Zero Touch Provisioning Concepts
The Cisco Crosswork Zero Touch Provisioning (ZTP) application allows you to provision networking devices remotely. You can ship factory-fresh devices to a branch office or remote site. Local operators can cable these devices to the network without installing an image or configuring them. To use ZTP, you first establish an entry for each device in the DHCP server and in the ZTP application. You can then activate ZTP processing by connecting the device to the network and powering it on or reloading it. ZTP downloads and applies a certified image and one or more configurations to the device automatically (you can also apply configurations only). Once configured, ZTP on boards the new device to the Cisco Crosswork device inventory. You can then use other Cisco Crosswork applications to monitor and manage the device.
Cisco Crosswork ZTP uses the following basic terms and concepts:
-
Classic ZTP: A process to download and apply software and configuration files to devices. It uses iPXE firmware and HTTP to boot the device and perform downloads. It's not suitable for use over public networks.
-
Secure ZTP: A secured process to download and apply software images and configuration files to devices. It uses secure transport protocols and certificates to verify devices and perform downloads.
-
Evaluation License Countdown: Licenses for devices onboarded using ZTP have an evaluation period, normally 90 days. Cisco Crosswork displays a countdown banner throughout the evaluation period. Try to purchase a pool of licenses by the time the evaluation period expires. After expiration, Cisco Crosswork displays a warning banner and blocks onboarding of new devices until you apply purchased licenses.
-
Image file: A binary software image file, used to install the network operating system on a device. For Cisco devices, these files are the supported versions of Cisco IOS-XR images. When configured to do so, the Classic ZTP process downloads the image from Cisco Crosswork and installs it using the open-source boot firmware iPXE. If you must install SMUs, ZTP applies them as part of configuration processing.
-
Configuration file: A file used to set the operating parameters of the newly imaged or reimaged device. The file can be a Python script, Linux shell script, or a sequence of Cisco IOS CLI commands stored as ASCII text. The ZTP process downloads the configuration file to the newly imaged device, which then executes it. ZTP processing requires configuration files.
-
Credential profile: Collections of passwords and community strings that are used to access devices via SNMP, SSH, HTTP, and other network protocols. Cisco Crosswork uses credential profiles to access your devices, automating device access. All credential profiles store passwords and community strings in encrypted format.
-
Bootfile name: The explicit path to and name of a software image that is stored in the ZTP repository. For each device you plan to onboard using ZTP, specify the bootfile name as part of the device configuration in DHCP.
-
HTTPS/TLS: Hypertext Transport Protocol Secure (HTTPS) is a secure form of the HTTP protocol. It wraps an encrypted layer around HTTP. This layer is the Transport Layer Security (TLS) (formerly Secure Sockets Layer, or SSL).
-
iPXE: The open-source boot firmware iPXE is the popular implementation of the Preboot eXecution Environment (PXE) client firmware and bootloader. iPXE allows devices without built-in PXE support to boot from the network. The iPXE boot process is part of Classic ZTP processing, and isn't part of Secure ZTP processing. However, on-site technicians can still force iPXE boot and then begin Secure ZTP processing.
-
Owner certificate: The CA-signed end-entity certificate for your organization, which binds a public key to your organization. You install owner certificates on your devices.
-
Ownership Voucher: Nonceless audit vouchers that verify that devices onboarded with ZTP are bootstrapping into a domain your organization owns. Cisco supplies OVs in response to requests from your organization.
-
PDC: A Pinned Domain Certificate (PDC) is the CA- or self-signed domain certificate of your organization. The public key of the PDC pins the PDC to the DNS network domain assigned to your organization. The PDC helps your devices verify that images and configurations that are downloaded and applied during ZTP processing come from within your organization.
-
SUDI: The Secure Unique Device Identifier (SUDI) is a certificate with an associated key pair. The SUDI contains the product identifier and serial number. Cisco inserts the SUDI and key pair in the device hardware Trust Anchor module (TAm) during manufacturing, giving the device an immutable identity. During Secure ZTP processing, the back-end system challenges the device to validate its identity. The router responds using its SUDI-based identity. This exchange, and the TAm encryption services, permit the back-end system to provide encrypted image and configuration files. Only the specific router can open these encrypted files, ensuring confidentiality in transit over public networks.
