100 0 10.1.1.1 12346 10.1.1.1 12346 default up 0:00:09:08
1 vedge dtls 102.1.1.1 2 1 172.16.2.1 12366 172.16.2.1 12366 default up 0:00:03:41
1 vbond dtls - 0 0 10.1.1.2 12346 10.1.1.2 12346 default up 0:00:09:13
vsmart#
vedge1# show control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 100.1.1.3 100 1 10.1.1.3 12346 10.1.1.3 12346 default up 0:00:04:05 0
vbond dtls - 0 0 10.1.1.2 12346 10.1.1.2 12346 default up 0:00:04:05 0
vmanage dtls 100.1.1.1 100 0 10.1.1.1 12346 10.1.1.1 12346 default up 0:00:04:05 0
vedge1#
It took ages just to get the devices online, and Site1 and Site2 still cannot talk to each other... but two thirds of the work is done. No rush; continue below!
Making the routes work between the two sites
This step can be done in vManage by creating feature templates, attaching them to a device template, and pushing the template to the devices. Screenshots are a hassle, so I typed the commands on the devices directly. Honestly, I have not yet felt the fun that SD-WAN is supposed to bring.
The commands:
vEdge1:
vpn 0
interface ge0/0
nat
!## NAT on the public-facing (transport) interface
vpn 10
router
ospf
router-id 101.1.1.1
default-information originate
timers spf 200 1000 10000
redistribute omp ## redistribute OMP (overlay) routes into OSPF
area 0
interface ge0/1
network point-to-point
exit
exit
!
!
interface ge0/1
ip address 192.168.1.254/24
no shutdown
!
ip route 0.0.0.0/0 vpn 0
omp
advertise ospf external ## advertise OSPF external routes into OMP
!
!
vEdge2:
vpn 0
interface ge0/0
nat
!## NAT on the public-facing (transport) interface
vpn 10
router
ospf
router-id 102.1.1.1
default-information originate
timers spf 200 1000 10000
redistribute omp ## redistribute OMP (overlay) routes into OSPF
area 0
interface ge0/1
network point-to-point
exit
exit
!
!
interface ge0/1
ip address 192.168.2.254/24
no shutdown
!
ip route 0.0.0.0/0 vpn 0
omp
advertise ospf external ## advertise OSPF external routes into OMP
!
!
After configuring, check the OSPF neighbors and the routes
vedge1# show ospf neighbor
DBsmL -> Database Summary List
RqstL -> Link State Request List
RXmtl -> Link State Retransmission List
SOURCE DEAD
VPN IP ADDRESS INTERFACE ROUTER ID STATE PRIORITY TIMER DBsmL RqstL RXmtL
-------------------------------------------------------------------------------------------------------
10 192.168.1.1 ge0/1 1.1.1.1 full 1 33 0 0 0
vedge1# show ip routes vpn 10
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
10 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
10 1.1.1.1/32 ospf IA ge0/1 192.168.1.1 - - - - F,S
10 2.2.2.2/32 omp - - - - 102.1.1.1 default ipsec F,S
10 192.168.1.0/24 ospf IA ge0/1 - - - - - -
10 192.168.1.0/24 connected - ge0/1 - - - - - F,S
10 192.168.2.0/24 omp - - - - 102.1.1.1 default ipsec F,S
vedge1#
vedge2# show ospf neighbor
DBsmL -> Database Summary List
RqstL -> Link State Request List
RXmtl -> Link State Retransmission List
SOURCE DEAD
VPN IP ADDRESS INTERFACE ROUTER ID STATE PRIORITY TIMER DBsmL RqstL RXmtL
-------------------------------------------------------------------------------------------------------
10 192.168.2.1 ge0/1 2.2.2.2 full 1 36 0 0 0
vedge2# show ip routes vpn 10
Codes Proto-sub-type:
IA -> ospf-intra-area, IE -> ospf-inter-area,
E1 -> ospf-external1, E2 -> ospf-external2,
N1 -> ospf-nssa-external1, N2 -> ospf-nssa-external2,
e -> bgp-external, i -> bgp-internal
Codes Status flags:
F -> fib, S -> selected, I -> inactive,
B -> blackhole, R -> recursive
PROTOCOL NEXTHOP NEXTHOP NEXTHOP
VPN PREFIX PROTOCOL SUB TYPE IF NAME ADDR VPN TLOC IP COLOR ENCAP STATUS
---------------------------------------------------------------------------------------------------------------------------------------------
10 0.0.0.0/0 nat - ge0/0 - 0 - - - F,S
10 1.1.1.1/32 omp - - - - 101.1.1.1 default ipsec F,S
10 2.2.2.2/32 ospf IA ge0/1 192.168.2.1 - - - - F,S
10 192.168.1.0/24 omp - - - - 101.1.1.1 default ipsec F,S
10 192.168.2.0/24 ospf IA ge0/1 - - - - - -
10 192.168.2.0/24 connected - ge0/1 - - - - - F,S
vedge2#
Connectivity test between Site1 and Site2
Site1#show ip route ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.1.254 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/10] via 192.168.1.254, 00:08:47, Ethernet0/0
2.0.0.0/32 is subnetted, 1 subnets
O E2 2.2.2.2 [110/16777214] via 192.168.1.254, 00:03:50, Ethernet0/0
O E2 192.168.2.0/24 [110/16777214] via 192.168.1.254, 00:08:47, Ethernet0/0
Site1#
Site1#ping 2.2.2.2 so 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Site1#
Site1#tra
Site1#traceroute 2.2.2.2 so
Site1#traceroute 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Tracing the route to 2.2.2.2
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.1.254 0 msec 1 msec 0 msec
2 192.168.2.254 1 msec 0 msec 1 msec
3 192.168.2.1 1 msec * 1 msec
Site1#
Site1#
Site1#ping 100.100.100.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Site1#
That completes the lab. I am not including all the vManage screenshots (there are too many); follow the lab and check for yourself.
