Onboard Devices Using Three-Step Validation
The Cisco IOS XR software implements the secure zero touch provisioning (secure ZTP) capabilities described in RFC 8572. Secure ZTP uses a three-step validation process to onboard remote devices securely:
- Router Validation: The ZTP server authenticates the router before it provides any bootstrapping data, using the router's Secure Unique Device Identifier (SUDI) certificate, which chains to the Cisco trust anchor certificates. Ensure that the Cisco CA certificate chain is preinstalled on the ZTP server; without it the server cannot verify the SUDI certificate presented by the client (router). The required certificates are:
  - subject=O = Cisco, CN = ACT2 SUDI CA
  - subject=O = Cisco Systems, CN = Cisco Root CA 2048
  - subject=CN = High Assurance SUDI CA, O = Cisco
  - subject=O = Cisco, CN = Cisco Root CA 2099
- Server Validation: The router in turn validates the ZTP server, so that onboarding happens into the correct network rather than against an untrusted server. Only after this validation does the ZTP server send the bootstrapping data (for example, configuration expressed in a YANG data model) or artifact to the router. See Secure ZTP Components.
- Artifact Validation: The router validates the bootstrapping data or artifact received from the ZTP server before applying it.
Secure ZTP Components

Let's first understand the components required for secure ZTP.

| Component | Description |
|---|---|
| Onboarding Device (Router) | The router is the Cisco device that you want to provision and connect to your network. Secure ZTP is supported only on platforms that have hardware Trust Anchor Module (TAM) support; on these routers the SUDI (certificate and its private key) is embedded in the TAM. |
| DHCP Server | The secure ZTP process relies on the DHCP server to provide the URL from which the router fetches the bootstrapping information. |
| ZTP Server | A ZTP server is any server used as a source of secure ZTP bootstrapping data; it can be a RESTCONF or HTTPS server. The ZTP server contains the artifacts described in the next two rows. |
| Bootstrapping Data | Bootstrapping data is the collection of data that the router obtains from the ZTP server during the secure ZTP process. You must create the bootstrapping data and upload it to the ZTP server. For more information, refer to RFC 8572. |
| Report Progress | When the device obtains the onboarding information from a ZTP server, the router reports its bootstrapping progress to the ZTP server using API calls. See RFC 8572 for the detailed report-progress messages that can be sent to the ZTP server. The following is the structure of the The following example illustrates a device using the YANG module to post a progress report to a ZTP server with a |
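The following is an added example, not code from Cisco IOS XR or from RFC 8572 itself. It works through two of the exchanges the table above refers to, on both sides of the wire: the DHCP server encodes the RFC 8572 redirect option (OPTION_V4_SZTP_REDIRECT, code 143) that names the bootstrap servers, the device decodes it and keeps only HTTPS entries, then the device builds the report-progress RPC body from the ietf-sztp-bootstrap-server YANG module and the ZTP server validates it. The host names, the message text and the `/restconf` root path are assumptions for the example; a real RESTCONF client discovers the root via `/.well-known/host-meta`.

```python
"""Added example, not Cisco IOS XR code: two RFC 8572 exchanges used by secure ZTP,
the DHCPv4 redirect option that names the bootstrap servers and the report-progress
RPC the device POSTs back. Host names and messages below are constructed."""
import json
import struct
from urllib.parse import urlparse

# RFC 8572 section 8.1: OPTION_V4_SZTP_REDIRECT carries a bootstrap-server-list in
# which each entry is a 2-byte big-endian uri-length followed by the URI bytes.
V4_SZTP_REDIRECT = 143

# RFC 8572 section 7.3 (ietf-sztp-bootstrap-server YANG): the progress-type enumeration.
PROGRESS_TYPES = frozenset({
    "bootstrap-initiated", "parsing-initiated", "parsing-warning", "parsing-error",
    "parsing-complete", "boot-image-initiated", "boot-image-warning",
    "boot-image-error", "boot-image-mismatch", "boot-image-installed-rebooting",
    "boot-image-complete", "pre-script-initiated", "pre-script-warning",
    "pre-script-error", "pre-script-complete", "config-initiated", "config-warning",
    "config-error", "config-complete", "post-script-initiated",
    "post-script-warning", "post-script-error", "post-script-complete",
    "bootstrap-warning", "bootstrap-error", "bootstrap-complete", "informational",
})

def encode_v4_sztp_redirect(uris):
    """DHCP server side: option code, 1-byte length, then the bootstrap-server-list.
    A single DHCPv4 option holds at most 255 bytes; longer lists must be split
    across option instances as RFC 3396 describes, which this helper does not do."""
    data = b"".join(struct.pack("!H", len(u.encode())) + u.encode() for u in uris)
    if len(data) > 255:
        raise ValueError("bootstrap-server-list exceeds one DHCPv4 option")
    return bytes([V4_SZTP_REDIRECT, len(data)]) + data

def decode_v4_sztp_redirect(option):
    """Device side: parse the option, refusing anything truncated or overrun."""
    if len(option) < 2 or option[0] != V4_SZTP_REDIRECT:
        raise ValueError("not an OPTION_V4_SZTP_REDIRECT option")
    data = option[2:]
    if len(data) != option[1]:
        raise ValueError("option-length does not match the data present")
    uris, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated uri-length field")
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        if pos + n > len(data):
            raise ValueError("uri-length runs past the end of the option")
        uris.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    return uris

def usable_bootstrap_servers(uris):
    """DHCP is unauthenticated, so the list is untrusted input. Keep only https URIs:
    the TLS server-certificate check (server validation) is what stops the device
    from onboarding to whichever host answered the DHCP request."""
    return [u for u in uris if urlparse(u).scheme == "https" and urlparse(u).hostname]

def report_progress_request(server_uri, progress_type, message):
    """Device side: the RESTCONF POST for the report-progress RPC. The /restconf root
    is assumed here; a real client discovers it via /.well-known/host-meta."""
    if progress_type not in PROGRESS_TYPES:
        raise ValueError(f"unknown progress-type {progress_type!r}")
    body = {"ietf-sztp-bootstrap-server:input":
            {"progress-type": progress_type, "message": message}}
    return {
        "method": "POST",
        "url": server_uri.rstrip("/")
               + "/restconf/operations/ietf-sztp-bootstrap-server:report-progress",
        "headers": {"Content-Type": "application/yang-data+json"},
        "body": json.dumps(body),
    }

def parse_progress_report(body_text):
    """ZTP server side: validate a report-progress body before logging or acting on it,
    so a misbehaving device cannot push unexpected keys or types into the server."""
    try:
        doc = json.loads(body_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    if not isinstance(doc, dict) or set(doc) != {"ietf-sztp-bootstrap-server:input"}:
        raise ValueError("expected exactly one ietf-sztp-bootstrap-server:input object")
    inp = doc["ietf-sztp-bootstrap-server:input"]
    allowed = {"progress-type", "message", "ssh-host-keys", "trust-anchor-certs"}
    if not isinstance(inp, dict) or "progress-type" not in inp or not set(inp) <= allowed:
        raise ValueError("missing progress-type or unexpected input leaves")
    if inp["progress-type"] not in PROGRESS_TYPES:
        raise ValueError(f"unknown progress-type {inp['progress-type']!r}")
    message = inp.get("message", "")
    if not isinstance(message, str):
        raise ValueError("message must be a string")
    return inp["progress-type"], message

# Constructed sample: one https bootstrap server and one http decoy that must be dropped.
SAMPLE_URIS = ["https://ztp.example.com:8443", "http://decoy.example.net/boot"]

if __name__ == "__main__":
    servers = usable_bootstrap_servers(decode_v4_sztp_redirect(encode_v4_sztp_redirect(SAMPLE_URIS)))
    req = report_progress_request(servers[0], "bootstrap-complete", "config applied")
    print(req["url"], parse_progress_report(req["body"]))
```

The decoder checks every length field against the bytes actually present, because the option comes from an unauthenticated DHCP answer, and the server-side parser rejects unknown leaves and unknown progress-type values rather than logging whatever a device sends. Neither side in this example performs the TLS handshake; the SUDI-based router validation and the server-certificate check happen in the HTTPS layer that carries the POST.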