Deploying CSR 1000v with Cisco SDWAN

I haven’t seen a whole lot of information out there about the SDWAN CSR1Kv, so I thought I would take this opportunity and start with a guide on getting one up and running. I debated for a while on where in the process to begin this guide, but decided to keep it focused on bringing up a CSR1Kv into a production SDWAN network. Since there are a variety of ways to host the CSR1KV VM, I will not be going through the installation of the VM its self here. This will also not cover building the controllers or creating device templates. In my case here, I have my own vmware esxi compute cluster where I deployed the CSR1Kv OVA. I will also be using a cisco hosted control plane (vmanage, vbond, vsmart). I will be going through adding a CSR1KV to your cisco smart account and getting the device connected to the control plane. For this post I am using vManage version 19.2 and CSR1Kv version 16.12.1e.

You will need to have a smart account to provision a CSR1Kv. Your company may already have a smart account that you could request access to, or if you own a domain you may try your luck at requesting your own smart account from cisco. The requirement to verify your account seems to be the ability to respond to an activation email directly from a unique domain email account. So may be valid, but using your gmail would not be. I have not done this myself as I have a smart account through my employer, so your mileage may very here.

To begin, go to and log into your smart account. You wll want to create a virtual account within your smart account. On the first page you will see an administration section. Here you will want to go to “Manage Smart Account”.

Once here you want to go to the Virtual Accounts tab then click New Virtual Account. In the pop up, just fill out the information.

Once You have completed this, return to the main page. Under the Network Plug and Play section, go to Plug and Play Connect.

On this page, in the top right, you will need to select the virtual account you created previously. You will need to set up a controller profile by going to the Controller Profiles tab and click add profile.

On the popup, select controller type VBOND. Fill out the information and click next until completion. The organization name needs to match what you have set up in vManage. Upload your Server Root CA if necessary.

Now, we can provision a CSR1Kv. Go to the Devices tab and click Add software devices.

Click Add Software Devices again. Fill our the popup, using CSR1KV as the PID, and select the controller profile you want to use. Click save.

Now click through the remaining screens until you can click “done”.

Now you should see the CSR1KV is in the pending publish state. You will need to wait until this turns into Provisioned. In my experience it only takes a couple minutes.

Now we can finally move over to vManage. The first we need to do in vManage is sync our smart account so that vManage will receive the information about the CSR1Kv we want to deploy. We will want to go to the Configuration tab and then to Devices.

Here you want to click sync smart account. In the popup window simply enter your smart account login. Make sure the organization name is the virtual account or it will not sync properly. This is changed in the Administration Settings section in vManage.

Once the sync is complete, back on the Configuration>Devices screen you should now see the CSR1Kv from your smart account.

You will now want to attach this CSR1Kv to a Device Template in vManage. Creating the template is out of scope for this post. In vManage go to Configuration then Templates.

Choose your template and click Attach Devices.

You will see your device here and will be able to attach the CSR1Kv. I’m not covering the entire attachment process here, so proceed through the attachment process as usual.

The CSR1Kv will not be considered online at this point, however the template attachment will sit in a scheduled state until we complete the last few steps. Now we need to get on the CLI of the CSR1Kv. Depending on how you have deployed the VM, you can do this through something like VMWares web console or SSH to it if available. In my set up, I jump on the CLI through the vmware web console and configure it just enough to be able to SSH to it. When deploying the OVA in VMware it does present a page in which you supposedly can configure some parameters such as an IP on the management interface, default route, username etc. I have been unable to actually make this work, so I do the basics through the web console.

Once you have access to the CSR1Kv CLI, we will pull the entire config from vmanage and paste it in. This configuration can be found in vManage by going to Configuration>Devices. Find your device here and click the 3 dots at the far right and select Generate Bootstrap Configuration.

On the pop up choose cloud-init, click ok. Here will be the entire configuration according to your Device Template. This is the configuration you will need to place into the CSR1Kv.

A few things to note. The CSR1Kv will need its clock to match the clock of the control plane devices (vbond, vmanage). If the clock is too far off, the certificates will not properly install and the CSR1Kv will not be allowed to join the data plane. The simplest way to do this is to just configure an NTP server on the CSR1Kv, either manually or as part of your Device Template. You can also set the clock manually through the “clock set” command in privileged exec (enable) mode. Use show clock to ensure the clock is correct. Also, “config t” is not the correct command to use to enter configuration mode on the SDWAN version of IOS XE. In this version we use “config-transaction”. You must also use “commit” for the configuration to be put in place. One last thing to note, when you log into the CLI for the first time the default login is admin/admin. The router deletes this user upon first login. You must configure a new user before exiting or allowing the session to timeout or you will be locked out. You can allow your Device Template from above to account for this or configure it manually, using the same syntax you may already be used to within cisco IOS “username seth password goodpass123”

With that said, copy and paste the entire bootstrap configuration from above into the CSR1Kv. Some lines at the top will kick out, but thats no big deal. We will still get what we need. At this point, assuming your Device Template is correct, your CSR1Kv should have basic reachbility to the controller. However before control connections will come up we need to do one last thing, and that is to activate the CSR1Kv using the chassis number and token in vManage. These two values are found on the Configuration>Devices section. You may need to expand the columns to see the full chassis number and token.

The command to activate the device is “request platform software sdwan vedge_cloud activate chassis-number CSR-123C8B6-0665-2E1E-D4D1-F2C262419BD7 token eec63cc16617ee084d54308a68b1569d”. Enter this into privileged exec (enable) mode. Once this has been entered the router should begin to form control connections to your controllers and join the data plane if your configuration dictates that it do so.

Use the command “show sdwan control connections” to verify that the CSR has established connections to your controllers. The below screenshot is an example, depending on your network you could have more or less connections than I have. The important thing is that the CSR1Kv has a connection to vbond, vsmart, and vmanage.

Perhaps there are ways to simplify this, however with a lack of information out there this is what I have come up worth. Hopefully this will be helpful for you.

2 Replies to “Deploying CSR 1000v with Cisco SDWAN”

  1. Hi,
    Thanks for your post. Unfortunately I am unable to copy and past the bootstrap config to csr 1000v as the commands are not supported. Is there a specific way to upload the config to the router?

    1. Are you able to get into configuration mode using “config-transaction”? If not, check to see if you used the correct image for the CSR. There is actually a different OVA/ISO for the SDWAN version of the CSR1000v. The SDWAN version doesn’t have the command “configure terminal”, so if you getting into configuration mode with that command then you probably have the wrong version of the CSR.

      Also ensure the “Device Model” for the device you generated the bootstrap configuration for is CSR1000v and not vEdge since the configuration syntax is different between the two.

      If neither of those are the case, could you show me which part of the configuration the CSR is kicking out?

Leave a Reply