Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
766
Views
5
Helpful
8
Replies

Need Help with secure ZTP process - catalyst 9300/9500

sindhujit
Level 1
Level 1

‎07-25-2023 02:29 PM

I need some help with setting up the bootstrap servers for doing secure ZTP through automation. I have found a few articles :

To create the Bootstrap server: https://www.rfc-editor.org/rfc/rfc8572.html#section-4.4
But this example does not do a live demo of the step by step process.

There is another link : 

https://github.com/opiproject/sztp

But I mainly stuck with the overall process. A walk through would be good.

Labels:
0 Helpful
8 Replies 8

Flavio Miranda
VIP
VIP

‎07-25-2023 03:53 PM

Hi @sindhujit 

 those links does not work but that´s ok. Basically what you need is provide DHCP for the switch on the management interface.

On this 2 lnks below there will be many examples of DHCP configuration.  They will provide to the switch the IP address of the DNAC server. 

 After the discovery the switch and provisioning, you need to change the cable from management interface to another interface.

 

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/switches/lan/catalyst9300/software/release/16-5/configuration_guide/prog/b_165_prog_9300_cg/zero_touch_provisioning.html.xml

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1611/b_1611_programmability_cg/zero_touch_provisioning.html

 

sindhujit
Level 1
Level 1
In response to Flavio Miranda

‎07-25-2023 04:05 PM

The links open for me. I am talking specifically about the secureZTP, not ZTP. sZTp includes setting up a bootstrap server, connecting with MASA server, etc..

Theres no real documentation on the config needed for the bootstrap server.

0 Helpful

MHM Cisco World
VIP
VIP
In response to sindhujit

‎07-25-2023 04:36 PM - edited ‎07-25-2023 04:37 PM

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/prog/configuration/1711/b_1711_programmability_cg/m_1711_prog_ztp.html

This guide for secure ztp and ztp.

Check example in end of this doc.

sindhujit
Level 1
Level 1
In response to MHM Cisco World

‎07-25-2023 10:33 PM

Not much help on how to set up bootstrap server

0 Helpful

Rich R
VIP
VIP
In response to sindhujit

‎07-27-2023 05:23 AM

@sindhujit the links open for you because they're obviously intended for use inside your corporate network only!
Your hyperlinks:
https://isolate.menlosecurity.com/1/3735928037/https:/www.rfc-editor.org/rfc/rfc8572.html#section-4.4
https://isolate.menlosecurity.com/1/3735928037/https:/github.com/opiproject/sztp
Obviously intended to be:
https://www.rfc-editor.org/rfc/rfc8572.html#section-4.4
https://github.com/opiproject/sztp


------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

MHM Cisco World
VIP
VIP

‎07-25-2023 03:59 PM

https://m.youtube.com/watch?v=sPGHvtK6M4g&pp=ygUJOTMwMCB6dHAg

 

Zero-Touch Provisioning
Zero-Touch Provisioning
m.youtube.com/watch?v=sPGHvtK6M4g&pp=ygUJOTMwMC...
Zero-Touch Provisioning provides open bootstrap interfaces to automate network device provisioning in heterogeneous network environments. When a device that supports Zero-Touch Provisioning boots up, and does not find the startup configuration (during initial installation), the device enters the ...

sindhujit
Level 1
Level 1
In response to MHM Cisco World

‎07-25-2023 04:09 PM

I am talking specifically about the secureZTP process for catalyst 9300/9500, not ZTP. sZTp includes setting up a bootstrap server, connecting with MASA server, etc..

Theres no real documentation on the config needed for the bootstrap server.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card