APIC-EM PNP deployment on Cisco 892FSP with 200+ MPLS sites

lap
Level 2

Hi Everyone,

I am currently trying to deploy 200+ remote MPLS L3 VPN sites for a customer with APIC-EM PNP based on Cisco 892FSP.

APIC-EM is running 1.4 and is configured with templates and everything looks fine. Each 200+ sites will have the following topology:

[Image: APIC-EM-TOPOLOGY.jpg]

VLAN 3001 is used for management and the ISP CPE has a helper address on this VLAN pointing to the customer DHCP configured with option 43 in order for the customer CPE to be able to communicate with the APIC-EM controller.

On the customer CPE, the trunk is configured with L3 subinterfaces. All Cisco 892FSP are running on 15.5(3)M4a software version which should support PNP when I look at the APIC-EM PNP compatibility matrix. The router has been reset to factory default following APIC-EM PNP configuration guide.

The issue already starts when I boot an 892FSP, which stops on the initial configuration dialog, where the user has to choose yes or no:

[Image: 892FSP-ConfigDialog.jpg]

It looks like I am hitting the following bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu93989/?referring_site=bugquickviewredir

Has anyone successfully deployed APIC-EM PNP on ISR G2 routers or seen this issue before?

Best regards,

Laurent

aradford
Cisco Employee

Hi Laurent,

Sorry for the delay, been on a long haul flight.

A couple of things:

1) The message you see is normal, it does not mean PnP is not working. The process happens under the covers.

2) In order to do what you need, you will need dynamic trunking on the uplink port... but routers do not support DTP.

3) You will also need CDP to negotiate the startup VLAN on the 892, but it would need to create the subinterface, not just a VLAN.

I took a look at this and did some testing. I can get a connection to come up using DTP on the switch and native VLAN == management VLAN on the switch. The challenge is that if you push a config that contains subinterfaces, there is no way to advertise trunking support from the router. This is important as you need to use DTP to signal to the switch to move to trunking mode.

I think the best solution is to use a USB key with a small bootstrap config (i.e. just the dot1q of the management interface). You can even leave it on DHCP and the PnP process would do the rest.

Adam

I did find another possible solution, without using USB, but not sure you will like it.

If I force the switch to trunk and make the management VLAN the native VLAN, then the router will be able to communicate with the PnP server (and use DHCP).

You can then push a config down to the router to configure the management interface as management. You can also move to a static IP at the same time. You will need to do a "no ip address" on the router WAN interface.

On switch: (NOTE: VLAN 14 is my management VLAN)

3850-core#show run int g1/0/7
Building configuration...

Current configuration : 126 bytes
!
interface GigabitEthernet1/0/7
 description link to ZTD router
 switchport trunk native vlan 14
 switchport mode trunk
end

Then push the following config to the router via PnP:

interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.14
 encapsulation dot1Q 14 native
 ip address 10.10.14.100 255.255.255.0
end

The IP address could be DHCP (it would get another IP address as different MAC), or statically defined.

The only challenge is you need to have the management VLAN as the native VLAN.

Adam

Hi Adam,

Thank you very much for your response.

You are right, the PNP process is now happening. I think my issue was that the 892 wasn't getting an IP address from the DHCP.

The ISP CPE router is configured as follows (I use another 800 for test purposes). I have to note that I haven't configured the pnp startup-vlan command on the ISP CPE as I couldn't see any difference.

!
interface FastEthernet5
 description #PNP-AGENT#
 switchport trunk native vlan 3000
 switchport mode trunk
!
interface Vlan3000
 description # MGT #
 ip address 10.250.148.1 255.255.255.252
 ip helper-address 10.9.100.70
end
!

The Customer CE is connected towards the ISP CE on a routed port (G8). The PNP configuration we want to push from APIC-EM is the following on this port:

!
interface GigabitEthernet8
 description # WAN #
 media-type rj45
 no shut
!
ip route 0.0.0.0 0.0.0.0 10.250.${WAN-LOKATION_ID}.1 name APIC-EM-PNP
!
interface g8.3000
 description # MGT #
 encapsulation dot1Q 3000 native
 ip address 10.250.${WAN-LOKATION_ID}.2 255.255.255.252
 no shut
!
interface g8.3001
 description # ADM #
 encapsulation dot1Q 3001
 vrf forwarding ADM
 ip address 10.250.${WAN-LOKATION_ID}.6 255.255.255.252
 no shut
!
etc... Until 3008
!

When booting, the Customer CE router gets the APIC-EM info from DHCP and also contacts the APIC-EM controller.

It looks like everything goes well on the APIC-EM controller as it goes from "pending" to "deploying config", but then it gets stuck in this state and after a couple of minutes it changes to the "error" state.

[Images: APIC-EM-1.jpg, APIC-EM-2.jpg, APIC-EM-3.jpg, APIC-EM-4.jpg]

If I log into the customer CE router, it looks like all the configuration has been applied by APIC-EM. The only thing which is missing is the IP address on the g8.3000 subinterface, and now there is "ip address dhcp" on the g8 interface which shouldn't be there. Otherwise all the config has been applied successfully.

!
ip route 0.0.0.0 0.0.0.0 10.250.148.1 name APIC-EM-PNP
!
interface GigabitEthernet8
 description # WAN #
 ip address dhcp
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet8.3000
 description # MGT #
 encapsulation dot1Q 3000 native
!
interface GigabitEthernet8.3001
 description # ADM #
 encapsulation dot1Q 3001
 vrf forwarding ADM
 ip address 10.250.148.6 255.255.255.252
!
etc...3008
!

Is that because the PNP IOS agent is not supported on routed subinterfaces? How can we solve this issue?

Regards,

Laurent

aradford
Cisco Employee

I think the issue is that when you boot the router, it gets an IP address via DHCP on int Gig8.

When you push the profile, it also tries to assign an IP address out of the same range as the DHCP address. As you know, you cannot have the same network assigned on two different router interfaces.

I suspect if you were to include the following:

int g8
 no ip address

You would be successful. That would remove the DHCP associated address, and allow you to use the manually assigned IP address in the template.

Adam

Hi Adam,

Thanks for your quick reply. I will try later today and let you know.

Regards,

Laurent

Hi Adam,

You are the man!

After I have configured the following in the template the router gets provisioned successfully:

int g8
 no ip address

This solution is great. The customer has 180 ISR 892FSP and around 20 ASR920 so we hope that the ASR920 will be supported soon in APIC-EM so we don't have to manually provision it. Do you know maybe when ASR920 will be supported in APIC-EM PNP?

I have another question regarding the provisioning. We are using a project and then a template to provision the router. So the customer has to add the 200 devices under the project and fill in the different parameters in the configuration template. The template has 7 variables as you see here:

[Image: 2017-04-03 10_38_52-Network Plug and Play - APIC - Enterprise Module.jpg]

I would like to know if there is a more efficient way to do this process (scripting or bulk import). So my question is, will it be possible to use an Excel sheet as bulk import including the above variables, the project name, the configuration for each location and so everything can get created from the Excel sheet automatically? Maybe you know a better way to do it by scripting to automate this process better?

Thank you very much for your help so far.

Regards,

Laurent

aradford
Cisco Employee

Great news, and thanks for letting us know. Great the community is able to help you.

For the 920, try the "I wish this page would" on the bottom left hand corner. That will send an email to the product owners.

The bulk import of template variables is in the next release, I think.

It is possible to script this as well via the REST API. My blog post contains the API calls to do this: APIC-EM 1.3 Update – Part 1 - PnP Templates

I might put together a little Python script.

Adam
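
An added example, not part of this thread or of Adam's blog post: rendering the thread's template offline for each row of a bulk sheet, then checking every rendered config for the overlap that caused the "error" state (a static native-VLAN subinterface whose parent lacks "no ip address"). The CSV column names, function names and the check itself are assumptions, and nothing here calls the APIC-EM REST API.

```python
import csv, io, re
# Trimmed from the template posted in this thread, with the accepted fix applied.
TEMPLATE = """\
interface GigabitEthernet8
 no ip address
!
ip route 0.0.0.0 0.0.0.0 10.250.${WAN-LOKATION_ID}.1 name APIC-EM-PNP
interface GigabitEthernet8.3000
 encapsulation dot1Q 3000 native
 ip address 10.250.${WAN-LOKATION_ID}.2 255.255.255.252
!
"""
SITES_CSV = "hostname,WAN-LOKATION_ID\nsite-148,148\nsite-149,149\n"  # constructed sample
VAR = re.compile(r"\$\{([^}]+)\}")  # string.Template rejects '-' in names

def render(template, values):
    """Substitute ${NAME}; raise on a missing or empty value."""
    def sub(m):
        if not values.get(m.group(1)):
            raise KeyError(f"missing template variable {m.group(1)}")
        return values[m.group(1)]
    return VAR.sub(sub, template)

def stanzas(config):
    """Map each interface name to its sub-commands ('!' ends a stanza)."""
    out, cur = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface "):
            cur = line.split(None, 1)[1].strip()
            out[cur] = []
        elif line.strip() == "!":
            cur = None
        elif cur and line.strip():
            out[cur].append(line.strip())
    return out

def overlap_risks(config):
    """Parents lacking 'no ip address' under a static native subinterface."""
    ifs, risky = stanzas(config), []
    for name, cmds in ifs.items():
        native = any(re.match(r"encapsulation dot1Q \d+ native", c) for c in cmds)
        static = any(re.match(r"ip address \d", c) for c in cmds)
        parent, dot, _ = name.partition(".")
        if dot and native and static and "no ip address" not in ifs.get(parent, []):
            risky.append(parent)
    return risky

def build_all(template, csv_text):
    """Render one config per CSV row, keyed by hostname."""
    return {r["hostname"]: render(template, r) for r in csv.DictReader(io.StringIO(csv_text))}
```

The check assumes the parent and subinterface are written with the same interface name form (GigabitEthernet8 and GigabitEthernet8.3000, not g8.3000).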

Thank you very much for your help Adam. Our customer is really happy and I am also.

I have sent "I wish this page would" to the APIC-EM team regarding support for ASR920.

I will look at your blog regarding REST API.

Would be great with a Python script if you have time.

Regards,

Laurent

aradford
Cisco Employee

BTW, there is no point using startup-vlan in this scenario.

Adam
