Get Started with Crosswork Cloud Trust Insights

This workflow lists the high-level tasks to quickly start using Crosswork Cloud Trust Insights.

Since Crosswork Cloud Trust Insights uses Crosswork Data Gateway for data collection, the workflow also includes high-level information on how to install and set up Crosswork Data Gateway.

Table 1. High-level Crosswork Cloud Trust Insights Set Up and Get Started Workflow

Step

Action

Procedure and Notes

Crosswork Data Gateway

Cisco Crosswork Data Gateway is initially deployed as a VM called Base VM that contains only enough software to enroll itself with Crosswork Cloud. Once the Crosswork Data Gateway is registered with Crosswork Cloud, Crosswork Cloud pushes the collection job configuration down to the Crosswork Data Gateway, enabling it to gather the data it needs from the network devices.

The following steps are done outside of Crosswork Cloud.

1

Confirm Crosswork Data Gateway requirements.

Installation Requirements

2

Gather information needed during Crosswork Data Gateway installation. Make sure you have the following:

  • A network where Crosswork Data Gateway can connect to Crosswork Cloud (Management Interface)

  • A network where Crosswork Data Gateway can connect to the devices (optional Southbound Interface)

  • IP address information for each interface

  • A proxy, if it is required to connect to the internet

Deployment Parameters and Scenarios

3

  • For Crosswork Data Gateway 6.0.1 or later:

    Create and copy an enrollment token (.json registration file) to use during Crosswork Data Gateway installation. The .json registration file contains unique digital certificates that are used to enroll Crosswork Data Gateway into Crosswork Cloud.

  • For Crosswork Data Gateway versions earlier than 6.0.1, follow the steps described in Manually Add Crosswork Data Gateway Information, then go to Step 6.

Add Crosswork Data Gateway Information

For Crosswork Data Gateway 6.0.1 or later:

  1. Crosswork Data Gateway > Data Gateways > Use Enrollment Token

  2. Create or select an enrollment token.

  3. Copy the enrollment token somewhere so that it is readily available when you install Crosswork Data Gateway.

Note: After you copy the enrollment token, you will need to install Crosswork Data Gateway before you can continue in Crosswork Cloud Traffic Analysis.

4 Install Crosswork Data Gateway.

During Crosswork Data Gateway installation, you will need to paste the enrollment token in the following platforms:

  • VMware

    • vCenter vSphere Client—Paste the token text into the Auto Enrollment Package Transfer > Enrollment Token UI field

    • OVF Tool—Locate the script and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • OpenStack—Locate the config.txt file and under the ## Enrollment Token for Crosswork Cloud section, paste the token text after CloudEnrollmentToken=

  • Amazon EC2—Paste the token in the CloudFormation template or as part of the user data after CloudEnrollmentToken=

Install Crosswork Data Gateway

5

Authorize Crosswork Data Gateway access to Crosswork Cloud Trust Insights.

Note: Each Crosswork Data Gateway can be applied to one Cisco Crosswork Cloud application only. This means that you cannot use this instance of Crosswork Data Gateway for Crosswork Cloud Trust Insights.

  1. Crosswork Cloud Trust Insights > Data Gateways > Use Enrollment Token

  2. Click Next. The newly installed Crosswork Data Gateway should appear with the Enrollment State as Pending.

  3. Click Allow to authorize the Crosswork Data Gateway access.

6

Confirm you have all the Cisco IOS XR supported images, enrollment keys, certificates, and requirements needed for Crosswork Cloud Trust Insights.

7

Configure a user with limited access to devices for Crosswork Trust Insights to prevent unauthorized operational or configuration changes to your Cisco IOS XR routers.

Configure Limited Privilege User

8

Add device credential profiles to be used when adding devices.

Create Credentials

Crosswork Cloud Trust Insights > Configure > Credentials > Add Credential

9

Add devices.

Note: If devices have already been added in Crosswork Cloud, you can simply link them to Crosswork Cloud Trust Insights (Crosswork Cloud Trust Insights > Data Gateways > data-gateway-name > Linked Trust Devices tab).

  • Add Devices

    Crosswork Cloud Trust Insights Devices > Add Device

  • Confirm all connections are up.

    Devices > device_name > Status tab

Note: You must have the following information populated:

  • Name

  • Hostname

  • Device timezone

  • Data Gateway

  • Credential group (defined in previous step)

10

Give it some time to collect data, then verify that the device data collection was successful.

Crosswork Cloud Trust Insights > Monitor > Devices > device-name Trust Insights tab

11

Initiate a dossier collection to get the latest device information.

Collect Data for Trust Insights Device Dossier

Crosswork Cloud Trust Insights > Configure > Devices > device-name > Trust Insights > Collect Dossier

12

View and create policies to monitor device integrity.

Policies

Crosswork Cloud Traffic Analysis icon > Configure > Policies

What's Next?

13

Verify software and view runtime signature analytics.

  • Does the software inventory reflect correct IOS XR inventory on a device?

  • Do software packages show verified software signatures (IMA “Observed Running”)?

  • Are software patches (SMU) successfully deployed across production systems?

  • Is software in compliance?

Crosswork Cloud Trust Insights > Monitor > Devices > device-name Trust Insights tab

14

Verify hardware inventory.

View Device Inventory

Crosswork Cloud Trust Insights > Monitor > Devices > device-name Trust Insights tab. Click the Inventory tab.

15

View historical changes observed in systems.

  • Confirm a scheduled maintenance has been completed.

  • Further investigate known network issues.

  • View device reboots or configuration changes

  • Is software in compliance?

View Device Changes

Crosswork Cloud Trust Insights > Monitor > Devices > device-name Trust Insights tab. Click the Changes tab.

16

Compare device configurations where a single device is chosen to be used as a baseline. Identify differences in installed software packages on similar devices deployed within production environments.

Generate a “Punch List” of recommended changes to bring deviant devices into compliance.

Device Comparison

Crosswork Cloud Trust Insights > Tools > Device Comparison