Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

To address network provisioning challenges, Cisco introduces a Zero-Touch Provisioning model. Zero-Touch Provisioning automates the process of installing or upgrading software images, and installing configuration files on Cisco devices that are deployed in a network for the first time. It reduces manual tasks required to scale the network capacity.

When a device that supports Zero-Touch Provisioning boots up, and does not find the startup configuration (during fresh install on Day Zero), the device enters the Zero-Touch Provisioning mode. The device locates a Dynamic Host Control Protocol (DHCP) server, bootstraps itself with its interface IP address, gateway, and Domain Name System (DNS) server IP address, and enables Guest Shell. The device then obtains the IP address or URL of a TFTP server, and downloads the Python script to configure the device.

Guest Shell provides the environment for the Python script to run. Guest Shell executes the downloaded Python script and configures the device for Day Zero.

After Day Zero provisioning is complete, Guest Shell remains enabled. For more information on Guest Shell, see the following chapter:

• Guest Shell on Catalyst 9500 Series Switches

Note	In case Zero-Touch Provisioning fails, the device falls back to AutoInstall to load configuration files. For more information, see Using AutoInstall and Setup.

In Zero-Touch Provisioning, a DHCP server must be running on the same network as the new device that is being provisioned. Zero-Touch Provisioning is supported on both management ports and in-band ports.

When the new device is switched on, it retrieves the IP address information of the TFTP server where the Python script resides, and the folder path of the Python script from the DHCP server.

For more information on Python Scripts, see the following chapters:

• Python API and Python CLI Module on Catalyst 9500 Series Switches

The DHCP server responds to DHCP discovery events with the following options:

• Option 150—(Optional) Contains a list of IP addresses that points to the TFTP server on the management network that hosts the Python scripts to be run.

• Option 67—Contains the Python script file path on the TFTP server.

After receiving these DHCP options, the device connects to the TFTP server, and downloads the Python script. The device, at this point does not have any route to reach the TFTP server, so it uses the default route provided by the DHCP server.

The following is a sample DHCP server configuration when connected via the management port on a device:

Device> enable
Device# configure terminal
Device(config)# ip dhcp excluded-address 10.1.1.1
Device(config)# ip dhcp excluded-address vrf Mgmt-vrf 10.1.1.1 10.1.1.10
Device(config)# ip dhcp pool pnp_device_pool
Device(config-dhcp)# vrf Mgmt-vrf
Device(config-dhcp)# network 10.1.1.0 255.255.255.0
Device(config-dhcp)# default-router 10.1.1.1 
Device(config-dhcp)# option 150 ip 203.0.113.254 
Device(config-dhcp)# option 67 ascii /sample_python_dir/python_script.py
Device(config-dhcp)# no ip dhcp client request tftp-server-address
Device(config-dhcp)# end

The following sample DHCP server configuration displays that th server is either connected to the management port or forwarding port on a device. The DHCP server is on a box that is running the Linux Ubuntu distribution.

root@ubuntu-server:/etc/dhcp# more dhcpd.conf
subnet 10.1.1.0 netmask 255.255.255.0 {
range 10.1.1.2  10.1.1.255; 
      host 3850 { 
          fixed-address                      10.1.1.246 ; 
          hardware ethernet                  CC:D8:C1:85:6F:00; 
          option bootfile-name !<opt 67>     " /python_dir/python_script.py";
         option tftp-server-name !<opt 150>  "203.0.113.254"; 
      }
  }

Once the DHCP server is running, boot a management-network connected device, and the rest of the configuration is automatic.

The following sample Zero-Touch Provisioning boot log displays that Guest Shell is successfully enabled, the Python script is downloaded to the Guest Shell, and the Guest Shell executes the downloaded Python script and configures the device for Day Zero.

% failed to initialize nvram 
! <This message indicates that the startup configuration 
is absent on the device. This is the first indication that the Day Zero work flow is 
going to start.>

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco ISR4451-X/K9 (2RU) processor with 7941237K/6147K bytes of memory.
Processor board ID FJC1950D091
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
16777216K bytes of physical memory.
7341807K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

%INIT: waited 0 seconds for NVRAM to be available



         --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: % 
!!<DO NOT TOUCH. This is Zero-Touch Provisioning>>
Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
The process for the command is not responding or is otherwise unavailable
Guestshell enabled successfully


 *** Sample ZTP Day0 Python Script *** 


 *** Configuring a Loopback Interface *** 


Line 1 SUCCESS: interface loop 100
Line 2 SUCCESS: ip address 10.10.10.10 255.255.255.255
Line 3 SUCCESS: end


 *** Executing show ip interface brief  *** 


Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES unset  down                  down    
GigabitEthernet0/0/1   unassigned      YES unset  down                  down    
GigabitEthernet0/0/2   unassigned      YES unset  down                  down    
GigabitEthernet0/0/3   192.168.1.246   YES DHCP   up                    up      
GigabitEthernet0       192.168.1.246   YES DHCP   up                    up      
Loopback100            10.10.10.10     YES TFTP   up                    up      


 *** ZTP Day0 Python Script Execution Complete *** 




Press RETURN to get started!

The Day Zero provisioning is complete, and the IOS prompt is accessible.