cisco techadvantage webinar simplifying device provisioning with next generation plug and play

1 © 2013 Cisco and/or its affiliates. All rights reserved.

Cisco TechAdvantage Webinars Simplifying Device Provisioning with NG Plug and Play Amit Dutta and Bhaskar Bhattacharjee

Follow us @GetYourBuildOn

We’ll get started a few minutes past the top of the hour.

Note: you may not hear any audio until we get started.

© 2013 Cisco and/or its affiliates. All rights reserved. 2

•  Submit questions in Q&A panel and send to “All Panelists” Avoid CHAT window for better access to panelists

•  Please complete the post-event survey

•  For WebEx audio, select COMMUNICATE > Join Audio Broadcast

•  Where can I get the presentation? Or send email to: [email protected]

•  Join us for upcoming TechAdvantage Webinars: www.cisco.com/go/techadvantage

•  For WebEx call back, click ALLOW phone button at the bottom of participants side panel


Panelists Speakers

Amit Dutta Product Manager

[email protected]

Yogesh Shetty Product Manager Engineering

[email protected]

Bhaskar Bhattacharjee Technical Leader

[email protected]

Nathan Sowatskey Technical Marketing Engineer

[email protected]


•  Focus on enhancing automatic network device installation

•  New solution based on the NG PnP agent in IOS and a central/cloud server

•  APIC EM controller introduced today •  Future phases include cloud based servers

•  Review challenges with current solutions, explain how NG PnP eases adoption of Cisco Network Devices

•  Describe solution components, their functions, and targeted deployment scenarios


At the end of the session, the participants should be able to:

•  Identify the various components of the NG PnP Solution

•  Understand the most common use cases for NG PnP Solution

•  Understand the capabilities of the embedded agent

•  Learn how to leverage this solution in their network


§  Introduction

§  Requirements for a ZTD solution

§  Specific Day 0 Use Cases and Deployment

§  Discovery Methods

§  Agent Services


Purchase

Pre-‐Staging

Installa2on (Truck Roll)

Handling Misconfigura2ons

(Truck Roll)

Service Ac2va2on

Management/ Customiza2on


Typical Use Case - Remote Branch Deployment •  Cost

Shipping equipment multiple times Expensive partners for one off installations Travel and opportunity costs of IT personnel

•  Complexity Manual CLI causes configuration errors Different products (Switching, Routing, Wireless) each handled separately

•  Security Network device configuration visible to third party installers Trusted partners not available at all locations

•  Time to Service (TTS) Manual process is time consuming


Which steps can I eliminate?

Can Zero-touch Solutions help?

Is Pre-staging really necessary?

Without pre-staging, how do I ensure security ?

What about Post-deployment operations? – should I consider SDN?

Can I avoid truck-rolls due to misconfigurations?


Device Discovery

Config / Image Download

Security

Automated Testing Suites

Management / Feedback /

Customization

Consistent Reachability


Auto Install Bootstrap config to reach

Provisioning Server

Provisioning Server

Device Authentication + Config / Image Download

DHCP, DNS, TFTP servers

Layer2 or Pre-staged helper network


Auto Install

Smart Install Cisco

Config Engine

Auto Install

Smart Install


Introducing Next generation Plug and Play


Smart Install

Auto Install

Cisco Config Engine

Config / Image Download APIC EM Integration Security Open Protocol More….


DHCP server

Cloud based PnP Server

Local PnP Server

DNS Server

DNS Server

DHCP server based

DHCP option 43/60 = PnP

server address

DHCP + DNS server

Cloud based PnP server

Mobile Helper device

Neighbor Assisted PnP

Name Lookup pnpserver.

localdomain.com

Cloud Redirection devicehelper cisco.com

Mobile app connects to PnP server over WAN to distribute bootstrap config

PnP NAPP Server

NAPP Server Receives UDP broadcast from new device and acts as proxy server

Send UDP broadcast

on LAN

Gateway


•  Fully automated network device install No CLI needed. No manual intervention. No touching required. No experienced network admin needed on site

•  Security built in Configurations passed to device with secure transport Rogue device detection

•  RMA: Automated device replacement •  Customizable

Customers can adapt the solution to fit their needs

•  Not Cisco Proprietary Protocol is open and based on XMPP and HTTP Based on Publically available schema

•  Final and Unique configuration delivered to every device


Cloud Hosted Redirection Service Web hosted app on cisco.com to help discover

customer specific Plug-n-Plug server

Plug-n-Play Server App A centralized server that manages the network

devices for images, configurations, files, licenses, etc.

