Secure Provisioning

Secure Provisioning for NetOps is a configuration storage, distribution and provisioning system. It does not generate, test or validate device configuration. Instead, it is focused on provisioning remote resources with user-supplied configuration and device OS images, automatically, remotely and securely, no matter where those devices are and no matter what the state of the network is.

The Secure Provisioning license is installed on Lighthouse and contains a preset number of available node activations. Each node activated for Secure Provisioning consumes an available activation; Lighthouse itself does not consume an activation.

Using Secure Provisioning for NetOps, network turn-up no longer requires network engineering staff to perform initial configuration tasks on site, even when there is no existing LAN or WAN in place. Remote hands rack, stack and cable the infrastructure, then Secure Provisioning for NetOps Automation automates the rest of the turn-up process.

The Secure Provisioning module leverages these technologies:

  • ZTP (Zero Touch Provisioning): The process by which resources in their unconfigured state request and are delivered initial setup resources over the local management network.

  • Human-readable YAML: the ZTP configuration parameters for each resource are declared in simple YAML files.

  • Git source control: device resources such as initial configuration files and OS images are automatically stored in a versioned, auditable repository.

  • Ansible automation framework: Automatically propagates device resources and configures on-site ZTP services.

The Secure Provisioning module combines a centrally orchestrated, vendor-neutral ZTP service with on-site node LAN and WAN connectivity, to automate the provisioning process end to end.

Secure Provisioning Configuration Management

Secure Provisioning always applies device configuration in its entirety and does not support applying config patches or deltas to a provisioned device (for example, adding a few lines to running config, to enable a specific feature).

Stateless File Management

Secure Provisioning supports a DevOps-style approach which collapses initial provisioning, disaster recovery and ongoing maintenance into a single workflow.

Using this approach, a configuration change is made in Lighthouse to the central configuration template via git. Lighthouse renders the configuration file in its entirety and pushes it to the OM node. The device is then factory reset and pulls the new configuration as if it were being provisioned for the first time.

Pros:

  • Eliminates config drift.

  • Enforces config reproducibility.

  • Central audit trail of all configuration changes.

  • Disaster recovery becomes as simple as resetting all devices to reprovision.

Cons:

  • Requires a longer maintenance window, as the device is reset and reboots.

  • Patches cannot be applied to the running configuration.
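The stateless workflow above, modelled as an added example (written for this page, not code from Lighthouse or the Secure Provisioning module): the device configuration is rendered in its entirety from a template plus per-device variables, each rendered file is committed to a toy repository that stands in for git, and drift is detected by whole-file comparison rather than by diffing lines. The template, the device variables and all function and class names are assumptions made for the illustration.

```python
import hashlib
import string

# Constructed example template (not taken from Lighthouse): the whole device
# configuration is rendered from this; placeholders use $name syntax.
TEMPLATE = """\
hostname $hostname
interface mgmt0
 ip address $mgmt_ip/$mgmt_prefix
ntp server $ntp_server
snmp-server community $snmp_ro RO
"""

# Constructed per-device variables (in the real workflow the YAML supplies these).
SW_EDGE_01 = {
    "hostname": "sw-edge-01",
    "mgmt_ip": "10.0.0.11",
    "mgmt_prefix": "24",
    "ntp_server": "10.0.0.1",
    "snmp_ro": "r0-monitoring",
}


def render_full_config(template, variables):
    """Render the configuration file in its entirety.

    substitute() raises KeyError on a missing variable, so a half-rendered
    file is never committed or pushed to a node.
    """
    return string.Template(template).substitute(variables)


def config_version(rendered):
    """Short content hash standing in for the git commit that stores the file."""
    return hashlib.sha256(rendered.encode("utf-8")).hexdigest()[:12]


class ConfigRepo:
    """Toy stand-in for the git repository (hypothetical): every rendered file
    is kept with its message, which is the central audit trail."""

    def __init__(self):
        self.commits = []

    def commit(self, device, rendered, message):
        version = config_version(rendered)
        self.commits.append((device, version, message, rendered))
        return version

    def desired(self, device):
        """Latest committed configuration for a device, or None."""
        for dev, _ver, _msg, rendered in reversed(self.commits):
            if dev == device:
                return rendered
        return None

    def history(self, device):
        return [(ver, msg) for dev, ver, msg, _ in self.commits if dev == device]


def needs_reprovision(running_config, desired_config):
    """Whole-file comparison. There is no delta to apply: any difference means
    the device is factory reset and pulls the full desired file again."""
    return running_config != desired_config


def change_variable(variables, key, value):
    """The 'patch' is made to the source of truth, never to the running config."""
    updated = dict(variables)
    updated[key] = value
    return updated


def demo():
    repo = ConfigRepo()
    repo.commit("sw-edge-01", render_full_config(TEMPLATE, SW_EDGE_01),
                "initial provisioning")

    # Device boots via ZTP and pulls the full file: running == desired.
    running = repo.desired("sw-edge-01")
    drift_after_ztp = needs_reprovision(running, repo.desired("sw-edge-01"))

    # Someone hand-edits the running config on the box (config drift).
    running += "snmp-server community public RO\n"
    drift_after_hand_edit = needs_reprovision(running, repo.desired("sw-edge-01"))

    # Intended change: new NTP server. Patch the variables, re-render the whole
    # file, commit it, then the device is reset and pulls it (no line-level patch).
    updated_vars = change_variable(SW_EDGE_01, "ntp_server", "10.0.0.2")
    repo.commit("sw-edge-01", render_full_config(TEMPLATE, updated_vars),
                "move to new NTP server")
    running = repo.desired("sw-edge-01")  # factory reset + re-pull
    drift_after_reprovision = needs_reprovision(running, repo.desired("sw-edge-01"))

    return {
        "drift_after_ztp": drift_after_ztp,
        "drift_after_hand_edit": drift_after_hand_edit,
        "drift_after_reprovision": drift_after_reprovision,
        "rogue_community_present": "public" in running,
        "history": repo.history("sw-edge-01"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the model is the last step: the hand-added SNMP community does not survive, because the device never receives a delta, only the full file derived from the committed template and variables. That is what "eliminates config drift" means in practice, and it is also why the maintenance window is longer: the fix is a reset and re-pull, not an in-place edit.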

Stateful Device Management Gateway

The NetOps Automation platform provides a management fabric from remote devices to your central management network via Lighthouse VPN and/or the cellular WWAN.

There are many tools purpose-built for stateful configuration management, such as Cisco NSO and SolarWinds NCM, and protocols such as NETCONF and gRPC (OpenConfig).

These tools can use NetOps as a secure, resilient management path, both extending their reach to the out-of-band management network and ensuring reachability during outages.