-
SUDI Root CA Certificates: A root authority certificate for SUDIs, issued and signed by a Certificate Authority (CA), used to authenticate subordinate SUDI certificates.
-
UUID: The Universal Unique Identifier (UUID) uniquely identifies an image file that is uploaded to Cisco Crosswork. You can use the UUID of the software image file in the DHCP bootfile URL. UUIDs are not required for configuration files.
-
ZTP asset: ZTP requires access to several types of files and information in order to onboard new devices. We refer to these files and information collectively as "ZTP assets." You load these assets as part of ZTP setup, before initiating ZTP processing.
-
ZTP profile: A Cisco Crosswork storage construct that combines (normally) one image and one configuration into a single unit. Cisco Crosswork uses ZTP profiles to automate imaging and configuration processes. Using ZTP profiles is optional, but we recommended them. They are an easy way to organize ZTP images and configurations around device families, classes, and roles, and help maintain consistent ZTP use.
-
ZTP repository: The location where Cisco Crosswork stores ZTP image and configuration files.
ZTP Processing Logic
Cisco Crosswork ZTP processing differs depending on whether you choose to implement Classic ZTP or Secure ZTP.
Classic ZTP Logic
The following illustration shows the processing logic that Classic ZTP uses to provision and onboard devices. The DHCP server verifies the device identity based on the device serial number, then offers downloads of the boot file and image. Once ZTP images the device, the device downloads the configuration file and executes it.
Secure ZTP Logic
The following illustration shows the process logic that Secure ZTP uses to provision and onboard devices. The device and the ZTP bootstrap server authenticate each other using the Secure Unique Device Identifier (SUDI) on the device and server certificates over TLS/HTTPS. Over a secure HTTPS channel, the bootstrap server lets the device download signed image and configuration artifacts. These artifacts must adhere to the RFC 8572 YANG schema. Once the device installs the new image (if any) and reloads, the device downloads configuration scripts and executes them.
ZTP State Transitions
Once initiated by a device reset or reload, the ZTP process proceeds automatically. Cisco Crosswork also updates the Zero Touch Devices window with status messages showing which stage of the process each device has reached. The states and their transitions differ between Classic and Secure ZTP, as explained in the next two sections.
The configuration scripts you use with ZTP must report device state changes to Cisco Crosswork using Cisco API calls. Failure to do so means Cisco Crosswork can't register state changes when they occur, resulting in failed provisioning and onboarding. To see examples of these calls, select Download Sample Script.
, then clickClassic ZTP State Transitions
The following figure shows the state changes for Classic ZTP processing.
Classic ZTP device entries start out in the Unprovisioned state. After you initiate ZTP, devices transition to the InProgress state, when they connect to the network and start downloading image and configuration files. The device remains in the InProgress state until it reports either that it ran into a Provisioning Error or that it's Provisioned. If provisioning is successful, the device transitions to the Provisioned state. Once provisioned, Cisco Crosswork onboards the device. If Cisco NSO is a Cisco Crosswork provider, Cisco NSO also onboards the device. If onboarding is successful, the device state changes to Onboarded. It's now part of inventory and you can monitor and manage it like any other Cisco Crosswork network device.
Classic ZTP is successful when the device loads its image and/or configuration code successfully, connects with Cisco Crosswork, and reports a Provisioned status. This status change causes one license to be counted for that device serial number. Because the license is tied to the serial number, later transition to the Onboarded state, or any further ZTP processing, doesn't affect the license count.
Secure ZTP State Transitions
The following figure shows the state changes for Secure ZTP processing.
Secure ZTP device entries start out in the Unprovisioned state. After you initiate ZTP, the device and the bootstrap server validate each other and the payload. The two use the device SUDI, ownership vouchers and device owner certificates to validate over HTTP/TLS. After validation, the device entry transitions to the InProgress state, when it connects to the network and starts downloading image and configuration files. The device remains in the InProgress state until it posts a Provisioning Error, ZTP Error or Provisioned status to Cisco Crosswork. If the provisioning is successful, the device transitions to the Provisioned state. Once provisioned, Cisco Crosswork onboards the device. If Cisco NSO is a Cisco Crosswork provider, Cisco NSO also onboards the device. If onboarding is successful, the device state changes to Onboarded. It's now part of inventory and you can monitor and manage it like any other Cisco Crosswork network device.