PnP Helper Applications Applications on smart phones and personal computers that

facilitates to deliver boot strap configuration as needed

PnP Agent An embedded agent that runs on the Cisco devices to automate deployment process

Plug-n-Play protocol Protocol used between the Agent

and the PnP server. This is an open schema allowing third-party

development of PnP servers


•  Embedded software running on Cisco routers and switches

•  Automatically starts on boot up for new devices

•  Automatically discovers the Central Management Server

•  Communicates with the Server over Secure channel

•  Based on Open PnP protocol spec •  Capable of performing

•  Image upgrade •  Full and partial config upgrade •  License management •  Topology discovery and so on

•  Supports secured file transfer protocols for config and images


Cisco Devices Catalyst, ISR, ASR

Cisco ONE Enterprise APIC Controller - EM

CLI, OpenFlow, OnePK API, PNP Protocol

REST API

Zero Touch Deployment (ZTD)

App

Enterprise Applications & Orchestration Layer

Image & Config. Policy Definition

Pre-Provisioning

ZTD component

Scripts based on REST API

ZTD component

First GUI based PnP Server from Cisco

Security QOS Mobility


Special App Console cables

•  iOS / Android based mobile app for a single touch device bootstrapping

•  Installer simply connects cable and pushes a button to bootstrap. No CLI required to be entered by the installer

•  Communicates with PnP Server to authenticate the device and get the correct bootstrap config

•  Connects to the server over 3G/4G/Wifi •  On the spot troubleshooting for device status •  Provides device install status & progress

•  The mobile App is optional for solution •  Used for bootstrap and installer aid only •  Supported Devices: Iphone, Ipad, laptop •  Uses special Serial/console cable


www.cisco.com

•  Cisco hosted PnP server redirection service over the cloud

•  Based on Open PnP protocol spec •  Customers get to maintain their device

portfolio securely as well as privately on the web service portal

•  PnP enabled devices automatically speaks to the cloud service, gets authenticated, and then gets redirected to the correct customer PnP server

•  Ideal for branches and satellite locations •  This is to be included in Phase II of this

solution along with many other additions


•  PnP agent uses standard and open communication protocols to make it developer friendly

•  The agent uses HTTP and XMPP as the transport protocols for all communication between the agent and the server

•  SSL or TLS is used for securing the data exchanged between the agent and the server

•  Agent exposes commands as RPCs for the server to use

•  Agent and the server communicates with each other in XML over the wire

•  Schemas for the requests and responses are open and being published on the cisco.com


PnP Server in NOC

PnP Server

Install Loca4on

Day 0: New device is pre-‐provisioned in PnP Server with image & config details

Day 1: PnP server authen4cates the device. A secure communica4on channel is created

Day 1: PnP server sends configura4on, image, licenses and files to the device

Day 1: Device reloads executes post install ac4ons (script or CLI)

Device-‐ Database UDI: AF34P7 Dev. Info.

license

config

image

Day 1: Installer connects the network cables and powers on the device. Day 1: Device discovers PnP server and sends it’s SUDI cer4ficate

1

2

3

4

5

6

Day 1: Install success/failure no4fica4ons are sent by the PnP server as needed. 7


Pre Provision Projects/Sites •  Policies •  Match Rules •  Configs/Image •  IP Addressing

Network Admin

Installer

Day 0

Day 1 Day 1

PnP Server

Network Admin

Internet Deliver bootstrap

IT Admin remotely monitors status of install while in progress.

