PnP onboarding ISR1k cEdges completely on prem.

Flang3r
Level 1

Hello everyone,

I'm setting up an SD-WAN environment that will be totally on prem, where the edge routers have no Internet access. Each ASR1k cEdge device will have two MPLS transport links to reach the controllers and several 8300s as hubs. DHCP will be under my control as well.

Is it possible to automate the zero-touch onboarding process via PnP if the cEdge is unable to reach devicehelper.cisco.com? Maybe a custom DHCP option is available that will point to the vBond directly? Also, how are certificates managed and distributed in this case? MS ADCS is available on prem.

The documentation states that only vBond is actually required to be publicly routable/accessible, but it's confusing as to how devices connect to vSmart and vManage after they're validated. Does vBond provide some sort of reverse proxy tunneling for the subsequent DTLS control connections over it, or is actual NAT port forwarding required for vSmart/vManage?

It is not that relevant for my current environment at this moment, but it's good to be ready if for some reason the uplink types are changed to Internet.

Thanks!


Hi,

You can use local (on-prem) ZTP, which is supported for IOS XE as well:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/hardware-and-software-installation.html#Cisco_Concept.dita_a8f8f4d0-8765-4786-93c3-562e6e592ad2

If you have any router with a public IP address, all controllers should have a unique public IP (either directly on the interface or via 1:1 NAT). Otherwise, any remote router with a public IP address cannot connect to vSmart and vManage (proxy tunnelling never happens).

If you use an enterprise root CA, this must be shown in the device serial list. The ZTP server (or, in the case of PnP, the PnP portal) sends the root CA information to the routers so they can authenticate vBond.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Flang3r
Level 1

I didn't know IOS XE supports ZTP as well, thanks for pointing this out! All the routers will connect via redundant MPLS VPNs and have IP reachability to the controllers' subnet, so NAT won't be needed.

We have an enterprise CA (MS ADCS). I guess our PKI will have to issue some sort of intermediate CA certificate that will have the ability to sign; otherwise I don't quite understand how the propagation mechanism works for routers trying to onboard right out of the box, which have only Cisco (or well-known, for that matter) roots trusted by default. I will sift through the docs in the right direction now, thanks again.

Another thing I need to troubleshoot now is why vBond loses all control connections to the other controllers (vSmart, vManage) once I change "vbond vb_hostname local vbond-only" to "vbond vb_hostname local ztp-server". Actually, even "vbond vb_hostname local" doesn't work unless the vbond-only keyword is used.

Running the suggested version 20.12.3.1.

balaji.bandi
Hall of Fame

How is your network set up? Are these Layer 2 links between the cEdge and the central office?

Have you set up an IP helper and the DHCP option for discovery?

Check the PnP process:

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/220256-onboard-a-cedge-device-with-pnp-process.html


BB

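The DHCP option that the reply above asks about is option 43, which a Cisco PnP agent reads to find an on-prem PnP/ZTP server instead of devicehelper.cisco.com. The following is an added example, not code from the thread or from Cisco: it builds and validates the documented Cisco PnP option 43 string (`5A1N;B<1|2>;K<4|5>;I<server>;J<port>[;T<trustpool-url>][;Z<ntp>]`, where B1/B2 select hostname/IPv4, K4/K5 select HTTP/HTTPS, T points at a CA bundle and Z at an NTP server). The server addresses, port, URL and the rule that HTTPS discovery must carry a T field are this example's own assumptions; on an IOS DHCP server the resulting value goes into `option 43 ascii "..."` under the pool the cEdge WAN interface is relayed to.

```python
"""Build and check a Cisco PnP DHCP option 43 discovery string.

Added example (not from the forum thread). Field letters follow the
documented Cisco PnP option 43 layout:
  5A1N  PnP sub-option header
  B1/B2 server given as hostname / IPv4 address
  K4/K5 transport HTTP / HTTPS
  I     PnP server address      J  TCP port
  T     trustpool CA bundle URL Z  NTP server (both optional)
All concrete addresses and URLs below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

HEADER = "5A1N"
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")


@dataclass
class PnpDiscovery:
    server: str
    port: int
    https: bool = False
    trustpool_url: Optional[str] = None
    ntp: Optional[str] = None


def _is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _check(cfg: PnpDiscovery) -> None:
    """Reject values the agent could not use, especially off-line."""
    if not 1 <= cfg.port <= 65535:
        raise ValueError("port out of range")
    if not _is_ipv4(cfg.server) and not HOSTNAME_RE.fullmatch(cfg.server):
        raise ValueError("server must be an IPv4 address or a hostname")
    # Design choice of this example: on an air-gapped network the agent
    # cannot fetch Cisco's trustpool bundle, so HTTPS (K5) only makes sense
    # when the enterprise CA bundle URL (T) is handed out with it.
    if cfg.https and not cfg.trustpool_url:
        raise ValueError("HTTPS discovery needs a T= trustpool bundle URL")
    for url in (cfg.trustpool_url, cfg.ntp):
        if url and ";" in url:
            raise ValueError("';' is the field separator and cannot appear in a value")


def build_option43(cfg: PnpDiscovery) -> str:
    """Return the ASCII value for `option 43 ascii "..."`."""
    _check(cfg)
    parts = [
        HEADER,
        "B2" if _is_ipv4(cfg.server) else "B1",  # B1 needs DNS the agent can reach
        "K5" if cfg.https else "K4",
        f"I{cfg.server}",
        f"J{cfg.port}",
    ]
    if cfg.trustpool_url:
        parts.append(f"T{cfg.trustpool_url}")
    if cfg.ntp:
        parts.append(f"Z{cfg.ntp}")
    return ";".join(parts)


def parse_option43(value: str) -> PnpDiscovery:
    """Parse a string seen in a DHCP config or packet capture and validate it."""
    fields = value.split(";")
    if fields[0] != HEADER:
        raise ValueError("not a PnP option 43 string (missing 5A1N header)")
    kv = {}
    for field in fields[1:]:
        if len(field) < 2:
            raise ValueError(f"malformed sub-field {field!r}")
        kv[field[0]] = field[1:]
    if kv.get("B") not in ("1", "2") or kv.get("K") not in ("4", "5"):
        raise ValueError("B must be 1 or 2 and K must be 4 or 5")
    if "I" not in kv or "J" not in kv:
        raise ValueError("missing server (I) or port (J)")
    if kv["B"] == "2" and not _is_ipv4(kv["I"]):
        raise ValueError("B2 declared but I is not an IPv4 address")
    cfg = PnpDiscovery(
        server=kv["I"],
        port=int(kv["J"]),
        https=kv["K"] == "5",
        trustpool_url=kv.get("T"),
        ntp=kv.get("Z"),
    )
    _check(cfg)
    return cfg


if __name__ == "__main__":
    # Constructed values: PnP server 192.0.2.10 over HTTPS, enterprise CA
    # bundle served from the same host, NTP at 192.0.2.5.
    cfg = PnpDiscovery("192.0.2.10", 443, https=True,
                       trustpool_url="http://192.0.2.10/enterprise-ca.p7b",
                       ntp="192.0.2.5")
    print(build_option43(cfg))
```

The T field is where the enterprise-CA question in this thread meets DHCP: a router straight out of the box trusts only Cisco roots, so an HTTPS PnP server signed by MS ADCS is only verifiable if the agent is also told where to fetch that CA bundle from inside the air-gapped network.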

There are two L3 routed links between the cEdges and HQ. DHCP relay (helper-address) to our DHCP server IP is configured by the ISPs on our MPLS L3 termination interfaces, so DHCP will be entirely under my control. That PnP guide requires the cEdge to have an Internet connection, which won't be true in my case; it's an air-gapped network environment.
