Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

Software Installation and Upgrade for IOS XE Routers

This article describes how to install the IOS XE SD-WAN Software Release 16.9.1 on Cisco IOS XE routers.

Supported Hardware Platforms

You can install the XE SD-WAN software on the following Cisco IOS XE routers:

  • Cisco ASR 1000 series aggregation services routers
    • ASR 1001-HX and ASR 1001-X
    • ASR 1002-HX and ASR 1002-X
  • Cisco ISR 1000 series integrated services routers
    • C1111-8P, C1111-8P LTE EA, and C1111-8P LTE LA
    • C1117-4P LTE EA and C1117-4P LTE LA
  • Cisco 4000 series integrated services routers
    • ISR 4221
    • ISR 4321
    • ISR 4331
    • ISR 4351
  • ENCS 5412 with T1/E1 and 4G NIM modules
    • ISRv

Supported Interface Modules

The following modules are supported for the ISR 4000 series routers:

  • NIM-1GE-CU-SFP
  • NIM-2GE-CU-SFP
  • NIM-1MFT-T1/E1
  • NIM-2MFT-T1/E1
  • NIM-4MFT-T1/E1
  • NIM-8MFT-T1/E1
  • NIM-ES2-4
  • NIM-ES2-8
  • NIM-LTEA-EA
  • NIM-LTEA-LA
  • NIM-VAB-A
  • NIM-VAB-M
  • SM-X-4X1G-1X10G
  • SM-X-6X1G

Supported Crypto Modules

The following crypto modules are required for the ASR 1000 series routers:

  • ASR1001HX-IPSECHW, for the ASR 1001-HX
  • ASR1002HX-IPSECHW, for the ASR 1002-HX

Before You Begin

Before you deploy an IOS XE router in the overlay network, ensure that you have met the software and hardware requirements listed below.

Software Requirements

  • The controller devices—vBond orchestrators, vManage NMSs, and vSmart controllers—are running Cisco SD-WAN Software Release 18.3.
  • If you deploy both IOS XE and vEdge routers in the overlay network, the vEdge routers are running Release 17.2.1 or higher of the Viptela software. With these software versions, the vEdge and IOS XE software can interoperate, allowing BFD tunnels to be established between vEdge routers and IOS XE routers.
  • If you deploy both IOS XE and vEdge routers in the same site, the vEdge routers are running Cisco SD-WAN Software Release 18.3.
  • If using your enterprise root certificate to authenticate the router, the certificate is copied to the router's bootflash before installing the XE SD-WAN software.
  • The updated device list is uploaded to the vManage NMS and sent to the vBond orchestrator. To do so:
    1. Obtain the router's chassis and board ID serial number by issuing the show crypto pki certificates CISCO_IDEVID_SUDI command at the system prompt. If you are running Release 16.6.1 or earlier on an ASR series router, first upgrade to a release higher than Release 16.6.1 and then issue the show sdwan certificate serial command or migrate directly to the SD-WAN image and, after gaining console access, issue the show sdwan certificate serial command.
    2. Add the router's serial number to Plug and Play (PnP) Connect portal. See Add the IOS XE Router to the PnP Portal.
    3. In the vManage NMS Configuration ► Devices screen, click the Sync Smart Account button to download the updated device list to vManage NMS and send it to the vBond orchestrator.
  • Device configuration templates are created and attached to the router using the vManage NMS Configuration ► Templates screen. This ensures that the router can obtain a configuration and establish full control connections when it comes up.
  • If the router exceeds the unidirectional encrypted bandwidth of 250 Mbps and if the HSECK9 license is not already installed, the license file is copied to the router's bootflash and license installed on the router:
    ISR4K# license install file path
  • The ASR 1000 series, ISR 1000 series, and ISR 4000 series router is running the required version of the ROM monitor software (ROMMON), as shown in the table below. To verify the ROMMON version running on the router, issue the show rom-monitor or show platform command at the system prompt.
Hardware Platform Required ROM Monitor Software Version
ASR 1000 series 16.3 (2r)
ISR 1000 series 16.8 (1r)
ISR 4000 series 16.7 (3r)
  • The ISRv router is running the minimum required version of the CIMC and NFVIS software, as shown in the table below.
Hardware Platform CIMC NFVIS
ISRv 3.2.4 3.8.1

