Sunday, November 5, 2023

The Cisco SD-WAN edge device onboarding process can be summarised at a high level as follows:

·      Choose one of the following provisioning options to onboard the edge device.

o   Automatic provisioning

o   Semi-automatic/Bootstrap provisioning

o   Manual provisioning

·      Populate the device's chassis ID, serial number, organization name and certificate in the relevant systems.

o   When Automatic provisioning is used, these details must be populated in the ZTP/PnP portal and in the allowed list configured on the vBond controller.

o   When either of the other provisioning options is used, these details must be populated in the allowed list configured on the vBond controller.

·      Power on the edge device and follow the procedure for the chosen option:

o   If Automatic provisioning is used, no further action is required; the device completes zero-touch provisioning on its own.

o   If Bootstrap provisioning is used, the basic configuration file must be on a USB drive attached to the edge device while it boots.

o   If Manual provisioning is used, the basic configuration needed to reach the vBond controller is entered manually through the CLI.

·      The device authenticates with the relevant controllers and joins the fabric.

 

Edge Pre-Onboarding Process

 

Each edge device is preloaded with a root certificate, a unique serial number and a chassis ID during manufacturing. On a vEdge the certificate is stored in the TPM chip; on a cEdge it is stored in the SUDI chip.

 

The Cisco SD-WAN solution uses a whitelist (allowed-list) model: the serial number, chassis ID and certificate details must be populated in the PnP/ZTP connect portal and on the vBond controller for the respective organization.

 

Edge Onboarding Process

 

The onboarding process can be simplified into the following steps:

·      Obtaining the vBond information 

·      vBond Session Establishment

·      vManage Session Establishment

·      vSmart and Fabric Join



Obtaining the vBond information 

 

When the Automatic provisioning option is used, the procedure is as follows:

·      When the edge device comes up, it uses DHCP to obtain an IP address on its VPN0 (management) interface. This address is expected to have internet access so that the device can reach the ZTP/PnP server and the vBond controller.

·      The edge device uses DNS to resolve the ZTP/PnP server IP address.

o   For a vEdge, the name ztp.viptela.com is resolved to obtain the ZTP address.

o   For a cEdge, the name devicehelper.cisco.com is resolved to obtain the PnP address.

·      Once it has the ZTP/PnP server details, the edge device authenticates with the connect portal. The serial number and chassis ID are used to identify the Smart account associated with the customer, and the relevant vBond information is returned to the edge device.

 

When the Bootstrap provisioning option is used, the basic configuration file, including the vBond details, is loaded onto a USB drive that is connected to the device.

 

When the Manual provisioning option is used, the administrator is expected to configure the edge device manually through the CLI.

 

Whichever provisioning option is used, the edge device now has the vBond IP address.

 

vBond Session Establishment

 

The session establishment between the edge device and the vBond controller proceeds as follows:

 

·      On receiving the vBond IP address, the edge device establishes a secure, transient Datagram TLS (DTLS) connection over the UDP port range 12346-12445.

·      The vBond controller sends its Root CA-signed certificate to the edge device so that the device can validate the integrity of the vBond controller. It also sends a 256-bit nonce to the edge device.

·      The edge device validates the root of trust for the CA certificate received from the vBond controller.

o   If the validation fails, the session is terminated.

o   If the validation succeeds, the edge device responds with its serial number, chassis ID and certificate, together with the nonce signed using its private key.

·      The vBond controller validates the certificate and checks whether the serial number and chassis ID are in the allowed list.

o   If the certificate validation succeeds and the edge device is in the allowed list, it replies with the vManage and vSmart controller details.

o   If the certificate validation fails or the edge device is not in the allowed list, the session is terminated.

 

vManage Session Establishment

 

The session establishment between the edge device and the vManage controller proceeds as follows:

 

·      On receiving the vManage IP address, the edge device establishes a secure, transient Datagram TLS (DTLS) connection over the UDP port range 12346-13065.

·      The vManage controller sends its Root CA-signed certificate to the edge device so that the device can validate the integrity of the controller.

·      The edge device validates the root of trust for the CA certificate received from the vManage controller.

o   If the validation fails, the session is terminated.

o   If the validation succeeds, the edge device responds with its serial number, chassis ID and certificate.

·      The vManage controller validates the certificate and checks whether the serial number and chassis ID are in the allowed list.

o   If the certificate validation succeeds and the edge device is in the allowed list, it pushes the relevant configuration through NETCONF over SSH.

o   If the certificate validation fails or the edge device is not in the allowed list, the session is terminated.
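The certificate validation, nonce challenge and allowed-list checks of the vBond exchange (the vManage exchange is the same minus the nonce), modelled as an added example that is not Cisco's code or this post's: a toy root CA issues the controller and edge certificates, edgeAnswer plays the edge side and vbondAdmit the controller side. The function names, the serial/chassis values, ECDSA P-256 keys and a single-level chain check are assumptions of the model, not details of the real product.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// issue signs a certificate for cn with parentKey; parent == nil yields a self-signed root CA (toy PKI).
func issue(cn string, ca bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// chainsToRoot: root-of-trust check on a received certificate (production code also checks validity/revocation).
func chainsToRoot(root, cert *x509.Certificate) bool { return cert.CheckSignatureFrom(root) == nil }

// edgeAnswer plays the edge: validate the vBond certificate, then sign the nonce; nil = session terminated.
func edgeAnswer(root, vbondCert *x509.Certificate, nonce []byte, edgeKey *ecdsa.PrivateKey) []byte {
	if !chainsToRoot(root, vbondCert) {
		return nil
	}
	h := sha256.Sum256(nonce)
	sig, _ := ecdsa.SignASN1(rand.Reader, edgeKey, h[:])
	return sig
}

// vbondAdmit plays vBond: edge certificate, nonce signature (proof of key possession), then allowed list.
func vbondAdmit(root, edgeCert *x509.Certificate, nonce, sig []byte, serial, chassis string, allowed map[string]string) bool {
	h := sha256.Sum256(nonce)
	pub, ok := edgeCert.PublicKey.(*ecdsa.PublicKey)
	return ok && sig != nil && chainsToRoot(root, edgeCert) && ecdsa.VerifyASN1(pub, h[:], sig) && allowed[serial] == chassis
}
```

A harness that builds the root, a vBond certificate and an edge certificate with issue can then drive the two functions: a vBond certificate signed by any other CA makes edgeAnswer return nil, and a signature over a different nonce, a missing signature or an unlisted serial/chassis pair makes vbondAdmit return false.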

 

vSmart and Fabric Join

 

The session establishment between the edge device and the vSmart controller proceeds as follows:

 

·      The edge device establishes a secure, transient Datagram TLS (DTLS) connection to the vSmart controller over the UDP port range 12346-13065.

·      An OMP session is established between the vSmart controller and the edge device for route and policy updates.