Summary
Viptela SD-WAN feels quite complex; the hardest part is bringing the devices online, especially the certificate handling and the vEdge authorization.
The routing part is easy; manual commands and templates both work, I just prefer the quick-and-dirty CLI.
And so far I still have not felt what fun SDN and SD-WAN are supposed to bring...
Comments
Impressive, you actually built SD-WAN in EVE. I guess that needs a high-spec server.
@咸鱼 The server does not need to be very powerful; I did not build that many devices...
What minimum specs are needed to run this smoothly?
@hatrk My server is 12 vCPU, 48 GB RAM, and every node is 2 vCPU, 4 GB RAM.
vedge-02# request root-cert-chain install scp://admin@x.x.x.x/home/admin/ROOTCA.pem vpn 0
Uploading root-ca-cert-chain via VPN 0
Copying ... admin@x.x.x.x:/home/admin/ROOTCA.pem via VPN 0
Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.
viptela 16.2.11
admin@x.x.x.x1's password:
Permission denied, please try again.
admin@x.x.x.x's password:
ROOTCA.pem 100% 1277 1.3KB/s 00:00
Error: Cannot upload root certificate file on a software vedge. Please use Viptela approved symantec signed certificates.
Failed to install the root certificate chain !!
How can I resolve it?
@you The vEdge version must be higher than 17.2.0 to add a custom root certificate; otherwise only Symantec-signed certificates can be used.
SDN only shows its advantages at scale, I suppose.
Also, you could try the assurance/insight type features of SDx.
@todd Thanks for the reply; I will keep learning.
Which version of EVE do you use? Why does my EVE template list have nothing about SD-WAN?
@tunnel I use the community edition. See the official documentation for how to add it:
https://www.eve-ng.net/index.php/documentation/howtos/howto-add-cisco-viptela-images-set/
@hale Could you share download links for the vtbond, vtedge, vtsmart and vtmgmt qcow2 files? Thanks.
@tunnel https://t.me/s/cisco_collection
The files are too large for me to share directly. Someone there posted download links; find and download them, then load them following the eve-ng documentation.
@hale Thank you
The Cisco SD-WAN Viptela 16.3.2 images need a SerialFile.viptela file; images that do not need a Cisco Smart Account:
16.3.2 vmanage, vbond, vsmart
17.2.0 vmanage, vbond, vsmart + vedge images
See this post for details:
https://blog.csdn.net/wuhao0015/article/details/104672395
Link: https://pan.baidu.com/s/1qfXyj-HS7774AhGi9xNpFw?pwd=jg22
Extraction code: jg22
@bo That is right, and I posted that article too...
@hale Hello Hale,
I finally found a way to add vEdges without a Cisco account!
Run the following command on vManage, vSmart and vBond:
request vedge add chassis-num ****** serial-num ******
@Bo Nice, thanks for the reply
With this great command the vEdge can join vManage directly, no upgrade needed:
request vedge add chassis-num dab9c7d7-80de-4736-aa37-5db9cecfc542 serial-num FC33DD6E3732C2FA
Run the following command on vManage, vBond and vSmart respectively, and the vEdge can join the SD-WAN fabric without the serial file.viptela:
request vedge add chassis-num ****** serial-num *****
@bo Thanks for the reply