Hardware Requirements

  • The ISR 4000 series router has at least 4 gigabytes (GB) of DRAM installed. It is recommended that the router have 8 GB of DRAM.
  • The ASR 1000 series router has at least 8 GB of DRAM installed. The ASR 1002-HX router has at least 16 GB of DRAM installed.
  • The router's bootflash has a minimum of 1.5 GB space available for the XE SD-WAN image.
  • All unsupported modules are removed from the router before installing the XE SD-WAN software. For a list of supported modules, see Supported Interface Modules and Supported Crypto Modules.

Download the XE SD-WAN Software

To download the XE SD-WAN software from the Cisco site:

  1. Go to https://www.cisco.com.
  2. Click Support & Downloads from the menu on the left side.
  3. On the Products and Downloads page, in the Downloads search box, search for Software-Defined WAN (SD-WAN) and select it.
  4. On the Select a Product page, from the right-most pane, select XE SD-WAN Routers.
  5. From the right-most pane, select your router model:
    • ASR 1000 Series IOS XE SD-WAN
    • ISR 1000 Series IOS XE SD-WAN
    • ISR 4000 Series IOS XE SD-WAN.
  6. Click the desired software release version to download it. The software image name has the format router-model-ucmk9.​release-number.
  7. Copy the software image to an HTTP or FTP file server in your local network.

Install the XE SD-WAN Software

To install the XE SD-WAN software on a new IOS XE router, nothing is required. All IOS XE routers ship with the XE SD-WAN software already installed.

If you have an existing IOS XE router, follow these steps to install the XE SD-WAN software:

  1. Download the XE SD-WAN software image from the Cisco site.
  2. Upload the XE SD-WAN software image from the file server to the router's bootflash. See sample syntax below.
    FTP:
    ISR4K# (config)# ip ftp source-interface interface
    ISR4K# copy ftp://username:password@server- IP/file-location bootflash:

    TFTP:
    ISR4K# (config)# ip tftp source-interface interface
    ISR4K# (config)# ip tftp blocksize 8192
    ISR4K# copy tftp: bootflash:

    SCP (assumes SSH is enabled):
    ISR4K# (config)# ip scp server enable
    FileServer$ scp filename username@router-IP:/filename
  3. Ensure that the router is connected to a management console.
  4. Create a backup of the current configuration that can be saved in the router's bootflash:
    ISR4K# copy run bootflash:original-xe-config
  5. Remove all existing boot statements and save the configuration:
    ISR4K# (config)# no boot system ...
    ISR4K# wr mem
  6. Verify that the BOOT variable is blank in the following output:
    ISR4K# show bootvar
    BOOT variable =
    CONFIG_FILE variable does not exist
    BOOTLDR variable does not exist
    Configuration register is 0x2102
    Standby not ready to show bootvar
  7. Add a boot variable that points to the XE SD-WAN image:
    ISR4K# (config)# boot system flash bootflash:SDWAN-image
    ISR4K# wr mem
  8. Verify that the BOOT variable points to the XE SD-WAN image:
    ISR4K# show bootvar
    BOOT variable = bootflash:isr4300-ucmk9.16.9.1.SPA.bin,1;
    CONFIG_FILE variable does not exist
    BOOTLDR variable does not exists
    Configuration register is 0x2102
    Standby not ready to show bootvar
  9. Remove all existing configuration from the router:
    ISR4K# write erase
  10. Set the config-register to 0x2102:
    ISR4K# config t
    ISR4K(config)# config-register 0x2102
    ISR4K(config)# end

