- Cisco Network Plug and Play Dashboard
- Creating a Project
- Adding a Device
- Deploying Devices
- Claiming the Device
- Ignoring Unclaimed Devices
- Viewing the Cisco APIC-EM Certificate
- Deploying Third-Party CA-Signed Certificate on Cisco APIC-EM
- Updating the Trustpool Bundle
- Creating an Installer Role
- Collecting the Cisco Network Plug and Play Logs
- Reviewing the Status of the Preprovisioned Projects
Configuring Cisco Network Plug and Play
This document provides an overview of the Cisco Network Plug and Play solution and explains the process for pre-provisioning projects and managing unplanned devices in the network.
This chapter includes the following topics:
Cisco Network Plug and Play Overview
The Cisco Network Plug and Play solution provides a simple, secure, unified, and integrated offering for enterprise network customers to ease new branch or campus rollouts, or for provisioning updates to an existing network. The solution provides a unified approach to provision enterprise networks comprised of Cisco routers, switches, and wireless devices with a near zero touch deployment experience. For more information on the Cisco Network Plug and Play solution, see Solution Guide for Cisco Network Plug and Play.
The Cisco Network Plug and Play application allows you to pre-provision the remote project or claim unplanned devices. When you provision a large project, you can use the Cisco Network Plug and Play application to pre-provision the project and add devices to the project. This includes entering device information and setting up a bootstrap configuration, full configuration, and Cisco device image for each device to be installed. The bootstrap configuration enables the Plug and Play Agent, specifies the device interface to be used, and configures a static IP address for it.
When you create small projects where pre-provisioning is not required, devices can be deployed without prior set up on the Cisco Network Plug and Play application and then claimed. When the device installer installs and powers up the Cisco network device, the device auto-discovers the Cisco APIC-EM controller by using the DHCP or DNS. After the auto-discovery process is complete, the device is listed as an unplanned device in the Cisco Network Plug and Play application. You can use the Cisco Network Plug and Play application to claim the unplanned device and configure it with a new configuration and Cisco device image.
Cisco Network Plug and Play Organization
The Cisco Network Plug and Play web interface is organized into a workflow that includes the high-level task areas described in following table. The Cisco Network Plug and Play application is used by the network engineers to pre-provision the remote site and claim the unplanned devices. This document follows the same general organization.
Table 1. Cisco Network Plug and Play OrganizationTask Area
Description
Allows you to view dashboard, which provides you a quick view of the projects and unplanned devices information. For more information, see Cisco Network Plug and Play Dashboard.
Projects (Project Pre-provisioning Workflow)
Allows you to create and pre-provision the project. You can use the Add Device option to add a new device to the project. For more information, see Project Pre-provisioning Workflow.
Devices (Unplanned Devices Workflow)
Allows you to claim the unplanned devices. You can claim, ignore, or delete the unplanned device.
Allows you to upload images from your local machine and associate the default image to the device. For more information, see Associating the Default Image to the Device .
Allows you to upload the configuration and bootstrap file from your local machine. You can view or delete the configuration file from the list.
Allows you to upload the templates from your local machine. You can view or delete the template from the list.
Allows you to download a template that you can use to create your own bulk-import file. To download a template, click the Sample button in the Bulk Import section of the Network Plug and Play application.
Settings (Cisco Smart Account)
Cisco Smart Account feature allows you to integrate the on- prem Cisco Plug and Play server in APIC-EM controller and the smart account enabled PNP cloud redirection service for automating the device provisioning. For more information, see Configuring Cisco Smart Account
Settings (Global Settings on APIC-EM)
The Settings option is available at the top-right corner of the Cisco APIC-EM global toolbar. Allows you to create administrator and operator roles and manage the security settings.
The Logs option is available at the top-right corner of the global toolbar. Allows you to collect the logs pertaining to Cisco Network Plug and Play application. For more information, see Collecting the Cisco Network Plug and Play Logs.
Cisco Network Plug and Play Dashboard
The Cisco Network Plug and Play Dashboard displays at-a-glance views of the most important data in your network. The graphical representation of the dashboard provides the list of pre-provisioned, in-progress, provisioned, and project with errors information. Also, it displays the unclaimed, claimed, and ignored devices. You can quickly scan the information by clicking on the links next to each pie-chart and access the list of relevant projects or devices. To see the details of the specific project or device, click on the project or device name in the first column and take action based on the information (see Figure 1).
The Dashboard page contain the following options:
- Search Projects—Allows you to search the list of projects and load the project.
- Search Device—Allows you to search the device based on the name, serial number, and MAC address.
Project Pre-provisioning Workflow
Cisco Network Plug and Play allows you to pre-provision and plan for new projects. When you create a new project, Cisco Network Plug and Play enables you to pre-provision the configuration file, image file, and device ID certificate for the selected platform. This simplifies and accelerates the time that it takes to get a site fully functional.
To pre-provision a project on your network, perform these steps:
Procedure
Create a new project (see Creating a Project).
Add the device to the project (see Adding a Device).
