Cisco SD-WAN ZTP (PPP Authentication)

DanTheNetEng52
Level 1

Hi guys,

I hope you're well.

Hoping someone can help me or at least point me in the right direction to some useful articles that I can read to understand. Doing some studying on Cisco SD-WAN ZTP, and from my understanding, once the router is networked and powered up it will connect to a ZTP public cloud server, which will respond with the vBond address, allowing it to connect to our vBond and then our vSmart and vManage and obtain its configuration via our configured templates.

However, say for example this device will be internet-facing and will directly terminate to a fibre ONT that requires PPP authentication. Is this ZTP concept still valid, or would I be required to configure the device with the necessary details first in order for it to authenticate and obtain internet access, so that it can then go through this ZTP process and obtain its configuration?

Thanks in advance,

Dan.

9 Replies

Hi @DanTheNetEng52

Looking at the doc:

Process 1: Prerequisites for WAN Edge Onboarding
The below checklist showcases the prerequisites that are needed before proceeding with the WAN Edge onboarding process.
Procedure 1: Prerequisites for all Onboarding Options
Verify and validate the onboarding prerequisites that apply to all onboarding options.
Make sure the WAN Edge device has reachability to the vBond orchestrator, vManage and vSmart controllers.

Then, as you can see, the doc does not focus on how you are going to provide this connectivity. So, my understanding is that the device will perform the ZTP process if and when it has connectivity to the controllers, not necessarily to the internet, as many companies use on-premises controllers.

But, of course, if your controllers are reachable through the internet, then the PPP process must come before the ZTP.

Just to add something more: I worked recently on a project for SD-WAN and we used to configure the vBond as a host entry on the cEdge instead of waiting for DNS. As the vBond is the first call, we found it useful to resolve it on the router directly.

 

Hi Flavio,

Thanks for that info!

Understood, so prior to the ZTP process I would need to have my device set up for PPPoE, so that when the device is connected to the ISP circuit it is authenticated and handed an IP address, after which the device will then talk out to the ZTP server and go through the ZTP process.

Thanks,

Dan.

svemulap@cisco.com
Cisco Employee
Hi Dan,

ZTP works in the out-of-the-box case, i.e., the assumption is that there are no config changes. For this to work, by default ge0/0 (for example on a vE1K) is configured as a DHCP interface, and once the port is connected to the internet, as vBond is pre-configured to point to ztp.viptela.com, it will go through the process as you described.

If there is any configuration change, ZTP will fail. It is intended to bring the device up so it has connectivity to the controllers, so we can manage the device.

Hope this helps.

Understood. I can understand it from the perspective that the device we're installing is not an edge device and is connecting to another device that is terminating our ISP circuit. In this case, our device would receive a DHCP address and there would be no configuration required. But if this device is to terminate our ISP circuit, we would need to have the PPP configuration applied beforehand in order for the ZTP process to initiate?

Hi Dan,

What customers would typically do is leave the DHCP interface (ge0/0 on a vE1K) as it is.
Use, say, ge0/1 for PPP encapsulation, as in your case.
So, at boot-up, let ZTP kick in and get reachability to the controllers etc.
Once done, configure ge0/1 with PPP.
Once all is working, we can disconnect ge0/1 or shut the interface.

Hope this clarifies.


Hi Svemulap,

Would I not need to configure PPP first in order for the ZTP process to begin? If this is an edge device, this would be required in order to authenticate with the ISP, obtain a public IP address and provide internet access, which would be required to connect to the ZTP public server and begin the ZTP.

Regards,

Dan.

Hi Dan,

No. Let the ZTP process kick in first, and then configure PPP.
If you configure anything, the ZTP process will bail out, as it notices the config change.

HTH.

Hi Svemulap,

Say for example I'm in a scenario where I am sending a router to a remote location but do not want an onsite engineer to conduct any configuration on the device. Essentially it won't be true "zero-touch", as at some point I will need to configure PPP in order to authenticate to the ISP circuit.

So I either pre-configure the device and ship it out pre-configured, or if I wanted to use the "zero-touch" procedure I would still require someone onsite in order to configure the PPP once the ZTP process has initiated?

Regards,

Dan.

Hi Dan,

You can definitely pre-configure the device so it can boot up and come online. It is just that it is not "Zero-Touch."
We have several customers who do pre-configure at a staging location, verify connectivity and ship the device to the location.
ZTP is an option that the SD-WAN solution provides for the case where local expertise is not there.

Hope it clarifies.