Suggestions for PnP solution. Got branch offices.
- At the branch office it is a simple topology: Router Gi0/1 ---> Gi0/49 Switch.
- The router is connected to HQ through an MPLS network. The DHCP server is in HQ.
- Planning to start a PnP solution using APIC-EM for all network hardware in the branch office.
The empty router is connected to the ISP CPE router. The CPE router relays DHCP requests from the router to the central DHCP server. The router gets its DHCP configuration. After that it connects to APIC-EM using the URL pnpserver.domain.com and gets all its config.
After the router is successfully provisioned it becomes a "router-on-a-stick". It has several subinterfaces with tagged traffic (Management, Users and Phones).
And here we have a problem:
The empty switch connected to the router is by default trying to get DHCP on VLAN 1, but the router doesn't have an untagged VLAN on its link anymore.
I came up with one solution:
I created an additional network (and a new DHCP scope) for switch deployment. On the branch router I configured an IP address and an ip helper to our DHCP server on Gi0/1 for untagged traffic. So the switch can get an IP and other config from the newly created deployment DHCP scope, and then it connects to pnpserver.
In total we are using an additional subnet and configuration on the router and DHCP server.
After provisioning completed, I am seeing many messages on the router:
Jul 12 09:47:08.305 CEST: %XML-UPDOWN: pnp-zero-touch XML Interface(101) UP. PID=218
Jul 12 09:47:08.306 CEST: %XML-UPDOWN: pnp-zero-touch XML Interface(101) DOWN(502).
What should be done to remove these messages?
Have you tried configuring the command 'pnp startup vlan X' on the router? In your case X will represent your management VLAN ID. Obviously your router needs to support the Open Plug-n-Play agent for this to work:
"pnp startup-vlan" should work, unless it is not supported.
In terms of the messages, do you have pnp debug enabled?
What is the DHCP string you are using for option 43?
You have two options:
1) turn off pnp debug, probably by changing option 43, depending on what you put in it.
2) turn off the pnp agent. You can put "no pnp profile XXX" where XXX = the pnp profile name.
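As an added example tied to the option 43 advice above (not code from anyone in this thread), a small decoder that parses the PnP option 43 string, reports whether the debug flag is set, and flags a plaintext HTTP transport. The field meanings follow Cisco's option 43 PnP string format as I understand it, and all server addresses in the samples are constructed.

```python
"""Decode a Cisco Open PnP DHCP option 43 string and flag risky settings.

Added example for this thread (not the posters' code). Field meanings follow
Cisco's option 43 PnP string format as I know it; sample values are constructed:
  5A1D / 5A1N  '5' PnP string, 'A' active agent, '1' version, 'D'/'N' debug on/off
  B1 / B2      server given as hostname / IPv4     I<value>  server name or address
  J<port>      TCP port                            K4 / K5   HTTP / HTTPS transport
  T<url>       trustpool bundle URL (for K5)       Z<ip>     NTP server
"""
import re

TRANSPORT = {"4": "http", "5": "https"}
ADDR_TYPE = {"1": "hostname", "2": "ipv4"}


def parse_option43(s: str) -> dict:
    """Split an option 43 string into fields; raise ValueError on bad input."""
    fields = [f for f in s.strip().split(";") if f]   # tolerate trailing ';'
    if not fields or not re.fullmatch(r"5A1[DN]", fields[0]):
        raise ValueError(f"not a PnP option 43 string: {s!r}")
    out = {"debug": fields[0].endswith("D")}
    for f in fields[1:]:
        key, val = f[0], f[1:]
        if key == "B":
            out["addr_type"] = ADDR_TYPE.get(val, f"unknown({val})")
        elif key == "I":
            out["server"] = val
        elif key == "J":
            out["port"] = int(val)          # non-numeric port -> ValueError
        elif key == "K":
            out["transport"] = TRANSPORT.get(val, f"unknown({val})")
        elif key == "T":
            out["trustpool_url"] = val
        elif key == "Z":
            out["ntp"] = val
        else:
            raise ValueError(f"unknown option 43 field {f!r}")
    return out


def review(s: str) -> list:
    """Findings a reviewer of the deployment DHCP scope would want to act on."""
    o, findings = parse_option43(s), []
    if o["debug"]:
        findings.append("debug on (D): agent logs %XML-UPDOWN noise; switch to 5A1N")
    if o.get("transport") == "http":
        findings.append("K4 plaintext HTTP: config is pushed unencrypted; prefer K5")
    elif o.get("transport") == "https" and "trustpool_url" not in o:
        findings.append("K5 without T: no trustpool bundle URL for server cert validation")
    return findings
```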
I am using Microsoft DHCP and the DNS method.
These are the messages in the console log during config deployment:
.Jul 13 07:58:48.881 CEST: %XML-SRVC: urn:cisco:pnp:config-upgrade XML Service(212) FAILURE(712). PID=609
Jul 13 08:54:32.598 CEST: %XML-UPDOWN: pnp-zero-touch XML Interface(101) DOWN(502).
Jul 13 08:55:32.598 CEST: %XML-UPDOWN: pnp-zero-touch XML Interface(101) UP. PID=609
And the config deployment process is stuck until timeout.
It happens only on the ISR4321 router with IOS-XE 03.16.05.
That looks like an issue with the configuration file you are pushing?
Jul 13 07:58:48.881 CEST: %XML-SRVC: urn:cisco:pnp:config-upgrade XML Service(212) FAILURE(712). PID=609
If you click on the serial number in the PnP app, what does the logging history show?
APIC-EM after timeout shows me:
Failed health check since device is stuck in non-terminal state PROVISIONING_CONFIG for more than threshold time: 0 hours, 10 minutes, 0 seconds
APIC-EM Version 18.104.22.1689.
Check if you have "aaa authorization" commands in the configuration.
If so, to address it you need IOS-XE 16.3.2 (or later).
You can also address it with an EEM script workaround; it is documented in Network Automation with Plug and Play (PnP) – Part 7.
- The provider's CPE router has an ip helper on its interface with the untagged VLAN to which our router is connected. There is also a tagged VLAN on the CPE interface.
- So when the empty router is connected to the CPE it gets its DHCP configuration using the untagged interface, let's say 192.168.1.2 255.255.255.0 GW 192.168.1.1, etc.
- But the router production config removes ip address dhcp from Gi0/0 and creates subinterface Gi0/0.99 with a static address, let's say 10.0.0.2 255.255.255.0 GW 10.0.0.1, etc.
- As I understand it, after APIC-EM applies this configuration it loses the connection with 192.168.1.2 because the router doesn't have this IP anymore, and the config deployment process gets stuck.
With the new IP address the router can't communicate with APIC-EM. After configuration it will have several VRFs. One VRF will be management, and from this VRF the router will be able to communicate with APIC-EM.
For deployment to succeed you will need to have some sort of IP connectivity after the config push. This is used as a sanity check to make sure the provisioning succeeded.
Check whether the management VRF is being provisioned by APIC-EM.
If so, you need to update the pnp profile to use the VRF. Follow the steps below on how to do this.
You need the following commands:
! change the PnP profile to use the management VRF
pnp profile network-pnp
 transport https ipv4 x.x.x.x port 443 vrf MGMT
! change the HTTP request to come from the management interface
ip http client source-interface <interface-name>
You need to set the source interface as well for the HTTP request initiating from the router. Remember, all PnP connections are initiated from the router.
--If it is not working then--
pnp profile pnp-zero-touch
 transport https ipv4 x.x.x.x port 443
pnp startup-vlan 99
APIC-EM creates the pnp profile pnp-zero-touch. So I just add
backup transport https host XXX.XXX.XXX.XXX port 443 vrf VRF-NAME
to the profile.