Installation Requirements

Network Requirements

This figure shows the network components and connections needed to install and use Cisco Crosswork Change Automation and Health Insights.

Figure 1. Crosswork Change Automation and Health Insights Network

Cisco Crosswork Change Automation and Health Insights Virtual Machine (VM)

The Cisco Crosswork Change Automation and Health Insights VM has the following vNICs:

  • Management NIC (eth0)—Used for traffic management to all Crosswork applications via the API or UI.

  • Data NIC (eth1)—Used for Crosswork applications to reach devices and Cisco Crosswork Data Gateway (northbound).

Cisco Crosswork Data Gateway VM

The Cisco Crosswork Data Gateway VM has the following vNICs:

  • Management NIC (eth0)—Provides control plane communication between Cisco Crosswork Data Gateway and Crosswork VM.

  • Southbound Data NIC (eth1)—Used for Cisco Crosswork Data Gateway collectors to reach devices.

  • Northbound Data NIC (eth2)—Sends data collected from devices to Crosswork applications or external data sinks (Kafka or gRPC receiver).

Cisco Network Services Orchestrator (NSO) VM

The NSO VM has the following vNICs:

  • Management NIC (eth0): Used for Crosswork applications to reach NSO.

  • Southbound data NIC (eth1): Used for NSO to reach devices (southbound) or RFS NSO.


Note

Multiple NICs are not required for any of the VMs. However, it is recommended to have separate vNICs so that security policies can be applied (virtually or physically on the switch) if needed.


Routed and Device Networks

Connectivity between the various components should be accomplished via an external routing entity (shown as 'Routed Network' in the figure). The figure shows various line styles suggesting possible routing domains within the Routed Network.

  • Solid—Management routing domain.

  • Dotted—Cisco Crosswork Data Gateway northbound data routing domain (towards Crosswork/External data sink).

  • Dashes—Device access routing domain (from Cisco Crosswork Data Gateway and NSO).

The IP/subnet addressing scheme on each of these domains depends on the type of deployment.

Routing between domains is needed for Crosswork and NSO to reach the devices. However, proper firewall rules need to be in place to allow only select sources (for example, Crosswork and NSO) to reach the devices.

If you plan to access devices via host name, be sure that host names are registered with your deployment’s DNS server.

On the Device network, devices may be reached in-band or via out-of-band management interfaces depending on the local security policies of each deployment.

An SR-PCE is both a device and an SDN controller. Some deployments may want to treat an SR-PCE as a device, in which case they would need access via the device network. Some deployments may want to treat an SR-PCE as an SDN controller and access it on the Management routing domain. Both of these models are supported.

To enable Crosswork access to an SR-PCE as an SDN controller on the management domain (shown in the figure), just add an SR-PCE as a provider.

To enable Crosswork access to an SR-PCE as a device on the device network (not shown in figure), add an SR-PCE as a provider with an additional property: outgoing-interface:eth1.

If you plan to use Zero Touch Provisioning, the device network needs to be equipped with a DHCP server.

Cisco Crosswork Change Automation and Health Insights Installation Requirements

Cisco Crosswork Change Automation and Health Insights deployment requirements vary, depending on which of the platform's components are installed together and the number of hosts. This section provides general guidelines and minimum requirements for installing Cisco Crosswork Change Automation and Health Insights on a single host, unless otherwise specified.

Virtual Machine (VM) Requirements

You can deploy Cisco Crosswork Change Automation and Health Insights as a VM on a host that meets the following minimum requirements.


Note

Upgrading Cisco Crosswork Change Automation and Health Insights generally requires additional storage apart from the following minimum requirements. For more information, see Upgrade Cisco Crosswork Change Automation and Health Insights.


Table 1.

Requirement

Description

Hypervisor and vCenter

  • VMware vCenter Server 6.7 Update 3b or later (ESXi 6.7 Update 1 installed on hosts).

  • VMware vCenter Server 6.5 Update 2d or later (ESXi 6.5 Update 2 installed on hosts)

Memory

96 GB

Storage

Storage requirements vary based on factors such as the number of devices being supported, amount of KPI data being collected, and the type of deployment selected.

For demos and lab environments, Cisco recommends the thin provision format as it requires the least amount of storage on the host machine. This deployment configuration uses roughly 23 GB of storage.

For live systems, Cisco recommends the Thick provision eager zeroed format which allocates 1 TB of storage by default. This should be sufficient for most customer use cases. Due to their performance, solid state drives (SSD) are preferred over traditional hard disk drives (HDD). If you are using HDD, the minimum speed should be 10,000 RPM.

For more information, see the volume requirements displayed in the VMware GUI when configuring disk space, as shown in Install Cisco Crosswork Change Automation and Health Insights Via vCenter.

vCPU

16 vCPUs

Network Connections

For live deployments, Cisco recommends using dual interfaces, one for the management network and one for the data network between Cisco Crosswork Change Automation and Health Insights and Cisco Crosswork Data Gateway.

For demos and lab deployments you can choose between using a single interface or dual interfaces.

IP Addresses

Two IP addresses (IPv4 or IPv6): One public IP for the Management Network virtual interface and one public or private IP for the Data Network virtual interface.

NTP Servers

The IPv4/IPv6 addresses or host names of the NTP servers you plan to use. If you want to enter multiple NTP servers, separate them with spaces. These should be the same NTP servers you use to synchronize devices, clients, and servers across your network. Confirm that the NTP servers are reachable on the network before attempting the install. The install will fail if the servers cannot be reached.

DNS Servers

The IPv4/IPv6 addresses of the DNS servers you plan to use. These should be the same DNS servers you use to resolve host names across your network. Confirm that the DNS servers are reachable on the network before attempting the install. The install will fail if the servers cannot be reached.

DNS Search Domain

The search domain you want to use with the DNS servers (for example, cisco.com). You can only have one search domain.

Disclaimer

The text of the legal disclaimer displayed to clients accessing the VM via the command line. Consult your organization's IT or legal department for the content of this text.

Important Notes

  • The VM runs Ubuntu Server 18.04.1 (ubuntu-18.04.1-server).

  • Kubernetes runs within the Cisco Crosswork Change Automation and Health Insights VM and uses Docker for containerization. The number of containers varies as applications are added or deleted.

Platform Support for Telemetry

Cisco Crosswork Change Automation and Health Insights supports model-driven telemetry (MDT), SNMP and CLI protocols on the following platforms.

OS Platform Software Version [1] Collection Protocol Encoding Transport

Cisco IOS-XR

Cisco ASR 9K (ASR 9001, ASR 9004)

6.4.1, 6.5.1, 6.5.2, 6.5.3, 6.6.2

MDT

KVGPB

TCP

Cisco NCS 5500

6.4.1, 6.5.3, 6.6.2

Cisco XRV9K

6.5.1, 6.5.2, 6.5.3, 6.6.2

Cisco NCS 6000

6.4.1, 6.4.2

Cisco NCS 1K (NCS 1004)

7.0.1

Cisco CRS (CRS 1K, CRS 3K)

6.4.2

Cisco IOS-XE

Cisco CSR 1Kv

16.10

SNMP

CLI

Cisco ASR 1K (ASR 1006)

16.9.2, 16.10

Cisco NX-OS

Cisco Nexus 9K

7.0(3).7(2)

Cisco Nexus 7K

8.4(0).SK(1)

[1] Includes any later version that is backward-compatible with the 6.2.1 (device-native) or 6.1.4 XR CLI YANG model (as appropriate). Before attempting to deploy with a particular later version, please check for compatibility with your Cisco Customer Experience team.

Note

Cisco Crosswork Change Automation and Health Insights version 3.2 does not support ASR 9901 version 7.0.1 due to platform issues.



Note

The platform support information is provided with the assumption that you plan to stream telemetry in band with other traffic. If you want to stream telemetry via a separate management VRF, you must use Cisco IOS XR version 6.2.1 or later.

Cisco NSO and NED Requirements

| Software/Driver | Version |
|---|---|
| Cisco Network Services Orchestrator (Cisco NSO) | 5.2.03 |
| Cisco IOS XR Network Element Driver (NED) | 7.13.9 |
| Cisco IOS Network Element Driver | 6.36 |

Supported Web Browsers

This version of Cisco Crosswork Change Automation and Health Insights supports the web browsers shown in the table below.

Recommended display resolution: 1600 x 900 pixels or higher (minimum: 1366 x 768).

| Browser | Version |
|---|---|
| Google Chrome | 70 or later |
| Mozilla Firefox | 70 or later |

In addition to using a supported browser, all client desktops accessing geographical map information in the Cisco Crosswork Change Automation and Health Insights topology maps must be able to reach the mapbox.com map data URL directly, via the standard HTTPS port 443. Similar guidance may apply if you choose a different map data provider, as explained in "Configure Geographical Map Settings" in the Cisco Crosswork Change Automation and Health Insights User Guide.

Ports Used

As a general policy, any ports that are not needed should be disabled. To view a list of all open listening ports, log in as a Linux CLI admin user and run the netstat -aln command.

The following table lists the external ports that are open on the Cisco Crosswork Change Automation and Health Insights VM.

Table 2. External Ports That Are Open on the VM

| Port | Protocol | Usage |
|---|---|---|
| 22 | TCP | Remote SSH traffic |
| 323 | UDP | Network Time Protocol (NTP) listener |
| 30603 | TCP | User interface (NGINX server listens for secure connections on port 443) |
| 30607 | TCP | To collect vitals from and download images to Cisco Crosswork Data Gateway |
| 30649 | TCP | To monitor Cisco Crosswork Data Gateway status. |
| 30993 | TCP | Cisco Crosswork Data Gateway sends the collected data to Crosswork Kafka destination. |
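The netstat check above can be compared against Table 2 automatically. The script below is an added example, not Cisco-provided code: it reads netstat -aln output and lists non-loopback TCP/UDP listeners whose port is not in Table 2, so they can be reviewed. The function names and the sample listing (constructed, using documentation addresses) are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Cisco code): list listeners that Table 2 does not document.

# External ports from Table 2, written as proto/port.
DOCUMENTED="tcp/22 udp/323 tcp/30603 tcp/30607 tcp/30649 tcp/30993"

# Reads `netstat -aln` output on stdin and prints each non-loopback listener
# (proto/port, sorted, de-duplicated) that is absent from DOCUMENTED.
undocumented_listeners() {
  awk -v allow="$DOCUMENTED" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }              # headers, UNIX domain sockets
    {
      proto = $1; sub(/6$/, "", proto)          # fold tcp6/udp6 into tcp/udp
      # TCP listeners have state LISTEN. Unconnected UDP sockets have no state
      # column, so they are recognised by the wildcard foreign address.
      if (proto == "tcp" && $6 != "LISTEN") next
      if (proto == "udp" && $5 !~ /:\*$/) next
      port = $4; sub(/^.*:/, "", port)          # text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host ~ /^127\./ || host == "::1") next  # loopback only: skip
      key = proto "/" port
      if (!(key in ok)) print key
    }' | LC_ALL=C sort -u
}

# Constructed sample of `netstat -aln` output (documentation addresses).
sample_netstat() {
  cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6443          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.50:51514        ESTABLISHED
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::30603                :::*                    LISTEN
tcp6       0      0 :::30993                :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:323             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp6       0      0 ::1:323                 :::*
Active UNIX domain sockets (servers and established)
EOF
}

echo "Listeners to review (not in Table 2):"
sample_netstat | undocumented_listeners
```

On the VM, pipe the real netstat -aln output into undocumented_listeners in place of the sample. An entry in the result is a prompt to identify the owning service, not proof of a problem.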

The following table lists the destination ports on external devices that may be protected by a firewall. Cisco Crosswork Change Automation and Health Insights uses these ports to connect to network devices. You must open the required ports to allow Cisco Crosswork Change Automation and Health Insights to connect to these devices.

Table 3. Destination Ports Used by Cisco Crosswork Change Automation and Health Insights

| Port | Protocol | Usage |
|---|---|---|
| 7 | TCP/UDP | Discover endpoints using ICMP |
| 22 | TCP | Initiate SSH connections with managed devices |
| 53 | TCP/UDP | Connect to DNS |
| 123 | UDP | Network Time Protocol (NTP) |
| 830 | TCP | Initiate NETCONF |

Cisco Crosswork Data Gateway Installation Requirements

This section provides general guidelines and minimum requirements for installing Cisco Crosswork Data Gateway.

Virtual Machine (VM) Requirements

You can deploy Cisco Crosswork Data Gateway as a VM on a host that meets the following minimum requirements:

Requirement

Hypervisor

  • VMware vCenter Server 6.7 Update 3b or later (ESXi 6.7 Update 1 installed on hosts)

  • VMware vCenter Server 6.5 Update 2d or later (ESXi 6.5 Update 2 installed on hosts)

Memory

32 GB

Disk space

50 GB

Note 

This is the deployment size only. Once started, VM disk space will increase based on the VMware overhead.

vCPU

8 vCPUs

Interfaces

Three virtual interfaces in the VM:

  • One virtual interface for management network traffic, including SSH access to the VM. The DNS and NTP servers, and the default gateway, must be reachable via this interface.

  • One virtual interface for Northbound data traffic:

    • The Cisco Crosswork Change Automation and Health Insights data interface must be reachable from this interface (routable) to be able to connect to Kafka data destinations.

    • Cisco Crosswork Data Gateway uses this interface to receive collection jobs and send back their statuses to Crosswork.

    • This interface is also used by external applications other than Cisco Crosswork Change Automation and Health Insights.

  • One virtual interface for Southbound data traffic. The devices must be reachable via this interface (routable).

IP Addresses

Three IPv4 or IPv6 addresses: One public IP for the management network virtual interface and two public or private IPs for the Northbound and Southbound data network virtual interfaces.

The DNS and NTP servers, and the default gateway, must be reachable via the management network IP address. The data destinations must be reachable via Northbound data network IP address. The managed devices and providers must be reachable via Southbound data network IP address.

NTP Servers

The IPv4/IPv6 addresses or host names of the NTP servers you plan to use. If you want to enter multiple NTP servers, separate them with spaces. These should be the same NTP servers you use to synchronize devices, clients, and servers across your network. Confirm that the NTP IP address or host name is reachable on the network or installation will fail.

Also, the ESXi hosts that will run the Cisco Crosswork Change Automation and Health Insights and Cisco Crosswork Data Gateway VM must have NTP configured, or the initial handshake may fail with "certificate not valid" errors.

DNS Servers

The IPv4/IPv6 addresses of the DNS servers you plan to use. These should be the same DNS servers you use to resolve host names across your network.

DNS Search Domain

The search domain you want to use with the DNS servers (for example, cisco.com). You can only have one search domain.

Destination Networks

For live deployments, we recommend one virtual switch for the Data Network (the connection between the Cisco Crosswork Change Automation and Health Insights VM and the Cisco Crosswork Data Gateway VM) and a second virtual switch for all the management traffic (VMs to DNS, NTP, and the network you will use to access and manage the applications).


Note

The VM runs Ubuntu Server 18.04.1 (ubuntu-18.04.1-server).


Supported Cisco OS


Note

The table below lists only the software versions on which Cisco Crosswork Data Gateway 1.1.2 was tested. Cisco Crosswork Data Gateway allows you to expand device coverage by means of custom packages. See the section "Manage Custom Software Packages" in the Cisco Crosswork Change Automation and Health Insights 3.2 User Guide for information on how to expand the device coverage.


OS Software Version Collection Protocols MDT Encoding
IOS-XR*

6.4.1, 6.4.2

6.5.1, 6.5.2, 6.5.3

6.6.2, 6.6.3

7.0.1

MDT

CLI

SNMP

KVGPB/TCP
IOS-XE

16.9.2, 16.10

17.1.1

SNMP

CLI

NA
NX-OS

7.0(3).7(2)

8.4(0).SK(1)

NA

*For MDT configuration via NSO on IOS-XR, use NSO XR NED 7.13.9.


Note

All collection types support IPv4 and IPv6. For any IPv4/IPv6 and Day0 configs and limitations for different device platforms, please refer to your network administrator and the platform configuration guide.


Ports Used

As a general policy, any ports that are not needed should be disabled.

The following table shows the minimum set of ports needed for Cisco Crosswork Data Gateway to operate correctly.


Note

SCP port can be tuned.


Table 4. Ports to be Opened on Cisco Crosswork Data Gateway Management Interface

| Port | Protocol | Used for... | Direction |
|---|---|---|---|
| 22 | TCP | SSH server | Inbound |
| 22 | TCP | SCP client | Outbound |
| 123 | UDP | NTP Client | Outbound |
| 53 | UDP | DNS Client | Outbound |
| 30607 | TCP | Crosswork Controller | Outbound |

Table 5. Ports to be Opened on Cisco Crosswork Data Gateway Northbound Interface

| Port | Protocol | Used for... | Direction |
|---|---|---|---|
| 30649 | TCP | Crosswork Controller | Outbound |
| 30993 | TCP | Crosswork Kafka | Outbound |
| Site Specific | Site Specific | Kafka and gRPC Destination | Outbound |

Table 6. Ports to be Opened on Cisco Crosswork Data Gateway Southbound Interface

| Port | Protocol | Used for... | Direction |
|---|---|---|---|
| 161 | UDP | SNMP Collector | Inbound |
| 1062 | UDP | SNMP TrapCollector | Inbound |
| 9010 | TCP | MDT Collector | Inbound |
| 22 | TCP | CLI Collector | Outbound |

The Interface role to physical name mapping is:

  • Management Interface: eth0

  • Southbound Data Interface: eth1

  • Northbound Data Interface: eth2