Agenda
In this article, we will onboard a cEdge router (ISR4321) to an existing Cisco SD-WAN overlay using a bootstrap config.
Prerequisites
- The cEdge router should already be added/whitelisted on the SD-WAN overlay.
- The cEdge router should be running a software version equal to or lower than that of the SD-WAN controllers.
- The cEdge router should have a device template attached.
Steps
Generate bootstrap config
- Log in to the vManage GUI.
- Navigate to Configuration > Devices. Select the WAN Edge List tab and search for the intended router. This will show the template name, but the device status will be Sync Pending because the device is offline.
- Click the Actions options and select Generate Bootstrap Configuration.
- A new dialog box will open. Select the cloud-init option and keep the Include Default Root Certificate option checked. The root certificate chain is needed on the new cEdge router if an Enterprise Root CA is in use.
- The bootstrap configuration will now be displayed, with an option to download it. You can manually copy the content or download it. This bootstrap configuration contains the root certificate chain and the configuration derived from the attached template.
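Before the file is copied to the router it is worth checking that vManage produced what you expect: the right format, the right vBond and organization, the embedded CA chain and the template-based config. The Python below is an added example, not part of the original post; it assumes the cloud-init bootstrap layout (a #cloud-config header, a vinitparam list with uuid/otp/vbond/org entries, the CA chain as PEM blocks, and the device config after #cloud-boothook) and uses a constructed sample with placeholder values.

```python
import re

# Matches one PEM certificate block (the root CA chain vManage embeds).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Matches "- key : value" entries in the vinitparam list (assumed layout).
PARAM_RE = re.compile(r"^\s*-\s*(\w+)\s*:\s*(\S+)", re.M)

# Constructed sample: placeholder OTP and certificate body, addresses from the post.
SAMPLE = """#cloud-config
vinitparam:
 - uuid : ISR4321-K9-FDO22263JH0
 - otp : PLACEHOLDER-OTP
 - vbond : 150.100.1.3
 - org : EXAMPLE-ORG
ca-certs:
  trusted:
  - |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-CERT-BODY
    -----END CERTIFICATE-----
#cloud-boothook
 system
  system-ip 104.1.1.1
  organization-name EXAMPLE-ORG
  vbond 150.100.1.3
 !
"""

def validate_bootstrap(text, expected_vbond, expected_org):
    """Check a downloaded bootstrap file; 'ok' is True only if every check passes."""
    problems = []
    if not text.startswith("#cloud-config"):
        problems.append("file does not start with #cloud-config (wrong format selected?)")
    params = dict(PARAM_RE.findall(text))
    for key in ("uuid", "otp", "vbond", "org"):
        if key not in params:
            problems.append(f"vinitparam '{key}' missing")
    if params.get("vbond") != expected_vbond:
        problems.append(f"vbond is {params.get('vbond')}, expected {expected_vbond}")
    if params.get("org") != expected_org:
        problems.append(f"org is {params.get('org')}, expected {expected_org}")
    certs = PEM_RE.findall(text)
    if not certs:
        problems.append("no root CA chain embedded (Include Default Root Certificate unchecked?)")
    if "#cloud-boothook" not in text:
        problems.append("no #cloud-boothook section, so no template-based device config")
    # The file carries a one-time password plus the device config: treat it as a secret.
    return {"ok": not problems, "problems": problems,
            "uuid": params.get("uuid"), "certs": len(certs)}
```

Because the file contains the OTP and the full device configuration, copy it to the router only as ciscosdwan.cfg and remove it from the jump host once the router has come up.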
Copy the bootstrap config to router
- You can copy this bootstrap config using USB, SCP, etc. I did it using SCP. Note that you will need to rename this file to ciscosdwan.cfg on the router, as the router searches for this name during its initial boot to onboard itself.
rakesh@jumpserver:~/Downloads$ scp ISR4321_K9-FDO22263JH0.cfg admin@192.168.50.16:/ciscosdwan.cfg
The authenticity of host '192.168.50.16 (192.168.50.16)' can't be established.
RSA key fingerprint is SHA256:ZrAFHVIyGsugoVEWiww3GOrtaJmTO7t0slvgxxpP46U.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.50.16' (RSA) to the list of known hosts.
(admin@192.168.50.16) Password:
ISR4321_K9-FDO22263JH0.cfg 100% 32KB 868.1KB/s 00:00
rakesh@jumpserver:~/Downloads$
Router#show version
Cisco IOS XE Software, Version 17.03.04a
Cisco IOS Software [Amsterdam], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.4a, RELEASE SOFTWARE (fc3)
cisco ISR4321/K9 (1RU) processor with 1714752K/3071K bytes of memory.
Processor board ID FDO2227A16T
Router operating mode: Autonomous <<<<<<<<
Router#dir bootflash: | i cfg
16 -rw- 32987 Mar 19 2024 16:28:58 +00:00 ciscosdwan.cfg <<<<< Bootstrap config copied.
Router#
- My router was initially running in Autonomous mode, so I simply changed the mode to Controller. If your router is already in Controller mode, then do a software reset using “request platform software sdwan software reset”.
Router#controller-mode enable
Enabling controller mode will erase the nvram filesystem, remove all configuration files, and reload the box!
Ensure the BOOT variable points to a valid image
Continue? [confirm]
%% Warning: Detected device with smaller bootflash and may require an additional reload after the device comes up in order to install additional images.
Continue? [confirm]
*Mar 19 16:42:10.048: %SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
Mode change success
- The router will now boot up in Controller mode, then search for and load the bootstrap configuration along with the root CA certificate chain. Here are some log snippets from the boot-up process.
cisco ISR4321/K9 (1RU) processor with 1714752K/3071K bytes of memory.
Processor board ID FDO2227A16T
Router operating mode: Controller-Managed
*Mar 19 16:47:13.610: %PNP-6-PNP_DISCOVERY_STOPPED: PnP Discovery stopped (Startup Config Present)
*Mar 19 16:47:44.727: %IOSXE-5-PLATFORM: R0/0: vip-bootstrap: Loading day-0 user bootstrap config
*Mar 19 16:47:45.695: %IOSXE-5-PLATFORM: R0/0: vip-bootstrap: Successfully extracted config from /bootflash/ciscosdwan.cfg
*Mar 19 16:48:07.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Mar 19 16:48:07.466: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0/0/0 assigned DHCP address 199.60.2.2, mask 255.255.255.252, hostname ISR4321-T25
*Mar 19 16:48:44.394: %Cisco-SDWAN-ISR4321-T25-OMPD-3-ERRO-400002: R0/0: OMPD: vSmart peer 150.1.1.4 state changed to Init
*Mar 19 16:48:46.514: %Cisco-SDWAN-ISR4321-T25-OMPD-6-INFO-400002: R0/0: OMPD: vSmart peer 150.1.1.4 state changed to Handshake
*Mar 19 16:48:46.516: %Cisco-SDWAN-ISR4321-T25-OMPD-5-NTCE-400002: R0/0: OMPD: vSmart peer 150.1.1.4 state changed to Up
*Mar 19 16:48:46.517: %Cisco-SDWAN-ISR4321-T25-OMPD-6-INFO-400005: R0/0: OMPD: Number of vSmarts connected : 1
- As seen from the above logs, the router has already formed control connections. Now log in to the router using the credentials supplied in the AAA feature template and check the control connections.
ISR4321-T25#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 199.60.2.2 YES DHCP up up
GigabitEthernet0/0/1 unassigned YES other down down
GigabitEthernet0/1/0 unassigned YES other up up
GigabitEthernet0/2/0 unassigned YES unset up up
GigabitEthernet0/2/1 unassigned YES unset down down
GigabitEthernet0/2/2 unassigned YES unset down down
GigabitEthernet0/2/3 unassigned YES unset down down
GigabitEthernet0/2/4 unassigned YES unset down down
GigabitEthernet0/2/5 unassigned YES unset down down
GigabitEthernet0/2/6 unassigned YES unset down down
GigabitEthernet0/2/7 unassigned YES unset down down
GigabitEthernet0 192.168.50.16 YES other up up
Sdwan-system-intf 104.1.1.1 YES unset up up
Loopback65528 192.168.1.1 YES other up up
NVI0 unassigned YES unset up up
Tunnel0 199.60.2.2 YES TFTP up up
Vlan1 unassigned YES unset up up
ISR4321-T25#show sdwan control connections
PEER PEER CONTROLLER
PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP
TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR PROXY STATE UPTIME ID
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
vsmart dtls 150.1.1.4 1 1 150.100.1.4 12446 150.100.1.4 12446 biz-internet No up 0:00:02:04 0
vbond dtls 0.0.0.0 0 0 150.100.1.3 12346 150.100.1.3 12346 biz-internet - up 0:00:02:07 0
vmanage dtls 150.1.1.2 1 0 150.100.1.2 12446 150.100.1.2 12446 biz-internet No up 0:00:02:00 0
- Check the vManage GUI; it now shows this router as onboarded.
This completes the onboarding process of a cEdge router using a bootstrap configuration.