Cisco SD-WAN. Edges licensing and onboarding.

21/06/2019
SD-WAN

In this post we will generate and install the necessary licenses for Edge equipment and we will finally connect them to the controllers. This is the second part from Cisco SDWAN Onboarding series on building a self hosted SDWAN lab. For first part click here.

At first we need to obtain the necessary licenses from the Cisco site. That’s why we need a Smart Account that includes a Virtual one. Go to software.cisco.com, from the Administration area select Manage Smart Account:

then, select Virtual Accounts

next, select New Virtual Account

fill the form with the name of the new Virtual Account and save.

Next step is to add a vBond profile. Go back to Software Central page and from the Network Plug and Play area, choose Plug and Play Connect.

From the top right dropdown menu select the virtual account created before.

Next, select Controller Profiles, then select Add Profile button.

For the controller type, VBOND must be selected.

In the next page, fill the required fields and pay attention to Organization Name (this defines the OU to match in the Certificate Auth Process and must be consistent accross the Viptela domain) and Primary Controller (this name/address will be used for vBond), then Submit.

To add Virtual edges (vEdge or cEdge) devices, from the Plug and Play Connect page, select Devices link.

then select Add Software Devices button

To add a vEdge, in the Identify Device window, enter VEDGE-CLOUD-DNA in the Base PID field.

For cEdge, the Base PID is CSR1KV and for ISRv is ISRV.

After finishing adding devices, click Next, then check Review and Submit, and Done

Now devices are added, for a few minutes they will be on Pending for publish state

Once the status become Provisioned, we can go to Controller Profiles and select the check box in front of Profile Name and then Provisioning File link, to download the provisioning file.

In the Download Provisioning File dialog, select Controller Versions 18.3 and newer and download the file.

Transfer the downloaded file to the docker node, if you don’t know how, look on EVE-NG Cookbook and in section 13.2 you will find how.

Navigate to Configuration > Devices and select Upload vEdge List to upload provisioning file downloaded from Cisco website. On the page are displayed several unused device licenses being successfully added to the system.

Onboarding Edge nodes

vEdge
First step in configuring vEdge is applying the following template:

system
 host-name vEdge
 system-ip <vEdge system IP>
 site-id 1
 organization-name "pocvlab sdwan"
 clock timezone Europe/Bucharest
 vbond <VPN0 VBOND IP>
!
vpn 0
 interface ge0/0
  ip address <VPN0 IP address/netmask>
  ipv6 dhcp-client
  tunnel-interface
   encapsulation ipsec
  no shutdown
 !
 ip route 0.0.0.0/0 <VPN0 gateway address>

Verify connection with vBond (10.10.0.3), vManage (10.10.0.2) and vSmart (10.10.0.4) using ping.

Now, we have to copy/paste CA certificate content from docker node to a file on vEdge. Open a terminal on Docker and cat CA.crt, select and copy content.

On vEdge go to linux shell using vshell command, type vim CA.crt to open a empty file in vim editor. Press i key to start inserting text and paste the previous copied content. Use <Esc>wq to write the file and quit. Type exit to go back in vEdge CLI. Now we can import root CA certificate:

vEdge# request root-cert-chain install /home/admin/CA.crt 
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

In vManage interface, navigate to Configuration > Devices and select unused vEdge entry, click on the three dots on the right side and select Generate bootstrap configuration. Accept the defaults and click OK. From the new window open we need UUID code and OTP. Go to vEdge console and insert UUID and OTP in the following command:

request vedge-cloud activate chassis <UUID> token <OTP>
example bellow:
request vedge-cloud activate chassis-number ebad1856-1b4a-c89c-d120-25ed7d6945b5 token 58b4fb93b34a13dbfdb8a0c2f29d4fad

in about a minute you can use show control local-properties to check certificate status on vEdge CLI, it should be Installed.

cEdge
Because we have to copy root certificate from Docker node to bootflash, at first we configure only basic system properties and IP address for Ge0/0 interface, using following template:

config-transaction
!
hostname cEdge
!
system
 system-ip <cEdge system IP> 
 site-id 2
 admin-tech-on-failure
 organization-name "pocvlab sdwan"
 vbond <VPN0 VBOND IP>
!
interface GigabitEthernet1
 no shutdown
 ip address <VPN0 IP address/netmask>
!
commit
end

on the Docker node, permit ssh root login and restart sshd service (not recommended in production environment). Next step is to copy CA root certificate file from Docker to cEdge bootflash, using next command:

cEdge#copy scp://root@10.10.0.1 bootflash:                 
Address or name of remote host [10.10.0.1]? 
Source username [root]? 
Source filename [root/CA.crt]? /root/CA.crt
Destination filename [CA.crt]? 
Password:

once file is copied, we can proceed to install certificate:

cEdge#request platform software sdwan root-cert-chain install bootflash:CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying ... /bootflash/CA.crt via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain

now we can go ahead and finish configuration for cEdge:

config-transaction
!
interface Tunnel0
 no shutdown
 ip unnumbered GigabitEthernet1
 tunnel source GigabitEthernet1
 tunnel mode sdwan
exit
sdwan
 interface GigabitEthernet1
  tunnel-interface
   encapsulation ipsec
   color default
  exit
 exit
!
commit
end

