07-10-2023 09:09 AM - edited 02-27-2024 02:38 PM
Goal: successfully provision an ENCS5400 series, Catalyst 8200 uCPE, or Catalyst 8300 uCPE device at a remote site with an internet connection.
Catalyst 8300 uCPE is the next generation of Cisco Enterprise Network Compute System (ENCS) 5400 Series. Highlights of upcoming C8300-UCPE platform:
The Cisco Catalyst 8300 Series Edge uCPE (Universal Customer Premises Equipment) is a purpose-built x86 platform designed for branch network function virtualization deployments in branches, on-premises and colocation data centers. It enables device consolidation across network and security functions, improves operational flexibility and service agility, simplifies network operations, and results in shorter deployment times and fewer truck rolls for delivery of add-on services.
• Device consolidation - run 3-6 VNFs from Cisco or other partners.
• 4-cores for C8000V delivers:
  • 5 Gbps of SD-WAN IMIX IPsec
  • 2 Gbps of SD-WAN IMIX IQDF
• 20-cores – Intel Xeon Ice Lake 2 GHz processor.
• Powered by Cisco NFVIS hypervisor operating system for KVM-based virtualization.
• 10 Gbps WAN/LAN ports.
• Dual-power supply.
• Use as stand-alone device or centrally manage using Cisco vManage as orchestrator with the updated UX2.0 interface.
• Expandable further with NIM and PIM modules.
• 5G-ready via PIM.
• < 18” depth form-factor ideal for tight spaces in branches.
• Supports CIMC software for device firmware management.
Highlights of UX2.0 NFV in vManage (Cisco Catalyst SDWAN Manager)
Minimum software release requirements for onboarding ENCS5400, C8200-UCPE platforms
-ENCS 5400 series or 8200-UCPE platform with NFVIS 4.14.1 release.
-Catalyst Manager 20.14.1 release
Minimum software release requirements for onboarding 8300-UCPE platform
-8300-UCPE platform with NFVIS 4.12.1 release.
-Catalyst Manager 20.12.1 release.
This document is expected to complement SD-Branch Design and Deployment Guide
Also reference
Getting started with ENCS 5400 Series
A typical virtual branch deployment requires an authorized list of devices and image packages for the services to be deployed. Also, VNF service images must be made available in the vManage image repository.
Create the device list in Smart Account and make it available in Catalyst Manager
When the 8300uCPE devices are ordered with controller mode, Cisco Manufacturing will populate the devices in the smart account. Often, for demos/POC, the following manual approach is required.
1. Access the 8300uCPE through the console and change the default password Admin123# to a secure password that meets the password policy requirement. Log in to get the device's Serial Number and SUDI Certificate, used in the next step. To do so, follow the example below.
login: admin
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
admin@localhost's password:
Cisco Network Function Virtualization Infrastructure Software (NFVIS)
NFVIS Version: 4.12.1-EFT2
Copyright (c) 2015-2023 by Cisco Systems, Inc.
Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
The copyrights to certain works contained in this software are owned by other
third parties and used and distributed under third party license agreements.
Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0,
LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin connected from ::1 using ssh on nfvis
nfvis# support show chassis
Product Name : C8300-UCPE-1N20
Chassis Serial Num : FGL2722LF0B
Certificate Serial Num : 6650522988207529A1B
nfvis#
1. Navigate to software.cisco.com
2. Scroll down to the Smart Licensing section.
3. Under Network Plug and Play, click on Manage devices.
6. Click on Identify Device.
7. Enter Serial Number, select Base PID (ENCS) from the drop-down menu and add Controller Profile (VIPTELA-CLOUD-HOSTED-PROFILE) from the drop-down menu. Click Save and advance to the next step by clicking Next.
8. Verify the entered information and click Next. Advance to the next step by clicking Submit.
9. If the device is added correctly, you should see a success message. Click on Done to add the device.
10. You will be redirected to the initial PnP Connect Devices page. You should be able to see the newly added device listed with the Pending (Redirection) status.
1. Log in to vManage.
2. Navigate to the Hamburger Menu, go to Configuration > Devices.
3. Click on Sync Smart Account. When prompted, enter CEC Credentials.
4. Refresh the Smart Account Device Sync Service page to see the status of the sync. The Success message will appear in the Status box.
5. After the device has been successfully added to vManage, you should see the C8300-uCPE in the Devices list.
Note: If you still don't see the C8300-uCPE in the Devices list, try syncing the smart account one more time.
6. The device will reach out to the Plug and Play Connect portal to receive the controller information. Do not interrupt the PnP boot-up process or the redirection to controllers will fail.
7. Select your device from the Available Devices window and move it to the Selected Devices section. Click on Attach.
Prerequisite: Create an FTP, SCP or HTTP server and upload the VNF disk images or VNF packages.
vManage uses the remote repository to source the vnf-disk-image and bootstrap files, and auto-generates the other environment files required by NFVIS.
Alternatively, a VNF tar package with the vnf-disk-image, bootstrap files and environment files can be used.
1.1.2 Add VNF image entries vnf image reference in remote server
This chapter describes how to get the VNF packages for vBranch, modify or re-package them if needed, and then upload them into vManage.
Currently the legacy VNF packages posted in CCO links cannot be used because their format is incompatible.
Please find Cisco supported VNF package at https://software.cisco.com/download/home/286308649/type/286327969/release/17.03.03
For third party VNF, please download the scaffold packages at https://software.cisco.com/download/home/286308693/type/286327978/release/4.4.1
CCO golden vBranch VNF packages for SDWAN routers such as C8000v, ISRv and vEdge have a day0 configuration with the following network mapping, which matches the 5 pre-defined vBranch topologies in Network Design.
Below is the pre-defined default network mapping for SDWAN routers.
To change the day0 configuration in the cloudinit bootstrap file, users can follow the steps below to repackage.
The Quick Connect workflow in Cisco Catalyst Manager creates a basic day-0 configuration profile, which is applicable to all Cisco IOS XE SD-WAN devices and NFV devices. This workflow establishes control plane and data plane access in your WAN.
The behavior of the Quick Connect workflow depends on how you upload devices to Cisco vManage. You can upload your devices in one of the following ways, either as part of the Quick Connect workflow or independently.
Using the auto sync option, where your Smart Account is synced with Cisco vManage. This option requires Cisco vManage to be able to connect with the Cisco Plug n Play (PnP) portal.
Using the manual upload method, where you download the authorized serial number file of devices from the Cisco PnP portal and upload it to Cisco vManage.
Prep for basic connectivity to device.
Configuration group provides a simple, reusable, and structured approach for the configurations in Cisco SD-WAN and NFV. You can create a configuration group, that is, a logical grouping of features or configurations that can be applied to one or more devices in the network. You can also create profiles based on features that are required, recommended, or uniquely used, and then combine the profiles to complete a device configuration.
The configuration group workflow in Cisco vManage provides a guided method to create configuration groups and feature profiles.
Define : Site Type, Site settings, WAN Profile
Define VNF Services : Resources, Bootstrap, WAN Interface connectivity, LAN Interface connectivity
Select the service chain design of interest.
For C8000v in SDWAN mode, start with "Router" or "Router-Firewall".
For C8000v in Routing mode, start with "Custom" option.
ASAv bootstrap file (sample)
Note: When importing or copy-pasting bootstrap files with pre-defined variables, ensure that the following syntax is used. If the $ or { is used incorrectly, the variable/value will not be accepted at deployment time.
Variables are represented within “{{“ “}}”. Example: {{SAMPLE_VARIABLE}}
Passwords are represented within “$${“ and “}”. Example : $${SAMPLE_PASSWORD}
Variables to be ignored are represented within “${“ and “}”. Example: ${NICID_0}
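A lint for the three placeholder forms listed above, as an added example that is not part of the original article or of Cisco tooling. It classifies each placeholder, flags stray `$`, `{` or `}` characters, and, as an added heuristic (an assumption, not a vManage check), flags values after `password`/`passphrase` keywords that are not written as `$${...}`. The sample template is constructed.

```python
import re

# Placeholder forms from the syntax note above:
#   {{NAME}} variable, $${NAME} password, ${NAME} ignored.
TOKEN = re.compile(
    r"\$\$\{(?P<password>[^{}\s]+)\}"
    r"|\$\{(?P<ignored>[^{}\s]+)\}"
    r"|(?<!\$)\{\{(?P<variable>[^{}\s]+)\}\}"
)
# Assumption (added heuristic): the word after these keywords is a secret.
SECRET_KW = re.compile(r"\b(?:password|passphrase)\s+(\S+)", re.I)


def lint_bootstrap(text):
    """Return (tokens, findings) for a bootstrap template."""
    tokens = {"variable": set(), "password": set(), "ignored": set()}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN.finditer(line):
            tokens[m.lastgroup].add(m.group(m.lastgroup))
        # Anything left containing $, { or } is a malformed placeholder.
        if re.search(r"[${}]", TOKEN.sub("", line)):
            findings.append((lineno, "malformed placeholder"))
        for m in SECRET_KW.finditer(line):
            value = m.group(1)
            if value.startswith("{{"):
                findings.append((lineno, "secret uses {{}} instead of $${}"))
            elif not value.startswith("$"):
                findings.append((lineno, "literal secret in template"))
    return tokens, findings


# Constructed sample: lines 1-3 follow the syntax note, lines 4-7 do not.
SAMPLE = """\
username {{SSH_USERNAME}} password $${SSH_PASSWORD}
ip address {{MGMT_IP_ADDRESS}} {{MGMT_NETMASK}}
nic ${NICID_0}
enable password {{ENABLE_PASSWORD}}
route outside 0.0.0.0 0.0.0.0 ${{SERVICE_GATEWAY}} 1
username admin password Passw0rd-constructed
ip address {MGMT_IP_ADDRESS} {{MGMT_NETMASK}}
"""

if __name__ == "__main__":
    toks, probs = lint_bootstrap(SAMPLE)
    for kind, names in toks.items():
        print(kind, sorted(names))
    for lineno, msg in probs:
        print(f"line {lineno}: {msg}")
```

Run it over a bootstrap file before pasting it into the workflow; an empty findings list means every placeholder matches one of the three accepted forms.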
!
username {{SSH_USERNAME}} password $${SSH_PASSWORD}
enable password $${ENABLE_PASSWORD}
!
interface management0/0
description Management Network for mgmt-net
nameif management
security-level 100
ip address {{MGMT_IP_ADDRESS}} {{MGMT_NETMASK}}
no shutdown
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address {{SERVICE_IP_ADDRESS}} {{SERVICE_NETMASK}}
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address {{LAN_IP_ADDRESS}} {{LAN_NETMASK}}
no shutdown
!
http server enable
http 0.0.0.0 0.0.0.0 management
aaa authentication http console LOCAL
!
ssh version 2
crypto key generate rsa modulus 2048
ssh 0.0.0.0 0.0.0.0 management
aaa authentication ssh console LOCAL
!
aaa authorization exec LOCAL auto-enable
!
route outside 0.0.0.0 0.0.0.0 {{SERVICE_GATEWAY}} 1
route management 0.0.0.0 0.0.0.0 {{MGMT_GATEWAY}} 2
!
ssh key-exchange group dh-group14-sha1
Define Firewall VNF properties
Review Summary of Configuration Group and Modify as required
The following procedure is also used for adding configuration options not available in the workflow above.
A configuration group is platform agnostic by design. Configurations that are platform-family specific are also supported in a configuration group designed for all UCPE platforms. During deployment, a warning is generated to notify the user about unsupported configurations that are removed, for example when a configuration group with a switch parcel is used for deploying a non-ENCS device (i.e. C8xxx UCPE).
Edit the sections in configuration group
Switch Parcel for ENCS5400
Switch port configuration for ENCS 5400
system settings default-gw {{bizInt-gw}}
system:system settings name-server {{nameserver-ip}}
system:system routes route 10.255.254.0 24 gateway {{mgmt-gw}}
!
vpn 0
interface int-mgmt-net-br
no shutdown
tunnel-interface
vmanage-connection-preference 8
color bronze
no allow-service bgp
allow-service dhcp
allow-service dns
allow-service icmp
no allow-service sshd
no allow-service netconf
no allow-service ntp
no allow-service ospf
no allow-service stun
allow-service https
encapsulation ipsec
!
!
single-ip-mode vm-name deployment-ROUTER.deployment-ROUTER
!
Below are the validated features for add-on CLI configuration.
Boot-up time
    vm_lifecycle tenants tenant admin
     deployments deployment deployment-ROUTER_1
      vm_group deployment-ROUTER_1
       bootup_time 600

PNIC tracking
    pnic GE0-0 track-state ROUTER_1 1

ACL
    system settings ip-receive-acl 0.0.0.0/0
     service [ scpd ]
     action accept
     priority 0
    !
    system settings ip-receive-acl 10.31.40.24/32
     service [ scpd ]
     action accept
     priority 5
    !

Static route
    system routes route 102.0.0.0 24
     gateway 192.168.0.2

TACACS
    aaa authentication tacacs
    tacacs-server host 172.19.156.179
     key 7
     encrypted-shared-secret cisco123
     admin-priv 15
     oper-priv 14
    !

Banner
    banner-motd banner "Banner for vBranch"

Message of the Day (MOTD)
    banner-motd motd "MOTD for vBranch"

SNMP
    nfvis-snmp:snmp enable traps linkUp
    nfvis-snmp:snmp enable traps linkDown
    nfvis-snmp:snmp community test snmp
     community-access readOnly
    !
    nfvis-snmp:snmp group snmpgroupv1 snmp 1 noAuthNoPriv
     read test
     write test
     notify test
    !
    nfvis-snmp:snmp group snmpgroupv2 snmp 2 noAuthNoPriv
     read test
     write test
     notify test
    !
    nfvis-snmp:snmp group snmpgroupv3 snmp 3 authPriv
     read test
     write test
     notify test
    !
    nfvis-snmp:snmp user testerv1
     user-version 1
     user-group snmpgroupv1
    !
    nfvis-snmp:snmp user testerv2
     user-version 2
     user-group snmpgroupv2
    !
    nfvis-snmp:snmp user testerv3
     user-version 3
     user-group snmpgroupv3
     auth-protocol sha passphrase cisco123
     priv-protocol aes passphrase cisco123
    !
    nfvis-snmp:snmp host SNMP-SERVER-57
     host-port 161
     host-ip-address 172.19.149.57
     host-version 3
     host-security-level authPriv
     host-user-name testerv3
    !
    nfvis-snmp:snmp host SNMP-SERVER-179
     host-port 161
     host-ip-address 172.19.156.179
     host-version 1
     host-security-level noAuthNoPriv
     host-user-name testerv1
    !
    nfvis-snmp:snmp host SNMP-SERVER-229
     host-port 161
     host-ip-address 172.25.221.229
     host-version 2
     host-security-level noAuthNoPriv
     host-user-name testerv2
    !

Default gateway
    system settings default-gw 172.25.217.1

ENCS switch configurations: port-channel, track-state, speed, duplex and QoS
    switch
     interface gigabitEthernet1/0
      track-state ISRv 3
     !
     interface gigabitEthernet1/1
      speed 100
      duplex full
     !
     interface gigabitEthernet1/2
      channel-group 1 mode auto
     !
     interface gigabitEthernet1/3
      channel-group 1 mode auto
     !
     interface gigabitEthernet1/4
      qos cos 3
     !
     interface port-channel1
      spanning-tree mst 1 cost 200000000
      spanning-tree mst 2 cost 200000000
      switchport mode trunk
      no switchport trunk allowed
      switchport trunk allowed vlan vlan-range 100,126-128
     !
     qos port ports-trusted
     qos trust cos-dscp
     spanning-tree mode mst
     spanning-tree mst 2 priority 61440
     spanning-tree mst configuration
      name mst_LAN
      instance 1 vlan 996-998
      instance 2 vlan 100,126-128
     !

Single IP Address Sharing between NFVIS and the Router VM
    single-ip-mode vm-name deployment-ROUTER_1. deployment-ROUTER_
Follow these steps to deploy the selected configuration to one or two devices in the selected site.
The following are the 5 easy guided steps in the deploy workflow. The example below will create this C8Kv and ASAv topology.
C8000v SDWAN and ASAv Firewall
Deploy CG on uCPE Device
Manage and Monitor device