How Secure Provisioning Works

The Secure Provisioning feature centrally orchestrates the distribution of resource configuration files and firmware images, and the node provisioning (ZTP) services required to deliver the files to resources.

Secure Provisioning is configured by defining the resources that devices are provisioned with, and defining how these resources should be distributed around your network.

  • Device Resource Bundles contain the files needed to provision one or many resources:

    • Configuration File, Script File and/or Image Files.

    • Each Resource Bundle has a defined Device Type.

    • When a Resource Bundle is distributed to a node, any ZTP request matching the Device Type is provisioned with the bundled resources.

    • This may be restricted to specific devices by specifying one or more device MAC Addresses (range and reverse match supported) or Serial Numbers (not supported by all vendors).

  • Resource Distribution policies are defined by Node Inventory Lists:

    • Static Node Inventory List - a predefined, static list of nodes to distribute to.

    • Dynamic Node Inventory List - evaluates a Node Filter each time resources are distributed.

      Tip: The Dynamic Node Inventory List allows you to automatically tag certain nodes with Enrollment Bundles, for example, by region or site class, to help automate resource distribution to newly enrolled nodes in that region.
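To make the bundle-matching rules above concrete, here is an added example (not Lighthouse's own code or YAML schema) that selects a Resource Bundle for a ZTP request by Device Type first, then by MAC address range, reverse match, or Serial Number. The bundle fields, device type names, MAC addresses and serials are constructed for illustration, and "reverse match" is assumed here to mean excluding a MAC range.

```python
from dataclasses import dataclass, field
from typing import Optional

def mac_to_int(mac: str) -> int:
    """Normalise 'aa:bb:cc:dd:ee:ff', 'aa-bb-...' or bare hex to an integer."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)

def mac_range(start: str, end: str) -> tuple:
    """Inclusive (lo, hi) integer range; rejects a range whose start is above its end."""
    lo, hi = mac_to_int(start), mac_to_int(end)
    if lo > hi:
        raise ValueError("MAC range start is above its end")
    return (lo, hi)

@dataclass
class Bundle:
    """Hypothetical bundle shape for this example, not the product's schema."""
    name: str
    device_type: str
    mac_ranges: list = field(default_factory=list)          # allow-list of (lo, hi)
    reverse_mac_ranges: list = field(default_factory=list)  # assumed: excluded (lo, hi)
    serials: set = field(default_factory=set)

    def matches(self, device_type: str, mac: str, serial: Optional[str] = None) -> bool:
        if device_type != self.device_type:
            return False                       # the Device Type gate always applies
        m = mac_to_int(mac)
        if any(lo <= m <= hi for lo, hi in self.reverse_mac_ranges):
            return False                       # explicitly excluded device
        if not self.mac_ranges and not self.serials:
            return True                        # unrestricted: every device of this type
        if any(lo <= m <= hi for lo, hi in self.mac_ranges):
            return True
        return serial is not None and serial in self.serials

def select_bundle(bundles: list, device_type: str, mac: str,
                  serial: Optional[str] = None) -> Optional[str]:
    """Name of the first bundle that provisions this ZTP request, or None."""
    for b in bundles:
        if b.matches(device_type, mac, serial):
            return b.name
    return None

# Constructed sample bundles: one restricted to a MAC block minus a lab sub-block,
# one keyed on serial numbers, and one unrestricted bundle for a second device type.
SAMPLE_BUNDLES = [
    Bundle("site-a-type-a", "type-a",
           mac_ranges=[mac_range("02:00:00:aa:00:00", "02:00:00:aa:ff:ff")],
           reverse_mac_ranges=[mac_range("02:00:00:aa:00:10", "02:00:00:aa:00:1f")]),
    Bundle("lab-by-serial", "type-a", serials={"LAB-0001", "LAB-0002"}),
    Bundle("all-type-b", "type-b"),
]
```

A request that falls in an excluded range receives nothing unless another bundle claims it by serial, which is the behaviour to verify before pushing firmware to a whole region.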

Device Resource Bundle and Resource Distribution configuration are supplied to Lighthouse using the web UI or the CLI (git) method. The web UI method creates the same underlying YAML configuration as the git method; it is effectively a front end to the git method.

A git push to the Lighthouse repository, or clicking the UI Push Now/Push Resources button triggers a resource push:

  • A git post-commit hook triggers an Ansible playbook on Lighthouse.

  • The playbook copies resources down to nodes, securely over Lighthouse VPN.

  • The playbook starts or restarts ZTP services on nodes.