Cisco SDWAN: Deploying CSR1000v 17.3.1.a Code

Captions
If you're wondering about how to configure a CSR1000v in the SD-WAN fabric, we're going to dive in and make it happen right now.

What you see right here is our graphical user environment, and what I want to do is I'm going to go ahead and onboard a cEdge. Now if we take a look at the topology, we'll see that cEdge40 is sitting here, and if I were to click on cEdge40 and access its console, what we would find is that this device is starting from scratch. What I wanted to call your attention to is that if I do a show version, we'll just do an en, show version, what we're going to find is this device is actually running the Amsterdam version of the operating system, so this is going to be 17.3.1a. This is a very interesting operating system because it has two functional modes. If I come in and say show run or show version and I say pipe include mode, what we're going to find is that the device actually has a mode of autonomous mode. Well, autonomous mode translates to the fact that this is just a regular CSR 1000v. If I want to add this device to my SD-WAN fabric, I need to change its mode from autonomous mode to controller mode.

But before we do that, what I want to do is I want to leverage some of the more interesting capabilities inside of the vManage. Specifically, what I want to do is I want to go through the process of how we're going to onboard this device as an SD-WAN resource without a PnP server, without using something like the ZTP host that we looked at previously. What I really want to do is I want to go ahead and get this device onboard, and I want to take the path of least resistance. Once we've done this, I'll actually show you another way that you can do this that's going to be very similar to what we did with the vEdges.

Now the way this is actually going to work is I need to make certain that this box can actually reach the other resources. To do so, what I'm going to do is I'm going to come in here and I'm going to go config t, I'm going to go to interface
GigabitEthernet 2, and I'm going to give it an IP address. The IP address for this box is going to be 100.100.100.40 255.255.255.0. I'm going to say no shut, and then I'm going to give it a default route: I'm going to say ip route to quad zero, send it to 100.100.100.1, which is the gateway of last resort for this Ethernet segment that we're working with, called internet. So now what I'm going to do is I want to see, can I ping my gateway, 10.100.100.1? And I can. Can I ping my vManage, .2? And I can. Can I ping .3, which is my vBond? Can I ping at least one vSmart? We'll take four. So we've got all the reachability that we need to allow this device to communicate to our controllers and simultaneously allow the controllers to communicate to it. It is just not in an operational state that's going to be ready to receive config.

Now what I want to do is I'm going to go into the vManage, and what I want to do is I want to call your attention to the fact that I have created a template. Yes, I kind of cheated, I have created a feature template. I know we haven't really spent a lot of time talking about templates, I've only kind of alluded to them, but what I wanted to do is I wanted to show you this process whereby I can use a template to onboard a device and make things happen much, much faster for me as the administrator. Before I try to pitch you on the benefits of actually creating and learning to use templates, we will have an entire video series devoted just to the idea of the different types, flavors and functions of templates. All I want you guys to understand is that to do what I'm getting ready to do, I need a template, and using this template is going to allow me to facilitate deployment and onboarding of devices like my cEdges, that include CSR 1000vs, ISRvs and other resources that we're going to have in our infrastructure, like say for instance the Catalyst 8000v.

With that being said, what I want to do is I want to go ahead and apply this template to a cEdge device in a very
similar fashion to what we did with the vEdges. So to do this, what I'm going to do is I'm going to go to cEdge 40, and what I'm going to do is I'm going to hit the three dots to the side here and I'm going to go ahead and attach a device. What I'm going to be presented with is a list of nondescript CSR chassis numbers, aka serial numbers. I'm going to go ahead and pick the very first one in the list. I'm going to say I want to associate this template with that device, and I'm going to go ahead and say attach, and it's going to ask me to provide some of the basic information. I'm going to hit the three dots here, I'm going to edit the template, and I'm going to tell it that it's going to have a system IP of 255 255.40, it's going to have a site ID of site 40, and it's going to have a host name of cEdge 40. Now what I'm going to do is I'm going to say update, and what the system is going to do when I hit next and configure devices, it's actually going to associate that specific chassis number with this specific template. We see here, if I hit the down arrow, the association has taken place.

