Security

Last updated
Save as PDF

You can use the Security template for all Viptela devices. On vEdge Cloud and vEdge routers and on vBond orchestrators, use this template to configure IPsec for data plane security. On vManage NMSs and vSmart controllers, use this template to configure DTLS or TLS for control plane security.

To configure security using vManage templates:

Create a Security feature template to configure data plane or control plane security, as described in this article.
Create a device template that incorporates the Security feature template. See the Configuration ► Templates help topic.

Navigate to the Template Screen

In vManage NMS, select the Configuration ► Templates screen.
From the Templates title bar, select Feature.
Click Add Template.
In the left pane, select one or more. The right pane displays the available templates for the selected devices.
Select the Security template.

The right pane displays the Security template form:

The top of the form contains fields for naming the template.
The bottom contains fields for defining parameters applicable to that template.
A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.

Configure Control Plane Security

The following parameters are required (unless otherwise indicated) to configure the control plane connection protocol on a vManage NMS or a vSmart controller:

Step	Parameter Name	Description
1.	Template Name	Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters.
2.	Description (Template)	Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters.
3.	Protocol	Select the protocol to use on control plane connections to a vSmart controller: DTLS (Datagram Transport Layer Security). This is the default. TLS (Transport Layer Security)
4.	Control TLS Port	Port number to use when using TLS. Range: 1025 through 65535 Default: 23456
5.	Save	Click Save to save the feature template.

CLI equivalent:

security 
  control
    protocol (dtls | tls)
    tls-port port-number

Configure Data Plane Security

The following parameters are required (unless otherwise indicated) to configure data plane security on a vBond controller or vEdge router:

Step	Parameter Name	Description
1.	Template Name	Enter a name for the template. It can contain only alphanumeric characters.
2.	Description (Template)	Enter a description for the template. It can contain only alphanumeric characters.
3.	Authentication Type	Select the authentication types from the Authentication List: ah-sha1-hmac—Enable AH-SHA1 HMAC and ESP HMAC-SHA1. ah-no-id—Enable a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1 that ignores the ID field in the packet's outer IP header. none—Select no authentication. sha1-hmac—Enable ESP HMAC-SHA1.
4.	Rekey Time (optional)	Specify how often a vEdge router changes the AES key used on its secure DTLS connection to the vSmart controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days) Default: 86400 seconds (24 hours)
5.	Replay Window	Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets Default: 512 packets
6.	Save	Click Save to save the feature template.

CLI equivalent:

security
  ipsec
    authentication-type type
    rekey seconds
    replay-window number

Release Information

Introduced in vManage NMS in Release 15.2.