A Little About Viptela and Secure Provisioning – Part 2

April 14, 2020

By Kevin Prater, Kovarus, Practice Manager Collaboration / Network Edge

To recap Part 1 quickly: this solution uses both symmetric and asymmetric encryption. Asymmetric keys handle the authentication piece and the sharing of the symmetric keys. The symmetric keys then address the integrity and confidentiality piece, because symmetric encryption is less processor intensive and much faster when encrypting large amounts of data.

Zero Touch Provisioning (ZTP)

ZTP provides for automatic provisioning of your Cisco edge devices into your organization’s SD-WAN overlay. In a nutshell what we’re trying to accomplish is:

  1. Pull a new edge device out of the box
  2. Plug it into the network
  3. Have it provision itself from the cloud

Cisco currently has a couple of different flavors of hardware: the vEdge appliances and the cEdge devices, which are your ISR/ASR-based platforms. The vEdges refer to this automated provisioning as ZTP, while the cEdges call it PnP. The differences between the two are minor and are listed after the vEdge steps. Here’s the sequence of events from power-up through final config:

ZTP Process for vEdge Devices

  1. Power up the vEdge.
  2. Connect one of the interfaces to the network to obtain a DHCP address.
      1. Depending on the vEdge platform you’re using (vEdge 100, 1K, 2K, etc.), the interface you connect to the internet may be different.
      2. The software on board comes pre-configured to point to ztp.viptela.com.
        NOTE: This must be resolvable via DNS.
  3. All vEdge devices are shipped with a chassis, serial number and burned-in certificate (Avnet) in an on-board TPM chip. The vEdge presents this to the ZTP server, which then verifies that “yes” this device belongs to this network or “no” it does not.
  4. Once verified, the ZTP server sends back the IP address of the vBond this vEdge needs to use.
  5. At this point the vEdge device connects to the organization’s vBond server and is verified against a certificate (Symantec) and a (chassis/serial number) whitelist on the vManage server.
  6. The vEdge now connects to vManage and is verified again via the same process, whitelist, and certificate.
  7. Once verified here, vManage provides a system IP to the vEdge.
    NOTE: Until this point, our vEdge has had a system IP of
  8. With that config change, the control connection flaps, forcing a reconnect to the vBond server, which redirects to vManage.
  9. Our edge device now reconnects to vManage and receives its full configuration.
  10. With the full config in place, the vEdge reboots one last time and then joins the organization’s overlay fabric.


The PnP process for cEdge Devices (Cisco ISR/ASR) is the same but with 2 key distinctions:

  1. The SD-WAN software points to a different address for PnP: devicehelper.cisco.com.
  2. You no longer need to worry about which interface you plug into the network; the device will continue through the process until it hits an interface that gets a DHCP address.
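
The verification gates in the two sequences above can be modelled in a few lines to show where a device gets stopped and why. This is an added example, not Cisco's code and not from the original post: the `Device` class, the `gate` and `onboard` functions, the inventory contents and all addresses are constructed, the certificate check is reduced to a boolean, and the reconnect and reboot steps are not modelled.

```python
from dataclasses import dataclass

# Bootstrap hostnames named in the post; everything else below is constructed.
BOOTSTRAP_HOST = {"vedge": "ztp.viptela.com", "cedge": "devicehelper.cisco.com"}

@dataclass(frozen=True)
class Device:
    platform: str       # "vedge" or "cedge"
    chassis: str
    serial: str
    cert_trusted: bool  # stand-in for validating the burned-in certificate chain

    @property
    def ident(self):
        return (self.chassis, self.serial)

# Constructed sample state: placeholder identifiers and documentation addresses.
ZTP_INVENTORY = {("CH-A", "SN-1"): "192.0.2.10", ("CH-B", "SN-2"): "192.0.2.10"}
VMANAGE_WHITELIST = {("CH-A", "SN-1")}
SYSTEM_IPS = {("CH-A", "SN-1"): "10.255.0.1"}

def gate(dev, allowlist):
    """A controller admits a device only if certificate AND identity both check out."""
    return dev.cert_trusted and dev.ident in allowlist

def onboard(dev, resolvable):
    """Walk the gates in order and return (stage, detail).
    `resolvable` is the set of hostnames the site's DNS answers for
    (assumption: injected as a set so the model runs offline)."""
    host = BOOTSTRAP_HOST[dev.platform]
    if host not in resolvable:
        return ("dns", f"{host} does not resolve")
    if not gate(dev, ZTP_INVENTORY):
        return ("ztp", "bootstrap server does not recognise this device")
    vbond = ZTP_INVENTORY[dev.ident]
    for controller in ("vbond", "vmanage"):  # same check, performed at each hop
        if not gate(dev, VMANAGE_WHITELIST):
            return (controller, "certificate or chassis/serial whitelist check failed")
    return ("joined", {"vbond": vbond, "system_ip": SYSTEM_IPS[dev.ident]})

if __name__ == "__main__":
    dns = set(BOOTSTRAP_HOST.values())
    for d in (Device("vedge", "CH-A", "SN-1", True),
              Device("vedge", "CH-B", "SN-2", True),    # known to ZTP, not whitelisted
              Device("vedge", "CH-A", "SN-1", False)):  # right serial, bad certificate
        print(d.ident, d.cert_trusted, "->", onboard(d, dns))
```

The returned stage tells an administrator which list or prerequisite to inspect when a device never shows up in the overlay.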

The above looks like a lot of steps, but most of them go unseen by the administrator. Check out this video demo; it’s a pretty simple setup:

I’d love to chat more! Connect with me on Webex Teams! You can find me at kprater@kovarus.com