Deploying CSR1000v with Cisco SDWAN

I haven’t seen a whole lot of information out there about the SDWAN CSR1Kv, so I thought I would take this opportunity and start with a guide on deploying CSR1000v with Cisco SDWAN. I debated for a while on where in the process to begin this guide, but decided to keep it focused on bringing up a CSR1Kv into a production SDWAN network. Since there are a variety of ways to host the CSR1KV VM, I will not be going through the installation of the VM its self here. This will also not cover building the controllers or creating device templates. In my case here, I have my own vmware esxi compute cluster where I deployed the CSR1Kv OVA. I will also be using a cisco hosted control plane (vmanage, vbond, vsmart). I will be going through adding a CSR1KV to your cisco smart account and getting the device connected to the control plane. For this post I am using vManage version 19.2 and CSR1Kv version 16.12.1e.

You will need to have a smart account to provision a CSR1Kv. Your company may already have a smart account that you could request access to, or if you own a domain you may try your luck at requesting your own smart account from cisco. The requirement to verify your account seems to be the ability to respond to an activation email directly from a unique domain email account. So me@mycompany.com may be valid, but using your gmail would not be. I have not done this myself as I have a smart account through my employer, so your mileage may very here.

To begin, go to software.cisco.com and log into your smart account. You wll want to create a virtual account within your smart account. On the first page you will see an administration section. Here you will want to go to “Manage Smart Account”.

sdwan csr1000v

Once here you want to go to the Virtual Accounts tab then click New Virtual Account. In the pop up, just fill out the information.

sdwan csr1000v
sdwan csr1000v

Once You have completed this, return to the main software.cisco.com page. Under the Network Plug and Play section, go to Plug and Play Connect.

sdwan csr1000v

On this page, in the top right, you will need to select the virtual account you created previously. You will need to set up a controller profile by going to the Controller Profiles tab and click add profile.

sdwan csr1000v

On the popup, select controller type VBOND. Fill out the information and click next until completion. The organization name needs to match what you have set up in vManage. Upload your Server Root CA if necessary.

sdwan csr1000v

Now, we can provision a CSR1Kv. Go to the Devices tab and click Add software devices.

sdwan csr1000v

Click Add Software Devices again. Fill our the popup, using CSR1KV as the PID, and select the controller profile you want to use. Click save.

sdwan csr1000v
sdwan csr1000v

Now click through the remaining screens until you can click “done”.

sdwan csr1000v

Now you should see the CSR1KV is in the pending publish state. You will need to wait until this turns into Provisioned. In my experience it only takes a couple minutes.

sdwan csr1000v
sdwan csr1000v

Now we can finally move over to vManage. The first we need to do in vManage is sync our smart account so that vManage will receive the information about the CSR1Kv we want to deploy. We will want to go to the Configuration tab and then to Devices.

sdwan csr1000v

Here you want to click sync smart account. In the popup window simply enter your smart account login. Make sure the organization name is the virtual account or it will not sync properly. This is changed in the Administration Settings section in vManage.

sdwan csr1000v
sdwan csr1000v

Once the sync is complete, back on the Configuration>Devices screen you should now see the CSR1Kv from your smart account.

sdwan csr1000v

You will now want to attach this CSR1Kv to a Device Template in vManage. Creating the template is out of scope for this post. In vManage go to Configuration then Templates.

sdwan csr1000v

Choose your template and click Attach Devices.

sdwan csr1000v

You will see your device here and will be able to attach the CSR1Kv. I’m not covering the entire attachment process here, so proceed through the attachment process as usual.

sdwan csr1000v

The CSR1Kv will not be considered online at this point, however the template attachment will sit in a scheduled state until we complete the last few steps. Now we need to get on the CLI of the CSR1Kv. Depending on how you have deployed the VM, you can do this through something like VMWares web console or SSH to it if available. In my set up, I jump on the CLI through the vmware web console and configure it just enough to be able to SSH to it. When deploying the OVA in VMware it does present a page in which you supposedly can configure some parameters such as an IP on the management interface, default route, username etc. I have been unable to actually make this work, so I do the basics through the web console.

