Configure Control Plane Security Parameters
By default, the control plane uses DTLS as the protocol that provides privacy on all its tunnels. DTLS runs over UDP.
You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the Cisco SD-WAN Controller to be a server, firewalls protect TCP servers better than UDP servers.
You configure the control plane tunnel protocol on a Cisco SD-WAN Controller:
vSmart(config)# security control protocol tls
With this change, all control plane tunnels between the Cisco SD-WAN Controller and the routers and between the Cisco SD-WAN Controller and Cisco SD-WAN Manager use TLS. Control plane tunnels to Cisco Catalyst SD-WAN Validator always use DTLS, because these connections must be handled by UDP.
In a domain with multiple Cisco SD-WAN Controllers, when you configure TLS on one of the Cisco SD-WAN Controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other Cisco SD-WAN Controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one Cisco SD-WAN Controller, and they use DTLS tunnels to all the other Cisco SD-WAN Controllers and to all their connected routers. To have all Cisco SD-WAN Controllers use TLS, configure it on all of them.
By default, the Cisco SD-WAN Controller listens on port 23456 for TLS requests. To change this:
vSmart(config)# security control tls-port number
The port can be a number from 1025 through 65535.
To display control plane security information, use the show control connections command on the Cisco SD-WAN Controller. For example:
vSmart-2# show control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
--------------------------------------------------------------------------------------------------------------------------
vedge dtls 172.16.255.11 100 1 10.0.5.11 12346 10.0.5.11 12346 lte up 0:07:48:58
vedge dtls 172.16.255.21 100 1 10.0.5.21 12346 10.0.5.21 12346 lte up 0:07:48:51
vedge dtls 172.16.255.14 400 1 10.1.14.14 12360 10.1.14.14 12360 lte up 0:07:49:02
vedge dtls 172.16.255.15 500 1 10.1.15.15 12346 10.1.15.15 12346 default up 0:07:47:18
vedge dtls 172.16.255.16 600 1 10.1.16.16 12346 10.1.16.16 12346 default up 0:07:41:52
vsmart tls 172.16.255.19 100 1 10.0.5.19 12345 10.0.5.19 12345 default up 0:00:01:44
vbond dtls - 0 0 10.1.14.14 12346 10.1.14.14 12346 default up 0:07:49:08
vSmart-2# control connections
PEER PEER
PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC
TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE UPTIME
---------------------------------------------------------------------------------------------------------------------------
vedge tls 172.16.255.11 100 1 10.0.5.11 12345 10.0.5.11 12345 lte up 0:00:01:18
vedge tls 172.16.255.21 100 1 10.0.5.21 12345 10.0.5.21 12345 lte up 0:00:01:18
vedge tls 172.16.255.14 400 1 10.1.14.14 12345 10.1.14.14 12345 lte up 0:00:01:18
vedge tls 172.16.255.15 500 1 10.1.15.15 12345 10.1.15.15 12345 default up 0:00:01:18
vedge tls 172.16.255.16 600 1 10.1.16.16 12345 10.1.16.16 12345 default up 0:00:01:18
vsmart tls 172.16.255.20 200 1 10.0.12.20 23456 10.0.12.20 23456 default up 0:00:01:32
vbond dtls - 0 0 10.1.14.14 12346 10.1.14.14 12346 default up 0:00:01:33
Configure DTLS in Cisco SD-WAN Manager
If you configure the Cisco SD-WAN Manager to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything.
The number of ports forwarded depends on the number of vdaemon processes running on the Cisco SD-WAN Manager. To display information about these processes and about and the number of ports that are being forwarded, use the show control summary command shows that four vdaemon processes are running:
vManage# show control summary
VBOND VMANAGE VSMART VEDGE
INSTANCE COUNTS COUNTS COUNTS COUNTS
------------------------------------------------
0 2 0 2 7
1 2 0 0 5
2 2 0 0 5
3 2 0 0 4
To see the listening ports, use the show control local-properties command:
vManage# show control local-properties
organization-name Cisco SD-WAN Inc Test
certificate-status Installed
root-ca-chain-status Installed
certificate-validity Valid
certificate-not-valid-before May 20 00:00:00 2015 GMT
certificate-not-valid-after May 20 23:59:59 2016 GMT
dns-name vbond.cisco.com
site-id 5000
domain-id 0
protocol dtls
tls-port 23456
...
