I’m rebuilding my Catalyst SD-WAN lab and thought I would give some quick pointers on how to bootstrap a Catalyst 8000v in your virtual lab. When the router first boots up, it will be in autonomous mode (non-SD-WAN mode):
Router#show version | i operating
Router operating mode: Autonomous

Configure the router to be in controller mode, which will cause it to reboot:

Router#controller-mode enable
Enabling controller mode will erase the nvram filesystem, remove all configuration files, and reload the box!
Ensure the BOOT variable points to a valid image
Continue? [confirm]
% Warning: Bootstrap config file needed for Day-0 boot is missing
Do you want to abort? (yes/[no]): no
To bootstrap the router, the following is needed:
- System IP
- Site ID
- Organization name
- vBond name/IP
- IP address of tunnel interface (if not using DHCP)
- Tunnel interface name
- DNS server (if using name resolution)
- On-premises root cert (if using your own certificates)
- Certificate
First, verify that the router is now in controller mode:
Router#show version | i operating
Router operating mode: Controller-Managed
Create a small bootstrap configuration with all the required parameters. Mine is below (some information redacted):
config-transaction
 system
  system-ip x.x.x.x
  site-id xxxxxxxxxx
  organization-name "sd-wan-lab-daniel"
  vbond
 interface GigabitEthernet1.544
  no shutdown
  ip address
 exit
 !
 interface Tunnel544001
  no shutdown
  ip unnumbered GigabitEthernet1.544
  tunnel source GigabitEthernet1.544
  tunnel mode sdwan
 exit
 !
 sdwan
  interface GigabitEthernet1.544
   tunnel-interface
    encapsulation ipsec
    color gold
   exit
 !
 ip route
 commit
If you don’t know how to calculate the tunnel number, refer to my blog post that covers this.
Then, copy the root certificate via SCP (mine is on vManage):
Router#copy scp://<user>@<vmanage-ip> bootflash:
Source filename []? /home/admin/ROOTCA.pem
Destination filename [ROOTCA.pem]? viptela
Password:
 Sending file modes: C0600 1306 ROOTCA.pem
!
1306 bytes copied in 5.324 secs (245 bytes/sec)
Install the root certificate (note the warning in the output: future releases expect the file under bootflash:sdwan/):

Router#request platform software sdwan root-cert-chain install bootflash:ROOTCA.pem
Uploading root-ca-cert-chain via VPN 0
Changing ownership of vedge_certs to binos...
Changing ownership of /usr/share/viptela/backup_certs to binos.
Copying /bootflash/ROOTCA.pem to /tmp/vconfd/root-ca.crt.tmp via VPN 0
Changing ownership of /usr/share/viptela/backup_certs to binos.
Moving /tmp/vconfd/root-ca.crt.tmp to /usr/share/viptela/root-ca.crt via VPN 0
Updating the root certificate chain..
send_install_root_ca_crt_chain_notification
Successfully installed the root certificate chain
Successfully installed the root certificate chain
Warn: Use /bootflash/sdwan - any other path support will be deprecated. Filename /bootflash/ROOTCA.pem will be required to be located in /bootflash/sdwan directory. PLATFORM_TYPE "cedge"
Use /bootflash/sdwan - any other path support will be deprecated. Filename /bootflash/ROOTCA.pem will be required to be located in /bootflash/sdwan directory. PLATFORM_TYPE "cedge"
Verify that the root cert has been installed:
Router#show sdwan certificate root-ca-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:d0:04:01:4e:92:5b:e0:4e:a1:1d:98:b0:c1:a0:d7:b9:a3:98:06
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = X, ST = X, L = X, O = sd-wan-lab-daniel, CN = vManage-lab
        Validity
            Not Before: Jun 27 06:07:28 2023 GMT
            Not After : Dec 17 06:07:28 2028 GMT
        Subject: C = X, ST = X, L = X, O = sd-wan-lab-daniel, CN = vManage-lab
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a8:a6:29:e7:51:cb:41:25:28:20:51:73:50:ba:
                    57:f6:bf:89:0e:06:45:c2:c0:09:96:d3:2d:33:fa:
                    7e:a3:cd:29:70:a1:a5:07:d3:ed:5b:f4:d7:2a:6c:
                    bb:8d:cb:7d:58:23:68:17:0b:92:83:e8:10:d1:70:
                    04:12:99:67:fe:59:c3:b9:ce:f2:2a:23:89:3d:f2:
                    06:cd:ff:06:c4:39:94:82:8e:d6:f1:2d:d8:a8:36:
                    f7:5a:66:5e:9b:c2:b9:60:53:aa:c3:9a:af:12:c1:
                    a1:7b:f8:59:f5:87:8f:a7:c3:d2:45:cc:07:59:9f:
                    4c:e6:74:98:78:ed:68:a9:23:cf:84:9b:e8:5b:25:
                    4d:3f:61:2c:a1:10:ed:c4:27:6a:a0:fd:fb:29:08:
                    fe:b5:1f:13:80:75:d6:ff:b6:53:d1:70:69:6d:44:
                    87:49:63:79:a2:82:21:9c:10:88:54:0d:2f:6e:2a:
                    0b:9c:88:03:3d:cb:9a:ed:3c:50:7c:7c:67:97:95:
                    52:c2:d6:55:58:32:16:04:a2:b8:ca:98:a3:7b:72:
                    2b:cc:61:81:78:7f:13:a5:65:eb:c5:8e:24:a9:83:
                    00:99:3f:ce:4e:18:c0:ed:ff:3c:3c:42:9b:6a:81:
                    7c:78:7a:f7:ea:cb:01:78:17:b2:8e:75:93:93:f8:
                    be:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                8B:8B:20:06:88:72:0D:3D:EF:DC:51:F0:51:93:F3:BE:33:2B:0B:9C
            X509v3 Authority Key Identifier:
                keyid:8B:8B:20:06:88:72:0D:3D:EF:DC:51:F0:51:93:F3:BE:33:2B:0B:9C
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         13:56:c6:44:f6:79:b2:0e:86:01:39:d7:51:8e:a0:33:f6:b4:
         d0:ee:ee:f6:a3:28:88:4e:ee:e6:92:1d:71:32:0e:dd:d2:88:
         cb:c6:2a:89:df:ef:f2:a7:6c:71:05:77:27:68:a3:33:86:03:
         fa:82:83:47:48:d8:a0:e9:e6:ac:28:5c:c3:ba:38:7c:16:c2:
         b8:70:6d:5f:2d:c9:10:ee:1d:aa:49:ed:9f:a9:6c:36:0c:ae:
         70:bb:9f:eb:ff:f3:3e:22:37:1d:45:e6:0e:37:b9:75:0b:81:
         41:dd:c5:15:a5:ab:8a:f4:53:97:d0:44:48:94:e3:55:95:92:
         d6:52:99:af:23:6b:ac:a4:d8:5b:b8:04:cc:6f:54:37:e7:7b:
         05:b9:e8:37:90:ee:1f:17:8b:4d:2a:be:84:da:e3:f0:25:04:
         14:9b:7c:ba:d3:0b:f2:d3:a8:0b:17:85:83:d4:ab:93:fa:24:
         a8:23:45:ef:b7:a3:27:20:42:ff:ef:bd:22:16:be:09:b3:81:
         84:9d:d9:8b:45:fe:51:1d:b9:c1:c0:da:39:f3:1c:01:13:6a:
         ae:11:59:e0:96:3b:2a:82:44:74:5e:df:68:c4:5f:9e:2d:0b:
         b2:5c:f8:ad:e3:12:d2:35:c9:49:dc:77:4c:ee:b8:4d:c1:09:
         2a:46:5f:54
At this point, the router still does not have a device certificate installed (only the root chain):

Router#show sdwan control local-properties
personality                       vedge
sp-organization-name              sd-wan-lab-daniel
organization-name                 sd-wan-lab-daniel
root-ca-chain-status              Installed
root-ca-crl-status                Not-Installed
certificate-status                Not-Installed
certificate-validity              Not Applicable
certificate-not-valid-before      Not Applicable
certificate-not-valid-after       Not Applicable
enterprise-cert-status            Not Applicable
enterprise-cert-validity          Not Applicable
enterprise-cert-not-valid-before  Not Applicable
enterprise-cert-not-valid-after   Not Applicable
dns-name
site-id                           xxxxxxxxxx
domain-id                         1
protocol                          dtls
tls-port                          0
system-ip                         x.x.x.x
chassis-num/unique-id             C8K-a504f7df-4553-4d98-abca-4d9554f730e6
serial-num                        No certificate installed
subject-serial-num                N/A
enterprise-serial-num             No certificate installed
token                             Invalid
keygen-interval                   1:00:00:00
retry-interval                    0:00:00:15
no-activity-exp-interval          0:00:00:20
dns-cache-ttl                     0:00:00:00
port-hopped                       TRUE
time-since-last-port-hop          0:00:07:19
embargo-check                     success
device-role                       edge-router
region-id-set                     N/A
number-vbond-peers                0
number-active-wan-interfaces      1
Install a certificate using the chassis number and token generated for this device in vManage:

Router#request platform software sdwan vedge_cloud activate chassis-number C8K-10BEE61A-E502-9DE1-1490-2AE59F22C54D token 2dfde35533224920954e74d505a25cd4
Verify that the certificate has been installed:
Router#show sdwan control local-properties
personality                       vedge
sp-organization-name              sd-wan-lab-daniel
organization-name                 sd-wan-lab-daniel
root-ca-chain-status              Installed
root-ca-crl-status                Not-Installed
certificate-status                Not-Installed
certificate-validity              Not Applicable
certificate-not-valid-before      Not Applicable
certificate-not-valid-after       Not Applicable
enterprise-cert-status            Not Applicable
enterprise-cert-validity          Not Applicable
enterprise-cert-not-valid-before  Not Applicable
enterprise-cert-not-valid-after   Not Applicable
dns-name
site-id                           xxxxxxxxxx
domain-id                         1
protocol                          dtls
tls-port                          0
system-ip                         x.x.x.x
chassis-num/unique-id             C8K-10BEE61A-E502-9DE1-1490-2AE59F22C54D
serial-num                        No certificate installed
subject-serial-num                N/A
enterprise-serial-num             No certificate installed
token                             2dfde35533224920954e74d505a25cd4
keygen-interval                   1:00:00:00
retry-interval                    0:00:00:15
no-activity-exp-interval          0:00:00:20
dns-cache-ttl                     0:00:00:00
port-hopped                       TRUE
time-since-last-port-hop          0:00:12:10
embargo-check                     success
device-role                       edge-router
region-id-set                     N/A
number-vbond-peers                1
No certificate installed?! This happens if you check the status too soon after the activate command; the chassis number and token have been accepted, but the certificate has not been issued yet. Give it a minute and try again:

Router#show sdwan control local-properties
personality                       vedge
sp-organization-name              sd-wan-lab-daniel
organization-name                 sd-wan-lab-daniel
root-ca-chain-status              Installed
root-ca-crl-status                Not-Installed
certificate-status                Installed
certificate-validity              Valid
certificate-not-valid-before      Jul 7 05:56:41 2023 GMT
certificate-not-valid-after       Jul 4 05:56:41 2033 GMT
enterprise-cert-status            Not Applicable
enterprise-cert-validity          Not Applicable
enterprise-cert-not-valid-before  Not Applicable
enterprise-cert-not-valid-after   Not Applicable
dns-name
site-id                           xxxxxxxxxx
domain-id                         1
protocol                          dtls
tls-port                          0
system-ip                         x.x.x.x
chassis-num/unique-id             C8K-10BEE61A-E502-9DE1-1490-2AE59F22C54D
serial-num                        8BF468F3
subject-serial-num                N/A
enterprise-serial-num             No certificate installed
token                             Invalid
keygen-interval                   1:00:00:00
retry-interval                    0:00:00:15
no-activity-exp-interval          0:00:00:20
dns-cache-ttl                     0:00:00:00
port-hopped                       TRUE
time-since-last-port-hop          0:00:12:57
embargo-check                     success
device-role                       edge-router
region-id-set                     N/A
number-vbond-peers                1
Verify that control connections have been established:
Router#show sdwan control connections
                                                             PEER              PEER                                              CONTROLLER
PEER     PEER  PEER        SITE        DOMAIN  PEER          PRIV  PEER        PUB                                               GROUP
TYPE     PROT  SYSTEM IP   ID          ID      PRIVATE IP    PORT  PUBLIC IP   PORT   ORGANIZATION        LOCAL COLOR  PROXY  STATE  UPTIME      ID
-------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart   dtls              xxxxxxxxxx  1                     12446             12446  sd-wan-lab-daniel   gold         No     up     0:00:01:19  0
vsmart   dtls              xxxxxxxxxx  1                     12446             12446  sd-wan-lab-daniel   gold         No     up     0:00:01:19  0
vmanage  dtls              xxxxxxxxxx  0                     12646             12646  sd-wan-lab-daniel   gold         No     up     0:00:01:19  0
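As an added example (not code from the post), here is a small Python check that parses the `show sdwan control local-properties` and `show sdwan control connections` outputs shown above, classifies the certificate state (including the transient "token set but certificate Not-Installed" state seen right after activation) and counts the controller connections that are up. The sample outputs, IPs and token in it are constructed; only the key names and the validity dates come from the post.

```python
# Added example (not from the post): classify bootstrap state from the two `show sdwan control` outputs.
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # certificate-not-valid-before/after format

def parse_local_properties(text):
    """'<key> <value...>' per line; values may hold spaces or be empty (dns-name)."""
    props = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 1)
        if parts:
            props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props

def certificate_state(text, now_iso=None):
    """Returns missing-root-ca | not-activated | activation-pending | not-yet-valid |
    expired | installed; 'activation-pending' is the transient state right after the
    activate command (token accepted, device certificate not yet issued)."""
    p = parse_local_properties(text)
    if p.get("root-ca-chain-status") != "Installed":
        return "missing-root-ca"
    if p.get("certificate-status") != "Installed":
        return "activation-pending" if p.get("token", "Invalid") != "Invalid" else "not-activated"
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc).replace(tzinfo=None)
    not_before = datetime.strptime(p["certificate-not-valid-before"], DATE_FMT)
    not_after = datetime.strptime(p["certificate-not-valid-after"], DATE_FMT)
    if now < not_before:
        return "not-yet-valid"
    return "expired" if now > not_after else "installed"

def controllers_up(text):
    """Count 'up' control connections per controller type; assumes the column
    order shown in the post, where STATE is the third field from the end."""
    counts = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 3 and tok[0] in ("vmanage", "vsmart", "vbond") and tok[-3] == "up":
            counts[tok[0]] = counts.get(tok[0], 0) + 1
    return counts

# Constructed samples (fake IPs/token) mirroring the post's output snapshots.
NOT_ACTIVATED = "root-ca-chain-status Installed\ncertificate-status Not-Installed\ntoken Invalid"
PENDING = "root-ca-chain-status Installed\ncertificate-status Not-Installed\ntoken 0123456789abcdef"
INSTALLED = """root-ca-chain-status Installed
certificate-status Installed
certificate-not-valid-before Jul 7 05:56:41 2023 GMT
certificate-not-valid-after Jul 4 05:56:41 2033 GMT
token Invalid"""
CONNECTIONS = """vsmart  dtls 10.1.1.1 100 1 10.1.1.1 12446 10.1.1.1 12446 sd-wan-lab-daniel gold No up 0:00:01:19 0
vmanage dtls 10.1.1.3 100 0 10.1.1.3 12646 10.1.1.3 12646 sd-wan-lab-daniel gold No up 0:00:01:19 0"""
```

Run `certificate_state()` on the output in a loop with a short sleep to wait out the "activation-pending" window instead of eyeballing the status, and treat anything other than "installed" plus one "vmanage" and at least one "vsmart" connection as a failed bootstrap.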
Success! That’s how you bootstrap a Catalyst 8000v. I hope this post has been informative and see you next time.