Now we're not done yet. What I want to do now is I'm going to go back into devices, and from devices what I want to do is I want to find that resource. I'm going to go ahead and hit device model until I reorganize everything into blocks of devices, so CSR 1000vs. Notice this guy right here is vManaged; this is the CSR that I just associated with, or attached to, that template. So what I'm going to do is I'm going to hit the three dots here, and from here I'm going to say I want to generate a bootstrap configuration. Now I'm going to specifically tell it to use cloud-init config. Encoded string would be, as an example, if I was doing something inside of Red Hat Enterprise Linux; cloud-init is going to be for AWS, for Microsoft Azure, for VMware. I'm going to uncheck the include default certificate, and what I'm going to do is I'm going to say OK, and it's going to give me the option to download a configuration file. I'm
going to go ahead and say that I want to download it, and that's going to save it to my local disk.

Now what I want to do next is I want to actually leverage this file so that I could use it. Now in the real world, if I had a physical device, not like an ASR or an ISR, what I would do is I would actually put this file on a USB thumb drive and I would give this file a very specific name, because it's going to be the name that the device that is going to be onboarded is going to look for when it brings itself up, and that's going to be the name that I'm going to assign this particular file. What we're going to do is we're going to move this file down towards the CSR 1000v. So to make that happen, I'm going to go into the command line, I'm going to type ls, and what I'm going to do is I'm going to find that configuration file. Now this configuration file can be named in a number of ways. I'm just going to go ahead and rename it here, so I'm going to say I want to move CSR, that long name, as far as the config, and what I want to do is I'm going to go ahead and call this ciscosdwan_cloud_init.cfg. This is the name that the router is going to look for when it boots up. In other words, it's going to look to see if that configuration file exists, and if it does, it's actually going to add that configuration to its operational parameters.

Now what I want to do now is I need to get this file, as well as my sdwan.pem file, installed in the bootflash of my cEdge 40 router. Now to do that, what I'm going to do is I'm going to say copy scp to bootflash. The IP address of my server is 100.100.10.254.
The username is user, the source file is going to be located in /home/user/downloads, and it's going to be ciscosdwan_cloud_init.cfg. I'm going to go ahead and hit enter. The name of it will match what I said, and the password is going to be test123 with a capital T, so capital T, lowercase est123, and that should transfer that file. The next thing I'm going to do is I'm going to transfer the sdwan.pem file, so to the same host, user, and in this instance it's going to be /home/user/downloads/sdwan.pem, password test123 with a capital T. So now if I type directory for my bootflash, what I'm going to see is I'm going to see the sdwan.pem file and I'm going to see the ciscosdwan_cloud_init file.

Now this process that I'm getting ready to go through is going to take a little bit of time, so I kind of want to stage it before I actually run it. So what I'm going to do is I'm going to bring up the graphical user environment so that we can see both the GUI, the graphical user, as well as the CLI screen that we see here of this specific device, and then what we're going to do is we're going to simply change the operational mode. So the way I'm going to do that is I'm going to come over here and I'm going to go into the graphical user environment. I'm going to just double click on this, and what we see here, this is the guy that we're trying to onboard. The next portion of this is where I'm going to come in here and I'm going to say controller-mode enable, hit enter. I'll go ahead and say confirm, and what we're going to do now is we're going to wait to see what happens.

Now it'll take a little bit of time for this to actually come up, so what I'm going to do is I'm going to break the video up as it progresses, but we can see here that the router itself is moving into controller mode. In other words, it's going to need to reboot, it's going to load back up, run its operating system, do everything that it would do as if it was just a normal turn-up, but
bear in mind we're switching operating systems. What we're doing is we're moving from IOS XE for CSR to IOS XE SD-WAN as an operating system. The configuration file will already be on the device, the device will read it, and the device will actually add that configuration to its running config. Then what will end up happening is it'll communicate to the vBond, authentication will take place, and it'll determine whether or not it's been whitelisted. If it has been whitelisted, what we'll do is we'll see this little icon right here change from what we see here, which is that little cloud. It's going to change to a CSR, for the certificate signature request, and then ultimately it should transition all the way out to the little green success ribbon that we've all come to expect. So let's go ahead and just let this thing do its magic.