PnP Server site Device list

Installer on site •  Mount and cable

devices •  Power-on

PID Serial # Hostname IP address

ISR-2951 FOX23zxcd ISR-main 192.168.15.1

ISR-2951 FOX23zxcb ISR-bakcup 192.168.15.2

C3850 FOC123dfg Dist1 192.168.16.3

C3560C FOC443asd ACC-sw1 192.168.16.4

C3560C FOC443asa ACC-sw2 192.168.16.5

C3560C FOC443asg ACC-sw3 192.168.16.6

C3560C FOC443asx AC-sw4 192.168.16.7

Booting devices contact PnP Server requesting instructions


Installer

Remote Installer •  Mount and cable

devices •  Power-on

Day 1

PnP Server

Campus – Bldg-1

Campus – Bldg-2

Pre Provision Projects/Sites •  Policies •  Match Rules •  Configs/Image •  IP Addressing

Network Admin

Day 0

Network Admin remotely monitors status of install while in progress. Booting devices call out to PnP Server, requesting instructions

Day 1

Campus – Bldg-3 Campus – Bldg-4


Mark Device for RMA •  Use Inventory to find

device PnP Server waiting for replacement device Opens TAC Case

Network Admin

Day N

Asst. Branch Mgr. •  Removes old device. •  Mount and cable

replacement device •  Power-on

Day N+1

No replacement Pre Provisioning

1.  Zero-touch RMA based on neighbor table

•  PnP Server maintains neighbor info.

•  Applies same image/config to new device OR

2. Serial Number match

•  Incoming Switch SR# configured as replacement device

•  Image/Config applied to new device

Note: PID must match!

Cisco ships replacement

PnP Server

Internet

Asst. Branch Mgr.

At Branch, •  No Bootstrap config •  No CLI •  App optional


•  “SMI Proxy” runs on the Device with PnP Agent.

•  “SMI Proxy” Translates SMI to PNP Represents SMI Client to the PnP Server

•  “SMI Proxy” must be explicitly enabled.

•  PnP Server can manage Legacy IOS images on Catalyst switches

•  Catalyst 3k/4k with minimum IP Base support SMI Proxy

Internet

ISR: Agent enabled

3850: Agent enabled SMI Proxy enabled

SMI clients

Smart Install protocol

PnP Protocol On http

Translation layer

APIC EM Server


•  Non PNP Agent images do not get all benefits of Agent support

•  Caveats to Solution with older IOS clients •  APIC EM discovery •  SMI Proxy Device must be explicitly enabled.

•  Must be in distribution layer (SMI Director)

•  Not managed by APIC EM as a special device •  Scale and performance limits

Internet

ISR: Agent enabled

3850: Agent enabled SMI Proxy enabled

SMI clients

Smart Install protocol

PnP Protocol On http

Translation layer

APIC EM Server


DHCP server

Cloud based PnP Server

Local PnP Server

DNS Server

DNS Server

DHCP server based

DHCP option 43/60 = PnP

server address

DHCP + DNS server

Cloud based PnP server

Mobile Helper device

Neighbor Assisted PnP

Name Lookup pnpserver.

localdomain.com

Cloud Redirection devicehelper cisco.com

Mobile app connects to PnP server over WAN to distribute bootstrap config

PnP NAPP Server

NAPP Server Receives UDP broadcast from new device and acts as proxy server

Send UDP broadcast

on LAN

Gateway


DHCP Server PnP Server

New device is powered on

Device receives PnP server specific metadata info configured in DHCP op4on 43

1

2

Device validates server’s loca4on and establishes a communica4on with the server

3

Assumptions: • New devices can reach DHCP server

• Customer is willing to configure DHCP server for network devices


ip dhcp pool PNP-POOL network 172.19.210.0 255.255.255.0 option 43 ascii "5A;K4;B2;I172.19.210.215;J80"

•  Sample DHCP pool config with PnP specific op4on 43 on an IOS device:

class "Cisco PnP" { match if option vendor-class-identifier = "Cisco PnP"; option vendor-class-identifier "Cisco PnP"; vendor-option-space CISCO_PNP; option CISCO_PNP.server-address 192.168.247.55; }

•  Sample DHCP config with PnP specific op4on 60 and 43 on a Linux device:

option pnp-server code 43 = {string}; option pnp-server "5A;B2;K4;I172.19.210.215;J80”;

•  Sample DHCP config with PnP specific op4on 43 on a Linux device:


