Cisco Crosswork Zero Touch Provisioning 2.0 Release Notes

This document provides an overview of Cisco Crosswork Zero Touch Provisioning, its new features, and any limitations for this release.

Overview of Cisco Crosswork Zero Touch Provisioning

Cisco customer businesses are growing, and their network footprint is expanding at very fast rates. This puts an increasing strain on customer deployment teams as they run into an ever-increasing backlog of work to keep up with all the activity.

A key customer request has been to automate the onboarding of new devices into their network, reducing the need to send deployment teams on site for provisioning and onboarding and increasing the speed at which the equipment becomes available for use. Cisco Crosswork Zero-Touch Provisioning (ZTP) allows customers to provision and onboard new Cisco® IOS-XR devices automatically. Using a common GUI and API via the Crosswork Infrastructure, the network administrator can define policies for the provisioning of new devices. The result is a simplified onboarding process translating to significant time and cost savings by automating the process across many devices.

The Cisco Crosswork ZTP app provides an integrated turnkey solution to onboard a range of XR devices and enable faster time to deploy new hardware at a lower operating cost.

When a new device is powered up, ZTP provides the automated ability to download and apply the initial software load and configuration to complete the provisioning of this device. After applying the configuration, the app allows for downloading and executing additional scripts on the device. These scripts enable the operator to fetch additional RPMs (Linux binary packages) from the controller. ZTP simplifies the process of deploying a new device with Day 0 configuration and bringing it up to the desired state in an automated manner.

The fully integrated solution combines core capabilities from multiple innovative, industry-leading products—Cisco Network Services Orchestrator (NSO), Cisco Prime Network Registrar, and the Cisco Crosswork suite of applications—with common API and integrates with a common UI, providing control via a single pane of glass.

With the Cisco Crosswork ZTP application, customers can realize these outcomes:

  • Bring up the device with customer-certified software or image and obtain its IP address from a DHCP server such as Cisco Prime Network Registrar.

  • Download and apply an initial configuration.

  • Download and execute a shell script.

  • Manage the device family profile, device config, image, and scripts so that they are applied to the onboarded equipment in a unified manner based on customer preference.

  • Automatically onboard the new devices to Crosswork Device Lifecycle Manager for Day 1 operation.

  • Provide a turnkey automation solution to offer faster deployment of new devices, yielding ever-improving mean time to use as the savings compound across larger numbers of devices over time.

The result? Increased profitability through faster deployment, optimized investments, and better OpEx utilization.

What's New in Cisco Crosswork Zero Touch Provisioning 2.0

This section lists new features and changes delivered in Cisco Crosswork Zero Touch Provisioning 2.0. For compatibility information, see the Cisco Crosswork Infrastructure 4.0 and Applications Installation Guide.

Secure ZTP Implementation

Cisco Crosswork ZTP Release 2.0 introduces Secure ZTP, implementing a fully compliant version of Secure ZTP (RFC 8572). When Secure ZTP is enabled, a certificate exchange mechanism is used to validate server and device certificates before the image and configuration are downloaded over a secure HTTPS/TLS channel.

During processing, the server and devices use the following certificate types:

| Name | Description | Type | Profile |
| --- | --- | --- | --- |
| Owner certificate | Customer domain CA certificate | Secure ZTP Provisioning | Trust profile |
| Pinned domain certificate (PDC) | Trusted pinned domain certificate | Secure ZTP Provisioning | Trust profile |
| Owner private key | Intermediate key for signing owner certificate | Secure ZTP Provisioning | Trust profile |
| Crosswork TLS certificate | Crosswork CA certificate (self-signed with Crosswork as CA) | Secure ZTP TLS | ZTP server profile |
| Cisco M2 CA certificate | Parent of all device SUDI certificates | Secure ZTP TLS | ZTP server profile |

The following diagram illustrates the Secure ZTP workflow:

Secure ZTP provisioning proceeds as follows:

  1. The device sends its SUDI certificate and the ZTP server validates the device with the SUDI root. The server responds with the ownership voucher. The device verifies the ownership voucher and extracts the PDC. This establishes a way for the device to trust the bootstrap data.

  2. The device and server establish a trusted HTTPS/TLS connection using the owner certificate. The Crosswork ZTP service generates a bootstrap response identifying the download URL, and the image and script files to be downloaded.

  3. On receiving the bootstrap response, the device requests and downloads the image, pre-configuration, day-zero, and post-configuration scripts over HTTPS/TLS. All artifacts shared through the secure connection are also encoded with the ownership voucher.

  4. The device reboots and applies the image, along with the pre-configuration, day-zero configuration, and post-configuration scripts.

  5. This device is now fully provisioned: imaged and configured, and connected to the network. It reports its new status to Cisco Crosswork.

  6. Cisco Crosswork adds the newly provisioned device to inventory.
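
The trust decision a device makes in step 1, as an added example (not Cisco's code and not the Crosswork API): it reads a reply shaped like the RFC 8572 `get-bootstrapping-data` output and reports whether the conveyed data is CMS signed data accompanied by both an owner certificate and an ownership voucher, or rests only on the TLS channel. Function names are hypothetical, the sample blobs are constructed, and no signature is verified here.

```python
import base64

SIGNED_DATA_OID = "1.2.840.113549.1.7.2"  # CMS id-signedData

def read_tlv(buf, pos=0):
    """Return (tag, value) of the DER element at pos; short or long length form."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def cms_content_type(b64_blob):
    """Dotted OID of the outer ContentInfo.contentType of a base64 CMS blob."""
    tag, body = read_tlv(base64.b64decode(b64_blob, validate=True))
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    tag, oid = read_tlv(body)
    if tag != 0x06 or not oid:
        raise ValueError("contentType is not an OID")
    arcs, value = [oid[0] // 40, oid[0] % 40], 0
    for byte in oid[1:]:  # remaining arcs are base-128; high bit means "more"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def classify(output, tls_server_trusted):
    """Basis for acting on a reply: 'signed-data', 'trusted-channel' or 'untrusted'."""
    info = output.get("conveyed-information")
    cert, voucher = output.get("owner-certificate"), output.get("ownership-voucher")
    if not info or bool(cert) != bool(voucher):
        raise ValueError("need conveyed-information; certificate and voucher come as a pair")
    if cert and cms_content_type(info) == SIGNED_DATA_OID:
        return "signed-data"  # the signatures still have to be verified cryptographically
    return "trusted-channel" if tls_server_trusted else "untrusted"

def sample_cms(oid_hex):
    """Constructed test blob: SEQUENCE { OID, [0] { NULL } }; carries no real content."""
    oid = bytes.fromhex(oid_hex)
    body = bytes([0x06, len(oid)]) + oid + b"\xa0\x02\x05\x00"
    return base64.b64encode(bytes([0x30, len(body)]) + body).decode()

SIGNED = sample_cms("2a864886f70d010702")    # id-signedData
UNSIGNED = sample_cms("2a864886f70d010701")  # id-data, stand-in for unsigned content
```

A reply classified as `untrusted` carries neither signed data nor an authenticated TLS server, so a device has no basis for applying an image or configuration from it.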

Support for Secure ZTP is provided in addition to the Classic ZTP mode provided in release 1.0.

Platform Support

Cisco Crosswork Zero Touch Provisioning platform support varies with the type of ZTP processing the user chooses, as shown in the tables below.

Table 1. Secure ZTP Platform Support

| Product family | Platforms supported | IOS images (feature sets) supported |
| --- | --- | --- |
| NCS | 8000, 5001, 5002, 5501, 5502, 5504, 5508, 5516, 55A1, 55A2, 540 | XR 7.3.1 or higher |
| Cisco 8000 Series | 8800 Fixed Mode supports both Secure ZTP and Classic ZTP | |
| DDI | Solution tested using the PNR DHCP server from Cisco | Version 10.1 or higher |

Table 2. Classic ZTP Platform Support

| Product family | Platforms supported | IOS images (feature sets) supported |
| --- | --- | --- |
| ASR | 9001, 9901, 9904, 9906, 9912, 9922 | XR 6.6.3, 7.0.1, 7.0.2, 7.0.12 or higher |
| Cisco 8000 Series | 8800 distributed mode only supports Classic ZTP | |
| DDI | Solution tested using the PNR DHCP server from Cisco | Version 10.1 or higher |

Installation

Cisco Crosswork Zero Touch Provisioning is now installed as an application on top of Cisco Crosswork Infrastructure (Cisco Crosswork). Cisco Crosswork is a microservices-based platform that employs a cluster architecture to be extensible, scalable, and highly available. It retrieves real-time information from the network, analyzes the data, and provides both template-driven and automated tools to apply changes to the network. For more information, see the Cisco Crosswork Infrastructure 4.0 and Applications Installation Guide.

APIs

The following updates have been made in the Cisco Crosswork Zero Touch Provisioning APIs:

  • Import, export, and manage serial numbers used in both Classic and Secure ZTP, and the ownership vouchers used in Secure ZTP

  • Get the total number of devices in a selected ZTP status

  • Get counts of configuration files

For more information, see the Cisco Crosswork Network Automation API Documentation on Cisco DevNet. For licensing and ordering information, see the Cisco Crosswork Zero Touch Provisioning product page (accessible to Cisco Partners) or contact your Cisco Sales representative.

Open Bugs in Cisco Crosswork

If you encounter problems while working with Cisco Crosswork, please check this list of open bugs. Each bug ID in the list links to a more detailed description and workaround.

You can use the Cisco Bug Search Tool to search for a specific bug or to search for all bugs in a release.

  1. Go to the Cisco Bug Search Tool.

  2. Enter your registered Cisco.com username and password, and click Log In.

    The Bug Search page opens.


    Note

    If you do not have a Cisco.com username and password, you can register here.


  3. Use any of these options to search for bugs, and then press Enter (Return) to initiate the search:

    — To search for a specific bug, enter the bug ID in the Search For field.

    — To search for bugs based on specific criteria, enter search criteria, such as a problem description, a feature, or a product name, in the Search For field.

    — To search for bugs based on products, enter or choose the product from the Product list. For example, enter Cisco Crosswork Zero Touch Provisioning.

    — To search for bugs based on releases, in the Releases list choose whether to search for bugs affecting a specific release, bugs that were fixed in a specific release, or both. Then enter one or more release numbers in the Releases field.

  4. When the search results are displayed, use the filter tools to narrow the results. You can filter the bugs by status, severity, and so on.


Tip

To export the results to a spreadsheet, click Export Results to Excel.


Cisco Crosswork Zero Touch Provisioning Documentation

The following table lists the guides that Cisco provides for Cisco Crosswork Zero Touch Provisioning 2.0. You can access all Cisco Crosswork end user documentation at https://www.cisco.com/c/en/us/support/cloud-systems-management/crosswork-network-automation/series.html#~tab-documents.

Documentation Title

What is Included

Cisco Crosswork Zero Touch Provisioning 2.0 Release Notes

This document

Cisco Crosswork Infrastructure 4.0 and Applications Installation Guide

Shared installation guide for all of the Cisco Crosswork applications and their common infrastructure.

In addition to information on how to install the Zero Touch Provisioning application, the guide covers:

  • System requirements

  • Installation prerequisites

  • Installation instructions

  • Upgrade instructions

Cisco Crosswork Infrastructure 4.0 and Applications Administrator Guide, chapter "Zero Touch Provisioning"

Shared administration guide for all the Cisco Crosswork applications and their common infrastructure.

In addition to the chapter covering Zero Touch Provisioning, the guide covers:

  • Managing clusters and data gateway

  • Data collection

  • High availability

  • Backup and restore

  • Onboard and manage devices

  • Set up maps

  • Managing users, access and security

  • Maintain system health

Open Source Used in Cisco Crosswork Infrastructure 4.0

Lists of licenses and notices for open source software used in Cisco Crosswork, including Zero Touch Provisioning.

Additional Related Documentation

Cisco Crosswork Network Automation API Documentation

Advanced users can integrate other Crosswork applications and third-party applications with Crosswork Zero Touch Provisioning functions by using application programming interfaces (APIs), delivering new capabilities into their network operations.

For more information, see the Cisco Crosswork Network Automation API Documentation on Cisco DevNet.