System booted in controller mode. All right, it's been about a minute and we can see that the device is coming up. Startup config is present, trust points are being brought in, SSH, and we see the YANG infra is coming up as it's trying to communicate with the controllers, and the controllers will be communicating with it. Next thing we should start seeing is some OMP daemons fire. Notice my tunnels have come up. There is my OMP daemon. We see that we have brought up our configuration to the database infrastructure. The controllers now should have access to this device. Notice the device knows about its identity, cEdge 40.
We should see some additional output regarding OMP shortly. OMP just came up as far as its operational state. Here very soon we should see a transition in the graphical user environment that moves to CSR; it'll be a green circle with white letters inside of it. The device is receiving its configuration, actually it's accepting its configuration. The install CSR message just fired. Shortly over here we should see a transition to CSR. Once the certificate is signed and the device takes its full configuration, accepts its system IP, the graphical user environment will ultimately refresh until such time that we see the green ribbon that tells us the device has been successfully onboarded. So this is a very predictable and orchestrated mechanism that we can actually verify organically as it takes place in the background by just simply looking at the devices being onboarded when it's a cEdge. When it's a vEdge, it's not quite as easy to ascertain what's taking place in the infrastructure. But ultimately this device will add itself to the fabric, and we'll verify the configuration as far as the number of OMP peers that have formed, as well as taking a look at the control connections.

About a minute has passed and we can see that the CSR has actually been signed. It has been registered, it should now be part of my infrastructure. So now if I say admin admin to log into this device, it has its name, and if I do a config dash or space t, we'll notice that that command is not supported. Why? Because this device is actually operating in the IOS XE SD-WAN mode. We can see that we just formed our peering to our two vSmarts. Remember we have three; we'll form peerings with up to two by default. I'll say show sdwan omp peers, and we can see that we should have peering with two vSmarts, vSmart 2 and vSmart 3 specifically, and this basically tells me everything's good to go. I'll finalize that by saying show sdwan control connections, and I want to make certain that this box does indeed
have its configuration. So control connections, sorry, and we should have peering with two vSmarts and the vManage.

So this illustrates one of the easiest ways I know of to onboard a cEdge device. It makes everything simple, and reduces the requirement to understand or to remember the configuration constraints as far as assigning IP addresses, tunnels, tunnel modes, SD-WAN configuration and all those things I'm going to be showing you shortly. But just keep in mind that this is the way that it was intended to be done. There are obviously other ways, and a lot of instructors teach the long, more protracted method that we have had long before, back into the early days of 16 code of the IOS, back when there was a specific CSR image for IOS XE and then a specific CSR image for IOS XE SD-WAN. Now they've been combined since the latter portion of 16 code, and to me it's something that I've really, really come to rely on and trust, because it does indeed make things much simpler to configure. This is only one way to onboard a CSR1000v, but I think it's the coolest. So what we'll do is we'll take a look at the manual method, the longer method, in the next portion of this video.

The following method is by far my least favorite method for deploying devices, but it is the way that we used to have to do things in the earlier versions of Cisco Viptela SD-WAN. So what I want to do right now is I'm going to go ahead and dive in to onboarding cEdge 50.
So the first thing I'm going to do is I'm going to open up a connection to cEdge50 and illustrate that I'm not in the proper version to deploy this device. I'm going to say show version pipe include mode, and we'll see that I'm in autonomous mode, and we know that we need to be in controller mode in order for this to work, controller enable mode for this to work. So what I want to do right now, before I change the state, before I do anything, I'm going to go ahead and make certain that I get my sdwan.pem file installed on this device, because after I put it in controller mode, sometimes that can be problematic. So let's go ahead and get that knocked out. The first thing I'm going to do is I'm going to say copy scp to bootflash, and what I'm going to do is again I'm going to specify 10 100.100.100. User is the username, the source file is going to be in /home/user/downloads, it's going to be sdwan.pem, the password is test123 with a capital T, and I have moved it over. Sorry, directory. So here is the file, and it actually has a size. There's a documented problem with moving some of the files over: sometimes it says it moved but there's no file size change.

