Secure Provisioning Configuration

All system configuration is performed via Lighthouse. The configuration necessary to provision a device consists of two elements. The basic steps to configure Secure Provisioning are:

  • Create Device Resource Bundles and upload resource files (for example, configuration files or scripts, firmware images) to Lighthouse.

  • Define Node Inventories to distribute the resources to specific nodes, where they will become available for devices to request for provisioning.

Device Resource Bundle

A Device Resource Bundle contains the resource files, such as a configuration file and an OS upgrade image, that are loaded via ZTP (DHCP + TFTP/HTTP) onto the managed device. This may be a full, final configuration, or a baseline configuration that allows the managed device to become managed by an upstream configuration service.

As each vendor's ZTP process is slightly different, Device Resource Bundles allow you to select the Device Type. This generates the appropriate ZTP server configuration (DHCP options) and any necessary intermediary provisioning scripts, and enables device-specific ZTP features, such as serial number matching.

By default, Device Resource Bundles are targeted to all managed devices of the selected Device Type. Bundles may be targeted to specific managed devices by specifying one or more device MAC addresses (including range and reverse match), or in some cases by specifying one or more device serial numbers.

Node Inventory

A Node Inventory is a static or dynamic list of nodes and a corresponding list of Device Resource Bundles. This defines how Device Resource Bundles are distributed around your network.

Resource Bundles may be distributed using one of two methods:

  • Push to a static list of nodes, selected individually by node ID

  • Push to a dynamic list of nodes, linked to a Lighthouse Smart Group of nodes

Note: You may combine distribution methods.

Create Device Configuration

To provision a managed device, you must supply device resources. Device resources consist of an initial configuration file for the device to install, and optionally an operating system image for the device to upgrade itself with.

Device resource file formats are specific to the target vendor. Secure Provisioning for NetOps Automation provisions these files, but does not generate them.

For example, a trivial Arista initial configuration file may look like:

demo_arista.cfg

A trivial Cisco IOS XR initial configuration may look like:

Cisco IOS XR initial configuration:

Update Secure Provisioning Subnet

The network range used for the Secure Provisioning subnet can be updated by setting a static IPv4 address on the Node’s LAN interface before deploying. This will allow Secure Provisioning to inherit the subnet range from the static address