Mar 30 01:31:05.441: PNPA-discovery: Info: Checking if PnP discovery should start Mar 30 01:31:05.441: PNPA-discovery: Info: PnP discovery process is not running Mar 30 01:31:05.441: PNPA-discovery: Info: Started PnP Discovery Process, pid=446 Mar 30 01:31:29.156: PNPA-discovery: Info: Startup config does not exists Mar 30 01:31:29.156: PNPA-discovery: Info: Initiating PnP discovery manager Mar 30 01:32:06.963: %PNPA-DHCP Op-43 Msg: _pdgfa.1.inp=[K4;B2;I10.10.10.13;J6088] Mar 30 01:32:06.963: %PNPA-DHCP Op-43 Msg: _pdgfa.1.K4.htp=[ transport http ] Mar 30 01:32:06.963: %PNPA-DHCP Op-43 Msg: _pdgfa.1.B2.s12=[ ipv4 ] Mar 30 01:32:06.963: %PNPA-DHCP Op-43 Msg: _pdgfa.1.Ix.srv.ip.rm=[ 10.10.10.13 ] Mar 30 01:32:06.963: %PNPA-DHCP Op-43 Msg: _pdgfa.1.Jx.srv.rt.rm=[ port 6088 ] Mar 30 01:32:06.963: %PNPA-DHCP Op-43 Msg: _pdoop.1.ztp=[pnp-zero-touch] host=[] ipad=[10.10.10.13] port=6088 Mar 30 01:33:06.984: %PNPA-DHCP Op-43 Msg: Command = pnp profile pnp-zero-touch, Return code = 0 Mar 30 01:33:07.999: %PNPA-DHCP Op-43 Msg: Command = transport http ipv4 10.10.10.13 port 6088 , Return code = 0 Mar 30 01:38:12.958: PNPA-discovery: pnpa_disc_dhcp_option_43: Port is 6088 Mar 30 01:38:12.958: PNPA-discovery: pnpa_validate_port_type: Port is 6088 Mar 30 01:38:12.958: PNPA-discovery: Info: PnP server discovery was successful Mar 30 01:38:27.991: PNPA-discovery: Info: PnP profile configuration was successful Mar 30 01:38:27.991: PNPA-discovery: Info: PnP discovery process was successful Mar 30 01:38:27.991: PNPA-discovery: Info: Exitting PnP Discovery Process...

•  Sample console debug logs from DHCP based discovery


pnp profile pnp-zero-touch transport http ipv4 10.10.10.13 port 6088

•  Sample PnP configura4on on the device from DHCP based discovery




DHCP server sends packet

1

2

Device validates server’s loca4on and establishes a communica4on with the server

4

Assumptions: • New devices can reach DHCP server • Customer is NOT willing to configure DHCP server for network devices • Upstream SW is configured to snoop DHCP

Upstream device intercepts DHCP packet and adds PnP server specific metadata info by adding op4on 43

3


<snooping> <enableSnooping> <serverIp>10.10.10.111</serverIp> <profileName>pnp_profile</profileName> <vlanId>1</vlanId> <trustedInterfaces> <interfaces>GigabitEthernet1/0/1</interfaces> <interfaces>GigabitEthernet1/0/3</interfaces> </trustedInterfaces> </enableSnooping> </snooping>

•  Sample PnP message to enable PnP snooping on the upstream switch




Receives domain name of the network

1

2

Device establishes a communica4on with the server

4

Assumptions: • New devices can reach DHCP server

• Customer deployed PnP server in the network with the name “pnpserver”

Device reads domain name and creates predefined PnP server name such as pnpserver.cisco.com and looks it up on the DNS server

3

DNS Server


PnP Server

•  New devices get provisioned with the help of a pre-provisioned PnP device

•  Device joins the network and informs the neighbor that it requires provisioning

•  Neighbor device validates the new devices with the PnP server

•  Server send the correct config for the new device to the neighbor

•  Config is passed down to the new device by the neighbor device

•  No DHCP or DNS server required in this mechanism



Device reaches out to the Cisco cloud service using a well known URL as shown on the right

1

2

Device establishes a communica4on with the server

4

Assumptions: • New device has internet connectivity (from the ISP)

• Cisco cloud server URL is hard coded to https://devicehelper.cisco.com/device-helper

Cloud service verifies the devices and points to the right PnP server at the customer premises