Activate cEdge manually, using chassis number and OTP from Bootstrap Configuration. This is generated from vManage web, Configuration > Devices, select unused CSR1000v line.

request platform software sdwan vedge_cloud activate chassis-number <UUID> token <OTP>
example bellow:
request platform software sdwan vedge_cloud activate chassis-number CSR-6170246D-E8C4-1D4A-A972-5EF144184AB9 token c448da2783609afcc3e9a7a7a17f1dfd

After one minute or so, Tunnel0 interface should go up and certificate installation done, you can check status of control connections on cEdge CLI with show sdwan control connections.

From vManage web interface Configuration > Device we can see the state of WAN Edges:

and in the main Dashboard status of all connected nodes:

Ok, here is the end of this long post. I hope it will be useful.

Lab Resources

EVE-NG Lab file Download

ViptelaNodesConfig Download

Links
Plug and Play Support Guide for Cisco SD-WAN Products

This Post Has 28 Comments

user
22 Jul 2019 Reply

Brilliant article, really detailed and helped me get my lab up and running in no time!
1. alin.iorguta
  29 Jul 2019 Reply
  
  I’m so glad to hear that.
Leonard
31 Jul 2019 Reply

Hello, I’m having some troubles to get the csr1000v-ucmk9.16.11.1a-serial.qcow2 to work.

I’m trying two things:

1. Convert it to Vmware VMDK but for some reason the VM keep’s reloading and just give me two option for boot – Package.conf and GOLDEN IMAGE.

2. I’m trying to run it in eve-ng but the .qcow2 don’t start, it’s like the image is not recognize.

Do you have any tip to bring this up?

Thanks a lot
1. alin.iorguta
  31 Jul 2019 Reply
  
  Hi Leonard, you don’t have to convert the image to any other format, it just have to be renamed and placed in a specific directory. Please follow next steps:
  Step 1. SSH to EVE and login as root, from cli create directory for CSRv:
  mkdir /opt/unetlab/addons/qemu/csr1000vng-universalk9.SDWAN.16.11.1a
  
  Step 2. Upload the downloaded csr1000v-ucmk9.16.11.1a-serial.qcow2 image to the /opt/unetlab/addons/qemu/csr1000vng-universalk9.SDWAN.16.11.1a using FileZilla or WinSCP.
  
  Step 3. Go to image location and rename uploaded image to virtioa.qcow2 (you can rename using FileZilla or WinSCP):
  cd /opt/unetlab/addons/qemu/csr1000vng-universalk9.SDWAN.16.11.1a
  mv csr1000v-ucmk9.16.11.1a-serial.qcow2 virtioa.qcow2
  
  Step 4. Fix EVE permissions:
  /opt/unetlab/wrappers/unl_wrapper -a fixpermissions
  
  After that you can add the vCSR (cEdge) to your topology using template named Cisco CSR 1000V (XE 16.x).
  
  Good Luck!
Ahmad Khwider
1 Aug 2019 Reply

Hi there !

It’s really great blog; thanks so much.

Just a quick question, under Plug and Play Connect (there is a message asking to accept Cisco Universal Cloud Agreement (UCA) for PnP Connect), is it safe to accept it? I’ve read about it, but couldn’t figure out what is it.

Thanks
1. alin.iorguta
  1 Aug 2019 Reply
  
  Hi, yes no problem with that. Thx.
NKK
13 Aug 2019 Reply

Hi,

I got error for this

vEdge# request root-cert-chain install /home/admin/CA.crt
Uploading root-ca-cert-chain via VPN 0
Copying … /home/admin/CA.crt via VPN 0
Error: Not a valid certificate
Failed to install the root certificate chain !!
vEdge#

What can cause it? need advice
1. alin.iorguta
  14 Aug 2019 Reply
  
  Check CA.crt from vEdge node, it has to be the same as CA.crt from Docker. You have to go in vshell and cat CA.crt, check if is the same like CA.crt that you generated on Docker node.
Rahul Singh
1 Sep 2019 Reply

