Want to do PnP over the Internet for DMVPN spoke routers.
The pnp profile uses the global vrf. In the final configuration of the spoke router, the interface to the Internet will be set into a separated VRF for the Internet. Tried to apply that VRF change for the Internet facing interface by an EEM script executed after the copy of the configuration by PnP, like this:
event manager applet _CVD_DMVPN
event timer countdown time 2
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "interface GigabitEthernet8"
action 2.1 cli command "shutdown"
action 2.2 cli command "ip vrf forwarding INET"
action 2.3 cli command "ip address dhcp"
action 2.4 cli command "zone-member security INET"
action 2.5 cli command "ip nat outside"
action 2.6 cli command "ip policy route-map INTERNET-TRAFFIC"
action 2.7 cli command "no shutdown"
action 2.8 cli command "exit"
action 2.9 cli command "ip route vrf INET 0.0.0.0 0.0.0.0 dhcp"
action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp"
action 5.0 cli command "pnp profile network-pnp"
action 5.1 cli command "transport https ipv4 x.x.x.x port 443 vrf INET"
action 5.9 cli command "exit"
action 9.1 cli command "no event manager applet _CVD_DMVPN"
action 9.2 cli command "end"
!
end
Unfortunately, the result is not successful:
# sh pnp history
<-2- T:869528, Job 46:XML Certificate-Install Service, Elapsed:4 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-6-89-21F350F0-6
<-2- T:932928, Job 54:XML CLI-Exec Service, Elapsed:832 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-7-89-21F346A0-7
And in the APIC-EM that device ends up in an error state:
Received response from pnp agent for message correlatorId: CiscoPnP-1.0-17-89-29B4D58-16 but with error code : ZTD_CMD_ERROR Response String: ERROR:PnP Service Error 1000:Copy to running config failed
service log:
%Error opening https://x.x.x.x:443/api/v1/file/onetimedownload/8308afcb-2f81-44ec-9ee7-1ea0ee6e790f (I/O error)
What can be the reason for the Config-Upgrade Service to fail, although the configuration was copied to the device?
This issue seems to be that the config file download has failed.
A couple of things to try:
1) Can you increase the timeout on the script, just in case it is triggering too early? (normally use 20sec)
2) Can you download the normal config without the EEM script to see if the base config is OK?
Change the PnP profile to use the INET vrf. It used the global vrf during the start of the PnP process. And because the Internet facing interface is changed from global vrf to the INET vrf by that EEM script, it seemed appropriate to change the PnP profile right after that vrf change.
This step is without using that EEM script.
Run PnP and download your config, including the EEM script.
HOWEVER, I would make the EEM script run 30sec after the PnP process has completed and just put the vrf/routing information in the EEM script. This way the PnP process will complete and you can then change the routing POST-PnP.
You would need to re-save the config to make sure it persists.
PnP is working over the global route, no need to make it work again over the vrf.
Change the vrf in the pnp profile, and so the PnP process even succeeds to the final state!
event manager applet _CVD_DMVPN
event timer countdown time 30
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 2.0 cli command "interface GigabitEthernet8"
action 2.1 cli command "shutdown"
action 2.2 cli command "ip vrf forwarding INET"
action 2.3 cli command "ip address dhcp"
action 2.4 cli command "ip nat outside"
action 2.5 cli command "zone-member security INET"
action 2.6 cli command "ip policy route-map INTERNET-TRAFFIC"
action 2.7 cli command "no shutdown"
action 2.8 cli command "exit"
action 3.0 cli command "ip route vrf INET 0.0.0.0 0.0.0.0 dhcp"
action 3.1 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp"
action 4.0 cli command "pnp profile network-pnp"
action 4.1 cli command "transport https ipv4 x.x.x.x port 443 vrf INET"
action 4.2 cli command "exit"
action 5.1 cli command "no event manager applet _CVD_DMVPN"
action 5.2 cli command "end"
action 5.3 cli command "exit"
- As we provision switches we do the image push if needed and then the config push, but the final config basically kills the connectivity between the device and the controller, as the provisioning network we use is pretty basic and uses the default vlan1. Once the switches have their new configuration the APIC-EM eventually errors out because it's lost connection. What we then do is script out updates to our Linux utility host, a router and the switch on the provisioning network to "mock up" the management vlan for the switches so we can then get to the device (with its final configuration) via other tools like Ansible while still in staging. This lets us test a bit better before sending the devices to their final destinations. Like Will the REST API exposes the ability to update the static routes on the controller. I would like to see the controller report on the final state while the device is still on the provisioning network vs ERROR, but that is not essential. When the device is deployed it will be able to reach the APIC controller on the external interface.
A better solution is to use the "pnp startup-vlan x" command on the upstream switch. This will cause vlan X to be configured on the PnP switch, and DHCP enabled on that interface.
Check some documented examples here: Network Automation with Plug and Play (PnP) – Part 4
You can also try it without the pnp profile. That should not be doing anything, as the pnp process will have completed by the time the EEM script runs. The only other thing you might want to do is put a "wr mem" in at the end of your EEM script. That will make the changes persistent.
If you do it after you delete the EEM script, that will make sure it is not saved.
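Putting the advice from this thread together (30-second countdown so PnP has finished, no pnp profile change, applet removed before the save so it is not written to startup-config), the applet below is an added illustration and not configuration posted by anyone in the thread. Interface GigabitEthernet8, VRF INET, the INET security zone and the INTERNET-TRAFFIC route-map are taken from the original script; the ordering comments and the placement of "write memory" are the editor's, and the thread's extra global-table default route is left out here because the interface is moved entirely into the VRF.

```cisco
! Added example (not from the thread): move the Internet interface into the
! INET VRF once, 30 s after the PnP config copy, then remove itself and save.
event manager applet _CVD_DMVPN
 event timer countdown time 30
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet8"
 ! Take the link down before re-homing it: "ip vrf forwarding" strips the
 ! interface address, so DHCP is re-applied, and the zone membership and NAT
 ! role are in place before the interface comes back up.
 action 2.1 cli command "shutdown"
 action 2.2 cli command "ip vrf forwarding INET"
 action 2.3 cli command "ip address dhcp"
 action 2.4 cli command "zone-member security INET"
 action 2.5 cli command "ip nat outside"
 action 2.6 cli command "ip policy route-map INTERNET-TRAFFIC"
 action 2.7 cli command "no shutdown"
 action 2.8 cli command "exit"
 ! Default route inside the VRF, learned from DHCP. The pnp profile is left
 ! alone: PnP has already completed over the global table by this point.
 action 3.0 cli command "ip route vrf INET 0.0.0.0 0.0.0.0 dhcp"
 ! Remove the applet first, then save, so startup-config does not carry the
 ! applet and it cannot fire again after a reload.
 action 4.0 cli command "no event manager applet _CVD_DMVPN"
 action 4.1 cli command "end"
 action 4.2 cli command "write memory"
```

After the timer fires, "show pnp history" should still show the earlier jobs as Success, "show running-config | section event manager" should return nothing, and "show startup-config | include event manager" should also be empty; if the applet is still present in startup-config, the save ran before the removal.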