Deploying Cisco SD-WAN Enterprise ZTP Server

By /

Overview

Cisco SD-WAN WAN Edge devices can be onboarded using one of the following onboarding options:

  • Automated (ZTP/PNP): The day-zero automated Plug-and-Play process provides a simple, secure procedure to discover, install and provision the Cisco SD-WAN Edge devices to join the SD-WAN overlay network. Automated deployment process is referred as Zero Touch Provisioning (ZTP) for vEdge devices and Plug-and-Play (PnP) for IOS XE SD-WAN devices.
  • Bootstrap: The bootstrap method helps onboard a factory-shipped WAN Edge device with the configuration needed to securely onboard and join the SD-WAN Network, when a customer is unable to leverage the automated discovery option.
  • Manual Configuration: Onboard SD-WAN Edge devices using manual configuration via the console port.
SD-WAN Edge onboarding options

Requirement of Enterprise ZTP Server

Since Cisco ZTP server is cloud hosted solution, Edge router would need Internet connection for Automated onboarding workflow. However, in case of air-gapped environments if this is not possible, then Cisco provides option of Enterprise ZTP deployment. This leverages customer to use Automated Edge onboarding in air-gapped environments.

Steps to Deploy Enterprise ZTP Server

  • Enterprise ZTP Server uses same image as vedge-cloud/vbond. Download it from Cisco Software download page and deploy on ESXi host. Here is my VM configuration for reference.
  • Initial Configuration of ZTP server.
system
 host-name               ztp-onprem
 system-ip               150.100.100.100
 organization-name       Controllers-150
 clock timezone Asia/Kolkata
 vbond 150.100.1.6 local ztp-server        << Specify ZTP server Transport IP and ztp-server
!
 ntp
  server 123.123.123.123
   version 4
 !
vpn 0
 interface ge0/0
  ip address 150.100.1.6/29
  no shutdown
 !
 ip route 0.0.0.0/0 150.100.1.1
!
vpn 512
 interface eth0
  ip address 192.168.50.107/24
  no shutdown
 !
 ip route 0.0.0.0/0 192.168.50.1
  • Copy and Install Root Certificate if using Enterprise Root Certificate.
ztp-onprem# request root-cert-chain install /home/admin/RootCA.pem
Uploading root-ca-cert-chain via VPN 0
Copying ... /home/admin/RootCA.pem via VPN 0
Updating the root certificate chain..
Successfully installed the root certificate chain
ztp-onprem# 

ztp-onprem# show certificate root-ca-cert | i Subject
        Subject: C=IN, ST=KA, L=KA, O=routingguru, OU=routingguru, CN=RC/emailAddress=admin@routing-guru.com
        Subject Public Key Info:
            X509v3 Subject Key Identifier: 
ztp-onprem#
  • Generated Certificate Signing Request.
ztp-onprem# request csr upload /home/admin/ztp.csr
Uploading CSR via VPN 0
Enter organization-unit name            : Controllers-150
Re-enter organization-unit name          : Controllers-150
Generating private/public pair and CSR for this "vbond" device          
Moving /tmp/vconfd/tmp.N7GpvmouW1 to /usr/share/viptela/tmp_csr/server.key via VPN 0
Generated CSR for vbond device
Copying /usr/share/viptela/server.csr to /home/admin/ztp.csr via VPN 0
send_install_csr_notification
CSR upload successful
CSR upload successful
ztp-onprem#
  • Take the CSR file to Root CA server and get it signed. Then install the signing request on ZTP server.
Installing certificate via VPN 0
Copying /home/admin/ztp.crt to /tmp/vconfd/server.crt.tmp via VPN 0
cp -f "/usr/share/viptela/tmp_csr/server.key" "/usr/share/viptela/server.key"
moving temp Cert "/tmp/vconfd/server.crt.tmp" to Cert "/usr/share/viptela/server.crt"

Moving /tmp/vconfd/server.crt.tmp to /usr/share/viptela/server.crt via VPN 0


Successfully installed the certificate 0
Certificate Install Successful
ztp-onprem# 

ztp-onprem# show certificate installed | i Issuer
        Issuer: C=IN, ST=KA, L=KA, O=routingguru, OU=routingguru, CN=RC/emailAddress=admin@routing-guru.com
ztp-onprem#
  • Login to Cisco PNP Portal and download Edges Serial file.
  • Install the Edges Serial File to ZTP server. You can check all serials via “show ztp entries” cli once installed.
ztp-onprem# request device-upload chassis-file /home/admin/serialFile.viptela
Uploading chassis numbers via VPN 0
Copying ... /home/admin/serialFile.viptela via VPN 0
file:  /tmp/tmp.Z7t8fFyWGH/viptela_serial_file
PnP
Verifying public key received from PnP against production root cert
is_public_key_ok against production root ca:  OK
Signature verified for viptela_serial_file
final file:  /tmp/tmp.Z7t8fFyWGH/viptela_serial_file
Signature verification Suceeded.
Success: Serial file is /tmp/tmp.Z7t8fFyWGH/viptela_serial_file
INFO: Input File specified was '/usr/share/viptela/chassis_numbers.tmp'
INFO: # of complete chassis entries written: 20
Json to CSV conversion succeeded!
Successfully loaded the chassis numbers file to the database.
ztp-onprem#

Congratulation, Now our Enterprise ZTP server is ready to Automate onboarding of Edge routers to SD-WAN overlay.

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Email
Print
Copy Link
Copy link
CopyCopied