...
...
number-active-wan-interfaces 1
PUBLIC PUBLIC PRIVATE PRIVATE ADMIN OPERATION LAST
INDEX INTERFACE IP PORT IP PORT VSMARTS VMANAGES COLOR CARRIER STATE STATE CONNECTION
------------------------------------------------------------------------------------------------------------------------
0 eth0 72.28.108.37 12361 172.16.98.150 12361 2 0 silver default up up 0:00:00:08
This output shows that the listening TCP port is 23456. If you are running Cisco SD-WAN Manager behind a NAT, you should open the following ports on the NAT device:
-
23456 (base - instance 0 port)
-
23456 + 100 (base + 100)
-
23456 + 200 (base + 200)
-
23456 + 300 (base + 300)
Note that the number of instances is the same as the number of cores you have assigned for the Cisco SD-WAN Manager, up to a maximum of 8.
Configure Security Parameters Using the Security Feature Template
Use the Security feature template for all Cisco vEdge devices. On the edge routers and on Cisco SD-WAN Validator, use this template to configure IPsec for data plane security. On Cisco SD-WAN Manager and Cisco SD-WAN Controller, use the Security feature template to configure DTLS or TLS for control plane security.
Configure Security Parameters
-
From the Cisco SD-WAN Manager menu, choose .
-
Click Feature Templates and then click Add Template.
Note
In Cisco vManage Release 20.7.1 and earlier releases, Feature Templates is called Feature.
-
From the Devices list in the left pane, choose a device.
The templates applicable to the selected device appear in the right pane. -
Click Security to open the template.
-
In the Template Name field, enter a name for the template. The name can be up to 128 characters and can contain only alphanumeric characters.
-
In the Template Description field, enter a description of the template. The description can be up to 2048 characters and can contain only alphanumeric characters.
When you first open a feature template, for each parameter that has a default value, the scope is set to Default (indicated by a check mark), and the default setting or value is shown. To change the default or to enter a value, click the scope drop-down menu to the left of the parameter field and choose one of the following:
Parameter Scope |
Scope Description |
---|---|
Device Specific (indicated by a host icon) |
Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Viptela device to a device template . When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Viptela device to a device template. For more information, see Create a Template Variables Spreadsheet . To change the default key, type a new string and move the cursor out of the Enter Key box. Examples of device-specific parameters are system IP address, hostname, GPS location, and site ID. |
Global (indicated by a globe icon) |
Enter a value for the parameter, and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs. |
Configure Control Plane Security
Note |
The Configure Control Plane Security section is applicable to Cisco SD-WAN Manager and Cisco SD-WAN Controller only. |
To configure the control plane connection protocol on a Cisco SD-WAN Manager instance or a Cisco SD-WAN Controller, choose the Basic Configuration area and configure the following parameters:
Parameter Name |
Description |
---|---|
Protocol |
Choose the protocol to use on control plane connections to a Cisco SD-WAN Controller:
|
Control TLS Port |
If you selected TLS, configure the port number to use:Range: 1025 through 65535Default: 23456 |
Click Save
Configure Data Plane Security
To configure data plane security on a Cisco SD-WAN Validator or a Cisco vEdge router, choose the Basic Configuration and Authentication Type tabs, and configure the following parameters:
Parameter Name |
Description |
||
---|---|---|---|
Rekey Time |
Specify how often a Cisco vEdge router changes the AES key used on its secure DTLS connection to the Cisco SD-WAN Controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer.Range: 10 through 1209600 seconds (14 days)Default: 86400 seconds (24 hours) |
||
Replay Window |
Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packetsDefault: 512 packets |
||
IPsec pairwise-keying |
This is turned off by default. Click On to turn it on. |
||
Authentication Type |
Select the authentication types from the Authentication List, and click the arrow pointing right to move the authentication types to the Selected List column. Authentication types supported from Cisco SD-WAN Release 20.6.1:
Authentication types supported in Cisco SD-WAN Release 20.5.1 and earlier:
|
Click Save.