
Security

Use the Security template for all Viptela devices. On vEdge Cloud and vEdge routers and on vBond orchestrators, use this template to configure IPsec for data plane security. On vManage NMSs and vSmart controllers, use this template to configure DTLS or TLS for control plane security.

Navigate to the Template Screen and Name the Template

  1. In vManage NMS, select the Configuration ► Templates screen.
  2. In the Device tab, click Create Template.
  3. From the Create Template drop-down, select From Feature Template.
  4. From the Device Model drop-down, select the type of device for which you are creating the template.
  5. To create a custom template for Security, select the Factory_Default_Security_Template and click Create Template. The Security template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining Security parameters.
  6. In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
  7. In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.

When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down to the left of the parameter field and select one of the following:

Parameter Scope

Scope Description

Device Specific (indicated by a host icon)

Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template.

When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet.

To change the default key, type a new string and move the cursor out of the Enter Key box.

Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID.

Global (indicated by a globe icon)

Enter a value for the parameter, and apply that value to all devices.

Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.

Configure Control Plane Security

To configure the control plane connection protocol on a vManage NMS or a vSmart controller, select the Basic Configuration tab and configure the following parameters:

Parameter Name | Description
Protocol | Select the protocol to use on control plane connections to a vSmart controller: DTLS (Datagram Transport Layer Security), which is the default, or TLS (Transport Layer Security).
Control TLS Port | If you selected TLS, configure the port number to use. Range: 1025 through 65535. Default: 23456.

To save the feature template, click Save.

CLI equivalent:

security
  control
    protocol (dtls | tls)
    tls-port port-number

Configure Data Plane Security

To configure data plane security on a vBond controller or vEdge router, select the Basic Configuration and Authentication Type tabs, and configure the following parameters:

Parameter Name | Description
Rekey Time | Specify how often a vEdge router changes the AES key used on its secure DTLS connection to the vSmart controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours).
Replay Window | Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. Default: 512 packets.

Authentication Type

Select the authentication types from the Authentication List, and click the arrow to move them to the Selected List:

  • ah-no-id—Enable a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the packet's outer IP header.
  • ah-sha1-hmac—Enable AH-SHA1 HMAC and ESP HMAC-SHA1.
  • none—Select no authentication.
  • sha1-hmac—Enable ESP HMAC-SHA1.

To save the feature template, click Save.

CLI equivalent:

security
  ipsec
    authentication-type type
    rekey seconds
    replay-window number
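The following is an added example, not code from Viptela or Cisco, that checks the values described in the Control Plane Security and Data Plane Security sections above against the ranges and allowed values those sections state, and then renders the matching CLI equivalent. Rendering several authentication types on one space-separated authentication-type line, and the omp_graceful_restart_timer argument used to express the "at least twice" rule, are assumptions made here for illustration.

```python
# Added example (not Viptela/Cisco code): validate Security template values
# from the sections above and render the CLI equivalent.
# Ranges, defaults and allowed values are taken from the page; the
# omp_graceful_restart_timer argument and the single-line rendering of
# several authentication types are assumptions of this example.

REPLAY_WINDOWS = {64, 128, 256, 512, 1024, 2048, 4096, 8192}
AUTH_TYPES = {"ah-no-id", "ah-sha1-hmac", "none", "sha1-hmac"}


def control_plane_cli(protocol="dtls", tls_port=23456):
    """Render `security control` for a vManage NMS or vSmart controller.

    DTLS is the default; a TLS port must lie in 1025 through 65535.
    """
    if protocol not in ("dtls", "tls"):
        raise ValueError(f"protocol must be dtls or tls, got {protocol!r}")
    if protocol == "tls" and not 1025 <= tls_port <= 65535:
        raise ValueError(f"tls-port {tls_port} is outside 1025-65535")
    lines = ["security", "  control", f"    protocol {protocol}"]
    if protocol == "tls":
        lines.append(f"    tls-port {tls_port}")
    return "\n".join(lines)


def data_plane_cli(auth_types, rekey=86400, replay_window=512,
                   omp_graceful_restart_timer=None):
    """Render `security ipsec` for a vEdge router after checking each value.

    rekey must be 10 through 1209600 seconds and, when OMP graceful restart
    is enabled (timer given), at least twice that timer; replay_window must
    be one of the listed power-of-two sizes.
    """
    unknown = set(auth_types) - AUTH_TYPES
    if unknown:
        raise ValueError(f"unknown authentication type(s): {sorted(unknown)}")
    if not 10 <= rekey <= 1209600:
        raise ValueError(f"rekey {rekey} is outside 10-1209600 seconds")
    if omp_graceful_restart_timer is not None and rekey < 2 * omp_graceful_restart_timer:
        raise ValueError(
            f"rekey {rekey} must be at least twice the OMP graceful restart "
            f"timer ({omp_graceful_restart_timer})")
    if replay_window not in REPLAY_WINDOWS:
        raise ValueError(f"replay-window {replay_window} not in {sorted(REPLAY_WINDOWS)}")
    lines = [
        "security",
        "  ipsec",
        "    authentication-type " + " ".join(auth_types),  # assumed syntax
        f"    rekey {rekey}",
        f"    replay-window {replay_window}",
    ]
    return "\n".join(lines)


def validation_error(render, *args, **kwargs):
    """Return the ValueError message a render function raises, or None."""
    try:
        render(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(control_plane_cli("tls"))
    print(data_plane_cli(["ah-sha1-hmac", "sha1-hmac"], omp_graceful_restart_timer=43200))
    print(validation_error(data_plane_cli, ["sha1-hmac"], rekey=1000,
                           omp_graceful_restart_timer=600))
```

Running the script with the default values reproduces the defaults shown in the tables (protocol dtls, rekey 86400, replay-window 512); passing a rekey time shorter than twice the graceful restart timer is reported instead of being rendered.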

Release Information

Introduced in vManage NMS in Release 15.2.
