
Inside Cisco IT: Zero Touch Deployment Using Cisco Prime Infrastructure

Stephen Hoover - Member of Technical Staff

David Iacobacci - Member of Technical Staff

Mary Kadomoto - Director

BRKCOC-2001

Agenda

• Introduction

• The “Zero Touch Deployment process”

• Cisco IT Deployment Strategy

• IT Extensions

• Lessons Learned

• Demo

• Conclusion

What is Zero Touch Deployment?

• Capability to securely automate the following activities associated with a device:

• Provisioning

• Deployment

• Upgrades

(Diagram: device lifecycle stages: Rack, Stack, Cable; Provision; Deploy; Operate; Upgrade)

Reasons to pursue ZTD

Save money:

• Cut incident rates due to inconsistent configurations

• Reduce skills level necessary to deploy production network devices

• Shorten time to deploy

Inside Cisco IT

• Network of 100,000+ devices

• Prime Infrastructure as part of Cisco IT network management strategy

• 6 instances across the globe

• Close collaboration with PI BU (CVG)

• EFTs

• Enhancement requests

• Cisco IT extensions

Existing Cisco ZTD Solutions

• Autoinstall

• IOS device obtains configuration via DHCP and TFTP during boot-up sequence

• Smart Install

• Switches

• Configuration Engine

• Large number of devices with similar configurations, pushed via cns protocol

• Tcl Scripts

Cisco IT ZTD experience with CVO

CVO - Cisco Virtual Office Teleworker Solution

• SDP: Secure Device Provisioning Registrar (IOS with templates)

• Configuration Engine: push configurations and images to routers

• Cisco Security Manager: Repository for templates and policies

(Diagram: teleworker router reaching the Corporate Network over an Encrypted Tunnel across the Internet)

The “Zero Touch Deployment” process

Components to implement ZTD using PI

• Prime Infrastructure v2.2

• Plug and Play Gateway v2.2

• Target router or switch

• Cisco Plug and Play Application (iOS/Windows based) or DHCP/TFTP servers

Deployment of PI and PnP GW

Option to collapse PnP GW and PI server

- PI and the PnP GW could be installed and operated on the same host

(Diagram: PnP GW and Prime Infrastructure on one host, connected to the Target Device)

Maintain PnP GW independent of PI server

By maintaining PI and the PnP GW on independent devices, PI could remain in the DC while the PnP GW could be installed in the DMZ for access across the Internet

(Diagram: PnP GW in the DMZ, Prime Infrastructure in the DC, Target Device connecting to the PnP GW)

PI Based ZTD Overview

Three phases, referred to as “Days”, are used to deploy a configuration:

• Day0:

• Basic IP connectivity, CNS configuration, basic routing, …

• Day1:

• Common configuration (AAA, routing protocols, …)

• Day2:

• Device specific configuration (interfaces configuration, VLANs, …)

PI Based ZTD Overview - Cisco IT Deployment

(Diagram: Target Device on the Internal network, Plug and Play application, PnP Gateway, Prime Infrastructure)

Step 0: Provision target device

• Create day0 (bootstrap) and day1 configurations

• Create Plug and Play profile that consists of day0, day1 and image

Step 1: Install device

• Rack, stack and cable

Step 2: Apply day0 (bootstrap) configuration to device

Step 3: Device requests configuration via cns

Step 4: Day1 configuration & image provided

Step 5: Day2 configuration provisioned and applied to device

Device Provisioning: Plug and Play Profiles

• Defines features and configurations for new deployments.

• Easy to reuse

• Required for communication with PI

• Organizes provisioning components by

• Device type

• Deployment Scenario (topology)

High Level Overview

(Diagram: User Input (Variables) feed Device Provisioning through the Plug and Play Profile, which bundles the Day0 and Day1 templates (AAA, ACLs, Global Templates) and the IOS Image)

Day0 template considerations

• Day0 template is “one-size-fits-all”

• Apache VTL for flexible scripting logic

• Users populate variables during pre-provisioning to generate the device specific Day0 configuration

• Configuration built for the Day0 template

• Hostname

• Management interface IP address/mask

• IP routing

• PnP GW certificate (if using CNS over HTTPS)

• CNS commands

Day0 (bootstrap) template

Bootstrap template variables

Day0 template form view

Day1 template

Plug and Play profile

Device provisioning profile

Device provisioning profiles

PnP App provisioning profile download

PnP App provisioning profile deployment

Verifying successful deployment

Day2 – Finalizing the device configuration

• Device specific configurations:

• Interfaces

• QoS

• TrustSec

• ION (Internet Only Network – Guest)

• CNS negation

• Deployed remotely to devices managed by PI

• Runs as configuration job in PI console

• Communicates over SSH with target device

Day2 - Finishing the ZTD deployments

(Diagram: User Input (Variables) feed the Day2 Composite Template)

Cisco IT Deployment Strategy

Focus first on the Remote Office – Why?

• Opportunity to reduce deployment resources and travel costs

• Devices such as desktop switches (4510) share similar configuration with Campus

• Target next generation of network devices and RO topologies

• Small

• Medium

• Large

Remote Office HW Target State

Function        Current Hardware                          Next Generation Hardware
WAN GW          >= OC3/155 Mbps - ASR 1K                  > GE - ASR 1K
                < OC3/155 Mbps - ISR G2 3945, 2951, 891   <= GE - ISR 4451-X
LAN GW          6500/Sup720                               > 40 ports - 6500/Sup2T
                                                          <= 40 ports - 4500-X
LAN SW          Modular Chassis - 4500/Sup7E              Modular Chassis - 4500/Sup8E
                Fixed/Stackable - 3750-X                  Fixed/Stackable - 3850
WLC             Appliance 5508                            Integrated into LAN SW
WAAS            Appliance 8541, 7571, 694                 Virtualized on 4451-X & UCS
APs             3500                                      3700
LAB GW          3945, 2951                                ISR 4451-X
Console Server  2901                                      ISR 4451-X

Small Office (1 – 24 users)

• Equipment installed in noise damping portable rack

• Wiring closet not required

ISR 4451-X

• WAN - 4 GE ports

• Voice - SRST, TDM voice module

• ISR-WAAS w/App-NAV-XE

Catalyst 3850

• Up to 48 GE/PoE+ ports

• Built-in WLC

3700 Series APs

• Target of 15 users per AP

(Diagram: WAN, Wired LAN, Wireless LAN (802.11ac), LAB GW)

Medium Office (25 – 299 users)

ASR 1004

• WAN > GE

ISR 4451-X

• WAN

• Voice

Catalyst 3850

• Up to 48 GE/PoE+

• Built-in WLC

Cat 4510/Sup8

• Up to 384 GE/UPoE

• Built-in WLC

3700 Series APs

• Target of 15 users per AP

(Diagram: WAN, Wired LAN, Wireless LAN (802.11ac), WAAS, Voice GW, Console Srv, LAB GW)

Large Office (300+ users)

ASR 1004

• WAN > GE

ISR 4451-X

• WAN

• Voice

Catalyst 3850

• Up to 48 GE/PoE+

• Built-in WLC

Catalyst 4510/8E

• Up to 384 GE/UPoE

• Built-in WLC

Catalyst 4500-X

• 800G switching capacity

• VSS

Catalyst 6500/2T

• Up to 2TB capacity

• VSS

3700 Series APs

• Target of 15 users per AP

(Diagram: WAN, Wired LAN, Core, Wireless LAN (802.11ac), WAAS, Voice GW, Console Srv, LAB GW)

IT Extensions: Configuration Lifecycle Management

Configuration Lifecycle Management

• CLM is a centralized configuration solution

• Content control

• Revision control (interfacing PI with SVN)

• Change tracking and approval (interfacing PI with Cisco Process Orchestrator)

• Optimization of configuration creation

• Reusable blocks of sub-configurations (templates)

• Object-oriented configuration structure (recursive composite templates)

• CLM generates standard PI templates that can be used by devices (manual push, ZTD, …)

Cisco IT Prime Infrastructure extensions

(Diagram: Configuration Lifecycle Management connected to the Prime Infrastructure API's, Subversion Version Control and the Cisco Process Orchestrator Approval System; inputs are New Device, New Service and Configuration Update; a Development Config is promoted to the Production Golden Config)

Opportunity to simplify documentation

• A cookbook is a Word document created per “Place In the Network” (PIN), detailing how to deploy new or existing networks

• Generic PIN Configuration (cutsheets) is embedded in the cookbook

• Cutsheets comprise over half of the 2,000 page Remote Office cookbook

• Cutsheets require most frequent updates

• Compared to rest of cookbook

• Cutsheets are labor intensive, require review/updates to multiple sections

Lessons Learned

Lessons learned

• Simplify the network

• Many standards are difficult to automate!

• Plan hierarchical template structure

• Repeatable content for composite templates

• Simplify and minimize variables

• Work with users to:

• Create intuitive labels

• Organize variables for easier data input

• Focus on manipulating data in programmatic manner

• CIDR for subnet mask conversion

• Poll DB variables for Day2 template
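The “Day0 template considerations” slide and the “CIDR for subnet mask conversion” lesson both describe turning user-entered variables into a device-specific bootstrap configuration. The following is an added example in Python, not Cisco IT's or Prime Infrastructure's code: it renders a constructed Day0 template whose VTL-style $variable references happen to match Python's string.Template syntax (VTL directives such as #if are not emulated), converts CIDR input to a dotted mask, rejects a gateway outside the management subnet, and checks the result for the required bootstrap elements. The hostname, addresses, PnP gateway name and port are constructed values.

```python
"""Render a Day0 (bootstrap) configuration from a template plus user
variables, converting CIDR input to a dotted mask along the way."""
import ipaddress
from string import Template

# Constructed Day0 template covering the slide's list: hostname, management
# interface IP/mask, IP routing and CNS commands. $name references are
# VTL-style simple references, rendered here with string.Template.
DAY0_TEMPLATE = """\
hostname $hostname
!
interface $mgmt_interface
 ip address $mgmt_ip $mgmt_mask
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 $default_gateway
!
cns trusted-server all-agents $pnp_gateway
cns id hostname
cns config initial $pnp_gateway $cns_port
cns exec
"""

# Elements every rendered bootstrap must contain before it is pushed.
REQUIRED_ITEMS = ("hostname ", "ip address ", "ip route ", "cns config initial ")

def cidr_to_mask(cidr: str) -> tuple:
    """'10.20.30.5/26' -> ('10.20.30.5', '255.255.255.192'): users type
    CIDR once instead of separate address and mask variables."""
    iface = ipaddress.ip_interface(cidr)
    return str(iface.ip), str(iface.netmask)

def render_day0(variables: dict, template: str = DAY0_TEMPLATE) -> str:
    """Fill the template. Template.substitute is strict: a missing
    variable raises KeyError instead of emitting a half-filled config."""
    iface = ipaddress.ip_interface(variables["mgmt_cidr"])
    gateway = ipaddress.ip_address(variables["default_gateway"])
    if gateway not in iface.network:  # sanity check on user input
        raise ValueError(f"gateway {gateway} is outside {iface.network}")
    mgmt_ip, mgmt_mask = cidr_to_mask(variables["mgmt_cidr"])
    values = {**variables, "mgmt_ip": mgmt_ip, "mgmt_mask": mgmt_mask}
    return Template(template).substitute(values)

def missing_bootstrap_items(config: str) -> list:
    """Return the required Day0 elements absent from a rendered config."""
    return [item for item in REQUIRED_ITEMS if item not in config]
```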

Demo

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you

Internet of Things (IoT) Cisco Education Offerings

Course: NEW! CCNA Industrial
Description: An associate level instructor led training course designed to prepare you for the CCNA Industrial certification
Cisco Certification: CCNA® Industrial

Course: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
Description: This curriculum addresses foundational skills needed to manage and administer networked industrial control systems. It provides plant administrators, control system engineers and traditional network engineers with an understanding of the networking technologies needed in today's connected plants and enterprises
Cisco Certification: Cisco Industrial Networking Specialist

Course: Control Systems Fundamentals for Industrial Networking (ICINS)
Description: For IT and Network Engineers, covers basic concepts in Industrial Control systems including an introduction to automation industry verticals, automation environment and an overview of industrial control networks

Course: Networking Fundamentals for Industrial Control Systems (INICS)
Description: For Industrial Engineers and Control System Technicians, covers basic IP and networking concepts, and introductory overview of Automation industry Protocols.

For more details, please visit: http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth or contact [email protected]

Network Programmability Cisco Education Offerings

Course: Integrating Business Applications with Network Programmability (NIPBA); Integrating Business Applications with Network Programmability for Cisco ACI (NPIBAACI)
Description: Learn networking concepts, and how to deploy and troubleshoot programmable network architectures with these self-paced courses.
Cisco Certification: Cisco Business Application Engineer Specialist Certification

Course: Developing with Cisco Network Programmability (NPDEV); Developing with Cisco Network Programmability for Cisco ACI (NPDEVACI)
Description: Learn how to build applications for network environments and effectively bridge the gap between IT professionals and software developers.
Cisco Certification: Cisco Network Programmability Developer Specialist Certification

Course: Designing with Cisco Network Programmability (NPDES); Designing with Cisco Network Programmability for Cisco ACI (NPDESACI)
Description: Learn how to expand your skill set from traditional IT infrastructure to application integration through programmability.
Cisco Certification: Cisco Network Programmability Design Specialist Certification

Course: Implementing Cisco Network Programmability (NPENG); Implementing Cisco Network Programmability for Cisco ACI (NPENGACI)
Description: Learn how to implement and troubleshoot open IT infrastructure technologies.
Cisco Certification: Cisco Network Programmability Engineer Specialist Certification

Cloud Cisco Education Offerings

Course: Designing the FlexPod Solution (FPDESIGN); Implementing and Administering the FlexPod Solution (FPIMPADM)
Description: Learn how to design, implement and administer FlexPod solutions
Cisco Certification: FlexPod Design Specialist; FlexPod Implementation & Administration Specialist

Course: UCS Director (UCSDF)
Description: Learn how to manage physical and virtual infrastructure using orchestration and automation functions of UCS Director.

Course: Cisco Prime Service Catalog
Description: Learn how to deliver data center, workplace, and application services in an on-demand, automated, and repeatable method.

Course: Cisco Intercloud Fabric
Description: Learn how to implement end-to-end hybrid clouds with Intercloud Fabric for Business and Intercloud Fabric for Providers.

Course: Cisco Intelligent Automation for Cloud
Description: Learn how to implement and manage cloud deployments with Cisco Intelligent Automation for Cloud