3

PnP Server

https://devicehelper.cisco.com/device-helper


Device in a branch or satellite loca4on gets powered on

Installer plugs in laptop/smart phone to the device to auto bootstrap the device

1

2

Assumptions: • New device is the first device to be deployed and has no internet connectivity

Device gets configured to establish a communica4on with the PnP server

4

PnP Server

Installer

Mobile App collects device info, sends it to the server over 3G/4G/Wifi to verifica4on, and receives the right bootstrap configura4on for the device

3


Ø Use case driven capabilities built within the agent to perform end-to-end operations Ø  Image Install Service Ø  Configuration Upgrade Service

Ø  License Management Service

Ø  Tcl Script Execution Service Ø  Certification Install Service

Ø  Configuration CLI Service

Single Chassis Cat3750 High Availability Cat4500 9 Member Stacked Cat3750

APIC EM Server File

Server

Services add intelligence to the workflow and encapsulates the platform complexities from the server.


•  PnP server sends image location based on the PID of the device

•  PnP agent ü  Checks if the path is valid ü  Calculates disk space on the destination, if not finds an alternate disk space on the device ü  downloads the image to the right destination where enough space is avaiable ü  Checks the integrity of the image ü  Installs the image to all the applicable hardware (Standalone unit, HA unit, Stacked unit) ü  Notifies the server that image installation was successful ü  Reloads the device ü  If any error occurs in between the process of Image installation, the agent aborts and reports back to the

server on the error


<?xml version="1.0" encoding="UTF-8"?> <pnp xmlns="urn:cisco:pnp" version="1.0" udi="PID:WS-C3750E-24TD,VID:V03,SN:FDO1332R0R8">

<request correlator="1234"> <image> <copy> <source> <location>http://10.10.10.19/images/isr4400-universalk9.20140420.bin</location> <checksum>1eb1e2853f413a76fa7199147b34d324</checksum> </source> <destination> <location>flash0:</location> </destination> </copy> </image> <reload> <reason>pnp image installation</reason> <delayIn>0</delayIn> <user>admin</user> <saveConfig>true</saveConfig> </reload>

</request> </pnp?

•  Sample XML payload for image installa4on request from the PnP server


Mar 30 09:09:54.084: PNPA-image-install: Source file is of type image (mzip) Mar 30 09:09:54.084: PNPA-image-install: Config-register: 0xF Mar 30 09:09:54.126: PNPA-image-install: Destination file: flash:c3750e-universalk9-mz.1 Mar 30 09:09:54.126: PNPA-image-install: Initialization Successful Mar 30 09:09:54.126: PNPA-image-install: Calculating current running image checksum... Mar 30 09:09:54.126: PNPA-image-install: Performing image checksum verification... Mar 30 09:10:20.659: PNPA-image-install: Expected checksum: 4d8e713f2e290ce6938a5a2018eb1c49 Mar 30 09:10:20.659: PNPA-image-install: Computed checksum: 1a2c66abe64cb7fe20b0a5dde76e4f70 Mar 30 09:10:20.659: PNPA-image-install: Running Image flash:c3750e-universalk9-mz checksum different from provided checksum Mar 30 09:10:20.793: PNPA-image-install: Total free size on flash: 32125952 bytes Mar 30 09:10:20.793: PNPA-image-install: Copying Image............. Mar 30 09:12:51.100: PNPA-image-install: Image copy successful Mar 30 09:12:51.100: PNPA-image-install: Performing image checksum verification.... Mar 30 09:13:17.675: PNPA-image-install: Expected checksum: 4d8e713f2e290ce6938a5a2018eb1c49 Mar 30 09:13:17.675: PNPA-image-install: Computed checksum: 4d8e713f2e290ce6938a5a2018eb1c49 Mar 30 09:13:17.675: PNPA-image-install: Checksum verified for flash:c3750e-universalk9-mz.1 Mar 30 09:13:18.011: PNPA-image-install: Found boot start marker Mar 30 09:13:21.970: PNPA-image-install: Set to boot new Image Mar 30 09:13:22.029: PNPA-image-install: Reload scheduled by user Mar 30 09:13:22.029: PNPA-image-install: PNP ImageInstall Successful CP-BL16-C3750E-1#

