03-30-2017 11:26 PM - edited 03-01-2019 04:37 AM
Hi Everyone,
I am currently trying to deploy 200+ remote MPLS L3 VPN sites for a customer with APIC-EM PNP based on Cisco 892FSP.
APIC-EM is running 1.4 and is configured with templates and everything looks fine. Each 200+ sites will have the following topology:
VLAN 3001 is used for management and the ISP CPE has a helper address on this VLAN pointing to the customer DHCP configured with option 43 in order for the customer CPE to be able to communicate with the APIC-EM controller.
On the customer CPE, the trunk is configured with L3 subinterfaces. All Cisco 892FSP are running on 15.5(3)M4a software version which should support PNP when I look at the APIC-EM PNP compatibility matrix. The router has been reset to factory default following APIC-EM PNP configuration guide.
The issue already starts when I boot a 892FSP which stops on the initial configuration dialog, where user has to choose yes or no:
It looks like I am hitting the following bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu93989/?referring_site=bugquickviewredir
Has anyone successfully deployed APIC-EM PNP on ISR G2 routers or seen this issue before?
Best regards,
Laurent
04-01-2017 09:24 PM
Hi Laurent,
Sorry for the delay, been on a long haul flight.
A couple of things:
1) The message you see is normal, it does not mean PnP is not working. The process happens under the covers
2) In order to do what you need, you will need dynamic trunking on the uplink port.... but routers do not support DTP.
3) You will also need CDP to negotiate the startup vlan on the 892. but it would need to create the sub interface, not just a vlan.
I took a look at this and did some testing. I can get a connection to come up using DTP on the switch and native vlan == management vlan on the switch. The challenge is that if you push a config that contains sub interfaces, there is no way to advertise trunking support from the router. This is important as you need to use DTP to signal to the switch to move to trunking mode.
I think the best solution is to use a USB key with a small bootstrap config (i.e. just the dot1.q of the management interface). You can even leave on DHCP and the PnP process would do the rest.
Adam
04-02-2017 12:00 AM
I did find another possible solution, without using USB, but not sure you will like it.
If I force the switch to trunk and make the management vlan the native vlan, then the router will be able to communicate to the PnP server (and use DHCP).
You can then push a config down to the router to configure the management interface as management. You can also move to a static IP at the same time. You will need to do a "no ip address" on the router WAN interface.
On switch: (NOTE vlan 14 is my management vlan)
3850-core#show run int g1/0/7
Building configuration...
Current configuration : 126 bytes
!
interface GigabitEthernet1/0/7
description link to ZTD router
switchport trunk native vlan 14
switchport mode trunk
end
Then push the following config to the router via PnP
interface GigabitEthernet0/0
no ip address
interface GigabitEthernet0/0.14
encapsulation dot1Q 14 native
ip address 10.10.14.100 255.255.255.0
end
The IP address could be DHCP (it would get another IP address as different MAC), or statically defined.
The only challenge is you need to have the management vlan as the native vlan.
Adam
04-02-2017 12:09 AM
Hi Adam,
Thank you very much for your response.
You are right, the PNP process is now happening. I think my issue was that the 892 wasn't getting an IP address from the DHCP.
The ISP CPE router is configured as follows (I use another 800 for test purposes). I have to note that I haven't configured the pnp startup-vlan command on the ISP CPE as I couldn't see any difference.
!
interface FastEthernet5
description #PNP-AGENT#
switchport trunk native vlan 3000
switchport mode trunk
!
interface Vlan3000
description # MGT #
ip address 10.250.148.1 255.255.255.252
ip helper-address 10.9.100.70
end
!
The Customer CE is connected towards the ISP CE on a routed port (G8). The PNP configuration we want to push from APIC-EM is the following on this port:
!
interface GigabitEthernet8
description # WAN #
media-type rj45
no shut
!
ip route 0.0.0.0 0.0.0.0 10.250.${WAN-LOKATION_ID}.1 name APIC-EM-PNP
!
interface g8.3000
description # MGT #
encapsulation dot1Q 3000 native
ip address 10.250.${WAN-LOKATION_ID}.2 255.255.255.252
no shut
!
interface g8.3001
description # ADM #
encapsulation dot1Q 3001
vrf forwarding ADM
ip address 10.250.${WAN-LOKATION_ID}.6 255.255.255.252
no shut
!
etc... Until 3008
!
When booting, the Customer CE router gets the APIC-EM info from DHCP and also contacts the APIC-EM controller.
It looks like everything goes well on the APIC-EM controller as it goes from "pending" to "deploying config", but then it gets stuck in this state and after a couple of minutes it changes to the "error" state.
If I log into the customer CE router, it looks like all the configuration has been applied by APIC-EM. The only thing which is missing is the IP address on the g8.3000 subinterface, and now there is "ip address dhcp" on the g8 interface which shouldn't be there. Otherwise all the config has been applied successfully.
!
ip route 0.0.0.0 0.0.0.0 10.250.148.1 name APIC-EM-PNP
!
interface GigabitEthernet8
description # WAN #
ip address dhcp
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet8.3000
description # MGT #
encapsulation dot1Q 3000 native
!
interface GigabitEthernet8.3001
description # ADM #
encapsulation dot1Q 3001
vrf forwarding ADM
ip address 10.250.148.6 255.255.255.252
!
etc...3008
!
Is that because the PNP IOS agent is not supported on routed subinterfaces? How can we solve this issue?
Regards,
Laurent
04-02-2017 12:17 AM
I think the issue is that when you boot the router, it gets an IP address via DHCP on int Gig8.
When you push the profile, it also tries to assign an IP address out of the same range as the DHCP address. As you know you cannot have the same network assigned on two different router interfaces.
I suspect if you were to include the following
int g8
no ip address
You would be successful. That would remove the DHCP associated address, and allow you to use the manually assigned IP address in the template.
Adam
04-02-2017 01:57 AM
Hi Adam,
Thanks for your quick reply. I will try later today and let you know.
Regards,
Laurent
04-03-2017 01:56 AM
Hi Adam,
You are the man!
After I have configured the following in the template the router gets provisioned successfully:
int g8
no ip address
This solution is great. The customer has 180 ISR 892FSP and around 20 ASR920 so we hope that the ASR920 will be supported soon in APIC-EM so we don't have to manually provision it. Do you know maybe when ASR920 will be supported in APIC-EM PNP?
I have another question regarding the provisioning. We are using a project and then a template to provision the router. So the customer has to add the 200 devices under the project and fill in the different parameters in the configuration template. The template has 7 variables as you see here:
I would like to know if there is a more efficient way to do this process (scripting or bulk import). So my question is, will it be possible to use an excel sheet as bulk import including the above variables, the project name, the configuration for each location and so everything can get created from the excel sheet automatically? Maybe you know a better way to do it by scripting to automate this process better?
Thank you very much for your help so far.
Regards,
Laurent
04-03-2017 03:43 AM
Great news, and thanks for letting us know. Great the community is able to help you.
For the 920, try the "I wish this page would" on the bottom left hand corner. That will send an email to the product owners.
The bulk import of template variables is in the next release I think.
It is possible to script this as well via the REST API. My blog post contains the API calls to do this. APIC-EM 1.3 Update – Part 1 - PnP Templates
I might put together a little python script.
Adam
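An offline pre-flight check for the two points raised in this thread, added here as an example (it is not Adam's script or APIC-EM code, and it calls no APIC-EM API): it fills the `${...}` template variables from per-site CSV rows and flags a template that addresses a subinterface without `no ip address` on the parent port. The CSV layout, the `site` column and the function names are assumptions, and the template is a shortened, constructed copy of the one quoted above.

```python
import csv, io, re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_-]+)\}")
IFACE = re.compile(r"^\s*int\w*\s+([A-Za-z-]+)([\d/]+)(?:\.(\d+))?\s*$", re.I)

# Constructed sample: a shortened form of the template quoted in the thread.
TEMPLATE = """interface GigabitEthernet8
description # WAN #
!
interface g8.3000
encapsulation dot1Q 3000 native
ip address 10.250.${WAN-LOKATION_ID}.2 255.255.255.252
!
"""
FIX = "int g8\nno ip address\n!\n"  # the two lines suggested in the thread
SITES_CSV = "site,WAN-LOKATION_ID\nsite-a,148\nsite-b,\n"  # constructed rows

def render(template, values):
    """Fill ${NAME} from values; return (config, names left unresolved)."""
    missing = sorted({n for n in PLACEHOLDER.findall(template) if not values.get(n)})
    config = PLACEHOLDER.sub(lambda m: values.get(m.group(1)) or m.group(0), template)
    return config, missing

def unsafe_parents(config):
    """Ports with an addressed subinterface but no 'no ip address' on the parent."""
    cleared, addressed, cur = [], [], None
    for raw in config.splitlines():
        line, m = raw.strip(), IFACE.match(raw)
        if m:  # (name letters, port number, subinterface id or None)
            cur = (m.group(1).lower(), m.group(2), m.group(3))
        elif line == "!":  # assumption: stanzas are separated by '!' lines
            cur = None
        elif cur and cur[2] is None and line == "no ip address":
            cleared.append(cur[:2])
        elif cur and cur[2] and line.startswith("ip address "):
            addressed.append(cur[:2])
    def same(a, b):  # IOS accepts abbreviated names: g8 == GigabitEthernet8
        return a[1] == b[1] and (a[0].startswith(b[0]) or b[0].startswith(a[0]))
    return sorted({f"{a[0]}{a[1]}" for a in addressed
                   if not any(same(a, c) for c in cleared)})

def preflight(template, sites_csv):
    """Per site: unresolved variables and parent ports the template leaves uncleared."""
    report = {}
    for row in csv.DictReader(io.StringIO(sites_csv)):
        config, missing = render(template, row)
        report[row["site"]] = {"missing": missing, "unsafe": unsafe_parents(config)}
    return report
```

`preflight(TEMPLATE, SITES_CSV)` reports `g8` as unsafe for both sites and an empty `WAN-LOKATION_ID` for `site-b`; with `TEMPLATE + FIX` the unsafe list is empty.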
04-03-2017 04:01 AM
Thank you very much for your help Adam. Our customer is really happy and I am also
I have sent "I wish this page would" to APIC-EM team regarding support for ASR920.
I will look at your blog regarding REST API.
Would be great with a python script if you have time
Regards,
Laurent
04-02-2017 12:19 AM
BTW, there is no point using startup-vlan in this scenario.
Adam