Installation of new networking devices or replacement of devices can be expensive, time-consuming and error-prone when performed
manually. Typically, new devices are first sent to a central staging facility where the devices are unboxed, connected to
a staging network, updated with the right licenses, configurations and images; then packaged and shipped to the actual installation
location. After these processes are completed, experts must travel to the installation locations to perform the installation.
Even in scenarios where the devices are installed in the NOC/Data Center itself, there may not be enough experts for the sheer
number of devices. All these issues contribute to delays in deployment and add to the operational costs.
Connecting to PNP Server
To allow the switch to connect to the PnP server, a discovery process takes place, in which the switch discovers the PNP server
address/url. There are multiple discovery methods, and they are executed by the switch according to the sequence detailed
below. If a PnP server is discovered by a certain method, the discovery process is completed and the rest of the methods are
not executed:
-
User configured address - the PnP server url or IP address are specified by the user.
-
Address received from DHCP response option 43 - the PnP server url or IP address are received as part of option 43 in the
DHCP response
-
DNS resolution of hostname "pnpserver" - the PnP server IP addressed is obtained via DNS server resolution of hostname “pnpserver”.
-
Cisco Plug and Play Connect - a redirection service that allows full “out of the box” PNP server discovery which runs over
HTTPs.
The switch contacts the redirection service using the FQDN “devicehelper.cisco.com”.
Cisco PnP Connect Prerequisites
To allow Cisco Plug and Play Connect operation, the user needs to create devices and controller profiles in Plug and Play
Connect (navigate to https://software.cisco.com and click the PnP Connect link). Note that a Cisco Smart Account is required to use PnP Connect. To create or update a Smart
Account, see the Administration section of https://software.cisco.com.
In addition, the following prerequisites are required to be met on the switch itself:
-
The PNP server was not discovered by the other discovery methods
-
The device is able to successfully resolve the name devicehelper.cisco.com (either static configuration or using DNS server)
-
System time was set using one of the following methods
-
Time was updated by an SNTP server
-
Clock was set manually by user
-
Time was preserved across resets by Real Time Clock (RTC).
CA-Signed Certificate based Authentication
Cisco distributes certificates signed by a signing authorities in .tar file format and signs the bundle with Cisco Certificate
Authority (CA) signature. This certificate bundle is provided by Cisco infoSec for public downloads on cisco.com.
If the PNP server discovery is based on DHCP option 43, use the “T<Trust pool CA bundle URL>;” parameter in DHCP option 43
to provide the URL for downloading the trust pool. The certificates from this bundle can be installed on the Cisco device
for server-side validation during SSL handshake. It is assumed that the server uses a certificate, which is signed by one
of the CA that is available in the bundle.
The PnP agent uses the built-in PKI capability to validate the certificate bundle. As the bundle is signed by Cisco CA, the
agent is capable of identifying a bundle that is tampered before installing the certificates on the device. After the integrity
of the bundle is ensured by the agent, the agent installs the certificates on the device. After the certificates are installed
on the device, the PnP agent initiates an HTTPs connection to the server without any additional steps from the server.
Note
|
The device also supports a built in certificate bundle which is installed as part of the bootup process. this bundle can be
used to validate PNP server. If a Bundle is downloaded based on Cisco PnP Connect information then the certificates from the
downloaded bundle are installed and the certificates based on the built in bundle are un-installed.
|
Note
|
In addition to validating PNP certificate based on installed CA certificate the PNP Agent also validates that the certificate's
Common Name/Subject Alternate Name (CN/SAN) matches the hostname/IP address of the PNP server. If they don't match validation
of certificate is rejected.
|
Cisco PnP DHCP Option 43 Usage Guidelines
DHCP option 43 is a vendor specific identifier which is one of the methods that can be used by the PnP agent to locate and
connect to the PnP server (see Cisco Plug-n-Play for more information).
The following provides Information on configuration of Option 43 to allow proper configuration on DHCP server.
Option 43 includes the following fields/parameters:
<DHCP-typecode><feature-opcode><version><debug-option>;<arglist>
The <arglist> parameter should use the following syntax:
B<IP address type>;I<IP address>;J<Port>;K<Transport protocol>;T<Trust pool CA bundle URL>;Z<SNTP server IP address>
The following table details the description and usage of option 43 fields
Parameter |
Description |
DHCP-typecode |
DHCP sub-option type. The DHCP sub-option type for PnP is 5. |
Feature-opcode |
Feature operation code – can be either Active (A) or Passive (P). The feature operation code for PnP is Active (A) which implies
that PnP agent initiates a connection to the PnP server. If the PnP server cannot be reached, PnP agent retries until it makes
a connection.
|
Version |
Version of template to be used by PnP agent. Must be 1. |
Debug-option |
Turns ON or OFF the debug messages during the processing of the DHCP Option 43:
D – debug option is ON ; N – debug option is OFF.
|
K |
Transport protocol to be used between PnP agent and PnP server:
4 - HTTP or 5 – HTTPS.
|
B |
IP address type of PnP server IP address specified with the letter code
‘I’:
1 - host , 2- IPv4 , 3 - IPv6
|
I |
IP address or hostname of PnP server. If hostname is specified, DNS related options must be present in the DHCP server to
allow for successful use of hostname.
|
T |
URL of trust pool CA bundle. You can get the CA bundle from a Cisco Business Dashboard, or from a TFTP server.
-
When using Cisco Business Dashboard, use the following URL format:
http://CBD IP address or domain name/ca/trustpool/CA_bundle_name
-
When using TFTP Server, use the following URL format: tftp://tftp server IP/CA_bundle_name
|
Z |
SNTP server IP address. You must sync the clock before configuring a trust pool.
Note
|
The switch clock is considered synchronized if it was updated by any SNTP server supported by the switch (by default, userconfigured
or in Z parameter) or set manually by the user. This parameter is required when using trust pool security if the switch can
not reach any other SNTP server. For example, for an out-of-thebox switch with factory default configuration but no Internet
connectivity to reach the default SNTP servers.
|
|
J |
Port number http=80 https=443
|
Examples for Option 43 usage:
-
The following format is used for PnP connection setup using HTTP:
option 43 ascii 5A1N;K4;B2;I10.10.10.3;J80
-
The following format is used for PnP connection setup on top of HTTPS, directly using a trust pool. HTTPS can be used when
the trust pool CA bundle is downloaded from a Cisco Business Dashboard and the Cisco Business Dashboard server certificate
was issued by a 3rd party (not self signed). In the example below “10.10.10.3” is the Cisco Business Dashboard IP address.
Optionally, you can specify a domain name:
option 43 ascii 5A1N;K5;B2;I10.10.10.3;Thttp://10.10.10.3/ca/trustpool/ios.p7b;Z10.75.166.1