This is an SD-WAN lab practical that will show how to configure Switch and Install CA Server. You can practice along with this practical, using our SD-WAN virtual lab.
1. Configure the following system parameters on vManage via CLI (log in to vManage with the default username: admin and password: admin)
Hostname: vManage
Organization: viptela sdwan
System IP: 200.1.1.12
Site ID: 1
vBond Address: 200.1.1.4
Clock timezone: Asia/Kolkata
2. Configure VPN0 on vManage with the following parameters
Interface: Eth1
IP address: 200.1.1.2/24
Tunnel Interface
Tunnel Services (All, NetConf, SSHD)
Default route gateway: 200.1.1.1
3. Configure VPN512 on vManage with the following parameters
Interface: Eth0
IP address: 192.168.10.2/24
4. Get GUI access to vManage on Windows Server (CA-Server) (log in to vManage with the default username: admin and password: admin)
5. Configure organization name as “viptela sdwan” and vBond IP address as 200.1.1.4 in vManage
6. Configure controller authorization as Enterprise Root and download root certificate from CA server and upload the certificate on vManage
7. Generate CSR on vManage, issue a certificate from CA-Server, and download signed certificate from CA-Server and install the certificate on vManage
8. Use encoding Method Base64 wherever required
Get console access to vManage using the default username “admin” and password “admin”
As soon as you log in, it asks you to select the storage device; select hdb, which is option 1, and confirm the format with Y.
It will then create the filesystem, and the system will reboot automatically
Log in to vManage again and you will see its login prompt
Now you can configure the basic configuration on vManage, such as hostname, organization name, system-IP, etc., as required by the lab tasks.
Verify this system configuration on vManage on its running configuration
Now configure the parameters of VPN0 and VPN512 on vManage. Remove Eth0 from VPN0 and assign it to VPN512. Commit after the VPN0 configuration first; only then will Eth0 appear in VPN512
Verify this configuration in the vManage running configuration of each VPN0 and VPN512
VPN512 is connected internally to all other SDWAN controllers, including CA-Server (Windows Server), in the subnet 192.168.10.0/24. So far we have configured CA-Server and vManage, so we should have reachability between these two.
If you are trying to ping CA-Server from vManage, ping using VPN512 because the connected interface is in VPN512
Since we have reachability to CA-Server (Windows Server), you can access the vManage GUI from there using https://192.168.10.2 or using http://200.1.1.2:8443
Browse to this IP on CA-Server (Windows Server); it is a non-secure connection, so click on Advanced and then click on “Proceed to 192.168.10.2 (unsafe)”
Note: Here we are using Windows Server to access the GUI of all SDWAN Controllers, including vManage
You can now see the login prompt of vManage, so log in using the default username “admin” and password “admin”
Once you have logged in to vManage, a Dashboard appears in which you can see various details, such as how many devices are registered, the control status, etc. Currently only 1 vManage is shown because the other SDWAN control devices are not yet registered with vManage. In the next lab we will be adding and registering them in vManage.
Go to Administration -> Settings, where you can see various parameters including Organization Name, vBond, etc.
Here, as per the task requirements, edit the Organization Name as SDWAN, confirm it again and save the configuration.
Similarly, edit the vBond IP address as 200.1.1.4 and save the configuration; keep the default port as it is.
Now you can see that both the Organization Name and the vBond IP address have been configured on vManage; earlier they were showing as “Not Configured”
As per the task requirement, you can configure Controller Authorization as Enterprise Root. First browse to the CA-Server IP address (https://192.168.10.5/certsrv) on Windows Server
Select the CA certificate named “CA-Server” and encoding method “Base64”, and click on “Download CA Certificate”
It will download a certificate file named “certnew.cer” on Windows Server, click on Keep to Save this file
Open the folder where this file has been downloaded and rename this file to “Rootcert”
Now open the Rootcert file in Notepad and copy the content of the file using Ctrl+A and Ctrl+C
Now log in to vManage again from Windows Server, go to Administration->Settings->Controller Certificate Authorization and click on Edit
Change “Certificate Signing by” to “Enterprise Root Certificate”; it will ask for confirmation, so click on Proceed
Here under “Enterprise Root Certificate” you can paste the certificate copied from the Rootcert file in the certificate area
The first step to generate a CSR on vManage is to set the CSR parameters, so check the “Set CSR Parameters” box, enter the Organization name, City, State and Country, set the Time to 3 Years (put any values of your choice) and click on Import & Save
Controller Certificate Authorization has now changed to Enterprise; earlier it was Manual
Now you can generate the CSR. Navigate to Configuration-> Certificates-> Controllers-> vManage-> Generate CSR
It will open a CSR file; from here you can either copy or download this CSR file. If you missed copying or downloading it, you can copy or download it again by clicking on View CSR. Here you can also check that the operation status is now CSR Generated, while earlier it was N/A
This CSR will be used in requesting a certificate from CA-Server in the next steps. Now browse CA-Server (https://192.168.10.5/certsrv) and request a certificate.
On the next window, click on advanced certificate request
On the next window, paste the content of the previously copied CSR in the box and click on Submit
It will show a pending status; just browse to the CA-Server again to retrieve the certificate
Now issue the certificate on CA-Server, open Server Manager-> Roles-> Active Directory Certificate Server-> CA-Server-> Pending Request-> More Actions-> All Tasks and click on Issue. This will now issue a certificate
You can now download the issued certificate, browse to CA-Server (https://192.168.10.5/certsrv)
On the next window, it shows the date and time of the saved certificate, click on it
Now here you select the Base64 encoding method and click on “Download Certificate” to download it
Keep the downloaded file
Open the folder where this file is downloaded and change its name to “vManage” just to have a meaningful name
Open this file in Notepad and copy (Ctrl+A and Ctrl+C) the content of the file
Using this file, you can install the identity certificate on vManage. In vManage, navigate to Configuration-> Certificate-> Controller and click on “Install Certificate” in the top right corner
It will open a certificate text area wherein you can paste the earlier copied certificate from CA-Server for vManage and then click on install
On vManage the certificate will be installed, and it shows the status as Success of the installed certificate.
Note: You may see a failure here if the current time (on the vManage CLI, run the command “show system status”) and the clock time (on the vManage CLI, run “show clock”) do not match; adjust the time by setting the clock with the command “clock set date <> time <>”. You may have to set the clock 12 or more hours ahead of the standard time set by timezone Asia/Kolkata on all devices. This setting is required on all SDWAN Controllers (vManage, vBond and vSmart)
Go back to the Configuration-> Certificates-> Controllers, you can see vManage certificate is installed and showing all the relevant details.
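The clock-mismatch failure described in the note above can be checked before clicking Install. The following is an added example, not part of the original lab or of vManage: it reads the validity window out of the Base64 certificate text and compares it with the controller clock. The function names are hypothetical, the sample certificate is a constructed, unsigned skeleton, and the clock value is assumed to be the “show clock” time converted to UTC.

```python
import base64, re
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    items = []                         # elements directly inside one SEQUENCE
    while start < end:
        items.append(read_tlv(buf, start))
        start = items[-1][2]
    return items

def parse_time(buf, tag, start, end):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity_window(pem_text):
    """Extract (notBefore, notAfter) from a Base64 (PEM) certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found (was the CSR pasted instead?)")
    der = base64.b64decode(m.group(1))
    _, tbs_start, tbs_end = read_tlv(der, read_tlv(der, 0)[1])  # Certificate -> tbsCertificate
    fields = children(der, tbs_start, tbs_end)
    fields = fields[1:] if fields[0][0] == 0xA0 else fields    # skip optional [0] version
    not_before, not_after = children(der, *fields[3][1:])      # serial, sigAlg, issuer, validity
    return parse_time(der, *not_before), parse_time(der, *not_after)

def install_check(pem_text, device_clock):
    """Classify the certificate against the controller clock (timezone-aware, UTC)."""
    not_before, not_after = validity_window(pem_text)
    if device_clock < not_before:
        return "not-yet-valid", not_before - device_clock
    if device_clock > not_after:
        return "expired", device_clock - not_after
    return "ok", not_after - device_clock

# Constructed sample: an unsigned DER skeleton holding only the fields parsed above.
def _tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body
_times = _tlv(0x17, b"240101120000Z") + _tlv(0x17, b"270101120000Z")   # notBefore, notAfter
_tbs = _tlv(0xA0, _tlv(2, b"\x02")) + _tlv(2, b"\x01") + _tlv(0x30) + _tlv(0x30) + _tlv(0x30, _times)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(_tlv(0x30, _tlv(0x30, _tbs))).decode() + "\n-----END CERTIFICATE-----\n")
```

Run against the text of the file downloaded from the CA-Server, a “not-yet-valid” result gives the amount by which the controller clock is behind the certificate's start time.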