Creating a Project
The Cisco Network Plug and Play (PnP) application eases the creation of new IWAN sites by providing project-based management of the resources required to create such projects. These resources include configuration files, image files, and device ID certificates. A Cisco Network PnP project is a unique entity that gathers device-related information and helps in pre-provisioning a specific IWAN site in the Cisco APIC-EM IWAN application. To reuse project information and resources for provisioning a different project, you can clone an existing project into a new one that has a unique project name. You can then use the Projects tab to edit the new project as necessary.
To create a project, perform these steps:
Procedure
Choose Network Plug and Play > Projects.
Click Add, the Add Project dialog box appears.
In the Add Project dialog box, enter a name for the new project.
Enter the TFTP server IP address/URL if you want to use the TFTP server option by specifying the full pathname of the file. The configuration or image file is downloaded to the device from the specified location instead of from the APIC-EM controller.
When you do not have the option to download the configuration and the image file from the Cisco APIC-EM server, you can deploy the configuration and Cisco device Image file from an external TFTP server.
Click on Installer Notes icon and add notes about the reference documents. It supports text files, Image files (GIF, Bitmap, and JPEG) and Microsoft PowerPoint formats. These notes are available to an installer who is using the Cisco PnP mobile app to deploy the devices.
Click Create to create the new project (see Figure 2).
Claiming the Device
The device is added to the unclaimed device list when the device uses the call-home agent capability to connect to the server, before it is provisioned by Cisco APIC-EM, or when the Cisco APIC-EM is not able to match the device against the existing configuration.
To claim the device, perform these steps:
Procedure
Choose Network Plug and Play > Devices.
Select the device from the list, and click Claim. The Claim Device dialog box appears.
You can either reuse an existing Cisco device image from the list, or apply a new image file to the device.
- To load an existing Cisco device image on the device, click on the text box and select an image file from the drop-down list.
- Click the Upload icon and choose a Cisco device image file to apply to the device.
- Enter the TFTP server IP address if you want to use the TFTP server option by specifying the full pathname of the file. The image file is downloaded to the device from the specified location instead of from the APIC-EM controller
You can either reuse the existing configuration file or template from the list, or apply the new configuration file or template to the device.
-
To apply either a configuration file or a template to the device that is already uploaded to the Cisco APIC-EM controller, select the appropriate radio button and select the configuration file or template from the drop-down list. For more information on configruation template, see Using Configuration Templates.
| Note | This configuration files has AAA authorisation commands. To use the aaa authorisation command, provide the device credentials and the device should have the minimum IOS version that is recommended. |
(Optional) Enter the project name to add the device to a project. The device is added to the selected project.
Check the Device Certificate check box to apply the device certificate on the device. Cisco Network Plug and Play automatically generates and deploys the PKCS12 device ID certificate. This configuration is not required for access point.
To add the configuration credentials, click on the Credentials Configurations (+) button and specify the required information (see,Configuring AAA on the Device).
To enable Stack Switch Configuration, click on the Plus (+) button and specify the following information:
- License—Select the license from the drop-down list to ensure that all members of the stack have the selected license.
- Accept EULA—Check the Accept EULA check box.
Click Claim to claim the device.
To delete a device that was added in error, click Delete. It resets the device to the factory state and you can add it again.
Ignoring Unclaimed Devices
You can move the device to ignore status when you do not want to claim the device. Later, if you decide to reclaim the device, you can move the device back to the unclaimed device list and claim it. To ignore an unclaimed device, perform these steps:
Procedure
Choose Network Plug and Play > Devices.
To ignore a device, select the device from the list and click Ignore.
The device is moved to the Ignored page.
In the Ignored page, select the device and click Unignore if you want to move the device back to the unclaimed device list.
Uploading the Cisco Device Image File
This option allow you to upload the Cisco device image file from your local machine. It supports .tar, .bin, and .T formats (see Figure 4). To upload the Cisco device image file, perform these steps:
Procedure
Choose Network Plug and Play > Images.
Click Upload and browse to the location where you have saved the Cisco device image file. Select the Cisco device image file, and click Open to upload the file. You can also drag and drop the Cisco device image file to this screen.
To delete an image file from the list, select the file and click Delete.
If you begin multiple image file uploads that are in progress simultaneously and you receive network errors, it may be due to network congestion or too many parallel uploads. In this case, upload one image file at a time.
Associating the Default Image to the Device
Cisco Network Plug and Play allows you to associate the Cisco device image as a default image to a set of platforms. When you set the Cisco device image as a default image for a set of platforms, the Image is automatically associated with the device. When you use this option, you do not have to manually assign the image to the platforms when you add the device to the project.
To associate the Cisco IOS image as the default image, perform these steps:
Procedure
Choose Network Plug and Play > Images.
Click on the Image link and select the Platform from the drop-down list.
Select the Product ID from the list, and check the Use this image as Default Image check box to associate the image to the platform.
You can associate the Cisco device image as a default image to a specific platform or multiple product IDs within the same platform (see Figure 5).
You can modify the default image settings on the platform. To modify the default settings, repeat the Step 1 through Step 3.
Click Yes to save the changes.
Uploading the Configuration File
This option allows you to upload the configuration file from your local machine and supports text format. It supports JSON format files with *.json extension for access point devices. To upload the configuration file, perform these steps:
Procedure
Choose Network Plug and Play > Configurations.
