Configure Crosswork Data Gateways

Manage Crosswork Data Gateways

Cisco Crosswork Data Gateway(s) collect information from managed devices and send it to Crosswork Cloud. You must first install Crosswork Data Gateway (Data Gateway) before you can use Trust Insights or Traffic Analysis. A Data Gateway is initially deployed as a VM called Base VM that contains only enough software to enroll itself with Crosswork Cloud. Once the Data Gateway is registered with Crosswork Cloud, Crosswork Cloud pushes the collection job configuration down to the Data Gateway, enabling it to gather the data it needs from the network devices.

To view, edit, or add a Data Gateway, go to Crosswork Cloud Traffic Analysis icon or Crosswork Cloud Trust Insights > Configure > Data Gateways.

This page lists the current status and details of all Data Gateways registered in Crosswork Cloud.

Table 1. Manage Data Gateways
Task

Notes

To add a new Data Gateway, click Add Data Gateway.

Add Crosswork Data Gateway Information

For a high-level summary of steps on how to register Crosswork Data Gateway to Traffic Analysis or Trust Insights, see one of the following topics:

To delete a Data Gateway, check the check box next to the Data Gateway you want to delete, then click Remove.

This task removes the Data Gateway completely. Data Gateway information is not retained.

To disable a Data Gateway from sending network data to Crosswork Cloud, click on the Data Gateway name, then click Disable.

When a Data Gateway is disabled, the Data Gateway information is retained.

To modify a Data Gateway, click on the Data Gateway name, then click Edit.

You can update the name, description, ASN, or register the Data Gateway to another application (Trust Insights or Traffic Analysis).

Note

 

Prior to registering the Data Gateway to another application, you must unlink all devices from the currently registered application.

To check the status of collection and the next upcoming collection interval, click on the Data Gateway name, then click the Overview tab.

To add, link, or unlink devices from the Data Gateway, click on the Data Gateway name, then click the Linked Trust / Traffic Devices tab.

To view pending Data Gateway tokens, click the Pending Enrollment tab.

After a Data Gateway is created with a valid enrollment token, it will appear here in pending state. To continue, click Allow under the Action column for the Data Gateway you wish to add.

Note

 

This step is also part of registering a Data Gateway to Crosswork Cloud. For more information, see Add Crosswork Data Gateway Information.

To manage Data Gateway tokens, click the Manage Tokens tab.

This page displays enrollment token details. From this page you can create a new enrollment token or select an existing token to view the enrollment token passcode, or revoke the token.

Note

 

This step is also part of registering a Data Gateway to Crosswork Cloud. For more information, see Add Crosswork Data Gateway Information.

Workflow: Add a Crosswork Data Gateway to Crosswork Cloud Traffic Analysis

The following is a high-level summary of steps that must be performed when adding Crosswork Data Gateway to Crosswork Cloud Traffic Analysis.


Note


To help confirm your environment is set up, you can also use the Crosswork Cloud Traffic Analysis Setup Checklist (Crosswork Cloud Traffic Analysis icon > Setup Checklist).


Table 2. Add Crosswork Data Gateway to Crosswork Cloud Traffic Analysis Workflow

Step

Action

Crosswork Cloud Navigation and Notes

1

Confirm Crosswork Data Gateway requirements.

Installation Requirements

2

Gather information needed during Crosswork Data Gateway installation. Make sure you have the following:

  • A network where Crosswork Data Gateway can connect to Crosswork Cloud (Management Interface)

  • A network where Crosswork Data Gateway can connect to the devices (optional Southbound Interface)

  • IP address information for each interface

  • A proxy, if it is required to connect to the internet

Deployment Parameters and Scenarios

3

  • For Crosswork Data Gateway 6.0.1 or later:

    Create and copy an enrollment token (.json registration file) to use during Crosswork Data Gateway installation. The .json registration file contains unique digital certificates that are used to enroll Crosswork Data Gateway into Crosswork Cloud.

  • For Crosswork Data Gateway versions earlier than 6.0.1, follow the steps described in Manually Add Crosswork Data Gateway Information, then go to Step 6.

Add Crosswork Data Gateway Information

For Crosswork Data Gateway 6.0.1 or later:

  1. Crosswork Cloud Traffic Analysis icon > Data Gateways > Use Enrollment Token

  2. Create or select an enrollment token.

  3. Copy the enrollment token somewhere so that it is readily available when you install Crosswork Data Gateway.

Note

 

After you copy the enrollment token, you will need to install Crosswork Data Gateway before you can continue in Crosswork Cloud Traffic Analysis.

4

Install Crosswork Data Gateway.

During Crosswork Data Gateway installation, you will need to paste the enrollment token in the following platforms:

  • VMware

    • vCenter vSphere Client—Paste the token text into the Auto Enrollment Package Transfer > Enrollment Token UI field

    • OVF Tool—Locate the script and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • OpenStack—Locate the config.txt file and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • Amazon EC2—Paste the token in the CloudFormation template or as part of the user data after CloudEnrollmentToken=

Install Crosswork Data Gateway

5

Authorize Crosswork Data Gateway access to Crosswork Cloud Traffic Analysis.

Note

 

Each Crosswork Data Gateway can be applied to one Crosswork Cloud Traffic Analysis application only. This means that you cannot use this instance of Crosswork Data Gateway for Crosswork Cloud Trust Insights.

  1. Crosswork Cloud Traffic Analysis icon > Data Gateways > Use Enrollment Token

  2. Click Next. The newly installed Crosswork Data Gateway should appear with the Enrollment State as Pending.

  3. Click Allow to authorize the Crosswork Data Gateway access.

6

Configure BGP, SNMP, and network flow monitoring protocols on devices for Crosswork Cloud Traffic Analysis.

Prerequisites for Adding Devices for Traffic Analysis

7

Add device credentials for BGP, SSH (optional), and SNMP to be used when adding devices.

Create Credentials

Crosswork Cloud Traffic Analysis icon > Configure > Credentials > Add Credential

8

Add devices.

Note

 

If devices have already been added in Crosswork Cloud, you can simply link them to Crosswork Cloud Traffic Analysis.

Crosswork Cloud Traffic Analysis icon > Data Gateways > data-gateway-name > Linked Traffic Devices tab

  • Add Devices

    Crosswork Cloud Traffic Analysis icon > Configure > Devices > Add Device

  • Confirm all connections are up.

    Crosswork Cloud Traffic Analysis icon > Configure > Devices > device_name > Status tab

9

Designate an external interface. Crosswork Cloud Traffic Analysis cannot display traffic data until you designate an external interface to connect to the internet.

Designate an External Interface

Crosswork Cloud Traffic Analysis icon > Configure > Devices > device_name > Traffic Analysis tab > Interfaces

Workflow: Add a Crosswork Data Gateway to Crosswork Cloud Trust Insights

The following is a high-level summary of steps that must be performed when adding Crosswork Data Gateway to Crosswork Cloud Trust Insights.

Table 3. Add a Crosswork Data Gateway to Crosswork Cloud Trust Insights Workflow

Step

Action

Crosswork Cloud Navigation and Notes

1

Confirm Crosswork Data Gateway requirements.

Installation Requirements

2

Gather information needed during Crosswork Data Gateway installation. Make sure you have the following:

  • A network where Crosswork Data Gateway can connect to Crosswork Cloud (Management Interface)

  • A network where Crosswork Data Gateway can connect to the devices (optional Southbound Interface)

  • IP address information for each interface

  • A proxy, if it is required to connect to the internet

Deployment Parameters and Scenarios

3

  • For Crosswork Data Gateway 6.0.1 or later:

    Create and copy an enrollment token (.json registration file) to use during Crosswork Data Gateway installation. The .json registration file contains unique digital certificates that are used to enroll Crosswork Data Gateway into Crosswork Cloud.

  • For Crosswork Data Gateway versions earlier than 6.0.1, follow the steps described in Manually Add Crosswork Data Gateway Information, then go to Step 6.

Add Crosswork Data Gateway Information

For Crosswork Data Gateway 6.0.1 or later:

  1. Crosswork Cloud Trust Insights > Data Gateways > Use Enrollment Token

  2. Create or select an enrollment token.

  3. Copy the enrollment token somewhere so that it is readily available when you install Crosswork Data Gateway.

Note

 

After you copy the enrollment token, you will need to install Crosswork Data Gateway before you can continue in Crosswork Cloud Trust Insights.

4

Install Crosswork Data Gateway.

During Crosswork Data Gateway installation, you will need to paste the enrollment token in the following platforms:

  • VMware

    • vCenter vSphere Client—Paste the token text into the Auto Enrollment Package Transfer > Enrollment Token UI field

    • OVF Tool—Locate the script and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • OpenStack—Locate the config.txt file and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • Amazon EC2—Paste the token in the CloudFormation template or as part of the user data after CloudEnrollmentToken=

Install Crosswork Data Gateway

5

Authorize Crosswork Data Gateway access to Crosswork Cloud Trust Insights.

Note

 

Each Crosswork Data Gateway can be applied to one Crosswork Cloud application only. This means that you cannot use this instance of Crosswork Data Gateway for Crosswork Cloud Traffic Analysis.

  1. Crosswork Cloud Trust Insights > Data Gateways > Use Enrollment Token.

  2. Click Next. The newly installed Crosswork Data Gateway should appear with the Enrollment State as Pending.

  3. Click Allow to authorize the Crosswork Data Gateway access.

6

Confirm you have all the Cisco IOS XR supported images, enrollment keys, certificates, and requirements needed for Crosswork Cloud Trust Insights.

7

Configure a user with limited access to devices for Crosswork Trust Insights to prevent unauthorized operational or configuration changes to your Cisco IOS XR routers.

Configure Limited Privilege User

8

Add device credential profiles to be used when adding devices.

Create Credentials

Crosswork Cloud Trust Insights > Configure > Credentials > Add Credential

9

Add devices.

Note

 

If devices have already been added in Crosswork Cloud, you can simply link them to Crosswork Cloud Trust Insights (Crosswork Cloud Trust Insights > Data Gateways > data-gateway-name > Linked Trust Devices tab).

  • Add Devices

    Crosswork Cloud Trust Insights > Devices > Add Device

  • Confirm all connections are up.

    Devices > device_name > Status tab

Note

 

You must have the following information populated:

  • Name

  • Hostname

  • Device timezone

  • Data Gateway

  • Credential group (defined in previous step)

10

Give it some time to collect data, then verify that the device data collection was successful.

Crosswork Cloud Trust Insights > Monitor > Devices > device-name > Trust Insights tab

11

(Optional) Initiate a dossier collection to get the latest device information.

Collect Data for Trust Insights Device Dossier

Crosswork Cloud Trust Insights > Configure > Devices > device-name > Trust Insights > Collect Dossier

Add Crosswork Data Gateway Information

As part of the Data Gateway deployment process, an enrollment token (a unique registration file) must be created to enroll the Crosswork Data Gateway into Crosswork Cloud.

Starting with Crosswork Data Gateway 6.0.1, an enrollment token can be created in the Crosswork Cloud UI and then embedded during VM installation. The .json registration file contains unique digital certificates that are used to enroll the Crosswork Data Gateway into Crosswork Cloud. This method automatically enrolls a Crosswork Data Gateway in Crosswork Cloud and is less prone to potential problems than the older method.

For Crosswork Data Gateway versions earlier than 6.0.1, you must first install Crosswork Data Gateway, generate an enrollment token from the Crosswork Data Gateway interactive console, and then manually enter Crosswork Data Gateway information in Crosswork Cloud.

Note


  • While the procedure documented here describes the steps to use the newer method (if you are using Crosswork Data Gateway 6.0.1 or later), you have the option to use the older method (see Manually Add Crosswork Data Gateway Information).

  • If you use a firewall on your Data Gateway egress traffic, ensure that your firewall configuration allows cdg.crosswork.cisco.com and crosswork.cisco.com.


Procedure


Step 1

From the main window, navigate to Crosswork Cloud Traffic Analysis icon or Crosswork Cloud Trust Insights > Configure > Data Gateways and then click Add Data Gateway.

Step 2

Choose to do one of the following:

  • For Crosswork Data Gateway 6.0.1 and later, continue to Step 3.

  • For earlier Crosswork Data Gateway versions, click Registration File and go to Manually Add Crosswork Data Gateway Information.

  • If you need to download the latest supported Crosswork Data Gateway version, click Download CDG Image.

Step 3

Click Use Enrollment Token.

Step 4

You can create a new token or use an existing one. Do one of the following:

  • Create a new token

    1. Click Create Enrollment Token.

    2. Enter the following:

      • Token Name: Specify a unique name for the token that you are creating.

      • Description: Enter a detailed description of the token.

      • Number of Uses: Specify the permissible number of token uses. The maximum token usage limit is 50.

      • Valid Until: Specify the validity period for the token. The maximum duration is 366.

    3. Click Create.

  • Use an existing token

    1. Select the row corresponding to the token that you intend to use.

      When selecting an existing token, consider its expiration date. If the Data Gateway will not be installed and registered prior to the expiration date, Cisco recommends you avoid using that token.

      You can review the Valid Until column on the Add Crosswork Data Gateway page to determine the expiration information.

    2. Click View Enrollment Token.

      • Token Name: Specify a unique name for the token that you are creating.

      • Description: Enter a detailed description of the token.

      • Number of Uses: Specify the permissible number of token uses. The maximum token usage limit is 50.

      • Valid Until: Specify the validity period for the token. The maximum duration is 366.

    3. Click Create.

Step 5

Click Copy to copy the token. Paste the content in a local file. During Crosswork Data Gateway installation, you will need to paste the enrollment token in the following platforms:

  • VMware

    • vCenter vSphere Client—Paste the token text into the Auto Enrollment Package Transfer > Enrollment Token UI field

    • OVF Tool—Locate the script and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • OpenStack—Locate the config.txt file and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • Amazon EC2—Paste the token in the CloudFormation template or as part of the user data after CloudEnrollmentToken=

Step 6

Install Crosswork Data Gateway.

Step 7

After Crosswork Data Gateway is installed, navigate back to Crosswork Cloud Trust Insights > Data Gateways > Use Enrollment Token.

Step 8

Click Next. The newly installed Crosswork Data Gateway should appear with the Enrollment State as Pending.

Step 9

Click Allow to authorize the Crosswork Data Gateway access.

Step 10

Click Next after reviewing the Device information.

Step 11

Click Accept after reviewing the Network information.

Step 12

After a few minutes, verify that your Crosswork Data Gateway is successfully connected. Click Data Gateways, click on the name of the Crosswork Data Gateway, and verify the following values for the Crosswork Data Gateway you added:

  • Connectivity: Session Up

  • Admin State: Enabled

  • Container Image: Matched

You may need to refresh the page to see the changes.
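The check below is an added example, not part of the Cisco documentation: a pre-deployment lint for the OpenStack config.txt or OVF Tool script from Step 5. It confirms that CloudEnrollmentToken= is set exactly once under the ## Enrollment Token for Crosswork Cloud section and that the file holding the token, which carries enrollment certificates, is not accessible to other users. The function names, sample file contents, and the placeholder token value are assumptions made for illustration.

```python
import os
import stat
import tempfile

SECTION = "## Enrollment Token for Crosswork Cloud"  # section heading named on the page
KEY = "CloudEnrollmentToken="                        # key named on the page

# Constructed samples; the token value is a placeholder, not a real token format.
GOOD_CONFIG = """\
## Enrollment Token for Crosswork Cloud
CloudEnrollmentToken=EXAMPLE-PLACEHOLDER-TOKEN
"""
BAD_CONFIG = """\
CloudEnrollmentToken=
## Enrollment Token for Crosswork Cloud
CloudEnrollmentToken= EXAMPLE-PLACEHOLDER-TOKEN
"""


def write_sample(text, mode):
    """Write a constructed sample to a temp file with the given permission bits."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def lint_enrollment_config(path):
    """Return a list of findings; the token value itself is never echoed."""
    findings = []

    # The token is reusable until it expires or is revoked, so treat the file as a secret.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o} grants access to group or others")

    with open(path, encoding="utf-8") as fh:
        lines = fh.read().splitlines()

    section_at = next((i for i, l in enumerate(lines) if l.strip() == SECTION), None)
    if section_at is None:
        findings.append(f"section heading {SECTION!r} not found")

    # Commented-out assignments (lines starting with '#') are ignored.
    assigned = [(i, l.lstrip()[len(KEY):]) for i, l in enumerate(lines)
                if l.lstrip().startswith(KEY)]
    if not assigned:
        findings.append(f"{KEY} not found")
    elif len(assigned) > 1:
        findings.append(f"{KEY} is set {len(assigned)} times; keep exactly one")

    for i, value in assigned:
        if section_at is not None and i < section_at:
            findings.append(f"line {i + 1}: {KEY} appears above the section heading")
        if not value.strip():
            findings.append(f"line {i + 1}: token value is empty")
        elif value != value.strip():
            findings.append(f"line {i + 1}: whitespace around the token value")
    return findings


if __name__ == "__main__":
    for name, text, mode in (("good", GOOD_CONFIG, 0o600), ("bad", BAD_CONFIG, 0o644)):
        path = write_sample(text, mode)
        try:
            print(name, lint_enrollment_config(path))
        finally:
            os.remove(path)
```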


Manually Add Crosswork Data Gateway Information


Note


If you use a firewall on your Crosswork Data Gateway egress traffic, ensure that your firewall configuration allows cdg.crosswork.cisco.com and crosswork.cisco.com.


Before you begin

For Crosswork Data Gateway versions earlier than 6.0.1, you must first install Crosswork Data Gateway, generate an enrollment token from the Crosswork Data Gateway interactive console, and then manually enter Crosswork Data Gateway information in Crosswork Cloud. For more information, see the following:

  1. Install Crosswork Data Gateway

  2. Obtain and Export Enrollment Package

Procedure


Step 1

From the main window, do one of the following:

  • For Crosswork Cloud Traffic Analysis, navigate to Crosswork Cloud Traffic Analysis icon > Configure > Data Gateways and then click Add Data Gateway.

  • For Crosswork Cloud Trust Insights, navigate to Crosswork Cloud Trust Insights > Configure > Data Gateways and then click Add Data Gateway.

Step 2

Click Registration File to upload the enrollment data file you downloaded from Crosswork Data Gateway, navigate to the location of the .json file, then click Next.

Step 3

Enter a name for the Crosswork Data Gateway.

Step 4

In the Application field, confirm that the Crosswork Cloud application shown is the one for which you are using this Crosswork Data Gateway instance. Each Crosswork Data Gateway can be applied to one Crosswork Cloud application only.

Step 5

Complete the rest of the required fields, then click Next.

Step 6

(Optional) Type a tag name and click New Item (or select from existing tag names), which allows you to group Crosswork Data Gateways with the same tag, then click Next.

Step 7

If you have more than one NIC and want one of them to handle southbound traffic, configure it in this window.

Step 8

Review the Crosswork Data Gateway information that you entered, then click Next.

Step 9

Click Accept to accept the security certificate.

A message appears to indicate the Crosswork Data Gateway was successfully added.

Step 10

After a few minutes, verify that your Crosswork Data Gateway is successfully connected. Click Data Gateways, click on the name of the Crosswork Data Gateway, and verify the following values for the Crosswork Data Gateway you added:

  • Connectivity: Session Up

  • Admin State: Enabled

  • Container Image: Matched

You may need to refresh the page to see the changes.


Install Crosswork Data Gateway

Crosswork Data Gateway is required for Crosswork Cloud Traffic Analysis and Crosswork Cloud Trust Insights only. It is not required for Crosswork Cloud Network Insights.

Prior to Crosswork Data Gateway installation, review the steps outlined in one of the following topics:


Note


For Crosswork Data Gateway 6.0.1 and later, you have the option to create an enrollment token within Crosswork Cloud and then install a Crosswork Data Gateway. For earlier Crosswork Data Gateway versions, you must install a Crosswork Data Gateway first and manually enter the Data Gateway information in Crosswork Cloud.

Procedure


Install a Crosswork Data Gateway as explained in the Cisco Crosswork Data Gateway Installation and Configuration Guide for Cloud Applications.


View Data Gateway Health

You can quickly view the health of your Crosswork Data Gateway instances. From the main window under Configure, click Data Gateways. Click the Crosswork Data Gateway instance whose health you want to view.

The Crosswork Data Gateway collection and health information are displayed. You can view connectivity status, when the application was downloaded, and when the last data collection occurred.

The Container Image field indicates the Docker image status using the following values:

  • Matched—The Data Gateway is running the latest published Docker image.

  • Mismatched—The Data Gateway is running an older Docker image.

  • Missing—A Docker image has not been downloaded.

You can also hover your mouse over the Container Image field to view the Docker image tag.

Figure 1. View Data Gateway Health


Link Devices to Crosswork Data Gateway

You can select a Crosswork Data Gateway instance to collect the dossier for each device you added. You must add a Data Gateway before performing this task.

Procedure


Step 1

From the main window, click Data Gateways.

Step 2

Click on the Data Gateway instance you want to link to a device.

Step 3

Click the Linked Trust / Traffic Devices tab.

A list of any devices that were previously linked to the Data Gateway is displayed.

Step 4

Select the devices to link to the Data Gateway, then click Link Traffic Devices.

After devices are linked to a Data Gateway, they are automatically scheduled for collection. To check the status of collection and the next upcoming collection interval, look at the Overview tab on the Data Gateway page.

Note

 

To unlink devices, check the box for one or more devices that you want to unlink, then click Unlink. The Data Gateway will no longer collect the dossier for the device you unlinked.


Troubleshoot Crosswork Data Gateway and Device Connectivity for Traffic Analysis

The following steps explain how to troubleshoot connectivity between Crosswork Data Gateway and your Crosswork Cloud Traffic Analysis devices.

Procedure


Step 1

In the main window, click Devices and then click the device for which you want to view connectivity to Crosswork Data Gateway.

Step 2

Click the Status tab.

Step 3

If all of the connections between the Crosswork Data Gateway and the device are red, indicating an error, and you have a firewall, ensure that it is configured to allow cdg.crosswork.cisco.com and crosswork.cisco.com.

Test and correct the connectivity between Crosswork Data Gateway and the device.

Step 4

Ensure the SNMP arrow between the Crosswork Data Gateway and the device is green, indicating that the connection is working.

If the SNMP arrow is red, Crosswork Data Gateway is not able to connect to the device. Correct the following errors:

  • Ensure the SNMP configuration on the router is correct. See SNMP configuration examples for more information.

  • Ensure that the credentials you entered in Crosswork Cloud Traffic Analysis match the credentials configured on the router. Hover your cursor over the SNMP link and click the blue hyperlink to go to the credentials for that device.

  • If you created an SNMP view, ensure you specified the correct SNMP object identifiers (OIDs). See SNMP object identifiers used by Crosswork Cloud Traffic Analysis.

  • Verify that you entered the correct SNMP IP address. Click Edit, then scroll to the Crosswork Cloud Traffic Analysis section and verify the SNMP Address field.

Step 5

Ensure the BGP arrow between the Crosswork Data Gateway and the device is green, indicating that the connection is working.

If the BGP arrow is red, correct the following errors:

  • Check that the IP address for the BGP peer is correct. Click Edit, then scroll to the Crosswork Cloud Traffic Analysis section and verify the BGP Router ID IP Address field.

  • If you’re using credentials for BGP, make sure the credentials you entered in Crosswork Cloud Traffic Analysis match the credentials configured on the router.

  • Ensure that your device configuration includes the IP address of the Crosswork Data Gateway and the ASN of the Crosswork Data Gateway (the default ASN is 65000) and that they are neighbors.

  • Ensure that the BGP session between the Crosswork Data Gateway and the device is an external BGP (e-BGP) session.

Note

 

The SSH connection between the Crosswork Data Gateway and the device is not required for Crosswork Cloud Traffic Analysis.

Step 6

Ensure the Traffic Data arrow between the Crosswork Data Gateway and the device is green, indicating that the connection is working.

If the Traffic Data arrow between the Crosswork Data Gateway and the device is red, check the NetFlow configuration on your router, specifically the port number (255) and the IP address from where the NetFlow data is being exported. Ensure the IP address you specified in the NetFlow Source Address field matches the IP address from where the NetFlow records are being exported.

Step 7

If all connections are green and you are not seeing traffic data, ensure you have correctly configured internal and external interfaces. See Designate an external interface for Crosswork Cloud Traffic Analysis.
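The BGP checks in Step 5 can be run against a saved device configuration before working through the Status tab. This is an added example, not Cisco code: it assumes an IOS XR-style router bgp stanza with plain-integer ASNs, and the sample configurations, addresses, and function names are constructed for illustration.

```python
import ipaddress
import re

DEFAULT_CDG_ASN = 65000  # default Data Gateway ASN given in the troubleshooting steps

# Constructed IOS XR-style samples (documentation address ranges, private ASNs).
GOOD_CONFIG = """\
router bgp 64512
 bgp router-id 198.51.100.1
 address-family ipv4 unicast
 !
 neighbor 192.0.2.10
  remote-as 65000
  address-family ipv4 unicast
  !
 !
!
"""
IBGP_CONFIG = """\
router bgp 65000
 neighbor 192.0.2.10
  remote-as 65000
 !
 neighbor-group OTHER
  remote-as 64999
 !
!
"""


def parse_bgp(config_text):
    """Return (local_asn, {neighbor_ip: remote_asn}) from a 'router bgp' stanza."""
    local_asn, neighbors = None, {}
    current, depth = None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not line or line == "!":
            continue
        if current is not None and indent <= depth:
            current = None  # left the neighbor sub-mode
        if m := re.fullmatch(r"router bgp (\d+)", line):
            local_asn = int(m.group(1))
        elif m := re.fullmatch(r"neighbor (\S+)", line):
            try:
                current = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # not an address; skip this stanza
            depth = indent
            neighbors.setdefault(current, None)
        elif current and (m := re.fullmatch(r"remote-as (\d+)", line)):
            neighbors[current] = int(m.group(1))
    return local_asn, neighbors


def check_cdg_peering(config_text, cdg_ip, cdg_asn=DEFAULT_CDG_ASN):
    """Check that the Data Gateway is a neighbor, with its ASN, over eBGP."""
    local_asn, neighbors = parse_bgp(config_text)
    if local_asn is None:
        return ["no 'router bgp' stanza found"]
    findings = []
    key = str(ipaddress.ip_address(cdg_ip))
    if key not in neighbors:
        findings.append(f"Data Gateway {key} is not configured as a BGP neighbor")
    elif neighbors[key] != cdg_asn:
        findings.append(f"neighbor {key} has remote-as {neighbors[key]}, expected {cdg_asn}")
    if local_asn == cdg_asn:
        findings.append(f"router ASN {local_asn} equals the Data Gateway ASN: "
                        "the session would be iBGP, not eBGP")
    return findings


if __name__ == "__main__":
    print("good:", check_cdg_peering(GOOD_CONFIG, "192.0.2.10"))
    print("ibgp:", check_cdg_peering(IBGP_CONFIG, "192.0.2.10"))
```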


Disable Crosswork Data Gateways

You can deactivate a Crosswork Data Gateway, which retains the Crosswork Data Gateway information, but disables the Crosswork Data Gateway from sending network data to Crosswork Cloud.

To delete a Crosswork Data Gateway and remove it and its data completely, see Delete Crosswork Data Gateways.

Procedure


Step 1

From the main window, click Data Gateways.

Step 2

Click on the Crosswork Data Gateway instance you want to deactivate, then click Disable.


Delete Crosswork Data Gateways

You can delete a Crosswork Data Gateway to remove it completely. You can also deactivate a Crosswork Data Gateway, which retains the Crosswork Data Gateway information, but disables the Crosswork Data Gateway from sending network data to Crosswork Cloud.

Procedure


Step 1

From the main window, click Data Gateways.

Step 2

Click on the Crosswork Data Gateway instance you want to delete.

Step 3

Click Remove. The Crosswork Data Gateway is removed.