Basic Settings for Cisco vManage
The System template is used to configure system-level Cisco vManage workflows.
Use the Settings screen to view the current settings and to configure Cisco vManage parameters, including the organization name, vBond orchestrator's DNS name or IP address, certificate settings, and statistics collection.
The current setting for each item is displayed in the bar for each item, immediately following the name.
Configure Organization Name
Before you can generate a Certificate Signing Request (CSR), you must configure the name of your organization. The organization name is included in the CSR.
In public key infrastructure (PKI) systems, a CSR is sent to a certificate authority to apply for a digital identity certificate.
To configure the organization name:
-
Click the Edit button to the right of the Organization Name bar.
-
In the Organization Name field, enter the name of your organization. The organization name must be identical to the name that is configured on the vBond orchestrator.
-
In the Confirm Organization Name field, re-enter and confirm your organization name.
-
Click Save.
Note that once the control connections are up and running, the organization name bar is no longer editable.
Configure Cisco vBond DNS Name or IP Address
-
Click the Edit button to the right of the vBond bar.
-
In the vBond DNS/IP Address: Port field, enter the DNS name that points to the vBond orchestrator or the IP address of the Cisco vBond orchestrator and the port number to use to connect to it.
-
Click Save.
Configure Controller Certificate Authorization Settings
Signed certificates are used to authenticate devices in the overlay network. Once authenticated, devices can establish secure sessions between each other. You generate these certificates from Cisco vManage and install them on the controller devices: Cisco vBond orchestrators, Cisco vManage, and Cisco vSmart controllers. You can use certificates signed by Symantec, or you can use enterprise root certificates.
The controller certificate authorization settings establish how certificates are generated for all controller devices. They do not generate the certificates.
You need to select the certificate-generation method only once. The method you select is automatically used each time you add a device to the overlay network.
To have the Symantec signing server automatically generate, sign, and install certificates on each controller device:
-
Click the Edit button to the right of the Controller Certificate Authorization bar.
-
Click Symantec Automated (Recommended). This is the recommended method for handling controller signed certificates.
-
In the Confirm Certificate Authorization Change popup, click Proceed to confirm that you wish to have the Symantec signing server automatically generate, sign, and install certificates on each controller device.
-
Enter the first and last name of the requestor of the certificate.
-
Enter the email address of the requestor of the certificate. This address is required because the signed certificate and a confirmation email are sent to the requestor via email; they are also made available through the customer portal.
-
Specify the validity period for the certificate. It can be 1, 2, or 3 years.
-
Enter a challenge phrase. The challenge phrase is your certificate password and is required when you renew or revoke a certificate.
-
Confirm your challenge phrase.
-
In the Certificate Retrieve Interval field, specify how often the Cisco vManage server checks if the Symantec signing server has sent the certificate.
-
Click Save.
To manually install certificates that the Symantec signing server has generated and signed:
-
Click the Edit button to the right of the Controller Certificate Authorization bar.
-
Click Symantec Manual.
-
In the Confirm Certificate Authorization Change popup, click Proceed to manually install certificates that the Symantec signing server has generated and signed.
-
Click Save.
To use enterprise root certificates:
-
Click the Edit button to the right of the Controller Certificate Authorization bar.
-
Click Enterprise Root Certificate.
-
In the Confirm Certificate Authorization Change popup, click Proceed to confirm that you wish to use enterprise root certificates.
-
In the Certificate box, either paste the certificate, or click Select a file and upload a file that contains the enterprise root certificate.
-
By default, the enterprise root certificate has the following properties:
-
Country: United States
-
State: California
-
City: San Jose
-
Organizational unit: ENB
-
Organization: CISCO
-
Domain Name: cisco.com
-
Email: cisco-cloudops-sdwan@cisco.com
To view this information, issue the show certificate signing-request decoded command on a controller device, and check the output in the Subject line. For example:
vSmart# show certificate signing-request decoded
...
Subject: C=US, ST=California, L=San Jose, OU=ENB, O=CISCO, CN=vsmart-uuid.cisco.com/emailAddress=cisco-cloudops-sdwan@cisco.com
...
-
Click Set CSR Properties.
-
Enter the domain name to include in the CSR. This domain name is appended to the common name (CN).
-
Enter the organizational unit (OU) to include in the CSR.
-
Enter the organization (O) to include in the CSR.
-
Enter the city (L), state (ST), and two-letter country code (C) to include in the CSR.
-
Enter the email address (emailAddress) of the certificate requestor.
-
Specify the validity period for the certificate. It can be 1, 2, or 3 years.
-
Click Import & Save.
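Before an enterprise CA signs a controller CSR, the Subject line can be checked against the values entered under Set CSR Properties. The following Python sketch is an added example, not Cisco code: it parses the Subject line in the format shown above and reports mismatches. The sample text is constructed from the page's example output, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the page's example output.
SAMPLE_OUTPUT = """\
vSmart# show certificate signing-request decoded
...
    Subject: C=US, ST=California, L=San Jose, OU=ENB, O=CISCO, CN=vsmart-uuid.cisco.com/emailAddress=cisco-cloudops-sdwan@cisco.com
...
"""

# Values entered under Set CSR Properties (here, the page's defaults).
EXPECTED = {
    "C": "US", "ST": "California", "L": "San Jose", "OU": "ENB",
    "O": "CISCO", "emailAddress": "cisco-cloudops-sdwan@cisco.com",
}
EXPECTED_DOMAIN = "cisco.com"


def parse_subject(cli_output):
    """Return the Subject attributes as a dict; raise ValueError if absent."""
    match = re.search(r"^\s*Subject:\s*(.+)$", cli_output, re.MULTILINE)
    if not match:
        raise ValueError("no Subject line in output")
    # Attributes are separated by ", " except emailAddress, which follows "/".
    parts = re.split(r",\s*(?=[A-Za-z]+=)|/(?=emailAddress=)", match.group(1))
    return dict(part.strip().split("=", 1) for part in parts)


def check_subject(subject, expected, domain):
    """Return a list of mismatch descriptions; an empty list means OK."""
    problems = []
    for field, want in expected.items():
        got = subject.get(field)
        if got != want:
            problems.append(f"{field}: expected {want!r}, got {got!r}")
    # The configured domain is appended to the CN, so require a host label
    # followed by ".<domain>"; a lookalike such as "notcisco.com" must fail.
    cn = subject.get("CN", "").lower()
    suffix = "." + domain.lower()
    if not cn.endswith(suffix) or cn == suffix:
        problems.append(f"CN: {cn!r} does not end with {suffix!r}")
    return problems


if __name__ == "__main__":
    result = check_subject(parse_subject(SAMPLE_OUTPUT), EXPECTED, EXPECTED_DOMAIN)
    print("\n".join(result) if result else "subject OK")
```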
Enforce Software Version on Devices
If you are using the Cisco SD-WAN hosted service, you can enforce a version of the Cisco SD-WAN software to run on a router when it first joins the overlay network. To do so:
-
Ensure that the software image for the desired device software version is present in the vManage software image repository:
-
In Cisco vManage, select the screen. The Software Repository screen opens and displays a table of software images. If the desired software image is present in the repository, continue with Step 2.
-
If you need to add a software image, click Add New Software.
-
Select the location from which to download the software images, either Cisco vManage, Remote Server, or Remote Server - vManage.
-
Select an x86-based or a MIPS-based software image.
-
Click Add to place the image in the repository.
-
In the screen, click the Edit button to the right of the Enforce Software Version (ZTP) bar.
-
In the Enforce Software Version field, click Enabled.
-
From the Version drop-down, select the version of the software to enforce on devices when they join the network.
-
Click Save.
If you enable this feature on the Cisco vManage, any device joining the network is configured with the version of the software specified in the Enforce Software Version field regardless of whether the device was running a higher or lower version of Cisco SD-WAN software.
Banner
Use the Banner template for Cisco vBond Orchestrators, Cisco vManages, Cisco vSmart Controllers, s, and Cisco IOS XE SD-WAN devices.
-
To configure the banner text for login screens using Cisco vManage templates, create a Banner feature template to configure Banner parameters, as described in this topic.
-
To configure a login banner for the Cisco vManage system, go to .
Configure a Banner
-
In Cisco vManage, select the screen.
-
In the Device tab, click Create Template.
-
From the Create Template drop-down, select From Feature Template.
-
From the Device Model drop-down, select the type of device for which you are creating the template.
-
Click the Additional Templates tab located directly beneath the Description field, or scroll to the Additional Templates section.
-
From the Banner drop-down, click Create Template. The Banner template form is displayed. The top of the form contains fields for naming the template, and the bottom contains fields for defining Banner parameters.
-
In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
-
In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the Scope drop-down to the left of the parameter field.
-
To set a banner, configure the following parameters:
Table 1. Parameters to be configured while setting a banner

| Parameter Name | Description |
|---|---|
| MOTD Banner | On a Cisco IOS XE SD-WAN device, enter message-of-the-day text to display prior to the login banner. The string can be up to 2048 characters long. To insert a line break, type \n. |
| Login Banner | Enter text to display before the login prompt. The string can be up to 2048 characters long. To insert a line break, type \n. |
-
To save the feature template, click Save.
CLI equivalent:
banner {login login-string | motd motd-string}
Create a Custom Banner
To create a custom banner that is displayed after you log in to the Cisco vManage:
-
Click the Edit button to the right of the Banner bar.
-
In the Enable Banner field, click Enabled.
-
In the Banner Info text box, enter the text string for the login banner or click Select a File to download a file that contains the text string.
-
Click Save.
Collect Device Statistics
To enable or disable the collection of statistics for devices in the overlay network:
-
Click the Edit button to the right of the Statistics Settings bar. By default, all statistics collection settings are enabled for all Cisco SD-WAN devices.
-
To set statistics collection parameters for all devices in the network, click Disable All for each parameter for which you wish to disable statistics collection. To return to the saved settings during an edit operation, click Reset. To return the saved settings to the factory-default settings, click Restore Factory Default.
-
To set statistics collection parameters for individual devices in the network, click Custom to select devices on which to enable or disable statistics collection. The Select Devices popup screen opens listing the hostname and device IP of all devices in the network. Select one or more devices from the Enabled Devices column on the left and click the arrow pointing right to move the device to the Disabled Devices column on the right. To move devices from the Disabled Devices to the Enabled Devices column, select one or more devices and click the arrow pointing left. To select all devices in the Select Devices popup screen, click the Select All checkbox in either window. Click Done when all selections are made.
-
Click Save.
Configure or Cancel vManage Server Maintenance Window
You can set or cancel the start and end times and the duration of the maintenance window for the vManage server.
-
In vManage NMS, select the screen.
-
Click the Edit button to the right of the Maintenance Window bar.
To cancel the maintenance window, click Cancel.
-
Click the Start date and time drop-down, and select the date and time when the maintenance window will start.
-
Click the End date and time drop-down, and select the date and time when the maintenance window will end.
-
Click Save. The start and end times and the duration of the maintenance window are displayed in the Maintenance Window bar.
Two days before the start of the window, the vManage Dashboard displays a maintenance window alert notification.