  11. Verify that the config-register is set to 0x2102 or that it will be set to 0x2102 at the next reboot:
    ISR4K# show bootvar
  12. Reboot the router:
    ISR4K# reload
    Proceed with reload? [confirm] Yes

    If prompted to save the configuration, enter No. The router reboots with the XE SD-WAN image.
  13. If prompted to enter the initial configuration dialog, enter No.
    --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [Yes/No]: No
  14. If prompted to terminate auto-install, enter Yes.
    Would you like to terminate auto-install? [Yes/No]: Yes
  15. At the login prompt, log in with the default username, which is admin, and the default password, which is admin.
  16. Stop PnP and allow the XE SD-WAN packages to install:
    ISR4K# pnpa service discovery stop
  17. Enable this image to be the default image on the router:
    ISR4K# request platform software sdwan software reset

The router reboots with the XE SD-WAN image.

Configure the IOS XE Router from the CLI

If your IOS-XE router is connected to a DHCP server, PnP runs automatically and vManage NMS automatically configures the device after the control connections are up. To verify that the control connections are up and the device is validated, enter the following command at the system prompt:

ISR4K# show sdwan control connections

If your IOS XE router is connected to a DHCP server and you are not using PnP, or if your IOS XE router is not connected to a DHCP server on the WAN, configure the router manually using the CLI:

  1. Connect to the the router using a management console.
  2. Stop PnP to allow access to the CLI:
    ISR4K# pnpa service discovery stop
  3. Enter configuration mode:
    ISR4K# config-transaction
    ISR4K(config)#
  4. Configure the hostname:
    ISR4K(config)# system host-name hostname
    Configuring the hostname is optional, but is recommended because this name in included as part of the prompt in the CLI and it is used on various vManage NMS screens to refer to the device.
  5. Configure the system IP address.
    ISR4K(config-system)# system-ip ip-address
    The vManage NMS uses the system IP address to identify the device so that the NMS can download the full configuration to the device.
  6. Configure the numeric identifier of the site where the device is located:
    ISR4K(config-system)# site-id site-id
  7. Configure the IP address of the vBond orchestrator or a DNS name that points to the vBond orchestrator. The vBond orchestrator's IP address must be a public IP address, to allow the router to reach the vBond orchestrator.
    ISR4K(config-system)# vbond (dns-name | ip-address)
  8. Configure the organization name, which is the name that is included in the certificates on all devices in the overlay network. This name must be the same on all devices.
    ISR4K(config-system)# organization-name name
  9. Configure the tunnel interface to use for overlay connectivity. The tunnel number must match the WAN interface used. For example, if the router interface is Gig0/0/2, the tunnel interface number is 2.
    ISR4K(config)# interface Tunnel #
    ISR4K(config-if)# ip unnumbered wan-physical-interface
    ISR4K(config-if)# tunnel source wan-physical-interface
    ISR4K(config-if)# tunnel mode sdwan
  10. If the router is not connected to a DHCP server, configure the IP address of the WAN interface:
    ISR4K(config)# interface GigabitEthernet #
    ISR4K(config)# ip address ip-address mask
    ISR4K(config)# no shut
    ISR4K(config)# exit
  11. Configure tunnel parameters:
    ISR4K(config)# sdwan
    ISR4K(config-sdwan)# interface WAN-interface-name
    ISR4K(config-interface-interface-name)# tunnel-interface
    ISR4K(config-tunnel-interface)# color color/path-name
    ISR4K(config-tunnel-interface)# encapsulation ipsec
  12. If an IP address is manually configured on the router, configure a default route:
    ISR4K(config)# ip route 0.0.0.0 0.0.0.0 next-hop-ip-address
  13. If the vBond address was defined as a hostname, configure DNS:
    ISR4K(config)# ip domain lookup
    ISR4K(config)# ip name-server dns-server-ip-address

  14. Save the changes and exit configuration mode:
    ISR4K(config)# commit and-quit
    ISR4K# exit

  15. If using a certificate signed by your enterprise root CA, install the certificate:
    ISR4K# request platform software sdwan root-cert-chain install bootflash:certificate

  16. Verify that the control connections are up and the router is validated:
    ISR4K# show sdwan control connections

You can now configure SD-WAN features on the router using the vManage NMS templates.

