
Changing VRF during PnP

Thomas Fritz
Level 1

Hi!

I want to do PnP over the Internet for DMVPN spoke routers.

The pnp profile uses the global vrf. In the final configuration of the spoke router, the interface to the Internet will be set into a separate VRF for the Internet. I tried to apply that VRF change for the Internet-facing interface with an EEM script executed after the copy of the configuration by PnP, like this:

event manager applet _CVD_DMVPN
 event timer countdown time 2
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet8"
 action 2.1 cli command "shutdown"
 action 2.2 cli command "ip vrf forwarding INET"
 action 2.3 cli command "ip address dhcp"
 action 2.4 cli command "zone-member security INET"
 action 2.5 cli command "ip nat outside"
 action 2.6 cli command "ip policy route-map INTERNET-TRAFFIC"
 action 2.7 cli command "no shutdown"
 action 2.8 cli command "exit"
 action 2.9 cli command "ip route vrf INET 0.0.0.0 0.0.0.0 dhcp"
 action 3.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp"
 action 5.0 cli command "pnp profile network-pnp"
 action 5.1 cli command "transport https ipv4 x.x.x.x port 443 vrf INET"
 action 5.9 cli command "exit"
 action 9.1 cli command "no event manager applet _CVD_DMVPN"
 action 9.2 cli command "end"
!
end

Unfortunately the result is not successful:

# sh pnp history

<-2- T:869528, Job 46:XML Certificate-Install Service, Elapsed:4 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-6-89-21F350F0-6

<-2- T:932928, Job 54:XML CLI-Exec Service, Elapsed:832 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-7-89-21F346A0-7

<-4- T:933260, Job 58:XML Work-Info Service, Elapsed:1 ms, Status: Success, PnPByeCorr: CiscoPnP-1.0-7-89-21F346A0-7

<-2- T:995540, Job 62:XML CLI-Exec Service, Elapsed:4 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-8-89-21F359E0-8

<-4- T:996132, Job 66:XML Work-Info Service, Elapsed:1 ms, Status: Success, PnPByeCorr: CiscoPnP-1.0-8-89-21F359E0-8

<-2- T:1058120, Job 70:XML Work-Backoff Service, Elapsed:1 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-9-89-21F356C8-9

<-4- T:1058612, Job 74:XML Work-Info Service, Elapsed:1 ms, Status: Success, PnPByeCorr: CiscoPnP-1.0-9-89-21F356C8-9

<-2- T:1120936, Job 77:XML Device-Info Service, Elapsed:1 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-10-89-21F33C50-10

-3-> T:1120936, Job 78:XML Response Service, Elapsed:1 ms, Status: Success, PnPRespCorr: CiscoPnP-1.0-10-89-21F33C50-10

<-2- T:1247192, Job 92:XML CLI-Config Service, Elapsed:632 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-12-89-21F33830-12

<-4- T:1247784, Job 96:XML Work-Info Service, Elapsed:1 ms, Status: Success, PnPByeCorr: CiscoPnP-1.0-12-89-21F33830-12

-f1- T:1316492, Job 100:XML Config-Upgrade Service, Elapsed:6528 ms, Status: Failed, PnPReqCorr: CiscoPnP-1.0-13-89-21F33258-13

-3-> T:1321344, Job 101:XML Response Service, Elapsed:11380 ms, Status: Success, PnPRespCorr: CiscoPnP-1.0-13-89-21F33258-13

<-4- T:1321952, Job 104:XML Work-Info Service, Elapsed:1 ms, Status: Success, PnPByeCorr: CiscoPnP-1.0-13-89-21F33258-13

-1-> T:1328536, Job 105:XML Work-Req Service, Elapsed:1 ms, Status: Success, WorkReqCorr: CiscoPnP-1.0-14-452-29B6EB0-14

<-2- T:1391092, Job 112:XML Work-Backoff Service, Elapsed:1 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-14-452-29B6EB0-14

<-2- T:1453660, Jobk-Backoff Service, Elapsed:1 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-16-89-29B6E00-15

<-4- T:1541016, Job 130:XML Work-Info Service, Elapss: Success, PnPByeCorr: CiscoPnP-1.0-17-89-29B4D58-16

<-4- T:1603588, Job 138:XML Work-Info Service, Elapsed:1 ms, Status: Success, PnPByeCorr: CiscoPnP-1.0-18-89-29B4D00-17

(some lines deleted for readability)

And in the APIC-EM that device ends up in an error state:

Received response from pnp agent for message correlatorId: CiscoPnP-1.0-17-89-29B4D58-16 but with error code : ZTD_CMD_ERROR Response String: ERROR:PnP Service Error 1000:Copy to running config failed

service log:

%Error opening https://x.x.x.x:443/api/v1/file/onetimedownload/8308afcb-2f81-44ec-9ee7-1ea0ee6e790f (I/O error)

Does anyone know how to deal with that setup?

Thanks in advance,

Thomas
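
An added example, not part of the original post and not a Cisco tool: a small Python parser for the "show pnp history" lines pasted above that pulls out failed jobs and groups every record sharing their correlator, so the failing exchange can be matched against the controller's error message. The field layout is inferred from the lines on this page, and `parse_history` and `failed_exchanges` are hypothetical helper names.

```python
import re

# Constructed sample: four lines copied from the "show pnp history" output in
# the post above, including one of the lines that is truncated on the page.
SAMPLE = """\
<-2- T:1247192, Job 92:XML CLI-Config Service, Elapsed:632 ms, Status: Success, PnPReqCorr: CiscoPnP-1.0-12-89-21F33830-12
-f1- T:1316492, Job 100:XML Config-Upgrade Service, Elapsed:6528 ms, Status: Failed, PnPReqCorr: CiscoPnP-1.0-13-89-21F33258-13
-3-> T:1321344, Job 101:XML Response Service, Elapsed:11380 ms, Status: Success, PnPRespCorr: CiscoPnP-1.0-13-89-21F33258-13
<-4- T:1541016, Job 130:XML Work-Info Service, Elapss: Success, PnPByeCorr: CiscoPnP-1.0-17-89-29B4D58-16
"""

# Field layout inferred from the lines on the page (assumption, not vendor documentation).
LINE_RE = re.compile(
    r"^(?P<marker>\S+) T:(?P<t>\d+), Job (?P<job>\d+):XML (?P<service>.+?) Service, "
    r"Elapsed:(?P<elapsed_ms>\d+) ms, Status: (?P<status>\w+), "
    r"(?P<corr_type>\w+): (?P<corr>\S+)$"
)

def parse_history(text):
    """Return (records, unparsed): dicts for well-formed lines, raw text for the rest."""
    records, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # truncated or garbled: keep it, never guess fields
            continue
        rec = m.groupdict()
        for key in ("t", "job", "elapsed_ms"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records, unparsed

def failed_exchanges(records):
    """Map each non-successful job's correlator to every record that shares it."""
    failed = {r["corr"] for r in records if r["status"] != "Success"}
    return {c: [r for r in records if r["corr"] == c] for c in failed}

if __name__ == "__main__":
    recs, bad = parse_history(SAMPLE)
    for corr, group in failed_exchanges(recs).items():
        print(corr)
        for r in group:
            print(f"  job {r['job']:>3} {r['service']:<15} {r['status']:<8} {r['elapsed_ms']} ms")
    print(f"{len(bad)} line(s) could not be parsed")
```
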


aradford
Cisco Employee

Hi Thomas,

It looks like the config file download has failed?

A couple of things to try.

1) Can you increase the timeout on the script, just in case it is triggering too early? I normally use 20 sec.

2) Can you download the normal config without the EEM script to see if the base config is OK?

Adam

Hi Adam!

No, the configuration of the spoke router looks fine.

In fact, the EEM script is at the end of the config file. So if that would not download properly, the script would not run.

I suspected that that rewriting of the pnp configuration messes everything up.

So is that a proper way to do that?

What can be the reason for the Config-Upgrade Service to fail, although the configuration was copied to the device?

Gonna double check the whole PnP from within the corporate network.

I will also give it a try with the timeout increase.

Thanks so far,

Thomas

One other question.

Why are you defining the PnP profile in the eem script?


Well, I change the PnP profile to use the INET vrf. It used the global vrf during the start of the PnP process.

And because the Internet-facing interface is changed from the global vrf to the INET vrf by that EEM script, it seemed appropriate to me to change the PnP profile right after that vrf change.

Would it be possible to put all that right into the configuration file, without using that EEM script?

I would do this differently.

I would run pnp and download your config, including the EEM script.

HOWEVER, I would make the EEM script run 30 sec after the pnp process has completed and just put the vrf/routing information in the EEM script. This way the PnP process will complete and you can then change the routing POST-PnP.

You would need to re-save the config to make sure it persists.

PnP is working over the global route, no need to make it work again over the vrf.

Does this make sense?

Adam

So I have a related question, as I'm seeing the same behavior and I think it is expected. As we provision switches we do the image push if needed and then the config push, but the final config basically kills the connectivity between the device and the controller, as the provisioning network we use is pretty basic and uses the default vlan1. Once the switches have their new configuration, the APIC-EM eventually errors out because it has lost connection. What we then do is script out updates to our Linux utility host, a router and the switch on the provisioning network to "mock up" the management vlan for the switches, so we can then get to the device (with its final configuration) via other tools like Ansible while still in staging. This lets us test a bit better before sending the devices to their final destinations. I was going to ask if the REST API exposes the ability to update the static routes on the controller? I would like to see the controller report on the final state while the device is still on the provisioning network vs ERROR, but that is not essential. When the device is deployed it will be able to reach the APIC controller on the external interface.

Hi Claudia,

a better solution is to use the "pnp startup-vlan x" command on the upstream switch.  This will cause vlan X to be configured on the PnP switch, and DHCP enabled on that interface.

I have documented some examples here:

Network Automation with Plug and Play (PnP) – Part 4

Does this help, or have I misunderstood the question?

Adam

Hi Adam!

It is working now!

I do change the vrf in the pnp profile, and so the PnP process even succeeds to the final state!

event manager applet _CVD_DMVPN
 event timer countdown time 30
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 2.0 cli command "interface GigabitEthernet8"
 action 2.1 cli command "shutdown"
 action 2.2 cli command "ip vrf forwarding INET"
 action 2.3 cli command "ip address dhcp"
 action 2.4 cli command "ip nat outside"
 action 2.5 cli command "zone-member security INET"
 action 2.6 cli command "ip policy route-map INTERNET-TRAFFIC"
 action 2.7 cli command "no shutdown"
 action 2.8 cli command "exit"
 action 3.0 cli command "ip route vrf INET 0.0.0.0 0.0.0.0 dhcp"
 action 3.1 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp"
 action 4.0 cli command "pnp profile network-pnp"
 action 4.1 cli command "transport https ipv4 x.x.x.x port 443 vrf INET"
 action 4.2 cli command "exit"
 action 5.1 cli command "no event manager applet _CVD_DMVPN"
 action 5.2 cli command "end"
 action 5.3 cli command "exit"

Thanks a lot for your help!

Thomas

Great news Thomas,

Did you try it without the pnp profile? That should not be doing anything, as the pnp process will have completed by the time the EEM script runs.

The only other thing you might want to do is put a "wr mem" in at the end of your EEM script. That will make the changes persistent.

If you do it after you delete the EEM script, that will make sure it is not saved.

Adam

Hey Adam!

I tried it without changing the vrf in the pnp profile, but that did not work on the first shot. But I have to admit that I did not troubleshoot that case at all, because the next attempt was with the vrf change, and that succeeded.

I will do some more testing in the next weeks; I'm gonna check that case then.

Will keep you updated.

Best regards,

Thomas