So the next thing that I need to do is to change the mode of this device: controller-mode enable. We have to wait for the device to reload and make itself available to us. We can see the box has come back up in controller mode; we're just waiting for it to make its final post. All right, it's been about four minutes and the box is just now starting to come up to get into the position where I'm going to be able to make some config. Okay, I'm going to try to log in now. All right, so the box is now asking me to enter a new password. I'll pick admin admin again, and now what we'll find is, if I do en and I type config t, it's not going to accept the command, because now it is in controller enabled mode. Show version pipe include mode, and we see it is in controller managed mode. Now what I've got to do is I've got to make the configurations
necessary to allow this device to work in conjunction with the vManage. Now to do that, config transaction is going to be the keyword. I'm going to go to my system, and just like I did on my controllers and my vEdges, I need to tell it everything that needs to function in the system, to begin with the system-ip, and that's going to be 172.255.255. I'm going to make this one 51 and the other one will be 52, so site 50 router 1, site 50 router 2. The other thing that I'm also going to need to do is specify my site ID, which is going to be 50. My organizational name is going to be sdwan advanced lab. The vBond is going to be located at vBond dot micronics lab.com. Inside of the CSRs I cannot use the host-name function; host-name does not work. It needs to be specified inside of the standard config and it's going to be hostname like it's always been, so no dash. So in this instance it's going to be hostname edge 50. Note that nothing has appeared on the screen, because now I have to use the commit in order to be able to deploy the configuration settings.

Now what I've done is I've set up my system configuration, but I've also now got to set up my interface configuration. So what I'm going to do is I'm going to go to my one and only interface that I need to worry about right now, which is going to be interface GigabitEthernet 2, and I'm going to go ahead and assign an IP address, and we'll say no shut. IP address will be 100.100.100.50 255.255.255.0. I am going to exit, and I'm going to go ahead and provide the ip route of 0.0.0.0 0.0.0.0, and those will be 100.100.100.1, so that's my default route out in my primary VRF. And I'm going to say my ip name-server is going to be 172.16.100.100, and then I'll say commit here. This should give me the basic functionality as far as reachability, same as we've done in every lab. So if I come over now and say ping my gateway, 100.100.100.1, I've got reachability. Ping 100.100.100.2, that should be my vManage, and I've got
reachability to it.

So the next thing that I want to do is I want to go ahead and install the root CA. So, directory. I'm hoping that my sdwan.pem file is intact, and it is. So what I'm going to do now is I'm going to say request platform software sdwan root-cert-chain install, and that's going to be bootflash, called sdwan.pem. Let's see if we can get that to install. Okay, it is installed. Let's verify that it's installed. So to verify its installation, I'm going to say show sdwan certificate root-ca-cert pipe include sdwan, and let's see if we see the certificate file that we've implemented, just like we did on the vEdges, and we see it, it's here. Like I said, to me this just seems so cumbersome compared to the other way of handling our implementation.

Now the next part of this is that I need to create a tunnel. So, config transaction. I'm going to create an interface tunnel. This interface tunnel, we'll say interface tunnel, I'm going to call it tunnel 2 because it's going to be on GigabitEthernet 2, and what I'm going to do is I'm going to say no shut, I'm going to say ip unnumbered, and what I'm going to do is I'm going to use the GigabitEthernet, and this is very, very case sensitive, Ethernet 2. Say tunnel source GigabitEthernet 2.
And I need to specify a tunnel mode, and that tunnel mode is going to be sdwan. This is the way that we're going to be creating our tunnel operations, so that'll be my IPsec tunnels as well as my DTLS tunnels that we're going to be needing to get our infrastructure up and running. Now what I'm going to do now, if I type commit, let's see what happens. So I'll say show run interface tunnel 2. There we go: ip unnumbered, tunnel source, tunnel mode sdwan. And if I do a show run interface GigabitEthernet 2, we see that we have the IP address.

