Solution Overview

This is a solution unique to Cisco that utilizes an integration between the Cisco IoT Control Center and the SD-WAN Manager to provide secure and automated carrier provisioning and activation at scale.

Today, when customers purchase cellular WAN devices, they must go through a time-consuming and resource-consuming process before the devices are fully set up with the designated carrier and plan at the site destination. In addition to purchasing the cellular WAN device from Cisco, the customer is responsible for acquiring SIM cards for specific carriers and specific plans for all their devices, and then working with the carrier to activate these SIMs.

With the introduction of the Managed Cellular Activation solution, Cisco cuts out the most time- and resource-intensive steps in this process to offer a new, much-simplified customer experience. When the customer purchases a cellular WAN device from Cisco and decides to opt into the Managed Cellular Activation solution, the device will ship with a physical eSIM card pre-loaded on that device. The supported carrier sets up an account for the customer in Control Center, details for this account are entered into SD-WAN Manager by the customer, and upon device boot-up, the device will automatically connect to the internet with a pre-loaded Cisco bootstrap carrier plan on that eSIM card before performing a switchover to the new designated carrier and plan selected by the customer.

Supported Devices

Platforms	First Supported Release	Module
Cisco Catalyst Wireless Gateway CG113-4GW6B	17.12.1a	N/A
Catalyst 8200 Series	17.12.1a	P-5GS6-GL
	17.13.1a	P-5GS6-R16SA-GL, P-LTEAP18-GL, P-LTEA-EA, P-LTEA7-NA
Catalyst 8300 Series	17.12.1a	P-5GS6-GL
	17.13.1a	P-5GS6-R16SA-GL, P-LTEAP18-GL, P-LTEA-EA, P-LTEA7-NA
ISR 1000 Series	17.12.2	P-5GS6-GL
	17.13.1a	P-5GS6-R16SA-GL, P-LTEAP18-GL, P-LTEA-EA, P-LTEA7-NA
Rugged Router IR 1101 Series	17.15.1a	P-5GS6-R16SA-GL, P-LTEAP18-GL, P-LTEA-EA, P-LTEA7-NA
Rugged Router IR 1800 Series	17.15.1a	P-5GS6-R16SA-GL, P-LTEAP18-GL, P-LTEA-EA, P-LTEA7-NA, P-LTE-MNA

Supported Carriers

• North America Arena – AT&T

Prerequisites for Managing Cisco Catalyst Wireless Gateway

• Ensure Cisco SD-WAN Manager has connectivity to the Cisco IoT Control Center. To verify Cisco SD-WAN Manager connectivity to the Cisco IoT Control Center, see Verify Cisco Catalyst SD-WAN Manager's Connectivity to the Cisco IoT Control Center.
• Ensure access to the SIM management platform Cisco IoT Control Center.
• Onboarding devices via Plug and Play, which requires a Cisco Smart Account.
• For the device to appear in the device list in Cisco SD-WAN Manager, it needs to be synchronized from SD-WAN Manager with the Smart Account.

Restrictions for the Managed Cellular Activation Solution

• Managed Cellular Activation supports only SIM 0.
• For more information about PIM, see Cellular Pluggable Interface Module Configuration Guide.
• The Cisco bootstrap account comes with an eSIM assist feature for a device bring up and contains a predefined data limit. This account is designed to facilitate the initial bring up process with a restricted data quota.
• The Cisco SD-WAN Manager supports only one Cisco IoT Control Center account per user.
• After you configure the eSIM to use your service provider account, you cannot change to a different SP account.
• Managed Cellular Activation supports only IPv4 addressing.

Day-0 Managed Cellular Activation User Workflow

Note: SD-WAN Manage (formally vManage) used in this guide is running the 20.12 version.

Enable Cisco eSIM on SD-WAN Manager

In this section we will enable Cisco eSIM functionalities on SD-WAN Manager.

•  Click on Hamburger Menu and navigate to Administration > Settings. Scroll all the way down to the eSIM parcel and click on Edit.

• Click on Enabled and then Save.

