
Cisco Viptela SDWAN Control Plane setup with Certificates!

In our earlier article we discussed how to spin up and start the Cisco SDWAN controllers (vManage, vSmart and vBond) and how they integrate with one another. Now we are going to talk about building up the control plane in Cisco Viptela SDWAN.

What is included when we talk about building up the control plane of Cisco SDWAN?
Fair question. We will cover the following:
  • How to install the software image of the controllers in the cloud
  • The signed certificates on the controllers. All the controllers must be up and must have authenticated one another; this is referred to as the Zero Trust Model.
In the Zero Trust Model, trust among the controllers (vManage, vBond and vSmart) and the routers (vEdge/cEdge) is established through signed certificates, and the signed certificate can come from an enterprise CA, Symantec or Cisco PKI.

vManage dashboard once you log in



How do we generate the certificates and set things up?
  • First of all, generate the CSR (Certificate Signing Request) for vBond and vSmart.
  • Submit the CSR to the CA with the required information.
  • A signed certificate for each CSR will be received from the CA.
  • Install the signed certificate on the vBond and vSmart.
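
A lab sketch of the four steps above with an enterprise CA, added here as an example and not taken from the original article or from Cisco's tooling: openssl stands in for the controller and the CA, and the checks are the ones worth running before a signed certificate is installed. The file names, the CN `vsmart-lab`, the organization name `lab-sdwan-org`, and the choice to carry the organization name in the subject OU are assumptions.

```shell
# Added lab example: every name, path and organization value here is constructed.

# Build a throwaway root CA, then a device key + CSR, and sign the CSR.
make_lab_pki() {  # usage: make_lab_pki <dir> <org-name>
  local d=$1 org=$2
  mkdir -p "$d" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Lab/CN=Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # Step 1: the CSR (a real controller generates its own key and CSR).
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Lab/OU=$org/CN=vsmart-lab" \
    -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null || return 1
  # Steps 2-3: the CA signs the CSR and hands back a certificate.
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/dev.pem" 2>/dev/null || return 1
}

# Checks to run before step 4 (install). Return code identifies the failed check.
check_signed_cert() {  # usage: check_signed_cert <cert> <csr> <root-ca> <org-name>
  local cert=$1 csr=$2 ca=$3 org=$4
  # 1. Chain: the certificate must verify against the root CA the overlay trusts.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: does not chain to the root CA"; return 1; }
  # 2. Key binding: the certificate must carry the public key from this CSR,
  #    otherwise it belongs to a different request or device.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl req -in "$csr" -noout -pubkey)" ] \
    || { echo "FAIL: public key differs from the CSR"; return 2; }
  # 3. Organization name (assumed to sit in the subject OU; simple names only,
  #    since the split below does not handle escaped commas).
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | grep -qxF "OU=$org" \
    || { echo "FAIL: organization name mismatch"; return 3; }
  echo "OK"
}

# Demo on the constructed lab PKI.
LAB=$(mktemp -d)
make_lab_pki "$LAB" "lab-sdwan-org"
check_signed_cert "$LAB/dev.pem" "$LAB/dev.csr" "$LAB/ca.pem" "lab-sdwan-org"
```
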
vManage can automate these tasks, depending on the CA (Symantec and Cisco PKI). vManage does so through built-in API calls to Symantec. This automated process requires the configuration below on vManage.

Certificate Authorization Settings 
  • Access the vManage Settings page: click Administration ---> select Settings.
  • Configure the Organization name. It must be the same in the configuration of all devices, and it is the one configured on vBond. Once done, specify the Certificate Authorization settings.
  • Expand Controller Certificate Authorization by clicking the Edit button.

The Certificate Retrieve Interval shown in the snapshot above specifies how often vManage checks whether the Symantec signing server has sent the certificate. Provide the required details and save the changes.
Once the above settings are correctly configured, the certificate-related tasks are automated.

vManage uses API calls to generate the CSR, submit the CSR to Symantec for signing, and install the received signed certificate on the devices.


Add the controllers to the vManage 

  • Click the Configuration menu ---> select Devices
  • Click Add Controller, and add a vBond orchestrator and a vSmart controller to the overlay network
  • Provide all the information the wizard asks for.
Check that the controller has been added, as shown below.


The vManage NMS sends the CSR to Symantec. It periodically checks with Symantec, and when the signed certificate is ready, the NMS retrieves it. Then, the vManage NMS installs the signed certificate on the device and sends it to the vBond orchestrator.

By default, the vManage NMS checks with Symantec once per hour. This interval allows time for Symantec to verify your device and network information with the cloud operations team. This is a configurable setting and can be fine-tuned.