If any of the validation steps fail, Secure ZTP posts a Provisioning Error. If the image or configuration code fails verification or installation, Secure ZTP posts a ZTP Error instead. Like Classic ZTP, Secure ZTP is successful when the device loads its image and/or configuration code successfully, connects with Cisco Crosswork, and posts a Provisioned status. License consumption is the same as in Classic ZTP.
ZTP and Evaluation Licenses
All licenses start with an evaluation period of 90 days. When the evaluation period expires, Cisco Crosswork displays a banner warning users that evaluation licenses have expired. While ZTP displays this banner, it blocks some operations, including configuration downloads. When your organization enrolls in smart licensing and applies licenses to some of the onboarded devices, ZTP removes the block. ZTP displays the warning banner until you license all your onboarded devices.
Your onboarded ZTP devices are always associated with either:
-
A serial number, or
-
The values of the Option 82 location ID attributes (remote ID and circuit ID).
Serial numbers and location IDs form an "allowed" list. ZTP uses this list when deciding to onboard a device and assign it a license. If you delete an onboarded ZTP device from inventory, and then onboard it again later, use the same serial number or location ID. If you use a different serial number or location ID, you may consume an extra license. The current release provides no workaround for this scenario. In any case, you can't have two different ZTP devices with the same serial number or location ID active at the same time.
Platform Support for ZTP
This topic details Cisco Crosswork Zero Touch Provisioning support for Cisco and third-party software and devices.
Platform Support for Classic ZTP
The following platforms support Classic ZTP:
-
Software: Cisco IOS-XR versions 6.6.3, 7.0.1, 7.0.2, 7.0.12, and 7.3.1 or later.
-
Hardware:
-
Cisco Network Convergence Systems (NCS) 540 Series Routers
-
Cisco NCS 1000-1004 Series Routers
-
Cisco NCS 5500 Series Routers
-
Cisco NCS 8000 and 8800 Series Routers (Spitfire fixed mode)
-
Classic ZTP doesn't support third-party devices or software.
Platform Support for Secure ZTP
The following platforms support Secure ZTP:
-
Software: Cisco IOS-XR version 7.3.1 or later.
You can upgrade from IOS-XR 6.6.3 to 7.3.1 as a single image installation.
-
Hardware:
-
Cisco Network Convergence Systems (NCS) 540 Series Routers
-
Cisco NCS 1000-1004 Series Routers
-
Cisco NCS 5500 Series Routers
-
Cisco NCS 8000 and 8800 Series Routers (Spitfire fixed mode)
-
Secure ZTP supports provisioning for third-party devices only if the third-party devices:
-
Are 100-percent compliant with the Secure ZTP RFC 8572(https://tools.ietf.org/html/rfc8572).
-
Match Cisco format guidelines for serial numbers in device certificates and ownership vouchers. For details, see the following section, "Guidelines for Third-Party Device Certificates and Ownership Vouchers."
Guidelines for Third-Party Device Certificates and Ownership Vouchers
Secure ZTP processing for any device starts with a successful HTTPS/TLS handshake between the device and Cisco Crosswork. After the handshake, Secure ZTP must extract a serial number from the device certificate. Secure ZTP then validates the extracted serial number against its internal "allowed" list of serial numbers. You create the allowed list by uploading device serial numbers to Cisco Crosswork. A similar serial-number validation step occurs later, when validating downloads using ownership vouchers.
Unlike Cisco IOS-XR devices, the format of the serial number in third-party vendors' device certificates is not standardized
across vendors. Typically, a third-party vendor's device certificate has a Subject
field or section. The Subject
contains multiple key-value pairs that the vendor decides upon. One of the key-values pairs is usually a serialNumber
key. This key's value contains the actual device serial number as a string, which is preceded by the string SN:
. For example: Let's suppose that the third-party device certificate's Subject
section contains the following key and value: serialNumber = PID:NCS-5501 SN:FOC2331R0CW
. Secure ZTP will take the value after the SN:
string and match that to one of the serial numbers in the allowed list.
If the third-party vendor's device certificate has a different format, validation failures can occur. The degree of failure
depends on the degree of difference. The vendor certificate may not match this format at all. The certificate's Subject
field may not contain a serialNumber
key with a value that contains the SN:
string. In this case, Secure ZTP processing falls back to using the whole string value of the serialNumber
key (if present) as the device serial number. It will then try to match that value to one in the allowed list of serial numbers.