Add the IOS XE Router to the PnP Portal

  1. Go to https://software.cisco.com.
  2. In the Network Plug and Play box, click Plug and Play Connect. The Plug and Play Connect dialog box opens.
  3. If you have not already created the controller profile, do so now:
    1. Click the Controller Profiles tab located directly beneath the Plug and Play Connect title and to the right of the Devices tab.
    2. Click Add Profile. The Add Controller Profile dialog box opens with Step 1 Profile Type highlighted.
      G00546.png
    3. In the Controller Type drop-down, select vBond.
    4. Click Next. Step 2 Profile Settings is highlighted and the profile setting fields displayed.
      G00547.png
    5. In the Profile Name field, enter a name for the PnP profile you are creating.
    6. In the Description field, enter a description of the profile you are creating. This field is optional.
    7. In the Default Profile drop-down, select Yes if no other controller profile exists.
    8. In the Organization Name field, enter the organization name that is included in the certificates on all devices in the overlay network. You can find the organization name in the vManage NMS Administration ► Settings screen.
    9. In the Primary Controller drop down, select Domain Name or IPv4, and fill in the appropriate fields.
    10. Click Next. The system returns you to the Devices tab of the Plug and Play Connect dialog box.
      G00549.png
  4. If the router details have been stored in a CSV file, click Import using a CSV file and attach the file. Otherwise, select Enter Device info manually to add the router to the PnP portal.
  5. Click Next. The Identify Device popup window opens.
    G00548.png
  6. Fill in the Serial Number, Base PID, and Certificate Serial Number fields with the output of the show crypto pki certificates CISCO_IDEVID_SUDI command issued at the system prompt:
    ISRK# show crypto pki certificates CISCO_IDEVID_SUDI
    Certificate
      Status: Available
      Certificate Serial Number (hex): XXXXXXXX
      Certificate Usage: General Purpose
      Issuer:
        cn=ACT2 SUDI CA
        o=Cisco
      Subject:
        Name: ISR4431/K9
        Serial Number: PID:ISR4431/K9 SN:XXXXXXXXXXX
        cn=ISR4431/K9
        ou=ACT-2 Lite SUDI
        o=Cisco
        serialNumber=PID:ISR4431/K9 SN:XXXXXXXXXXX
      Validity Date:
        start date: 19:35:04 UTC Mar 28 2016
        end date: 19:35:04 UTC Mar 28 2026
      Associated Trustpoints: CISCO_IDEVID_SUDI


    See Before You Begin.
  7. In the Controller Profile drop-down, select the controller profile you created in Step 3.
  8. Click Save.

The router's serial number is added to the PnP portal.

Downgrade the XE SD-WAN Software

If you have installed the XE SD-WAN Software Release 16.9.1 on an IOS XE router and wish to roll back to the previous release:

  1. Ensure that the router is connected to a management console.
  2. If PnP is running, stop PnP to allow access to the CLI:
    ISR4K# pnpa service discovery stop
  3. Change the config-register to 0x0:
    ISR4K# config-transaction
    ISR4K(config)# config-register 0x0
    ISR4K(config)# commit>
    ISR4K(config)# end
  4. Verify that the config-register will be set to 0x0 when the router reboots:
    ISR4K(config)# show bootvar
  5. Reboot the router:
    ISR4K# reload
    Proceed with reload? [confirm] Yes

    The router reboots and goes into ROMMON mode.
  6. Check the router's bootflash to obtain the software image name to load:
    rommon 1> dir bootflash:
    rommon 2> boot bootflash: image_name

The router reboots with the previous software image.

Additional Information

See the documentation for your Cisco router.
See the Templates help article for your software release.
Software Installation and Upgrade for vEdge Routers

  • Was this article helpful?