• You will be redirected to a Single Sign-On page with Okta for seamless authentication. Enter your credentials. This way we can launch integration between Cisco IoT Control Center and Cisco SD-WAN Manager for managed cellular activation with Cisco eSIM.

• Verify eSIM is enabled on SD-WAN Manager.

Retrieve API Key from IoT Control Center

In this section, we will go over the steps on where to retrieve the (AccountID, Username, API Key) information needed in the next section of this document. 

• Login to your AT&T IoT Control Center account. Note, every Service Provider will have their own URL.
• Navigate to Devices.

• Click on Admin > Users.
• Make sure you select an API Only user. 
• Make a note of the Account ID and Username. We will use these details in the Integration Management page of SD-WAN Manager. 

• Click on Show API Key and copy the API Key into a notepad. 

Add Service Provider Account to SD-WAN Manager

• From the Settings page click on Hamburger Menu and navigate to Administration > Integration Management.
• Select eSim Service Provider from the available tabs at the top.
• Click on Add Account Credentials.

• To add Service Provider account to SD-WAN Manager you will need to collect all the information from IoT Control Center (AccountID, Username, API Key) 
  • Select Carrier Name from a drop-down: AT&T Mobility
  • Enter AccountID corresponding to your IoT Control Center Account.
  • Enter Username corresponding to your IoT Control Center Account.
  • Enter API Key generated from your IoT Control Center Account.
  • Accept Terms and Conditions from AT&T.
  • Click Save

Carrier Name: AT&T Mobility

Account: 121683902

Username: username

API Key: ***********************************

Add default Communication and Rate plans

In this section we will add default communication and rate plans to the Service Provider Account. The baseline answer is that the communication plan tells you what a SIM card can do from a technical perspective. In IoT Control Center, the Communication plan defines the connectivity capabilities of a device (e.g. is SMS allowed to communication on 4G or 5G, which APN (access Points) are available). The Rate plans define how the consumed connectivity / data will be billed. e.g., based on individual or pooled consumption within a billing cycle.

• Click on the three dots on the far right and click on Edit.

• Check the Make as default checkbox. Select Communication Plan, Rate Plan, Access Point Name, Package Data Network Type, Authentication Method from the drop-downs assigned to you by a Service Provider.

• Click Save.

Configure cEdge devices

In this section we will create a cEdge configuration group using a config group workflow. It is assumed that the device is already onboarded to SD-WAN Manager using Quick Connect workflow for device onboarding. It is an alternative, guided method in Cisco SD-WAN Manager to onboard supported WAN edge devices into the Cisco SD-WAN overlay network. As part of the Quick Connect workflow, basic day-0 configuration profiles are created, which apply to all Cisco IOS XE SD-WAN devices, irrespective of the device model and device family. This workflow adds edge devices to the WAN transport and establishes data plane and control plane connections.

Please refer to this link for more details: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/m-quick-connect-workflow.html

• From the Cisco SD-WAN Manager menu, Click on Hamburger Menu and navigate to Workflows -> Workflow Library.

• To create a new configuration, click on Create Configuration Group.

• Give your cEdge Configuration Group a name and description of the configuration.
• (Optional) Expand WAN Interfaces parcel and remove or add new circuit.

• (Optional) Expand LAN & Service VPN Profile and remove or add dashlets if required.

• Click Next two times to proceed to the next step.
• Click on Create Configuration Group.
• When configuration group is successfully created, navigate to Configuration Groups.

Configure Cellular Tunnel Interface on cEdge

In numerous regions globally, an LTE SIM card comes with a data limit that restricts the amount of data that can be transmitted over the LTE connection each month. Once this data limit is used up, the speed of the connection might be significantly reduced, or extra fees could be incurred to access more data.

Hence, in practical scenarios where a remote location is linked to two (WAN) transport, including one utilizing LTE, the preferable approach would typically involve utilizing the LTE connection solely when the other transport becomes unavailable.

For the purpose of this guide, we will configure Cellular tunnel interface as primary WAN transport.

• Click on the three dots next to the just created template and click on Edit.

cEdge configuration group is designed to simplify user experience and quickly bring-up the SD-WAN sites. In the real-world deployment, you will have multiple sites configured, multiple Transport and Management Profiles enabled, and service profile (VPNs) configured. To use only Cellular link as Transport VPN, we will delete all WAN interfaces and will configure WWAN or Cellular Tunnel Interface.

