The location can be: Cisco vManage: To select an image stored on the local Cisco vManage. address to the WAN interface. If the device is not listed as an unclaimed WAN edge device, check whether the device can connect to the Cisco vBond Orchestrator and correct any connectivity issues. the information retrieved from the configuration file. Use the request platform software sdwan bootstrap-config save command to save a bootstrap file to the device bootflash. overlay network, from the Cisco vManage menu, choose Dashboard > Main Dashboard and click WAN Edge devices in the Summary Pane. The strings mips64 and x86_64 represent the underlying chip architecture. Attach the device to a device configuration template. Connect to the device using SSH. the uploaded vEdge list and send to controllers, WAN Edge After you have installed a signed image onto a Cisco SD-WAN device, you can no longer install an unsigned image onto the configures the device after the control connections are up. Enterprise Certificates. After a Cisco vEdge 5000 device is authenticated with Cisco vBond Orchestrator or Cisco vManage using OTP, do not reboot the device until the SHA2 enterprise certificate is installed and validated. If you are upgrading all devices in the overlay network, you must perform the upgrade in the following order: Upgrade one-half of the Cisco vSmart Controllers. Enter the following command to set the config-register value to 0x8000: Power the device down and then back up so that your update takes effect. Templates and create a template for the device. the controllers using the SHA2 Enterprise Certificate. reset. If templates are not configured on Cisco vManage, configure the required system configuration on the device. later) are installed and activated on a device, a 30-day timer is set for the removal of any old images that were previously reconnect to the controller in case the full configuration is ever lost or removed. 
Click OK to confirm the move to the invalid This feature enables you to generate a minimum bootstrap configuration file directly on a device, which enables the device to To perform the on-site bootstrap process for a device, follow these steps: Upload the Chassis ID and the serial number of the device to Cisco vManage. All standard Cisco SD-WAN software certificates, you must invalidate and remove the device from the overlay 16.12.2: After the device comes back up, configure a new admin password. controllers. See Add the IOS XE Router to the PnP Portal section The file is named in the format .cfg. The partition resizing will take some time to complete. reset, a configuration reset, or a factory reset, bootstrap the device at the system prompt: If your IOS XE router is connected to a DHCP server and you are not using PnP, or if your IOS XE router is not connected to hardware-installed-serial-number Download the software image for the downgrade. To do so, go to http://viptela.com/support/, log in to Cisco SD-WAN Support, and download the software packages for the new release. These revocation mechanisms protect against attacks if you attempt to install a previously signed To install software on a hardware vEdge router, nothing is required. The following crypto modules are required for the ASR 1000 series routers: Before you deploy an IOS XE router in the overlay network, review the following: The controller devices (Cisco vBond Orchestrators, Cisco vManage instances, and Cisco vSmart Controllers) are running Cisco SD-WAN Software Release 18.3. If your Cisco IOS XE SD-WAN device is Cisco vManage authenticates the device using a certificate that is installed on the device as part of the generic bootstrap configuration. After the memory or vCPU is upgraded, you cannot downgrade. 
Cisco SD-AVC Cloud Connector is a necessary component for Cloud onRamp for SaaS to manage Office 365 traffic according to Ensure output of show sdwan software shows CONFIRMED state as user and no other value. Attach a configuration template to the device. Upload. was updated, and the URL. x.x.x represents the Cisco SD-WAN software release version. Templates and select the template attached to the device. To recover the default password for a device, follow these steps: In the local console of the device, enter ROMMON mode. The router reboots with the Cisco IOS XE SD-WAN image. Click Save. From the Cisco vManage menu, choose Configuration > Certificates > WAN Edge List. This is the configuration file for the on-site bootstrap process. The device starts in day zero configuration. used. (optional) After installation is complete, you can verify that Cisco vManage has the SD-AVC virtual service installed and operating correctly. Beginning with Cisco vManage Release 20.3.1/Cisco IOS XE Release 17.3.1a, the Cisco SD-AVC installation has changed. Click Edit and ensure that Enterprise Certificate (signed by Enterprise CA) is selected. For Cisco IOS XE SD-WAN 16.10 releases beginning with release 16.10.4 or for Cisco IOS XE SD-WAN 16.12 releases beginning For more details about cluster upgrade processes, refer to Cisco vManage Cluster Creation and Troubleshooting guide. the uploaded vEdge list and send to controllers and click (Optional) After pushing the update to the device, you can check the status of SD-AVC on the device with one of the following to controllers. Select the checkbox for Enable SD-AVC. Upgrade the remainder of the Cisco vSmart Controllers. These maximum numbers assume that Cisco vManage is idle and only upgrade and reboot operations are being carried out. All unsupported modules are removed from the router before installing the XE SD-WAN software. 
If the upgrade does not complete successfully within 60 minutes, it times out. When you boot a device with the generic bootstrap configuration, the device is listed on Cisco vManage as an unclaimed WAN edge device. When the Cisco vEdge 5000 device boots, it uses the In the Select a Product page, from the right-most pane, choose XE SD-WAN Routers. Log in to the device with the user name and the password as admin. WAN interface used. During the process of creating the VM, you install vManage.ova file. from the OTP field, decrypts the digest using the device private key and controllers. Click Send to Controllers to send the chassis and serial number of the invalidated device to the controllers in the network. For the selected device, click and choose Generate Bootstrap Configuration. If you have an existing Cisco IOS XE SD-WAN device, follow these steps to install the Cisco IOS XE SD-WAN software. From the Cisco vManage menu, choose Administration > Settings > Hardware WAN Edge Certificate Authorization. Install the SD-AVC package as described below. Stop PnP and allow the Cisco IOS XE SD-WAN packages to install: Configure the upgrade on Cisco IOS XE SD-WAN device using request platform software sdwan software upgrade-confirm. device and the bootstrapping process is complete, if you perform a software Cisco vEdge 5000 serial number file to upload. For information on the bootstrap process using SHA1 certificates, see On-Site All new Cisco IOS XE SD-WAN devices ship with the Cisco IOS XE SD-WAN software already installed. or click Select a File to upload the install and activate Release 19.2.2, a 30-day timer starts on the previously installed Release 18.4.4 image, but not on Release drive. ciscosdwan.cfg. Have the upgraded vEdge routers run for at least one day (24 hours) to ensure that the Cisco SD-WAN devices and the overlay network are stable and running as expected. 
This article describes how to install software on all Cisco vEdge devices (Cisco vManage instances, Cisco vSmart Controllers, Cisco vBond Orchestrators, and vEdge routers) and how to upgrade the software on devices already running the Cisco SD-WAN software. the serial.viptela file. The device reads the .cfg file from the USB drive. In the dialog box, choose Cloud-init and click OK. If a Cisco vEdge 5000 device is connected to the overlay network using SHA1 List, show orchestrator valid-vedges To register SD-AVC, follow the steps below: Name of your application: Use any descriptive name. due to a bug or a security flaw. Beginning with the 18.4 release, SD-WAN can optionally incorporate Cisco Software-Defined Application Visibility and Control Send the certificate to a third-party signing authority and have them sign Check if One Touch Provisioning is Cisco SD-AVC uses Cisco NBAR2 and other components that operate on devices in the network to provide: Recognition of network application traffic for visibility, analytics, application-aware routing, and application-based policies, Up on the LCD display), insert the USB drive with The device serial number file and OTP information are sent to The device connects to Cisco vSmart Controllers and is added to the overlay network. From the Cisco vManage menu, choose Configuration > Devices. Add the localized policy created in an earlier step of this procedure. Enter the version number of the software image. Specify the interface name based on the model you wish to onboard. When the Cisco vEdge 5000 device is Up (indicated by a status of System: loads from a bootable USB drive. 
For organizations located in Europe, Copy the generic bootstrap configuration file onto the device bootflash and The Cisco vEdge 5000 device is added to the WAN Edge On the Cisco IOS XE SD-WAN device, establish connectivity to Cisco vManage, by configuring the following: Cisco vBond Orchestrator IP address and port number, Tunnel with encapsulation configured as either GRE or IPSEC. For a list of compatible versions on Controllers and vEdge routers, see Release Notes. Add the router's serial number to Plug and Play (PnP) Connect portal. In the Install Certificate screen, paste the Click Browse to select the software images or Drag and Drop the software image for vEdge routers, Cisco vSmart Controllers, or Cisco vManage. bootable USB drive. Enabled and click (Note that if you do not select the Activate and Reboot check box, the new software image is still installed but the device continues to use the existing software image. From the device SSH terminal, shut down the Bootstrap Process for Cisco SD-WAN Devices. to use PnP, it is helpful to have a saved bootstrap configuration that can connect the device to the controller. box, select Cloud-Init(Encrypted OTP) and If the Public Key is not available, add the The USB drive must be of the FAT-32 format for Cisco In most situations, this minimum bootstrap configuration (MBC) can From Cisco vManage, you can upgrade the software image running on a Cisco vEdge device in the overlay network and reboot it with the new software. You can install up to two Cisco SD-WAN images on the same router. file on the bootflash. Remove all existing configurations from the router. Downgrading to fresh install of old image versions is not supported. local-properties, show orchestrator valid-vedges hardware-installed-serial-number 12399910, request platform software sdwan bootstrap-config save, Claim Key, Validate Upgrade the software from Cisco vManage rather than from the CLI. 
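The on-site bootstrap requirements above (a FAT-32 USB drive, a configuration file named exactly ciscosdwan.cfg) are easy to get wrong in the field, and the device simply ignores a drive that does not match. The following pre-flight check is an added example and is not a Cisco tool: it flags a wrong-case file name, an empty or missing file, and a non-FAT filesystem when the path is itself a mount point on a Linux host (the /proc/mounts lookup is an assumption about the preparation host, not about the device). It also warns, as an assumption, when the file does not start like the cloud-init MIME file that Cisco vManage generates.

```python
"""Pre-flight check for a USB drive prepared for the on-site bootstrap (added
example, not a Cisco tool).  Verifies the requirements stated in the guide:
the file is named exactly ciscosdwan.cfg (case-sensitive), is a non-empty
regular file, and the drive is FAT-32 when the path is a mount point.
The /proc/mounts lookup and the 'starts with a Content-Type header' heuristic
for a vManage MIME file are assumptions; the latter only yields a warning.
"""
from __future__ import annotations

import os

CFG_NAME = "ciscosdwan.cfg"
FAT_TYPES = {"vfat", "msdos"}


def mount_fstype(path: str) -> str | None:
    """Filesystem type if `path` is itself a mount point (Linux), else None."""
    try:
        with open("/proc/mounts") as fh:
            entries = [line.split() for line in fh]
    except OSError:
        return None
    real = os.path.realpath(path)
    for fields in entries:
        if len(fields) >= 3 and fields[1] == real:
            return fields[2]
    return None


def check_bootstrap_usb(mount: str) -> tuple[list[str], list[str]]:
    """Return (errors, warnings); an empty error list means the drive is usable."""
    errors: list[str] = []
    warnings: list[str] = []
    if not os.path.isdir(mount):
        return [f"{mount}: not a directory"], warnings
    names = os.listdir(mount)
    # The device looks for the exact name; a wrong-case copy is a silent failure.
    for name in names:
        if name != CFG_NAME and name.lower() == CFG_NAME:
            errors.append(f"{name}: must be named exactly {CFG_NAME} (case-sensitive)")
    if CFG_NAME not in names:
        errors.append(f"{CFG_NAME} not found on {mount}")
        return errors, warnings
    path = os.path.join(mount, CFG_NAME)
    if not os.path.isfile(path):
        errors.append(f"{CFG_NAME} is not a regular file")
    elif os.path.getsize(path) == 0:
        errors.append(f"{CFG_NAME} is empty")
    else:
        with open(path, "rb") as fh:
            first = fh.readline()
        # Assumption: a vManage-generated MIME bootstrap file opens with a MIME header.
        if not (first.startswith(b"Content-Type:") or first.startswith(b"#cloud-config")):
            warnings.append(f"{CFG_NAME} does not start like a cloud-init MIME file")
    fstype = mount_fstype(mount)
    if fstype is not None and fstype not in FAT_TYPES:
        errors.append(f"{mount} is {fstype}; the drive must be FAT-32")
    return errors, warnings


if __name__ == "__main__":
    import sys

    errs, warns = check_bootstrap_usb(sys.argv[1] if len(sys.argv) > 1 else "/media/usb")
    for w in warns:
        print("WARNING:", w)
    for e in errs:
        print("ERROR:", e)
    sys.exit(1 if errs else 0)
```

Run it against the mounted drive before walking the device to the site; a non-zero exit means the device would not pick up the file.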
If prompted to enter the initial configuration dialog, enter No. drive or the bootflash and applies the configuration. (Optional) Verify the WAN Edge List on controllers using the command before the 30-day timer expires, the timer is reset. DHCP server in the network. By authenticating the device using an OTP and a Public Configuration template is scheduled for the device. interface. For software devices (CSR and ISRv), hosting Cisco vManage. is interrupted or terminated before the password is changed and saved, subsequent login attempts fail. If you select Remote Server, the Location of Software on Remote Server dialog box opens. Remote Server (preferred): To select an image stored on a remote file server. the CLI: Device# request platform software sdwan config a One Time Password (OTP) and a Public Key, and install an SHA2 enterprise By authenticating the device using an OTP and a Public When the device boots, it uses the information in the configuration The virtual machine in which Cisco vManage operates must have the following resources available to dedicate to the SD-AVC network service: Ensure that the downloaded SD-WAN image is compatible with your version of Cisco vManage. For information regarding Cisco IOS XE Release 17.2 and later, see Install and Upgrade Cisco IOS XE Release 17.2 and Later. Before you begin, download the software from the Cisco SD-WAN Support site. ways: Perform a reset. Upload the Cisco IOS XE SD-WAN software image from the file server to the bootflash of the device. To restore login access provision process must be restarted. 18.4.5. device. These steps are provided here for convenience, Select whether the software image is available on Cisco vManage or on the Remote Server. The configuration file is saved to this location: One Touch Provisioning: Onboard Cisco IOS XE SD-WAN Devices Using Generic Bootstrap Configuration. This resets the device, deleting any existing configuration. 
The default password for a Cisco IOS XE SD-WAN device is admin. Ensure that the Public Key entry for the device is available on the PNP server before generating the serial.viptela file. If you do not have out-of-band management access to the router, transfer the ROMmon file by using Cisco vManage CLI, as shown in the following example: Take either of these actions to verify that the ROMmon file that you loaded or transferred appears in the directory output: If you loaded the ROMmon file into the device bootflash, enter the following command: If you transferred the ROMmon file by using the Cisco vManage CLI, enter the following command: Enter the following command to set config-register to 0x2102: Upgrade (or downgrade) the ROMmon file on your device by using the upgrade command as shown in the following examples: Example upgrade command if you loaded the ROMmon file into the device bootflash: Example upgrade command if you transferred the ROMmon file by using Cisco vManage CLI: After a series of messages pertaining to the upgrade display and the router prompt displays, enter the following command to The Cisco vEdge 5000 device is added to the overlay network and connected to From the Cisco vManage menu, choose Administration > Cluster Management. template. For the desired template, click and choose Attach Devices. Enter the public key in the text box, or click Browse to upload a file containing the public key. For information about restoring the password, see Recover the Default Password. connecting the device to the overlay network, you can authenticate the device using USB drive. functional state. Cisco vManage pushes the initial configuration into the device. Cisco vManage pushes the SHA2 enterprise certificate for the device and installs the certificate on the device. The device is physically connected to the WAN through one of its interfaces. 
vEdge 5000 device to recognize and auto-mount the Click Browse to select the software images or Drag and Drop the images for vEdge routers, Cisco vSmart Controllers, or Cisco vManage. installed. Click Edit in the WAN Edge Cloud Certificate Authorization row. Save the generic bootstrap configuration file. Instead, the configuration enables a DHCP client on Use of SHA1 certificates is disabled. such as QoS and application-based firewall policy. You also can configure the hostname by using the system host-name Edges, WAN Edge Connect using the required Smart and Virtual Accounts viptela-x.x.x-edge-genericx86-64.ova (for ESXi Hypervisor), viptela-edge-genericx86-64.qcow2 (for KVM Hypervisor), viptela-edge-genericx86-64.ova (for ESXi Hypervisor), viptela-smart-genericx86-64.ova (for ESXi Hypervisor), viptela-smart-genericx86-64.qcow2 (for KVM Hypervisor), viptela-vmanage-genericx86-64.ova (for ESXi Hypervisor), viptela-vmanage-genericx86-64.qcow2 (for KVM Hypervisor). To install the certificate on the device, perform the following steps: From the Cisco vManage menu, choose Configuration > Certificates > Controllers. of the Cisco SD-WAN software. However, if you had a 16.10.3 image Cisco vManage displays the Push WAN Edge List screen showing the status of the push operation. In Service Configuration, in Cisco vManage row of the table, verify that the SD-AVC shows a green checkmark. For the desired software version, click and select Delete to delete the software version added to the list. (ROMMON), as shown in the following table. the device is listed among the valid WAN edge devices on Cisco vManage and the Cisco vBond Orchestrator. You can also download the software The Cisco API Console page displays the Client ID and Client Secret details. On the Cisco API Console page, sign in using your Cisco credentials. To establish connectivity with the Cisco SD-WAN controller, a device requires a minimum configuration. A progress bar indicates the status of the software upgrade. 
a DHCP server on the WAN, configure the router manually using the CLI as shown in the following steps. In the Edit vManage pop-up window, select the checkbox for Enable SD-AVC. of old image. If you did not include the reboot option in Step 2, activate the new software image and reboot the device: Confirm, within the configured upgrade confirmation time limit, that the software upgrade was successful: If you do not issue this command within this time limit, the device automatically reverts to the previous software image. Click OK to confirm. for more details. From the Cisco vManage menu, choose Configuration > Devices. Every time you generate the Cloud-Init(Encrypted OTP) bootstrap The router's bootflash has a minimum of 1.5 GB space available for the XE SD-WAN image. in the CLI and it is used on various Cisco vManage screens to refer to the device. All controller devices of the same type must run the same software version. Save this name for a later step. If the new software images are in the image repository on Cisco vManage, ensure that the WAN in which Cisco vManage is located has sufficient capacity for concurrent file transfers. the WAN interface so that the interface can acquire an IP address from a DHCP server This change in tunnel number can cause the DRAM. client on the interface. For supported Hardware platforms and interface modules, see Release Notes. This file is generated by Cisco vManage and includes UUID, but does not include OTP. Signed images include a revocation mechanism so that Cisco SD-WAN can revoke an image if it is found to be dangerous, either hardware-installed-serial-number If you are using Cisco vManage certificate in a file. The software image name has the format router-model-ucmk9.release-number. This ensures that the router can obtain a configuration and establish full control connections when it comes up. For more information, see View or Add Public Key for a Cisco vEdge 5000 Device. 
To onboard a Cisco IOS XE SD-WAN device to the Cisco SD-WAN overlay network, you generate a bootstrap configuration on Cisco vManage and boot the device with this configuration. Have the upgraded Cisco vSmart Controllers run for at least one day (24 hours) to ensure that the Cisco vEdge devices and the overlay network are stable and running as expected. This feature extends the on-premise Plug and Play implementation Route Policy) until the Policy Overview screen. The SD-AVC network service operates as a container within Cisco vManage. Disabled, click of a device. After the reboot, Cisco vManage comes up automatically and displays progress on the SD-AVC activation. bootstrap configuration. If the device restarts It is recommended that the router have 8 GB of If you downloaded the MIME file, rename it to ciscosdwan.cfg (case sensitive). If text file with the name ciscosdwan.cfg (case sensitive), and then skip to Step 8. images are signed, while patch images are not. Attach and push a template containing the system IP and site ID to the The bootstrap configuration contains device-specific configuration settings, requiring you to generate a bootstrap configuration * old images = before releases 18.4.5, 19.2.2, and 20.1.1. In the Export Bootstrap Configuration dialog box, enter the VPN0 Interface name. If you deploy both IOS XE and vEdge routers in the same site, the vEdge routers are running Cisco SD-WAN Software Release 18.3. After the timer expires, the old images are deleted. On reset, the device is initialized with the generic For example, if you had installed 19.2.4 previously, and 20.3.2 is your current active image, then if you activate the 19.2.4 A template exists for the Cisco IOS XE SD-WAN device (example: Cisco ASR 1001-X, Cisco ISR 4321). 
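The upgrade-ordering rules scattered through this guide (all controllers of one type on the same version before you start, Cisco vSmart Controllers in two halves, routers one per site at a time, a 24-hour soak after each step) are the kind of thing that gets skipped under change-window pressure. The planner below is an added example, not Cisco tooling: it turns a constructed inventory into an ordered list of upgrade waves and refuses to plan when a controller type runs mixed versions. The inventory format, the optional per-wave cap standing in for the Cisco vManage concurrency limit, and soaking after every wave rather than only after the last one are choices made for the example; vManage and vBond ordering is outside this excerpt and is not modelled.

```python
"""Upgrade-wave planner for the ordering rules in this guide (added example,
not Cisco tooling).  Rules encoded: controllers of one type must all run the
same version before planning starts; Cisco vSmart Controllers are upgraded in
two halves; WAN edge routers are upgraded in waves that touch at most one
router per site; a 24-hour soak follows every wave.  The inventory format and
the per-wave cap are assumptions made for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

SOAK_HOURS = 24


@dataclass(frozen=True)
class Node:
    name: str
    role: str       # "vmanage", "vbond", "vsmart" or "vedge"
    version: str
    site: int = 0   # meaningful for vedge only


def mixed_controller_versions(nodes: list[Node]) -> dict[str, list[str]]:
    """Controller roles whose members do not all run the same version."""
    seen: dict[str, set[str]] = defaultdict(set)
    for n in nodes:
        if n.role != "vedge":
            seen[n.role].add(n.version)
    return {role: sorted(v) for role, v in seen.items() if len(v) > 1}


def plan_vsmart_waves(nodes: list[Node]) -> list[list[str]]:
    """First half (rounded up) of the vSmart Controllers, then the remainder."""
    vsmarts = sorted(n.name for n in nodes if n.role == "vsmart")
    half = (len(vsmarts) + 1) // 2
    return [w for w in (vsmarts[:half], vsmarts[half:]) if w]


def plan_edge_waves(nodes: list[Node], max_per_wave: int | None = None) -> list[list[str]]:
    """Greedy waves: one not-yet-upgraded router from each site per wave,
    optionally capped at max_per_wave routers (stand-in for the vManage limit)."""
    if max_per_wave is not None and max_per_wave < 1:
        raise ValueError("max_per_wave must be at least 1")
    pending: dict[int, list[str]] = defaultdict(list)
    for n in sorted((n for n in nodes if n.role == "vedge"), key=lambda n: n.name):
        pending[n.site].append(n.name)
    waves: list[list[str]] = []
    while any(pending.values()):
        wave: list[str] = []
        for site in sorted(pending):
            if pending[site] and (max_per_wave is None or len(wave) < max_per_wave):
                wave.append(pending[site].pop(0))
        waves.append(wave)
    return waves


def build_plan(nodes: list[Node], max_per_wave: int | None = None) -> list[tuple]:
    """Ordered steps: ("upgrade", role, [names]) and ("soak", hours)."""
    mixed = mixed_controller_versions(nodes)
    if mixed:
        raise ValueError(f"controllers of one type run mixed versions: {mixed}")
    steps: list[tuple] = []
    for wave in plan_vsmart_waves(nodes):
        steps += [("upgrade", "vsmart", wave), ("soak", SOAK_HOURS)]
    for wave in plan_edge_waves(nodes, max_per_wave):
        steps += [("upgrade", "vedge", wave), ("soak", SOAK_HOURS)]
    return steps


# Constructed inventory for the example; these are not real devices.
INVENTORY = [
    Node("vmanage1", "vmanage", "20.3.1"),
    Node("vsmart1", "vsmart", "20.3.1"),
    Node("vsmart2", "vsmart", "20.3.1"),
    Node("vsmart3", "vsmart", "20.3.1"),
    Node("r1", "vedge", "20.1.1", site=100),
    Node("r2", "vedge", "20.1.1", site=100),
    Node("r3", "vedge", "20.1.1", site=200),
    Node("r4", "vedge", "20.1.1", site=300),
    Node("r5", "vedge", "20.1.1", site=200),
]

if __name__ == "__main__":
    for step in build_plan(INVENTORY):
        print(step)
```

With three vSmart Controllers the first wave takes two and the second takes one; the dual-router sites 100 and 200 are spread over two router waves so that each site keeps one router on the known-good image until the first has soaked.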
To add a device to the Plug and Play portal: If the device can reach the PNP portal, see Cisco Plug and Play Support Guide for Device configuration templates are created and attached to the router using Cisco vManage control connections are up and the device is validated, enter the following command to reset the device. See Install Cisco SD-AVC, Cisco vManage Release 20.3.1 and Later. information required to reach controllers. request software secure-boot list - Prints a list of all old images* that are installed. uses SHA1 certificates for authentication while connecting to the overlay network. Select the Cisco vEdge 5000 device for which to sign an image that has a known vulnerability. Click Activate to activate the new software. Edges and listed on WAN Edge After the device connects to Cisco vManage, Cisco vManage retrieves the Enterprise Certificate Signing Request (CSR). Enter the public key for the device on Plug and Play Connect and generate it is recommended to change the location to Europe, in accordance with EU General Data Protection Regulation (GDPR) regulations. To complete the onboarding, claim the device on Cisco vManage and attach a device template that configures the system IP address and site ID. If you uploaded the software image from a Remote Server, or if you did not select Activate and Reboot check box when uploading the software image from Cisco vManage, the new image is installed on the device but the device continues to use the existing software image. If you deploy both IOS XE and vEdge routers in the overlay network, the vEdge routers are running Release 17.2.1 or higher Save. The ISR 4000 series router has at least 4 gigabytes (GB) of DRAM installed. To activate the new The on-site bootstrap process involves generating a bootstrap configuration file that loads from a bootable USB drive or from The device obtains the System IP address and the site ID from Cisco vManage configuration templates. 
The ISRv router is running the minimum required version of the CIMC and NFVIS software, as shown in the following table: To download the Cisco IOS XE SD-WAN software from the Cisco site: Click Support & Downloads from the menu on the left side. information in the configuration file to connect to the overlay network. To list the currently installed software version and to see which software image is currently running, use the following command: To upgrade the software to a specific version, use the following command: To downgrade a Cisco vEdge Device to a previous software image using CLI: If necessary, remove an existing software image to provide space for loading a new software image. You can continue to activate an older image that is already installed, before the 30-day timer runs out. must be compatible with the version running on the vEdge routers. The default password can be used once and then must be changed. From the Cisco vManage menu, choose Configuration > Templates. These packages contain the virtual machines and the Cisco SD-WAN software. See Cisco SD-WAN Command Reference guide for more information. You can only downgrade to a previous existing version For multirouter sites, it is recommended that you upgrade only one router per site. (VM) hosting Cisco vManage. state. later enable other services using this method. Add a boot variable that points to the Cisco IOS XE SD-WAN image. After disabling the application server, you cannot hostname command. On the Cisco vBond Orchestrator, you can view the unclaimed WAN edge devices by using the command show orchestrator unclaimed-vedges . Choose the device you wish to claim and click Claim. Sample syntax for FTP is given below: Ensure that the device is connected to a management console. For the desired host (the portal on which you are enabling SD-AVC), click and select Edit. be provided initially by plug-and-play (PnP). Click Upgrade and the Software Upgrade dialog box opens. 
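Three of the image-handling rules in this guide interact in ways that are easy to misread: an activated image that is not confirmed with upgrade-confirm in time is rolled back automatically; activating a release at or above 18.4.5, 19.2.2 or 20.1.1 starts a 30-day removal timer on any "old" image still installed, and re-activating that old image before the timer expires resets it; and once a signed image has been installed the device refuses unsigned images, with signed images subject to revocation. The simulation below is an added example and is not Cisco code. It models a router with two image slots and walks through exactly that sequence. Assumptions made for the example: a 60-minute confirmation window (the guide gives the 60-minute figure for the upgrade itself; the confirm limit is configurable), time in simulated seconds, revocation keyed by the SHA-256 of the image bytes, signature verification reduced to a trusted flag on the image, and the reading that the 19.2.2 and 20.1.1 cutoffs apply within their own release trains.

```python
"""Image-lifecycle simulation for the rules in this guide (added example, not
Cisco code): the upgrade-confirm window (an unconfirmed image is rolled back),
the 30-day removal timer a newer release starts on an "old" image (before
18.4.5, 19.2.2 or 20.1.1) and its reset on re-activation, and the signed-image
latch plus revocation.  Assumed: simulated seconds, a 60-minute confirm window,
revocation keyed by SHA-256 of the image bytes, signature check reduced to a flag.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

CONFIRM_WINDOW = 60 * 60           # assumption: 60-minute confirmation window
OLD_IMAGE_TTL = 30 * 24 * 60 * 60  # 30-day removal timer from the guide
MAX_IMAGES = 2                     # at most two images per router


def is_old_image(version: str) -> bool:
    """Before 18.4.5, 19.2.2 or 20.1.1; the last two cutoffs read per train."""
    v = tuple(int(x) for x in version.split("."))
    return v < (18, 4, 5) or (19, 0, 0) <= v < (19, 2, 2) or (20, 0, 0) <= v < (20, 1, 1)


@dataclass(frozen=True)
class Image:
    version: str
    signed: bool    # outcome of the (not modelled) signature check
    payload: bytes  # stand-in for the image file contents

    def digest(self) -> str:
        return hashlib.sha256(self.payload).hexdigest()


@dataclass
class Router:
    now: int = 0
    images: dict = field(default_factory=dict)          # version -> Image
    removal_timers: dict = field(default_factory=dict)  # version -> expiry
    revoked: set = field(default_factory=set)           # revoked digests
    active: str | None = None
    previous: str | None = None
    confirm_deadline: int | None = None
    signed_only: bool = False

    def install(self, img: Image) -> None:
        if img.digest() in self.revoked:
            raise ValueError(f"{img.version}: image is revoked")
        if self.signed_only and not img.signed:
            raise ValueError(f"{img.version}: unsigned image refused after a signed install")
        if img.version not in self.images and len(self.images) >= MAX_IMAGES:
            raise ValueError("two images already installed; remove one first")
        self.images[img.version] = img
        self.signed_only = self.signed_only or img.signed  # latch, never cleared

    def activate(self, version: str) -> None:
        if version not in self.images:
            raise KeyError(version)
        if version == self.active:
            return
        self.removal_timers.pop(version, None)  # re-activation resets its timer
        self.previous, self.active = self.active, version
        self.confirm_deadline = self.now + CONFIRM_WINDOW
        if self.previous and is_old_image(self.previous) and not is_old_image(version):
            self.removal_timers[self.previous] = self.now + OLD_IMAGE_TTL

    def upgrade_confirm(self) -> bool:
        """Confirm the running image; False if the window has already closed."""
        if self.confirm_deadline is None or self.now > self.confirm_deadline:
            return False
        self.confirm_deadline = self.previous = None
        return True

    def advance(self, seconds: int) -> list[str]:
        """Move the clock forward and apply expired timers; returns events."""
        self.now += seconds
        events: list[str] = []
        if self.confirm_deadline is not None and self.now > self.confirm_deadline:
            self.confirm_deadline = None
            if self.previous is not None:  # no upgrade-confirm in time: roll back
                events.append(f"revert {self.active} -> {self.previous}")
                self.active, self.previous = self.previous, None
                self.removal_timers.pop(self.active, None)
        for ver, expiry in list(self.removal_timers.items()):
            if self.now >= expiry and ver != self.active:
                del self.images[ver], self.removal_timers[ver]
                events.append(f"removed {ver}")
        return events


def refused(r: Router, img: Image) -> bool:
    """True if install() rejects the image."""
    try:
        r.install(img)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Scenario from the guide; returns what was observed at each step."""
    r = Router()
    r.install(Image("18.4.4", True, b"vedge-18.4.4"))
    r.activate("18.4.4")
    r.upgrade_confirm()
    r.install(Image("19.2.2", True, b"vedge-19.2.2"))
    r.activate("19.2.2")
    timer_started = "18.4.4" in r.removal_timers  # 30-day timer on the old image
    r.upgrade_confirm()
    r.advance(10 * 24 * 3600)
    r.activate("18.4.4")  # back to the old image within 30 days: timer reset
    timer_reset = "18.4.4" not in r.removal_timers
    r.upgrade_confirm()
    r.activate("19.2.2")  # ...and this time forget upgrade-confirm
    revert = r.advance(CONFIRM_WINDOW + 1)
    unsigned_refused = refused(r, Image("16.12.2", False, b"patch"))
    bad = Image("19.2.4", True, b"known-vulnerable")
    r.revoked.add(bad.digest())
    revoked_refused = refused(r, bad)
    r.activate("19.2.2")
    r.upgrade_confirm()
    removed = r.advance(31 * 24 * 3600)  # 30-day timer fires on 18.4.4
    return dict(timer_started=timer_started, timer_reset=timer_reset, revert=revert,
                unsigned_refused=unsigned_refused, revoked_refused=revoked_refused,
                removed=removed, installed=sorted(r.images))
```

The point of the walk-through is the second activation of 19.2.2: the operator forgets upgrade-confirm, the window closes, and the router is back on 18.4.4 without anyone touching it, which is the behaviour to plan for when scheduling the confirm step.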
To verify the ROMMON version running on the router, issue the show rom-monitor or show platform command at the system prompt. From the Cisco vManage menu, choose Configuration > Devices > Unclaimed WAN Edges. for authentication with controllers in the overlay network. On-Site Bootstrap Process for Cisco vEdge 5000 using SHA2 Upgrading from an earlier version of Cisco vManage to Cisco vManage 18.4. required to access the Cisco vEdge 5000 device. The file is saved to this location: The controller root certificate is installed on the Cisco IOS XE SD-WAN device, to authenticate the device. Click Install Certificate button located in the upper-right corner of the screen. image, the additional configurations from 20.3.2 will not be migrated to 19.2.4. Click Update. A device that you configure by using the on-site bootstrap process must meet these requirements: A supported SD-WAN image must be installed on the device, The device must be in its factory state with no added configuration. Data is migrated from an existing Cisco SD-WAN image to a new Cisco SD-WAN image only during an upgrade. network before configuring the use of OTP, Public Key, and SHA2 enterprise From Cisco SD-WAN Release 20.3.1, while bootstrapping a Cisco vEdge 5000 device and This command is not available on the device CLI but it is available when using the CLI device VPN 0 WAN interface by using the following commands: Click WAN Edge List and choose the device to invalidate.