Now what I want to do is I want to go ahead and see if I can't configure the SD-WAN portion. So I'll say config transaction, sdwan, and interface GigabitEthernet 2, and what I'm going to do here is I'm going to say tunnel interface, encapsulation will be ipsec, my color in this case will be business internet. We'll talk about that when we get into the conversation about our design. I'm going to say exit, exit, and now what I'm going to do is exit one more time and I'll say commit, and I'm hoping that this is going to give me everything that I need and I should see my tunnel state come up. We will say show ip interface brief and let's see what we have. Notice that I have a tunnel 2.
Notice it took its IP address from Gigabit 2, and right now we should be able to go ahead and get this device onboarded. Now to onboard this device, I need to go into the jump box, and from the jump box perspective I'm going to select a device in my list. So I'll just go ahead and take this one right here, all of this, copy. What I'm going to do now is I will say ssh to admin at, and I will say 100 100 150. Let's see if it lets me in. If it doesn't, we know that we've got a problem with regard to the tunnel, so I need to allow the SSH daemon. So I'll go ahead and hit C here, and let's get that in so I can do a copy paste real quick. So we'll get rid of all of this. I'll say config transaction, sdwan, interface GigabitEthernet 2, tunnel interface, allow service, I'll just say all, commit. Config transaction, line vty 0 to 4, transport input ssh, but the commit should, so now let me try my SSH.

So let's go ahead and see if we can't get this to work. So I'll say request platform software sdwan vedge_cloud activate chassis-number, and then I need that chassis number and I need the token, just like we did when we were working with the vEdges. So I'll just grab the token next, copy, let's go ahead and get that pasted in, and let's hit enter, and hopefully we'll be able to see some magic happen. So what I'm going to do is I'm going to minimize this so that I can watch what's happening here, and hopefully we'll see some progress. CSR went in, you can see it right here. Next thing, it should come back signed, and then the device will be added to the fabric. Since we are logged in via vty, via SSH, I could do a terminal monitor and that'll actually start showing the output on the screen here. Until you do that, you can see it by looking at the log file. There it goes, so the certificate's been installed, so that certificate has been signed. Control connections are not coming up, vSmarts, everything's going live now. So I'll just hit tab, hit enter, and we should see now that at least we have the two vSmarts, the vBond and the
vManage. As far as the way this goes, we're connecting to vSmart 1 and vSmart 3, vManage 13, which is vManage 3, and the vBond that we're connecting to, notice it's saying here, used to be 100.100.101.3, so that's going to be the second vBond, the one that is not part of site 255. So this should come up. So one last check: I'll say show sdwan omp peers, and we should see that we have two adjacencies with our vSmarts.

This is a good place to stop, because in the next video what I'm going to do is I'm going to onboard an ISRv and a Cat 8000v just to demonstrate the process, and you're going to find it's going to mirror what we did with the CSR in the first part of this lab. Understand, what I just demonstrated is what I call the long way, and it was the way that we used to have to do things. It was very, very manual and it also required a lot of configuration, balancing the tunnels, typing stuff in. I really have come to appreciate using the template to do the implementation, because now that this device has been onboarded, I still have to create a template for it if I want to be able to manage it the way that it would be managed in an actual real-world SD-WAN environment. So we're not gaining any ground, or we're not minimizing our effort; in fact we're actually increasing our effort by not going ahead and doing it the way that I illustrated it in the first part of this video. But I wanted you to see both ways.

All right, so I'm going to go ahead and end here, and I'll see you guys in the next video, when we're going to talk about some of the other cEdge devices, and then I'm going to give you that conversation, that lecture I've been describing about templates.
Info
Channel: Terry Vinson CCIEx2
Views: 2,777
Keywords: ccie enterprise 2021, ccie enterprise infrastructure sdwan, ccie35347, ccnp enterprise 2021, cedge, cisco 300-415, cisco sd wan, cisco sdwan, cisco sdwan 2021, cisco sdwan controller onboarding, cisco sdwan controllers, cisco sdwan vmanage, cisco vbond, cisco vbond orchestrator, cisco vsmart, cisco vsmart controller, dtls tunnels, ensdwi, eveng, implementing cisco sd-wan solutions, sd wan, sdwan, sdwan redundancy, terry vinson, vbond, vedge, viptela, vmanage, vsmart, csr1kv, csr1000v
Id: JEIvrQ-mt8c
Length: 33min 10sec (1990 seconds)
Published: Wed Jan 27 2021