• (Optional) Expand Transport & Management Profile Section and delete public-internet WAN Interface under VPN0 by clicking on the three dots. Please refer to the below screenshot.

• Now, we will create a new Cellular Interface under VPN0. Click on three dots next to VPN0 and select Add Sub-Feature.

• From the drop-down, select Cellular Interface.
• Add Name of the template.

• Under Basic Configuration fill out mandatory information
  1. Shutdown: By default, the interface is shutdown. Hover over the shutdown button and select Global to turn on the Cellular interface.
  2. Interface Name: Cellular0/x/0 (This configuration varies depending on the host platform)

VPN 0 —Transport VPN carries control traffic via the configured WAN transport interfaces. Initially, VPN 0 contains all device's interfaces except for the management interface, and all interfaces are disabled. At least one interface must be configured in VPN 0, and at least one interface must connect to a WAN transport network, such as the Internet or an MPLS or a metro Ethernet network. This WAN transport interface is referred to as a tunnel interface. At a minimum, for this interface, you must configure an IP address, enable the interface, and set it to be a tunnel interface.

• Navigate to the Tunnel Tab.
• Hover over the Tunnel Interface button, select Global and toggle the switch to enable Tunnel Interface.

A tunnel interface allows only DTLS, TLS, and, for Cisco cEdge devices, IPsec traffic to pass through the tunnel. To allow additional traffic to pass without having to create explicit policies or access lists, enable them by including one allow-service command for each service. You can also explicitly disallow services by including the no allow-service command. 

• Scroll down to the Allow Service Section and enable all services by changing the button to Global and then switching the toggle to enable.
• Click Save.

Congratulations, you just created your first Cellular Tunnel Interface!

Configure eSIM feature on cEdge

In this section, we will configure the eSIM profile and controller settings. In traditional routing and SD-WAN setups, these actions are distinct. First, we create a profile specifying the Access Point Name (APN) and Packet Data Network (PDN) for SIM connectivity. Then, we link this profile to a controller profile, ensuring alignment with the appropriate interface. Given our PIM's support for multiple packet data networks, accurate profile-to-interface association is crucial.

• Expand the Transport & Management Profile section and click on Add Feature.

• From the drop-down select Cisco eSim Flex Cellular Profile.
• Give your eSIM feature a Feature Name and Description of the configuration.
• Select preconfigured account credentials from the drop-down.

• Click Save.

• Click on Add Feature again and from the drop-down select Cisco eSim Flex Cellular Controller.

Give your eSIM Cellular Controller a Feature Name and Description of the configuration.

Configure Cellular ID, it depends on the slot configuration of each and individual device (ex. C8300, C8200, ISR1000). See configuration guide to understand the slot configuration.

• Scroll to the bottom of the controller configuration to choose a cellular profile and click Save.

Associate cEdge device with a Configuration Group

• Advance to the next page by clicking Next.
• Select the device or devices you wish to configure from a site.
• Click Next and Save to proceed to the next step.

• Click Provision Devices and Next to push the newly created configuration on the device.
• Select corresponding sites to deploy and click Next twice.
• Add and Review device configuration and click Next and Deploy.

• Click on View Deployment Status. It might take up to 15min to push configurations to the device and complete the ICCID swap.

• Click on the Logs icon in the Action column to get the latest status update of the swap. You should not see any error messages, if the swap is successful, you will see success message. If swap failed, please contact Cisco representative to resolve the issue.

Monitoring

• From the Cisco SD-WAN Manager menu, choose Monitor > Devices.

Observe the status of every deployed device. Notice Health and Reachability. If some devices are unreachable, it means that the device lost control connection with SD-WAN Manager (ex. Device is powered off)

• Select any healthy device from the device list.
• Navigate to the Cellular (eSIM) Tab and observe the data usage of the current ICCID.

Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here: 

Managed Cellular Activation with Cisco eSIM Datasheet 

Managed Cellular Activation Configuration Guide