Inside Cisco IT: Zero Touch Deployment Using
Cisco Prime Infrastructure
Stephen Hoover - Member of Technical Staff
David Iacobacci - Member of Technical Staff
Mary Kadomoto - Director
BRKCOC-2001
Agenda
• Introduction
• The “Zero Touch Deployment process”
• Cisco IT Deployment Strategy
• IT Extensions
• Lessons Learned
• Demo
• Conclusion
What is Zero Touch Deployment?
• Capability to securely automate the following activities associated with a device:
• Provisioning
• Deployment
• Upgrades
(Device lifecycle diagram: Rack, Stack, Cable; Provision; Deploy; Operate; Upgrade)
Reasons to pursue ZTD
Save money:
• Cut incident rates caused by inconsistent configurations
• Reduce the skill level necessary to deploy production network devices
• Shorten time to deploy
Inside Cisco IT
• Network of 100,000+ devices
• Prime Infrastructure as part of Cisco IT network management strategy
• 6 instances across the globe
• Close collaboration with PI BU (CVG)
• EFTs (Early Field Trials)
• Enhancement requests
• Cisco IT extensions
Existing Cisco ZTD Solutions
• Autoinstall
• IOS device obtains its configuration via DHCP and TFTP during the boot-up sequence
• Smart Install
• Switches
• Configuration Engine
• Large number of devices with similar configurations, pushed via the CNS protocol
• Tcl scripts
Cisco IT ZTD experience with CVO
CVO - Cisco Virtual Office Teleworker Solution
• SDP: Secure Device Provisioning registrar (IOS with templates)
• Configuration Engine: push configurations and images to routers
• Cisco Security Manager: repository for templates and policies
(Diagram: teleworker router reaches the Corporate Network through an Encrypted Tunnel across the Internet)
Components to implement ZTD using PI
• Prime Infrastructure v2.2
• Plug and Play Gateway v2.2
• Target router or switch
• Cisco Plug and Play Application (iOS/Windows based) or DHCP/TFTP servers
Deployment of PI and PnP GW
Option 1: Collapse PnP GW and PI server
• PI and the PnP GW can be installed and operated on the same host
(Diagram: PnP GW and Prime Infrastructure on one host, Target Device)
Option 2: Maintain PnP GW independent of PI server
• With PI and the PnP GW on separate hosts, PI can remain in the DC while the PnP GW is installed in the DMZ for access across the Internet
• An Internet-facing PnP GW is the trust anchor for every new device: use CNS over HTTPS and carry the gateway certificate in the Day0 template so a device cannot be redirected to a rogue gateway
(Diagram: PnP GW in the DMZ, Prime Infrastructure in the DC, Target Device)
PI Based ZTD Overview
Three phases, referred to as “Days”, are used to deploy a configuration:
• Day0:
• Basic IP connectivity, CNS configuration, basic routing, …
• Day1:
• Common configuration (AAA, routing protocols, …)
• Day2:
• Device specific configuration (interfaces configuration, VLANs, …)
PI Based ZTD Overview: Cisco IT Deployment
(Diagram: Target Device on the internal network, PnP Gateway, Prime Infrastructure, Plug and Play application)
Step 0: Provision target device
• Create day0 (bootstrap) and day1 configurations
• Create Plug and Play profile that consists of day0, day1 and image
Step 1: Install device
• Rack, stack and cable
Step 2: Apply day0 (bootstrap) configuration to device
• Pushed by the Plug and Play application
Step 3: Device requests configuration via CNS
Step 4: Day1 configuration & image provided
Step 5: Day2 configuration provisioned and applied to device
Device Provisioning: Plug and Play Profiles
• Defines features and configurations for new deployments.
• Easy to reuse
• Required for communication with PI
• Organizes provisioning components by
• Device type
• Deployment Scenario (topology)
Day0 template considerations
• Day0 template is “one-size-fits-all”
• Apache VTL (Velocity Template Language) for flexible scripting logic
• Users populate variables during pre-provisioning to generate the device-specific Day0 configuration
• Configuration built from the Day0 template:
• Hostname
• Management interface IP address/mask
• IP routing
• PnP GW certificate (if using CNS over HTTPS)
• CNS commands
Day2 – Finalizing the device configuration
• Device-specific configurations:
• Interfaces
• QoS
• TrustSec
• ION (Internet Only Network – Guest)
• CNS negation (removes the Day0 CNS commands once the device is managed by PI)
• Deployed remotely to devices managed by PI
• Runs as a configuration job in the PI console
• Communicates over SSH with the target device
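The Day0 and Day2 steps above, as an added example that is not part of the original deck and not Cisco IT's own templates: a Python renderer that substitutes the pre-provisioning variables into a Day0 bootstrap skeleton (using `$name` references, the same form Apache VTL accepts), converts the management address from CIDR to a dotted mask (the conversion named under Lessons Learned), refuses to render a CNS-over-HTTPS bootstrap without the PnP GW certificate fingerprint, and produces a Day2 VLAN/interface configuration that ends with the CNS negation. The IOS command lines, the `PNP-GW` trustpoint name, the variable names and all sample values are this example's assumptions.

```python
"""Day0 (bootstrap) and Day2 renderers for a PI/PnP Gateway ZTD flow.

Added example, not Cisco IT's templates. Variables use the $name form that
both Apache VTL and Python's string.Template accept; IOS command lines,
the PNP-GW trustpoint name and all sample values are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from string import Template

HOSTNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")

# One-size-fits-all Day0 skeleton: just enough to reach the PnP Gateway over CNS.
DAY0_TEMPLATE = Template("""\
hostname $hostname
!
interface $mgmt_interface
 ip address $mgmt_ip $mgmt_mask
 no shutdown
!
ip routing
ip route 0.0.0.0 0.0.0.0 $default_gateway
!
$trustpoint
cns trusted-server all-agents $pnp_gw
cns id hostname
cns id hostname event
cns event $pnp_gw 11011
cns config initial $pnp_gw $cns_target
""")


def cidr_to_mask(cidr: str) -> tuple[str, str]:
    """'10.20.30.5/24' -> ('10.20.30.5', '255.255.255.0'): users enter CIDR, IOS wants a mask."""
    iface = ipaddress.ip_interface(cidr)
    if iface.version != 4:
        raise ValueError(f"IPv4 interface address expected, got {cidr!r}")
    return str(iface.ip), str(iface.network.netmask)


def render_day0(v: dict) -> str:
    """Build the device-specific Day0 config from pre-provisioning variables."""
    if not HOSTNAME_RE.match(v["hostname"]):
        raise ValueError(f"invalid hostname {v['hostname']!r}")
    mgmt_ip, mgmt_mask = cidr_to_mask(v["mgmt_cidr"])
    gateway = ipaddress.ip_address(v["default_gateway"])
    if gateway not in ipaddress.ip_interface(v["mgmt_cidr"]).network:
        raise ValueError("default gateway is not on the management subnet")
    https = bool(v.get("cns_https", False))
    fingerprint = v.get("pnp_gw_fingerprint", "")
    if https and not re.fullmatch(r"[0-9A-Fa-f]{40}", fingerprint):
        # Without the gateway certificate the bootstrap would trust whatever
        # answers at the PnP GW address; refuse to emit a config that cannot verify it.
        raise ValueError("CNS over HTTPS needs the PnP GW certificate SHA-1 fingerprint")
    trustpoint = ""
    if https:  # trustpoint stanza is an assumed simplification of the IOS form
        trustpoint = ("crypto pki trustpoint PNP-GW\n enrollment terminal pem\n"
                      f" fingerprint {fingerprint}\n revocation-check none\n!")
    rendered = DAY0_TEMPLATE.substitute(
        hostname=v["hostname"], mgmt_interface=v["mgmt_interface"],
        mgmt_ip=mgmt_ip, mgmt_mask=mgmt_mask, default_gateway=str(gateway),
        pnp_gw=v["pnp_gw"], trustpoint=trustpoint,
        cns_target="encrypt 443" if https else "80")
    return "\n".join(line for line in rendered.splitlines() if line.strip())


def render_day2(v: dict) -> str:
    """Device-specific Day2 config that a PI job pushes over SSH, ending with CNS negation."""
    vlan_ids = {vlan["id"] for vlan in v["vlans"]}
    lines: list[str] = []
    for vlan in v["vlans"]:
        lines += [f"vlan {vlan['id']}", f" name {vlan['name']}", "!"]
    for intf in v["interfaces"]:
        if intf["vlan"] not in vlan_ids:
            raise ValueError(f"{intf['name']} references undefined VLAN {intf['vlan']}")
        lines += [f"interface {intf['name']}", f" description {intf['description']}",
                  " switchport mode access", f" switchport access vlan {intf['vlan']}", "!"]
    # CNS negation: PI now manages the device over SSH, so the Day0 bootstrap
    # agent must stop polling the PnP Gateway for configuration.
    lines += ["no cns config initial", "no cns event",
              "no cns id hostname event", "no cns id hostname"]
    return "\n".join(lines)


# Constructed sample input (documentation address ranges, not real Cisco IT values).
SAMPLE_DAY0 = {
    "hostname": "ro-sw-01", "mgmt_interface": "Vlan100",
    "mgmt_cidr": "10.20.30.5/24", "default_gateway": "10.20.30.1",
    "pnp_gw": "198.51.100.10", "cns_https": True,
    "pnp_gw_fingerprint": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
}
SAMPLE_DAY2 = {
    "vlans": [{"id": 100, "name": "MGMT"}, {"id": 200, "name": "USERS"}],
    "interfaces": [{"name": "GigabitEthernet1/0/1", "description": "desk-1", "vlan": 200}],
}

if __name__ == "__main__":
    print(render_day0(SAMPLE_DAY0))
    print(render_day2(SAMPLE_DAY2))
```

The checks are the part worth copying: a gateway outside the management subnet or a malformed hostname fails at render time rather than on the device, and a Day0 that asks for CNS over HTTPS without the gateway fingerprint is rejected, because that bootstrap is the only thing standing between a freshly racked device and an attacker answering on the gateway address.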
Focus first on the Remote Office – Why?
• Opportunity to reduce deployment resources and travel costs
• Devices such as desktop switches (4510) share a similar configuration with the Campus
• Target the next generation of network devices and RO topologies:
• Small
• Medium
• Large
Remote Office HW Target State
Function        Current Hardware                          Next Generation Hardware
WAN GW          >= OC3/155 Mbps: ASR 1K                   > GE: ASR 1K
                < OC3/155 Mbps: ISR G2 3945, 2951, 891    <= GE: ISR 4451-X
LAN GW          6500/Sup720                               > 40 ports: 6500/Sup2T
                                                          <= 40 ports: 4500-X
LAN SW          Modular chassis: 4500/Sup7E               Modular chassis: 4500/Sup8E
                Fixed/stackable: 3750-X                   Fixed/stackable: 3850
WLC             Appliance 5508                            Integrated into LAN SW
WAAS            Appliance 8541, 7571, 694                 Virtualized on 4451-X & UCS
APs             3500                                      3700
LAB GW          3945, 2951                                ISR 4451-X
Console Server  2901                                      ISR 4451-X
Small Office (1 – 24 users)
• Equipment installed in a noise-damping portable rack
• Wiring closet not required
Components (diagram: WAN, wired LAN, wireless LAN 802.11ac, LAB GW):
• ISR 4451-X: WAN - 4 GE ports; voice - SRST, TDM voice module; ISR-WAAS with AppNav-XE
• Catalyst 3850: up to 48 GE/PoE+ ports; built-in WLC
• 3700 Series APs: target of 15 users per AP
Medium Office (25 – 299 users)
Components (diagram: WAN, wired LAN, wireless LAN 802.11ac, WAAS, voice GW, console server, LAB GW):
• ASR 1004: WAN > GE
• ISR 4451-X: WAN; voice
• Catalyst 3850: up to 48 GE/PoE+; built-in WLC
• Catalyst 4510/Sup8: up to 384 GE/UPoE; built-in WLC
• 3700 Series APs: target of 15 users per AP
Large Office (300+ users)
Components (diagram: WAN, core, wired LAN, wireless LAN 802.11ac, WAAS, voice GW, console server, LAB GW):
• ASR 1004: WAN > GE
• ISR 4451-X: WAN; voice
• Catalyst 6500/Sup2T (core): VSS; up to 2 Tbps capacity
• Catalyst 4500-X (core): VSS; 800G switching capacity
• Catalyst 4510/Sup8E: up to 384 GE/UPoE; built-in WLC
• Catalyst 3850: up to 48 GE/PoE+; built-in WLC
• 3700 Series APs: target of 15 users per AP
Configuration Lifecycle Management
• CLM is a centralized configuration solution
• Content control:
• Revision control (interfacing PI with SVN)
• Change tracking and approval (interfacing PI with Cisco Process Orchestrator)
• Optimization of configuration creation:
• Reusable blocks of sub-configurations (templates)
• Object-oriented configuration structure (recursive composite templates)
• CLM generates standard PI templates that can be used by devices (manual push, ZTD, …)
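The recursive composite templates described above, as an added example that is not Cisco IT's CLM code: a small Python library of reusable sub-configuration blocks, a composite block that includes them, a flattening step that turns the tree into one plain PI-style template (with cycle detection, since a recursive composite must be a tree), and a strict render that lists every `$variable` the user has to fill in before anything is pushed. The block names, the CLI bodies, the `@include <block>` directive (Velocity's own equivalents are `#parse`/`#include`) and the sample values are this example's assumptions.

```python
"""Recursive composite templates flattened into one PI-style template.

Added example, not Cisco IT's CLM code. Block names and CLI bodies are
constructed; the "@include <block>" line is this example's own composition
directive, and variables use the $name form that Apache VTL also accepts.
"""
from __future__ import annotations

from string import Template

# Constructed library of reusable sub-configurations (the "Golden Config" blocks).
LIBRARY: dict[str, str] = {
    "aaa-common": "aaa new-model\naaa authentication login default group tacacs+ local\n!",
    "ospf-area": "router ospf $ospf_pid\n network $ospf_network $ospf_wildcard area $ospf_area\n!",
    "mgmt-access": "line vty 0 4\n access-class $mgmt_acl in\n transport input ssh\n!",
    # Composite: a remote-office Day1 template assembled from the blocks above.
    "ro-day1": "@include aaa-common\n@include ospf-area\n@include mgmt-access",
}


def expand(name: str, library: dict[str, str] = LIBRARY,
           stack: tuple[str, ...] = ()) -> str:
    """Flatten a composite template into CLI text that still holds $variables."""
    if name in stack:  # recursive composites must form a tree, not a loop
        raise ValueError("template cycle: " + " -> ".join(stack + (name,)))
    if name not in library:
        raise KeyError(f"unknown template {name!r}")
    out = []
    for line in library[name].splitlines():
        if line.startswith("@include "):
            child = line[len("@include "):].strip()
            out.append(expand(child, library, stack + (name,)))
        else:
            out.append(line)
    return "\n".join(out)


def required_variables(name: str, library: dict[str, str] = LIBRARY) -> set[str]:
    """Every $variable the flattened template needs; this is what the user's input form asks for."""
    names = set()
    for m in Template.pattern.finditer(expand(name, library)):
        ident = m.group("named") or m.group("braced")
        if ident:
            names.add(ident)
    return names


def render(name: str, values: dict[str, str], library: dict[str, str] = LIBRARY) -> str:
    """Strict render: a missing value fails the job instead of leaving a literal
    '$mgmt_acl' in the config, which IOS would reject, leaving the vty lines
    without an access class."""
    missing = required_variables(name, library) - set(values)
    if missing:
        raise ValueError(f"{name}: missing variables {sorted(missing)}")
    return Template(expand(name, library)).substitute(values)


# Constructed sample values for the remote-office Day1 composite.
SAMPLE_VALUES = {"ospf_pid": "100", "ospf_network": "10.20.30.0",
                 "ospf_wildcard": "0.0.0.255", "ospf_area": "0", "mgmt_acl": "MGMT-ONLY"}

if __name__ == "__main__":
    print(sorted(required_variables("ro-day1")))
    print(render("ro-day1", SAMPLE_VALUES))
```

`required_variables` is what lets a tool build the data-entry form from the template itself, which is the practical side of the "simplify and minimize variables" lesson: every variable a composite pulls in shows up in the list, so unused or duplicated ones are visible before users are asked to fill them.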
Cisco IT Prime Infrastructure extensions
(Diagram: Configuration Lifecycle Management drives Prime Infrastructure through its APIs; Subversion version control holds the Development Config and the Production Golden Config, and the Cisco Process Orchestrator approval system gates promotion; inputs are New Device, New Service and Configuration Update)
Opportunity to simplify documentation
• A cookbook is a Word document created per “Place In the Network” (PIN), detailing how to deploy new or existing networks
• Generic PIN configuration (cutsheets) is embedded in the cookbook
• Cutsheets comprise over half of the 2,000 page Remote Office cookbook
• Cutsheets require the most frequent updates compared to the rest of the cookbook
• Cutsheets are labor intensive and require review/updates to multiple sections
Lessons learned
• Simplify the network
• Many standards are difficult to automate!
• Plan a hierarchical template structure
• Repeatable content for composite templates
• Simplify and minimize variables
• Work with users to:
• Create intuitive labels
• Organize variables for easier data input
• Focus on manipulating data in a programmatic manner:
• CIDR for subnet mask conversion
• Poll DB variables for the Day2 template
Cisco Live session; recordings are available on demand at CiscoLive.com/Online