Hi

Not able to use #Conf t …. giving command not supported on CSR1000v, although loved the image and …. asked for user is Pswd admin/admin …… but not able to get in global configuration mode to install the Evaluation License
Rahul Singh
1 Sep 2019 Reply

Loaded image ….. router booted with user is and pswd…… but not able to enter global configuration mode ……#conf t ….. command not supported

Pls help to sort out
alin.iorguta
2 Sep 2019 Reply

Rahul,
you have to use config-transaction to enter in configuration mode and don’t forget to use commit when you finish entering your commands.
BB
10 Sep 2019 Reply

Thank for your posting.
In my lab, Vsmart/Vbond/CSR1KV have already added to Vmanage. But in dashboard VManage, only Vsmart and Vbond are up. CSR1KV (WAN Edge) is down (although I can ping CSR1KV and Vmanage together).
Let me know if you have any advice. Thanks!
1. Alin Iorguta
  12 Sep 2019 Reply
  
  BB, go in vManage Configuration>Certificates>WAN Edge List and check if the State is green (Certificate installed) for your CSR1K.
NKK
10 Sep 2019 Reply

i did until this step, wait for sometime but license didn’t show install. :/

request vedge-cloud activate chassis-number xxx token xxx

Do i need to do anything else?
1. Alin Iorguta
  12 Sep 2019 Reply
  
  Probably you have a problem with vEdge certificate. Check vManage Configuration>Certificates.
  1. NKK
    18 Sep 2019 Reply
    
    You are right, i not yet valid the certificate, once i click valid it, it work, i can see vEdge in the dashboard, but the system IP is showing unreachable.
    1. Alin Iorguta
      18 Sep 2019 Reply
      
      @NKK Probably is better to start from scratch again.
MSF
21 Sep 2019 Reply

Hi,
I am getting a real hard time in copying CA certificate content from docker node to a file on vEdge.

Can you guide as to how to copy from notepad to VIM? Have tried a tonne of methods. thanks
1. Alin Iorguta
  22 Sep 2019 Reply
  
  Look in Docker GUI>Accessories is a text editor called Pluma, it will help you dealing with text files.
Faisal
22 Sep 2019 Reply

Excellent blog
Going good. I am stuck at the last step. When I do show control local-properties
on vedge, the certificate status keep on showing not-installed.

any pointers?
1. Alin Iorguta
  22 Sep 2019 Reply
  
  Go in vManage Configuration>Certificates>WAN Edge List and check if the State is green (Certificate installed) for your vEdge node.
  1. Faisal
    23 Sep 2019 Reply
    
    I had to do ‘Send to controllers’ to get it up. once again, thanks for your wonderful blog.
    
    From here onwards, what do you recommend to further work on SD-WAN? If you can refer some resources, will be great.
    
    Regards
    1. Alin Iorguta
      23 Sep 2019 Reply
      
      I am glad that you found useful stuff here. You can look at Cisco SD-WAN course on labminutes.com, but i think sdwan-docs.cisco.com is the most comprehensive.
Taha
27 Sep 2019 Reply

I dont have the plug and play option or the .viptela file to upload, is there any other manual way of adding the vedges ?
1. Alin Iorguta
  27 Sep 2019 Reply
  
  I’m not sure at which step you’re stuck. Please give more details,
  1. Taha
    27 Sep 2019 Reply
    
    I’m stuck on the “WAN Edge” part..
    “From vManage web interface Configuration > Device we can see the state of WAN Edges:”
    
    I dont have a cisco smart account so that is why couldn’t continue.
    
    Is there any other way besides uploading the .viptela file to add the vedges to our WAN Edge list?
    1. Alin Iorguta
      27 Sep 2019 Reply
      
      As far i know this is the only way you can do this. Try to contact you Cisco local representative, i hope they can help you.
Adrian
28 Sep 2019 Reply

I have a problem.
If the certificate status is not installed, can you tell why?
vEdge# show control local-properties
personality vedge
sp-organization-name poc
organization-name poc
root-ca-chain-status Installed

certificate-status Not-Installed
certificate-validity Not Applicable
certificate-not-valid-before Not Applicable
certificate-not-valid-after Not Applicable

dns-name 10.10.0.3
site-id 1
domain-id 1
protocol dtls
tls-port 0
system-ip 10.100.100.11
chassis-num/unique-id 9097ccbb-df32-d80c-4349-43743dff47c7
serial-num No certificate installed
token e271707c10885c2110f6920af7e1e655
keygen-interval 1:00:00:00
retry-interval 0:00:00:19
no-activity-exp-interval 0:00:00:20
dns-cache-ttl 0:00:02:00
port-hopped FALSE
time-since-last-port-hop 0:00:00:00
embargo-check success
number-vbond-peers 1