
Setting up NSO PnP server with ISR

Cisco Employee

Introduction

This blog is a quick note on how to set up an NSO PnP server with a physical ISR device to demonstrate ZTP.

The following is a summary of the demo:

  1. Restart ISR with an empty config
  2. ISR obtains IP address by DHCP option 43
  3. ISR connects to NSO via PnP
  4. NSO configures ISR with day 0 config through PnP
  5. NSO adds device, fetches SSH key and does sync-from

Note: this document covers day 0 config only (not day 1 using reactive FASTMAP).

Topology

[Image: ztp-topo.png]

Tested with NSO 4.4.2.1 and cisco-pnp-project-1.9.0.

Get a serial number

NSO identifies each device by its serial number.

Because of that, you must find the serial number with the "show version" command.

In the following case, the serial number is FGL27131376.

ISR891#show ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.6(3)M1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 02-Dec-16 15:28 by prod_rel_team
(snip)
-------------------------------------------------
Device#  PID                SN
-------------------------------------------------
*1       C891FJ-K9          FGL27131376

Configurations

A Cisco router, acting as the DHCP server, has the following configuration.

ip dhcp excluded-address 10.0.1.1 10.0.1.100
!
ip dhcp pool nso
 network 10.0.1.0 255.255.255.0
 domain-name cisco.com
 option 43 ascii 5A1N;K4;B2;I10.0.1.20;J9191

The option 43 string has the following meaning.

5A1N;K4;B2;I10.0.1.20;J9191

  • 5 - DHCP sub-option. PnP is five.
  • A - Active, which means the client must connect to the PnP server. This must be Active.
  • 1 - Version 1
  • N - Debug off
  • ; - Delimiter
  • K4 - Use HTTP
  • B2 - Use IPv4
  • I10.0.1.20 - IP address of the PnP server (the NSO IP address)
  • J9191 - NSO port

NSO must have at least the Cisco NED and the PnP package.

To install PnP on NSO, download ncs-4.4.2.2-cisco-pnp-project-1.9.0.tar.gz from CCO.

It contains the following files.

  • doc
  • init_data
  • packages
  • project-meta-data.xml

Under the packages directory, find ncs-4.4.2.2-cisco-pnp-1.9.0.tar.gz and untar the file to your packages directory.

After doing "packages reload" on NSO, configure the following PnP configuration.

admin@ncs# show running-config pnp
pnp server ip-address 10.0.1.20
pnp server port 9191
pnp server use-ssl false
pnp logging serial all
!
pnp map FGL27131376
 device-name  ISR891
 username     cisco
 password     $8$nV2GkQf9XvBPbsPhasJWVjWxYxiU1gF1KCFKzec/bvU=
 sec-password $8$tfJCjJhVLzayEVr+U3Ee1AxWtaAeX6a9N0EtgU4vWYs=
 device-type  cli
 ned-id       cisco-ios
 port         22
 day0-file    ISR891.txt
 cfg-properties variable HOSTNAME
  value ISR891
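
The option 43 string and the NSO "pnp server" settings have to agree, or the ISR never reaches NSO. The following Python check is an added example, not part of the original post or the cisco-pnp package; the function names are hypothetical, and it decodes only the field codes listed on this page, reporting anything else as unrecognized.

```python
import ipaddress

# Only the codes this page documents are decoded; anything else is reported.
TRANSPORT = {"K4": "http"}
ADDR_TYPE = {"B2": "ipv4"}

def parse_option43(text):
    """Parse a PnP option 43 ASCII string such as 5A1N;K4;B2;I10.0.1.20;J9191."""
    head, *fields = text.strip().split(";")
    if len(head) != 4:
        raise ValueError(f"bad header {head!r}")
    opt = {"suboption": head[0],      # '5' = PnP
           "active": head[1] == "A",  # must be Active
           "version": head[2],        # '1'
           "debug": head[3] != "N",   # 'N' = debug off
           "unknown": []}
    for field in fields:
        if field in TRANSPORT:
            opt["transport"] = TRANSPORT[field]
        elif field in ADDR_TYPE:
            opt["addr_type"] = ADDR_TYPE[field]
        elif field.startswith("I"):
            opt["server"] = field[1:]
        elif field.startswith("J") and field[1:].isdigit():
            opt["port"] = int(field[1:])
        else:
            opt["unknown"].append(field)
    return opt

def check_against_nso(opt, nso_ip, nso_port, use_ssl):
    """List disagreements between option 43 and the NSO 'pnp server' settings."""
    problems = []
    if opt["suboption"] != "5" or not opt["active"]:
        problems.append("header must start with 5A (PnP, Active)")
    if opt.get("addr_type") == "ipv4":
        try:
            ipaddress.IPv4Address(opt.get("server", ""))
        except ValueError:
            problems.append("B2 set but I field is not an IPv4 address")
    if opt.get("server") != nso_ip:
        problems.append("server address differs from pnp server ip-address")
    if opt.get("port") != nso_port:
        problems.append("port differs from pnp server port")
    # K4 (HTTP) pairs with use-ssl false; any other combination is flagged
    if (opt.get("transport") == "http") == use_ssl:
        problems.append("transport does not match pnp server use-ssl")
    if opt["unknown"]:
        problems.append(f"unrecognized fields: {opt['unknown']}")
    return problems
```

With the values from this page, check_against_nso(parse_option43("5A1N;K4;B2;I10.0.1.20;J9191"), "10.0.1.20", 9191, False) returns an empty list.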

The following is the content of ISR891.txt under the packages/cisco-pnp/cfg directory.

hostname $HOSTNAME
!
enable password cisco
ip domain name cisco.com
!
username cisco password 0 cisco
!
ip ssh version 2
!
line vty 0 4
 login local
 transport input all
!
crypto key generate rsa  modulus 2048

Don't forget the last line, which is necessary to generate an SSH key.
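
A day 0 file can be checked before it is pushed to a device. The following Python preflight is an added example, not part of the original post or the cisco-pnp package: it assumes plain $NAME substitution from cfg-properties with upper-case variable names, the function name is hypothetical, and PAGE_TEMPLATE is the ISR891.txt content shown above.

```python
import re

VAR = r"\$([A-Z_][A-Z0-9_]*)"  # assumed placeholder syntax, e.g. $HOSTNAME

# The ISR891.txt day 0 file from this page
PAGE_TEMPLATE = """\
hostname $HOSTNAME
!
enable password cisco
ip domain name cisco.com
!
username cisco password 0 cisco
!
ip ssh version 2
!
line vty 0 4
 login local
 transport input all
!
crypto key generate rsa  modulus 2048
"""

def preflight_day0(template, variables):
    """Return (rendered_config, findings) for a PnP day 0 template."""
    findings = []
    # Every $NAME placeholder must be supplied via cfg-properties
    for name in sorted(set(re.findall(VAR, template))):
        if name not in variables:
            findings.append(f"undefined variable ${name}")
    rendered = re.sub(VAR, lambda m: variables.get(m.group(1), m.group(0)), template)
    lines = [line.strip() for line in rendered.splitlines()]
    # Without an RSA key the device has no SSH host key for NSO to fetch
    if not any(line.startswith("crypto key generate rsa") for line in lines):
        findings.append("missing 'crypto key generate rsa'")
    for line in lines:
        # Type 0 and 'enable password' are stored unencrypted in the config
        if re.match(r"username \S+ password 0 ", line) or line.startswith("enable password "):
            findings.append(f"cleartext credential: {line.split()[0]} line")
        if line == "transport input all":
            findings.append("vty accepts every transport, not only ssh")
    return rendered, findings
```

Since the PnP server on this page runs with use-ssl false, the rendered file, credentials included, crosses the network over HTTP, which is why the cleartext lines are worth reviewing before using the template outside a lab.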

Let's do the demo

Now, all you need to do is erase all config on the ISR and reboot.

ISR891#write erase
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete
ISR891#reload
System configuration has been modified. Save? [yes/no]:  (no)
Proceed with reload? [confirm]

If everything goes well, the device is configured, added to NSO and synced as follows.

admin@ncs# show pnp list
SERIAL       IP ADDRESS  CONFIGURED  ADDED  SYNCED  LAST CONTACT
-------------------------------------------------------------------------
FGL27131376  10.0.1.131  true        true   true    2017-09-01 02:04:55

admin@ncs# show devices list
NAME    ADDRESS     DESCRIPTION  NED ID     ADMIN STATE
-------------------------------------------------------
ISR891  10.0.1.131  -            cisco-ios  unlocked
admin@ncs#

7 Comments
Cisco Employee

How do you get the Serial Number of the ISR?

Cisco Employee

Good question. You can get a serial number with the "show version" command.

In the following example, the serial number is FGL27131376.

ISR891#show ver
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.6(3)M1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 02-Dec-16 15:28 by prod_rel_team
(snip)
-------------------------------------------------
Device#  PID                SN
-------------------------------------------------
*1       C891FJ-K9          FGL27131376

Let me update the document.

Thank you for the comment.

Best regards,

Hiro

Cisco Employee

This can be simplified (or an alternative) as follows:

gregg-xtr#show ver | inc Proc
Processor board ID FHK142873Y0
gregg-xtr#

Cisco Employee

Brilliant! Thanks for sharing, Gregg.

Best regards,

Hiro

Cisco Employee

Can you please provide information on how to set up HTTPS configurations between NSO and PnP (using RSA keys)?

Cisco Employee

Hello rajkraje,

 

I never tried https, but could you enable SSL in ncs.conf as follows and try "transport https..." in IOS-XE?

 

Screen Shot 2018-08-31 at 2.25.54 PM.png

 

Best regards,

Hiro

Cisco Employee

Hi Hiro,

 

This document is very helpful since I am setting up PnP for the first time. It saved me a lot of time. I would like to make one suggestion. In the contents, there is not much detail about how to get the PnP package into the package folder (location). I was confused between the installation folder "nso-471" and the installed folder "ncs-run" from other docs. Both of them have package folders. I installed the PnP package wrongly in "nso-471", so package reload does not work.

 

And it took me some time to find that "cisco-pnp" is the actual PnP package after running tar twice.

 

Regards,

-Stephen