•  Sample Image Installa4on console debug logs


<?xml version="1.0" encoding="UTF-8"?> <pnp xmlns="urn:cisco:pnp" version="1.0" udi="PID:WS-C3750E-24TD,VID:V03,SN:FDO1332R0R8"> <response xmlns="urn:cisco:pnp:image-install" version="1.0" success="0" correlator="03"> <errorInfo> <errorSeverity>ERROR</errorSeverity> <errorCode>PnP Service Error (1804)</errorCode> <errorMessage>Config-register cannot be 0x0</errorMessage> </errorInfo> </response> </pnp>

•  Sample Image Install error response


Ø Services designed to retrieve device specific information

Ø  Topology Discovery Service

Ø  Device Information Service

Ø  Operational CLI Service

Ø  SNMP MIB Service

Ø  Syslog Relay Service


<?xml version="1.0" encoding="UTF-8"?> <pnp xmlns="urn:cisco:pnp“version="1.0" udi="PID:WS-C3750E-24TD,VID:V03,SN:FDO1332R0R8"> <response correlator="03" version="1.0" success="1" xmlns="urn:cisco:pnp:topology"> <topology> <element> <local> <interface>GigabitEthernet0/0</interface> <shortInterface>Gi0/0</shortInterface> <macAddress>f866.f27b.a870</macAddress> </local> <remote> <interface>FastEthernet0/10</interface> <macAddress>001f.6d0c.3dca</macAddress> <deviceName>switch-172-BL20</deviceName> <platform>cisco WS-C2950-24</platform> <version>Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA10a, RELEASE SOFTWARE (fc2) Copyright (c) 1986-2007 by cisco Systems, Inc. Compiled Tue 24-Jul-07 17:13 by antonino</version> </remote> </element> <element> <local> <interface>FastEthernet0/1/0</interface> <shortInterface>Fa0/1/0</shortInterface> <macAddress>c84c.7543.5d7d</macAddress> </local> <remote> <interface>FastEthernet0/1/0</interface> <macAddress>f866.f24d.6a8e</macAddress> <deviceName>eem-2900-1</deviceName> <platform>Cisco CISCO2921/K9</platform> <version>Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(0.21)T, ENGINEERING WEEKLY BUILD, synced to V153_3_M0_3 Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2013 by Cisco Systems, Inc. Compiled Thu 12-Sep-13 10:17 by hlo</version> </remote> </element> </topology> </response> </pnp>

•  Sample Topology discovery service output


•  A new way of logically grouping devices within a network

•  Devices placed in the same physical location may be grouped logically based their functional groups

•  The PnP tag gets propagated in the network at the bootup time and sent back to the server to identify its location or group

•  PnP server may use this tag to determine what config or operation is right for this device

PnP Server


•  Optional extra support for PnP customisation and integration with existing systems

•  Python implementation of PnP Server for HTTP and XMPP

•  Provided as open source with sample responses for the main use cases

•  Can be used with IOSv/VIRL virtual networks for ease of development

•  Will be made available in GitHub shortly


Platform Support •  Catalyst 2K, 3k and 4k

15.2(2)E

•  Catalyst 6500 15.1(2)SY

•  ISR-G2 15.4(2)T

•  ASR 1000/ ISR 4400 15.4(2)S

•  APIC EM ZTD Service 2HCY 2014

•  Mobile Application – Android/iOS 2HCY 2014

IOS Catalyst 3750 4500

IOS XE ASR 1000 Cisco IOS

Catalyst

6500


The Key Takeaways of this presentation are:

•  Cisco has a fully automated solution for network device deployment. The solution scales and its secure

•  The key component is the Agent in IOS products.

•  APIC EM is Cisco’s Central Server for the solution

•  Not Cisco Proprietary. The solution is open. Customers and Partners can use PnP Server to build their own solutions, or adapt PnP Server into their own processes.

•  [email protected]


•  Thank you! •  Please complete the post-event survey •  Join us for upcoming webinars:

Register: www.cisco.com/go/techadvantage Follow us @GetYourBuildOn

cisco techadvantage webinar simplifying device provisioning with next generation plug and play

Technology

cisco andor

cisco techadvantage

ng pnp solution

solution components

ng pnp agent

ng plug

device provisioning

webex audio