Update 6-19-2020: Check out a new post I wrote regarding SDWAN CSR1000v – Automating Configuration

Once you have access to the CSR1Kv CLI, we will pull the entire config from vmanage and paste it in. This configuration can be found in vManage by going to Configuration>Devices. Find your device here and click the 3 dots at the far right and select Generate Bootstrap Configuration.

sdwan csr1000v

On the pop up choose cloud-init, click ok. Here will be the entire configuration according to your Device Template. This is the configuration you will need to place into the CSR1Kv.

sdwan csr1000v
sdwan csr1000v

A few things to note. The CSR1Kv will need its clock to match the clock of the control plane devices (vbond, vmanage). If the clock is too far off, the certificates will not properly install and the CSR1Kv will not be allowed to join the data plane. The simplest way to do this is to just configure an NTP server on the CSR1Kv, either manually or as part of your Device Template. You can also set the clock manually through the “clock set” command in privileged exec (enable) mode. Use show clock to ensure the clock is correct. Also, “config t” is not the correct command to use to enter configuration mode on the SDWAN version of IOS XE. In this version we use “config-transaction”. You must also use “commit” for the configuration to be put in place. One last thing to note, when you log into the CLI for the first time the default login is admin/admin. The router deletes this user upon first login. You must configure a new user before exiting or allowing the session to timeout or you will be locked out. You can allow your Device Template from above to account for this or configure it manually, using the same syntax you may already be used to within cisco IOS “username seth password goodpass123”

sdwan csr1000v

With that said, copy and paste the entire bootstrap configuration from above into the CSR1Kv. Some lines at the top will kick out, but thats no big deal. We will still get what we need. At this point, assuming your Device Template is correct, your CSR1Kv should have basic reachbility to the controller. However before control connections will come up we need to do one last thing, and that is to activate the CSR1Kv using the chassis number and token in vManage. These two values are found on the Configuration>Devices section. You may need to expand the columns to see the full chassis number and token.

sdwan csr1000v

The command to activate the device is “request platform software sdwan vedge_cloud activate chassis-number CSR-123C8B6-0665-2E1E-D4D1-F2C262419BD7 token eec63cc16617ee084d54308a68b1569d”. Enter this into privileged exec (enable) mode. Once this has been entered the router should begin to form control connections to your controllers and join the data plane if your configuration dictates that it do so.

sdwan csr1000v

Use the command “show sdwan control connections” to verify that the CSR has established connections to your controllers. The below screenshot is an example, depending on your network you could have more or less connections than I have. The important thing is that the CSR1Kv has a connection to vbond, vsmart, and vmanage.

sdwan csr1000v

Perhaps there are ways to simplify this, however with a lack of information out there this is what I have come up worth. Hopefully this will be helpful for you.

11 Replies to “Deploying CSR1000v with Cisco SDWAN”

  1. Hi,
    Thanks for your post. Unfortunately I am unable to copy and past the bootstrap config to csr 1000v as the commands are not supported. Is there a specific way to upload the config to the router?

    1. Are you able to get into configuration mode using “config-transaction”? If not, check to see if you used the correct image for the CSR. There is actually a different OVA/ISO for the SDWAN version of the CSR1000v. The SDWAN version doesn’t have the command “configure terminal”, so if you getting into configuration mode with that command then you probably have the wrong version of the CSR.

      Also ensure the “Device Model” for the device you generated the bootstrap configuration for is CSR1000v and not vEdge since the configuration syntax is different between the two.

      If neither of those are the case, could you show me which part of the configuration the CSR is kicking out?

  2. Hi , im trying your sdwan cEdge onBoarding, but the CSR doesnt get the fabric

    PEER PEER PEER SITE DOMAIN PEER PRIVATE PEER PUBLIC REPEAT
    INSTANCE TYPE PROTOCOL SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT REMOTE COLOR STATE LOCAL/REMOTE COUNT DOWNTIME
    ———————————————————————————————————————————————————————————————–
    0 unknown dtls – 0 0 :: 0 15.1.1.10 12366 default tear_down BIDNTVFD/NOERR

    Im following the steps as same as you, but is not working for me
    I already have Controllers and vEdge working

    1. Hello. Does the CSR form control plane connections at all? What does ‘show sdwan control connections’ look like on the CSR? What is the version of vManage and CSR that you have installed?

    1. You may be able to get one if you have your own domain with an email address you can send/receive from. But this seems hit or miss if you aren’t a business and potential customer of cisco. They definitely won’t give you an account with an @gmail @yahoo etc type email address.

  3. Hi I’m try to copy and paste the bootstrap but is not working this is my output Router#config-transaction

    admin connected from 127.0.0.1 using console on Router

    Router(config)# #cloud-config
    —————-^
    syntax error: unknown command
    Router(config)# vinitparam:
    —————-^
    syntax error: unknown command

    Any idea ? Thanks

    1. Some of the configuration at the top of the cloud-init bootstrap will kick out on the cisco routers and that should not be a problem. Down toward the system portion is where the config should begin to work. It doesn’t hurt to just copy and paste in the entire bootstrap configuration, just know that some lines at the top will kick out.

Leave a Reply