These two methods – string matching and the fallback – are the only means Secure ZTP has for determining the third-party device's
serial number. If the vendor certificate differs from this expectation sufficiently, Secure ZTP may be unable to validate
the device at all.
Secure ZTP has similar format expectations for ownership vouchers. Cisco tools generate ownership vouchers with filenames
in the format SerialNumber.vcj
, where SerialNumber
is the device's serial number. Secure ZTP extracts the serial number from the filename and then attempts to match it to one
in the allowed list. For multivendor support, we assume that third-party vendor tools generate OV files in the same format.
If this expectation isn't met, validation failures are likely.
ZTP Implementation Decisions
ZTP offers a range of implementation choices and cost vs. benefit tradeoffs worth considering in advance:
-
When to Use Classic ZTP: Classic ZTP is easier to implement than Secure ZTP. It needs no PDC, owner certificates, or ownership vouchers. It’s less subject to processing errors, as device and server verification is less stringent and setup is less complex. It’s your only choice if your Cisco devices run IOS XR versions earlier than 7.3.1, as Secure ZTP doesn’t support them. Although Classic ZTP new includes a device serial-number check, it remains insecure at the transport layer. It's not recommended if routes to your remote devices cross a metro or otherwise unsecured network.
-
When to Use Secure ZTP: Use Secure ZTP when you must traverse public networks and you have devices that support Secure ZTP. The additional security that it provides requires a more complex setup than Classic ZTP. This complexity can make processing error-prone if you’re new to the setup tasks. Secure ZTP setup also requires a certificates and ownership vouchers from the device manufacturer. Use it if your devices are from third-party manufacturers, as Classic ZTP doesn't support third-party hardware. Third-party devices and their software must be 100-percent compliant with RFCs 8572 and 8366. Device certificates for third-party devices must contain the device serial number. Third-party ownership vouchers must be in a format that uses the device serial number as the filename. Cisco can’t guarantee Secure ZTP compatibility with all third-party devices. For more details on third-party device support, see Platform Support for ZTP.
-
Use ZTP With Imaged Devices: There’s no need to specify a software image when you use Classic or Secure ZTP. This feature allows you the option of shipping to your remote location one or more devices on which you have already installed a software image. You can then connect to these devices and trigger ZTP processing remotely. Depending on how you set up things, you can apply:
-
A configuration only
-
One or more images or SMUs, with more configurations.
All licenses start with an evaluation period of 90 days. When the evaluation period expires, Cisco Crosswork displays a banner warning users that evaluation licenses have expired. While ZTP displays this banner, it blocks some operations, including configuration downloads. When your organization enrolls in smart licensing and applies licenses to some of the onboarded devices, ZTP removes the block. ZTP displays the warning banner until you license all your onboarded devices.
Secure ZTP offers more flexibility with preimaged devices because it offers preconfiguration, day-zero, and postconfiguration script execution capability. But both ZTP modes can chain configuration files that load images, SMUs and configurations.
In both cases, the result is to onboard the device. Once onboarded to Cisco Crosswork, you can’t use ZTP to configure the device.
-
-
Organize Configurations: Keep your configurations as consistent as possible across devices. Consistency makes solving problems easier. It minimizes the amount of extra configuration you must perform to bring new devices online. It also reduces the number of "special" things to keep in mind when it comes time to reconfigure or upgrade your devices. Start by ensuring that all devices from the same device family and with similar roles have the same or similar basic configurations.
How you define the role that a device plays depends on your organization, its operational practices, and the complexity of your network environment. For example: Suppose that your organization is a financial services enterprise. It has three types of branches: Sidewalk ATMs, retail branches open during standard business hours, and private trading offices. You could define three sets of basic profiles covering all the devices at each type of branch. You can map your configuration files to each of these profiles.
Another method of enforcing consistency is to develop basic script configurations for similar types of devices, then use the script logic to call other scripts. If you’re using Classic ZTP, the script is in the specified configuration file. That script downloads the basic configuration, then downloads other scripts depending on the branch type. If using Secure ZTP, you have even more flexibility, as you can specify preconfiguration and postconfiguration scripts in addition to the main or day-zero configuration script.