Install Cisco Crosswork Data Gateway
This procedure can be used for installing the first Cisco Crosswork Data Gateway or for adding additional Cisco Crosswork Data Gateway VMs.
Note |
If you are re-deploying Cisco Crosswork Data Gateway with Cisco Crosswork, delete the previous Cisco Crosswork entry for auto-enrollment to work. |
Cisco Crosswork Data Gateway Deployment and Set Up Workflow
To deploy and set up Crosswork Data Gateway VM for use with Cisco Crosswork, follow these steps:
- Choose the deployment type for Cisco Crosswork Data Gateway i.e., Standard or Extended. See Cisco Crosswork Data Gateway Requirements.
- Install Cisco Crosswork Data Gateway on your preferred platform:
  - VMware: Install Cisco Crosswork Data Gateway Using vCenter vSphere Client
  - Cisco CSP
- Set timezone on Cisco Crosswork Data Gateway VM. See Configure Timezone of the Crosswork Data Gateway VM.
- Verify Cisco Crosswork Data Gateway enrollment with Cisco Crosswork. See Cisco Crosswork Data Gateway Authentication and Enrollment.
After verifying that the Cisco Crosswork Data Gateway has successfully enrolled with Cisco Crosswork, create a Cisco Crosswork Data Gateway pool and add the Cisco Crosswork Data Gateway VMs to the pool.
Note |
If you are going to have multiple Cisco Crosswork Data Gateways due to load or scale and/or you wish to leverage Cisco Data Gateway High Availability, it is recommended that you install all the Cisco Crosswork Data Gateway VMs and then add them to a Data Gateway pool. |
Cisco Crosswork Data Gateway Parameters and Deployment Scenarios
Before you begin installing the Crosswork Data Gateway, go through this section to read about the deployment parameters and possible deployment scenarios.
Crosswork Data Gateway supports either IPv4 or IPv6 for all interfaces. Cisco Crosswork does not support dual stack configurations. Therefore, plan ALL addresses for the environment as either IPv4 or IPv6.
During installation, Cisco Crosswork Data Gateway creates two default user accounts:
- Cisco Crosswork Data Gateway administrator, with the username dg-admin and the password set during installation. The administrator uses this ID to log in and troubleshoot Cisco Crosswork Data Gateway.
- Cisco Crosswork Data Gateway operator, with the username dg-oper and the password set during installation. The dg-oper user has permissions to perform all ‘read’ operations and limited ‘action’ commands.
To know what operations an admin and operator can perform, see Section Supported User Roles in the Cisco Crosswork Infrastructure 4.1 and Applications Administration Guide.
The dg-admin and dg-oper user accounts are reserved usernames and cannot be changed. You can change the password from the console for both accounts. See Section Change Passphrase in the Cisco Crosswork Infrastructure 4.1 and Applications Administration Guide. If a password is lost or forgotten, you have to create a new VM, destroy the current VM, and re-enroll the new VM with Cisco Crosswork.
In the following table:
* Denotes the mandatory parameters. Other parameters are optional. You can choose them based on the deployment scenario you require. Deployment scenarios are explained, wherever applicable, in the Additional Information column.
** Denotes parameters that you can enter during install or address later using additional procedures.
Name | Parameter | Description | Additional Information |
---|---|---|---|
Host Information | | | |
Hostname* | Hostname | Name of the Cisco Crosswork Data Gateway VM specified as a fully qualified domain name (FQDN). | |
Description* | Description | A detailed description of the Cisco Crosswork Data Gateway. | |
Label | Label | Label used by Cisco Crosswork to categorize and group multiple Cisco Crosswork Data Gateways. | |
Deployment | Deployment | Parameter that conveys the controller type. For On-premise installation, choose either | This parameter is pre-defined for CSP installation. You will need to specify this value for OVF tool installation. |
Active vNICs* | ActiveVnics | Number of vNICs to use for sending traffic. | You can choose to use either 1, 2, or 3 vNICs as per the following combinations: |
AllowRFC8190* | AllowRFC8190 | Automatically allow addresses in an RFC 8190 range. Options are | |
Private Key URI | DGCertKey | SCP URI to private key file for session key signing. You can retrieve this using SCP (user@host:path/to/file). | Cisco Crosswork uses self-signed certificates for handshake with Cisco Crosswork Data Gateway. These certificates are generated at installation. However, if you want to use third-party or your own certificate files, then enter these three parameters. Certificate chains override any preset or generated certificates in the Cisco Crosswork Data Gateway VM and are given as an SCP URI (user@host:/path/to/file). |
Certificate File URI | DGCertChain | SCP URI to PEM formatted signing certificate chain for this VM. You can retrieve this using SCP (user@host:path/to/file). | |
Certificate File and Key Passphrase | DGCertChainPwd | SCP user passphrase to retrieve the Cisco Crosswork Data Gateway PEM formatted certificate file and private key. | |
Data Disk Size | DGAppdataDisk | Size in GB of a second data disk. Default size is 5GB for Standard and 500GB for Extended. | |
Passphrase | | | |
dg-admin Passphrase* | dg-adminPassword | The password you have chosen for the dg-admin user. Password must be 8-64 characters. | |
dg-oper Passphrase* | dg-operPassword | The password you have chosen for the dg-oper user. Password must be 8-64 characters. | |
Interfaces | | | |
vNICx IPv4 Address (VNIC0, VNIC1, and VNIC2 based on the number of interfaces you choose to use) | | | |
vNICx IPv4 Method* For example, the parameter name for vNIC0 is vNIC0 IPv4 Method. | VnicxIPv4Method For example, the parameter name for vNIC0 is | Method by which the vNICx interface gets its IPv4 address. | The default value for Method is None. If you choose to use IPv4 address, select Method as Static and enter information in Address, Netmask, Skip Gateway, and Gateway fields. |
vNICx IPv4 Address | VnicxIPv4Address | IPv4 address of the vNICx interface. | |
vNICx IPv4 Netmask | VnicxIPv4Netmask | IPv4 netmask of the vNICx interface in dotted quad format. | |
vNICx IPv4 Skip Gateway | VnicxIPv4SkipGateway | Options are Selecting | |
vNICx IPv4 Gateway | VnicxIPv4Gateway | IPv4 address of the vNICx gateway. | |
vNICx IPv6 Address (VNIC0, VNIC1, and VNIC2 based on the number of interfaces you choose to use) | | | |
vNICx IPv6 Method* For example, the parameter for vNIC0 is vNIC0 IPv6 Method. | VnicxIPv6Method For example, the parameter for vNIC0 is | Method by which the vNICx interface gets its IPv6 address. | The default value for Method is None. If you choose to use IPv6 address, select Method as Static and enter information in Address, Netmask, Skip Gateway, and Gateway fields. |
vNICx IPv6 Address | VnicxIPv6Address | IPv6 address of the vNICx interface. | |
vNICx IPv6 Netmask | VnicxIPv6Netmask | IPv6 prefix of the vNICx interface. | |
vNICx IPv6 Skip Gateway | VnicxIPv6SkipGateway | Options are Selecting | |
vNICx IPv6 Gateway | VnicxIPv6Gateway | IPv6 address of the vNICx gateway. | |
DNS Servers | | | |
DNS Address* | DNS | Space-delimited list of IPv4/IPv6 addresses of the DNS server accessible from the management interface. | |
DNS Search Domain* | Domain | DNS search domain. | |
DNS Security Extensions* | DNSSEC | Options are False, True, Allow-Downgrade. The default value is False. Select True to use DNS security extensions. | |
DNS over TLS* | DNSTLS | Options are False, True, and Opportunistic. The default value is False. Select True to use DNS over TLS. | |
Multicast DNS* | mDNS | Options are False, True and Resolve. The default value is False. Select True to use multicast DNS. | If you choose Resolve, only resolution support is enabled. Responding is disabled. |
Link-Local Multicast Name Resolution* | LLMNR | Options are False, True, Opportunistic and Resolve. By default, this is set to False. Select True to use link-local multicast name resolution. | If you choose Resolve, only resolution support is enabled. Responding is disabled. |
NTPv4 Servers | | | |
NTPv4 Servers* | NTP | NTPv4 server list. Enter space-delimited list of IPv4/IPv6 addresses or hostnames of the NTPv4 servers accessible from the management interface. | You must enter a value here, such as pool.ntp.org. NTP server is critical for time synchronization between Crosswork Data Gateway VM, Crosswork, and devices. Using a non-functional or dummy address may cause issues when Cisco Crosswork and Crosswork Data Gateway try to communicate with each other. If you are not using an NTP server, ensure that the time gap between Crosswork Data Gateway and Crosswork is not more than 10 minutes. Otherwise, Crosswork Data Gateway fails to connect. |
Use NTPv4 Authentication | NTPAuth | Select Yes to use NTPv4 authentication. | |
NTPv4 Keys | NTPKey | Key IDs to map to the server list. Enter space-delimited list of Key IDs. | |
NTPv4 Key File URI | NTPKeyFile | SCP URI to the chrony key file. | |
NTPv4 Key File Passphrase | NTPKeyFilePwd | Password of SCP URI to the chrony key file. | |
Remote Syslog Server | | | |
Use Remote Syslog Server* | UseRemoteSyslog | Select Yes to send syslog messages to a remote host. | Configuring an external syslog server sends service events (CLI/MDT/SNMP/gNMI) to the external syslog server. Otherwise, they are logged only to the Cisco Crosswork Data Gateway VM. If you want to use an external syslog server, specify these seven settings. |
Syslog Server Address | | IPv4 or IPv6 address of a syslog server accessible from the management interface. | |
Syslog Server Port | SyslogPort | Port number of the syslog server. | |
Syslog Server Protocol | SyslogProtocol | Use UDP or TCP when sending syslog. Default value is UDP. | |
Use Syslog over TLS? | SyslogTLS | Select Yes to use TLS to encrypt syslog traffic. | |
Syslog TLS Peer Name | SyslogPeerName | Syslog server hostname exactly as entered in the server certificate SubjectAltName or subject common name. | |
Syslog Root Certificate File URI | | PEM formatted root cert of syslog server retrieved using SCP. | |
Syslog Certificate File Passphrase | | Password of SCP user to retrieve Syslog certificate chain. | |
Remote Auditd Server | | | |
Use Remote Auditd Server* | UseRemoteAuditd | Select Yes to send Auditd message to a remote host. | If desired, you can configure an external remote auditd server to send Cisco Crosswork Data Gateway VM change audit notifications. Specify these three settings to use an external Auditd server. |
Auditd Server Address | AuditdAddress | Hostname, IPv4, or IPv6 address of an optional Auditd server. | |
Auditd Server Port | AuditdPort | Port number of an optional Auditd server. | |
Controller and Proxy Settings | | | |
Crosswork Controller IP* | ControllerIP | The Virtual IP address or the hostname of Cisco Crosswork Cluster. | This is required if you are providing a controller signing certificate file URI. |
Crosswork Controller Port* | ControllerPort | Port of the Cisco Crosswork controller. The default port is 30607. | |
Controller Signing Certificate File URI* | ControllerSignCertChain | PEM formatted root cert of Cisco Crosswork to validate signing certs retrieved using SCP. Cisco Crosswork generates the PEM file, which is available at the following location: | Crosswork Data Gateway requires the Controller Signing Certificate File to become functional. If you specify these parameters during the installation, the certificate file is imported once Crosswork Data Gateway boots up for the first time. If you do not specify these parameters during installation, then import the certificate file manually by following the procedure Import Controller Signing Certificate File. |
Controller SSL/TLS Certificate File URI | ControllerTlsCertChain | Cisco Crosswork Controller PEM formatted SSL/TLS certificate file retrieved using SCP. | |
Controller Certificate File Passphrase* | ControllerCertChainPwd | Password of SCP user (cw-admin) to retrieve Cisco Crosswork certificate chain. | |
Proxy Server URL | | URL of management network proxy server. | Crosswork Data Gateway must connect to the Internet via TLS, and a proxy server may be required if it is not present in your environment. If you want to use a proxy server, specify these parameters. |
Proxy Server Bypass List | ProxyBypass | Space-delimited list of subnets and domains that should not be sent to the proxy server. | |
Authenticated Proxy Username | ProxyUsername | Username for authenticated proxy servers. | |
Authenticated Proxy Passphrase | ProxyPassphrase | Passphrase for authenticated proxy servers. | |
HTTPS Proxy SSL/TLS Certificate File URI | ProxyCertChain | HTTPS proxy PEM formatted SSL/TLS certificate file retrieved using SCP. | |
HTTPS Proxy SSL/TLS Certificate File Passphrase | ProxyCertChainPwd | Password of SCP user to retrieve proxy certificate chain. | |
Collector Listening Ports | | | The default port values can be changed either during install or changed later from the Interactive Menu (Change Current System Settings > c Configure Collector Server Port) of the Crosswork Data Gateway VM. |
SNMP trap port** | PortSNMPTrap | SNMP trap port. The default port is 1062. | |
Syslog UDP port** | PortSyslogUDP | Syslog UDP port. The default port is 9514. | |
Syslog TCP port** | PortSyslogTCP | Syslog TCP port. The default port is 9898. | |
Syslog TLS port** | PortSyslogTLS | Syslog TLS port. The default port is 6514. | |
Note |
If you are not using the default SCP port 22, you can specify the port as a part of the SCP command. For example,
Where 55 is a custom port. |
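The constraints stated in this section (one address family for every interface, passphrases of 8-64 characters, 1 to 3 active vNICs, a mandatory NTP value, dotted-quad IPv4 netmasks) can be checked before a template is deployed. The script below is an added example, not part of Cisco's guide: it reads the variable names used by the sample OVF Tool script, compares only literal addresses (hostnames such as NTP entries are not resolved), and assumes that a netmask must have contiguous one-bits.

```sh
#!/bin/sh
# Added example, not Cisco code. Variable names follow the page's sample script.
# Print 4 or 6 for a literal address; fail otherwise (syntax check only).
ip_family() {
    case $1 in
        *:*:*) case $1 in *[!0-9A-Fa-f:.]*) return 1 ;; esac; echo 6 ;;
        *.*.*.*)
            old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
            [ $# -eq 4 ] || return 1
            for o in "$@"; do
                case $o in ''|*[!0-9]*|????*|0?*) return 1 ;; esac
                [ "$o" -le 255 ] || return 1
            done
            echo 4 ;;
        *) return 1 ;;
    esac
}

# Succeed only if every argument is an address of one family (no dual stack).
single_stack() {
    want=
    for a in "$@"; do
        fam=$(ip_family "$a") || return 1
        : "${want:=$fam}"
        [ "$fam" = "$want" ] || return 1
    done
    [ -n "$want" ]
}

# Succeed if $1 is a dotted-quad netmask whose one-bits are contiguous.
valid_netmask() {
    [ "$(ip_family "$1")" = 4 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    inv=$(( 4294967295 - ($1 * 16777216 + $2 * 65536 + $3 * 256 + $4) ))
    [ $(( $inv & ($inv + 1) )) -eq 0 ]
}

# Passphrase rule from the parameter table: 8-64 characters.
valid_passphrase() { [ "${#1}" -ge 8 ] && [ "${#1}" -le 64 ]; }

# Check the deployment variables; print one line per problem, return 1 if any.
check_plan() {
    rc=0; addrs=${DNS:-}
    case ${ActiveVnics:-} in 1|2|3) ;; *) echo "ActiveVnics must be 1, 2 or 3"; rc=1 ;; esac
    for n in 0 1 2; do
        eval "m=\${Vnic${n}IPv4Netmask:-}"
        [ -z "$m" ] || valid_netmask "$m" || { echo "Vnic${n}IPv4Netmask is not a netmask"; rc=1; }
        for v in 4 6; do
            eval "addrs=\"\$addrs \${Vnic${n}IPv${v}Address:-} \${Vnic${n}IPv${v}Gateway:-}\""
        done
    done
    single_stack $addrs || { echo "addresses must be all IPv4 or all IPv6"; rc=1; }
    for p in "${dg_adminPassword:-}" "${dg_operPassword:-}"; do
        valid_passphrase "$p" || { echo "passphrases must be 8-64 characters"; rc=1; }
    done
    [ -n "${NTP:-}" ] || { echo "NTP is mandatory"; rc=1; }
    return $rc
}

# Constructed plan (documentation addresses) that mixes address families.
ActiveVnics=2 DNS="192.0.2.53" NTP="ntp.example.com"
Vnic0IPv4Address="192.0.2.32" Vnic0IPv4Gateway="192.0.2.1" Vnic0IPv4Netmask="255.255.255.0"
Vnic1IPv6Address="2001:db8::32" Vnic1IPv6Gateway="2001:db8::1"
dg_adminPassword="short" dg_operPassword="constructed-example-1"
check_plan || echo "plan rejected"
```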
Install Cisco Crosswork Data Gateway Using vCenter vSphere Client
Note |
The example images shown are only of Cisco Crosswork Data Gateway On-Premise Standard deployment. |
Procedure
Step 1 | Download the Cisco Crosswork Data Gateway 2.0 image file from cisco.com (*.ova). |
Step 2 | Connect to vCenter vSphere Client. Then select Actions > Deploy OVF Template. |
Step 3 | The VMware Deploy OVF Template wizard appears and highlights the first step, 1 Select template. |
Step 4 | Click Next to go to 2 Select name and location, as shown in the following figure. |
Step 5 | Click Next to go to 3 Select a resource. Choose the VM’s host. |
Step 6 | Click Next. The VMware vCenter Server validates the OVA. Network speed will determine how long validation takes. When the validation is complete, the wizard moves to 4 Review details. Review the OVA’s information and then click Next. Take a moment to review the OVF template you are deploying. |
Step 7 | Click Next to go to 5 Accept license agreements. Review the End User License Agreement and click Accept. |
Step 8 | Click Next to go to 6 Select configuration, as shown in the following figure. Select the type of configuration you want i.e., either Crosswork On-Premise Standard or Crosswork On-Premise Extended. |
Step 9 | Click Next to go to 7 Select storage, as shown in the following figure. |
Step 10 | Click Next to go to 8 Select networks, as shown in the following figure. In the dropdown table at the top of the page, choose the appropriate destination network for each source network, vNIC2, vNIC1, and vNIC0 respectively. |
Step 11 | Click Next to go to 9 Customize template, with the Host Information Settings already expanded. Enter the information for the parameters as explained in the parameters table in Cisco Crosswork Data Gateway Parameters and Deployment Scenarios. |
Step 12 | Click Next to go to 10 Ready to complete. Review your settings and then click Finish if you are ready to begin deployment. |
Step 13 | Wait for the deployment to finish before continuing. To check the deployment status: Wait for the deployment status to become 100%. You can now proceed to power on the VM. |
Step 14 | Once the deployment status is 100%, power on the VM to complete the deployment process. Expand the host’s entry so you can click the VM and then choose Actions > Power > Power On, as shown in the following figure: Wait for at least 5 minutes for the VM to come up and then log in via vCenter or SSH as explained below. |
What to do next
Login to Cisco Crosswork Data Gateway VM Via vCenter:
- Locate the VM in vCenter and then right click and select Open Console.
- Enter username (dg-admin or dg-oper as per the role assigned to you) and the corresponding password (the one that you created during installation process) and press Enter.
After you log in, the Crosswork Data Gateway should present you with the welcome screen and options menu indicating that the installation completed successfully. Log out and proceed with the post-installation tasks explained in the next section.
Install Cisco Crosswork Data Gateway Via OVF Tool
You can modify mandatory/optional parameters in the command/script as per your requirement and run the OVF Tool. Refer to the parameters table in Cisco Crosswork Data Gateway Parameters and Deployment Scenarios.
Below is a sample if you plan to run the OVF tool with a script:
```bash
#!/usr/bin/env bash

# Path or URL of the Crosswork Data Gateway OVA image
ROBOT_OVA_PATH="https://engci-maven.cisco.com/artifactory/cdg-group/build/2.0.0_dg200_7_2021-03-31_18-00-00/image/cw-na-dg-2.0.0-7-TESTONLY-20210331.ova"

# VM name, disk provisioning mode and deployment type
VM_NAME="dg-32"
DM="thin"
Deployment="onpremise-standard"

# Host and interface settings (see the parameters table)
ActiveVnics="3"
Hostname="dg-32.cisco.com"
Vnic0IPv4Address="172.23.213.32"
Vnic0IPv4Gateway="172.23.213.1"
Vnic0IPv4Netmask="255.255.255.0"
Vnic0IPv4Method="Static"
Vnic1IPv4Address="32.32.32.32"
Vnic1IPv4Gateway="32.32.32.1"
Vnic1IPv4Netmask="255.255.255.0"
Vnic1IPv4Method="Static"
DNS="171.70.168.183"
NTP="ntp.esl.cisco.com"
Domain="cisco.com"

# Crosswork controller and the SCP URI of its signing certificate
ControllerIP="172.23.213.10"
ControllerPort="30607"
ControllerSignCertChain="cw-admin@172.23.213.10:/home/cw-admin/controller.pem"
ControllerCertChainPwd="Cwork123!"
Description="Description for Cisco Crosswork Data Gateway for 32"
Label="Label for Cisco Crosswork Data Gateway dg-32"

# Sample passphrases for the dg-admin and dg-oper accounts (8-64 characters)
dg_adminPassword="cisco123"
dg_operPassword="cisco123"

# Proxy and remote syslog settings; this sample sets them but does not pass
# them to ovftool as --prop options below
ProxyUsername="cisco"
ProxyPassphrase="cisco123"
SyslogAddress="127.0.0.1"
SyslogPort=514
SyslogProtocol="UDP"
SyslogTLS=False
SyslogPeerName="combo-46.cisco.com"
SyslogCertChain="root@172.23.213.46:/root/stproxy/proxycert/CA.pem"
SyslogCertChainPwd="cisco123"

# Please replace this information according to your vcenter setup
# (user name and password in VCENTER_LOGIN are percent-encoded)
VCENTER_LOGIN="administrator%40vsphere.local:Vtsisco%40123%21@172.23.213.21"
VCENTER_PATH="DC1/host/172.23.213.8"
DS="datastore1 (5)"

# --noSSLVerify skips certificate verification for the vCenter connection and
# --skipManifestCheck skips validation of the OVA manifest
ovftool --acceptAllEulas --X:injectOvfEnv --skipManifestCheck --overwrite --noSSLVerify --powerOffTarget --powerOn \
--allowExtraConfig --extraConfig:firmware=efi --extraConfig:uefi.secureBoot.enabled=true \
--datastore="$DS" --diskMode="$DM" \
--name="$VM_NAME" \
--net:"vNIC0=VM Network" \
--net:"vNIC1=DPortGroupVC-2" \
--net:"vNIC2=DPortGroupVC-1" \
--deploymentOption="$Deployment" \
--prop:"ControllerIP=$ControllerIP" \
--prop:"ControllerPort=$ControllerPort" \
--prop:"ControllerSignCertChain=$ControllerSignCertChain" \
--prop:"ControllerCertChainPwd=$ControllerCertChainPwd" \
--prop:"Hostname=$Hostname" \
--prop:"Description=$Description" \
--prop:"Label=$Label" \
--prop:"ActiveVnics=$ActiveVnics" \
--prop:"Vnic0IPv4Address=$Vnic0IPv4Address" \
--prop:"Vnic0IPv4Gateway=$Vnic0IPv4Gateway" \
--prop:"Vnic0IPv4Netmask=$Vnic0IPv4Netmask" \
--prop:"Vnic0IPv4Method=$Vnic0IPv4Method" \
--prop:"Vnic1IPv4Address=$Vnic1IPv4Address" \
--prop:"Vnic1IPv4Gateway=$Vnic1IPv4Gateway" \
--prop:"Vnic1IPv4Netmask=$Vnic1IPv4Netmask" \
--prop:"Vnic1IPv4Method=$Vnic1IPv4Method" \
--prop:"DNS=$DNS" \
--prop:"NTP=$NTP" \
--prop:"dg-adminPassword=$dg_adminPassword" \
--prop:"dg-operPassword=$dg_operPassword" \
--prop:"Domain=$Domain" "$ROBOT_OVA_PATH" "vi://$VCENTER_LOGIN/$VCENTER_PATH"
```
Procedure
Step 1 | Open a command prompt. |
Step 2 | Navigate to the location where you installed the OVF Tool. |
Step 3 | Run the OVF Tool in one of the following ways: |
Once the VM powers up, log into the VM. See Login into Crosswork Data Gateway VM. After you log in, the Crosswork Data Gateway should present you with the welcome screen and options menu indicating that the installation completed successfully. Log out and proceed with the post-installation tasks explained in the next section.
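The sample script stores the account passphrases, the cw-admin SCP password and the vCenter login in the script file, with the vCenter user name and password percent-encoded inside VCENTER_LOGIN. The functions below are an added example, not part of Cisco's guide: they take those values from the environment or an echo-off prompt and build the encoded login at run time. DG_ADMIN_PW, DG_OPER_PW, CW_ADMIN_PW, VC_USER, VC_PW and VC_HOST are hypothetical names.

```sh
#!/bin/sh
# Added example, not Cisco code. DG_ADMIN_PW, DG_OPER_PW, CW_ADMIN_PW, VC_USER,
# VC_PW and VC_HOST are hypothetical names; the variables that load_secrets sets
# are the ones the page's sample script defines.

# Percent-encode $1 for the user:password part of a vi:// locator (ASCII input).
urlencode() {
    s=$1; out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # split off the first character
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# Print the value of environment variable $1; if it is unset, prompt with echo
# off. Fails when there is no terminal to prompt on.
read_secret() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        [ -t 0 ] || { echo "$1 is not set and stdin is not a terminal" >&2; return 1; }
        printf '%s: ' "$1" >&2
        stty -echo; IFS= read -r val; stty echo; echo >&2
    fi
    printf '%s' "$val"
}

# Set the credential variables of the sample script without storing their values.
load_secrets() {
    if [ -z "${VC_USER:-}" ] || [ -z "${VC_HOST:-}" ]; then
        echo "VC_USER and VC_HOST must be set" >&2; return 1
    fi
    dg_adminPassword=$(read_secret DG_ADMIN_PW) || return 1
    dg_operPassword=$(read_secret DG_OPER_PW) || return 1
    ControllerCertChainPwd=$(read_secret CW_ADMIN_PW) || return 1
    vc_pw=$(read_secret VC_PW) || return 1
    VCENTER_LOGIN="$(urlencode "$VC_USER"):$(urlencode "$vc_pw")@$VC_HOST"
    unset vc_pw
}

# Constructed demo: encode a login in the form the sample VCENTER_LOGIN uses.
echo "$(urlencode 'administrator@vsphere.local'):$(urlencode 'Example@123!')@192.0.2.21"
```

In the sample script, a call to load_secrets would take the place of the hard-coded password assignments and the VCENTER_LOGIN line.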
Install Cisco Crosswork Data Gateway on Cisco CSP
Follow the steps to install Cisco Crosswork Data Gateway on Cisco CSP:
Procedure
Step 1 | Download the Cisco Crosswork Data Gateway |
Step 2 | (Optional) Verify the Cisco Crosswork Data Gateway |
Step 3 | Prepare Cisco Crosswork Data Gateway Service Image for upload to Cisco CSP: |
Step 4 | Upload Cisco Crosswork Data Gateway Service Image to Cisco CSP: |
Step 5 | Create Crosswork Data Gateway VM: |
Step 6 | Deploy Cisco Crosswork Data Gateway service: |