Security
You can use the Security template for all Viptela devices. On vEdge Cloud and vEdge routers and on vBond orchestrators, use this template to configure IPsec for data plane security. On vManage NMSs and vSmart controllers, use this template to configure DTLS or TLS for control plane security.
To configure security using vManage templates:
- Create a Security feature template to configure data plane or control plane security, as described in this article.
- Create a device template that incorporates the Security feature template. See the Configuration ► Templates help topic.
Navigate to the Template Screen
- In vManage NMS, select the Configuration ► Templates screen.
- From the Templates title bar, select Feature.
- Click Add Template.
- In the left pane, select one or more devices. The right pane displays the available templates for the selected devices.
- Select the Security template.
The right pane displays the Security template form:
- The top of the form contains fields for naming the template.
- The bottom contains fields for defining parameters applicable to that template.
- A drop-down menu to the left of each parameter field defines the scope of the parameter. When you first open a feature template form, for each parameter that has a default value, the scope is set to Default. To edit a parameter field, change the scope to Global or Device Specific. Note that if a parameter's scope is Device Specific, you cannot enter a value for it in the feature template. Instead, you enter a value when you attach the template to a device.
- A plus sign (+) is displayed to the right when you can add multiple entries for the same parameter.
Configure Control Plane Security
The following parameters are required (unless otherwise indicated) to configure the control plane connection protocol on a vManage NMS or a vSmart controller:
Step | Parameter Name | Description |
--- | --- | --- |
1. | Template Name | Enter a name for the template. It can be up to 128 characters and can contain only alphanumeric characters. |
2. | Description (Template) | Enter a description for the template. It can be up to 2048 characters and can contain only alphanumeric characters. |
3. | Protocol | Select the protocol to use on control plane connections to a vSmart controller: DTLS or TLS. |
4. | Control TLS Port | Port number to use when using TLS. Range: 1025 through 65535. Default: 23456. |
5. | Save | Click Save to save the feature template. |
CLI equivalent:
security control protocol (dtls | tls) tls-port port-number
Configure Data Plane Security
The following parameters are required (unless otherwise indicated) to configure data plane security on a vBond controller or vEdge router:
Step | Parameter Name | Description |
--- | --- | --- |
1. | Template Name | Enter a name for the template. It can contain only alphanumeric characters. |
2. | Description (Template) | Enter a description for the template. It can contain only alphanumeric characters. |
3. | Authentication Type | Select the authentication types from the Authentication List. |
4. | Rekey Time (optional) | Specify how often a vEdge router changes the AES key used on its secure DTLS connection to the vSmart controller. If OMP graceful restart is enabled, the rekeying time must be at least twice the value of the OMP graceful restart timer. Range: 10 through 1209600 seconds (14 days). Default: 86400 seconds (24 hours). |
5. | Replay Window | Specify the size of the sliding replay window. Values: 64, 128, 256, 512, 1024, 2048, 4096, 8192 packets. |
6. | Save | Click Save to save the feature template. |
CLI equivalent:
security ipsec authentication-type type rekey seconds replay-window number
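As an added example (not from the Viptela documentation or the vManage product), the following Python checks values for both the control plane and data plane tables above against the documented limits, including the OMP graceful-restart rule for Rekey Time, and renders the CLI equivalents. The function names and the omp_gr_timer argument are assumptions made for this example.

```python
# Added example, not Viptela code: validate Security feature template values
# against the limits documented on this page and render the CLI equivalents.
# Function names and the omp_gr_timer argument are assumptions for the example.

CONTROL_PROTOCOLS = ("dtls", "tls")
TLS_PORT_RANGE = (1025, 65535)       # Control TLS Port range; default 23456
REKEY_RANGE = (10, 1209600)          # Rekey Time range in seconds; default 86400
REPLAY_WINDOWS = (64, 128, 256, 512, 1024, 2048, 4096, 8192)  # packets


def check_control_plane(protocol, tls_port=23456):
    """Return problems with a vManage/vSmart control plane setting (empty if OK)."""
    errors = []
    if protocol not in CONTROL_PROTOCOLS:
        errors.append(f"protocol must be dtls or tls, got {protocol!r}")
    if not TLS_PORT_RANGE[0] <= tls_port <= TLS_PORT_RANGE[1]:
        errors.append(f"tls-port {tls_port} is outside {TLS_PORT_RANGE}")
    return errors


def check_data_plane(rekey, replay_window, omp_gr_timer=None):
    """Return problems with a vEdge/vBond data plane setting (empty if OK).

    omp_gr_timer is the OMP graceful-restart timer in seconds when graceful
    restart is enabled, or None when it is disabled (assumed interface).
    """
    errors = []
    if not REKEY_RANGE[0] <= rekey <= REKEY_RANGE[1]:
        errors.append(f"rekey {rekey} is outside {REKEY_RANGE} seconds")
    if omp_gr_timer is not None and rekey < 2 * omp_gr_timer:
        errors.append(f"rekey {rekey} must be at least twice the OMP graceful-"
                      f"restart timer ({omp_gr_timer} s), i.e. >= {2 * omp_gr_timer}")
    if replay_window not in REPLAY_WINDOWS:
        errors.append(f"replay-window {replay_window} is not one of {REPLAY_WINDOWS}")
    return errors


def control_cli(protocol, tls_port=23456):
    """CLI equivalent of the control plane template settings."""
    return f"security control protocol {protocol} tls-port {tls_port}"


def ipsec_cli(auth_type, rekey, replay_window):
    """CLI equivalent of the data plane settings. auth_type is one of the names
    from the template's Authentication List, which this page does not list."""
    return (f"security ipsec authentication-type {auth_type} "
            f"rekey {rekey} replay-window {replay_window}")
```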
Release Information
Introduced in vManage NMS in Release 15.2.