Click Upload and browse to the location where you have saved the configuration file. Select the configuration file, and click Open to upload the file.
To view the content of the uploaded configuration file, click on the name of the configuration file . This displays the content of the selected configuration file.
You cannot delete the configuration file that is being used in any device. To delete the configuration file from the list, select the configuration file and click Delete.
Uploading Templates
This option allows you to upload the configuration template from your local machine. To upload the template, perform these steps:
Procedure
Choose Network Plug and Play > Templates.
Click Upload and browse to the location where you have saved the template. Select the template and click Open to upload the template.
When you use a template, you can either select the default values or specify the customized values for a specific device.
To provide a customized values for a specific devcie, click on the template and enter the values in the template editor.
To view the content of the uploaded template, click on the name of the template. This displays the content of the selected template file.
You cannot delete the template that is being used in any device. To delete the template from the list, select the template and click Delete.
Bulk Import Projects and Devices
You can use the bulk import feature to import a CSV file that contains the projects and devices attributes (see Figure 6). To perform a bulk import of projects and provisioned devices, perform these steps:
Procedure
Choose Network Plug and Play>Bulk Import.
Click Sample to download the sample file, and add the projects and provisioned devices information.
Click Import and browse to navigate to the appropriate file.
Select the file and click Open to import the CSV file.
To export the devices information, click Export. The devices information is exported in a CSV format. Use this information to analyze the devices status.
Note:If you bulk import a device that is already on the unclaimed list, the device will be claimed and moved to the specified project.
Configuring Cisco Smart Account
Cisco Smart Account feature allows you to integrate the on- prem Cisco Plug and Play server in APIC-EM controller and the smart account enabled PnP Connect for automating the device provisioning.
You can create a default controller profile using Cisco Smart Account. Register the instance of APIC-EM controller as a default controller in the Cisco PnP Connect for all redirection services. Also, synchronize the device inventory from Cisco PnP Connect to this on-prem controller for automated deployment. If your organization does not have a smart account, you can request for a new smart account from the following link.
To register your Cisco Smart Account, perform these steps:
Procedure
Choose Network Plug and Play > Settings > Smart Account Settings.
Enter the Username and Password, and click Authenticate.
In the Smart Account Settings section, choose the Smart Account and Virtual Account name from the drop-down list.
When you have multiple virtual accounts within that smart account, then choose the one you want to use from the virtual account list.
In the APIC-EM Controller Profile Settings section, check the Register this controller under default profile check box.
Select the Controller IP Address from the drop-down list and click Save to save the information and register the APIC-EM controller profile in the Smart Account portal.
To synchronize and download the devices that are registered in the smart account portal into the Cisco Plug and Play application, go to the Devices > Cloud Synced tab. Click on the Sync button to retrieve the list of devices from the smart account. The list of devices that are registered in the smart account portal appears.
Select the device from the list and move it to Projects for provisioning the device.
Setting the Timeout for Image Provisioning
You can configure the timeout limits for an image provisioning, which ends your user session automatically when you exceed the timeout. It is enabled by default and is set to 40 minutes.
To set the timeout for an image provisioning, perform these steps:
Procedure
Choose Network Plug and Play > Settings > Image Provisioning.
In the Image Provisioning page, choose the timeout limits from the drop-down list.
Click Save. You will need to log out and log back in for this change to take effect.
Click Revert to Default to reset to the default timeout settings
Setting the Timeout for Configuration Provisioning
You can configure the timeout limits for configuration provisioning, which ends your user session automatically when you exceed the timeout. It is enabled by default and is set to 40 minutes.
To set the timeout for configuration provisioning, perform these steps:
Procedure
Choose Network Plug and Play > Settings > Config Provisioning.
In the Config Provisioning page, choose the timeout limits from the drop-down list.
Click Save. You will need to log out and log back in for this change to take effect.
Click Revert to Default to reset to the default timeout settings
Security Workflow
This section describes the methods that are used to secure the PnP agent-server communication in various scenarios. It explains the methods provided by the PnP agent, which can be used by the PnP server to secure the client-server communication, after the completing the discovery process.
Viewing the Cisco APIC-EM Certificate
To view the Cisco APIC-EM certificate, perform these steps:
Procedure
In the Home page, click the Settings icon at the top-right corner of the screen.
In the Network Settings navigation pane, click Certificate to view the current certificate.
In the Certificate page, view the current certificate data.
The current certificate data that is displayed is the controller's self-signed certificate. The self-signed certificate's Expiration Date and Time is displayed as a Coordinated Universal Time (UTC ) value. A system notification will be displayed two months before the expiration date and time of the certificate.
Deploying Third-Party CA-Signed Certificate on Cisco APIC-EM
You can also install a proxy certificate. It is for devices that cannot communicate directly with the APIC-EM controller. To deploy the CA-signed certificate on Cisco APIC-EM, perform these steps:
Procedure
In the Home page, click the Settings icon at the top-right corner of the screen.
In the Network Settings navigation pane, click Certificate to view the current certificate. You must have role Admin to access the network settings pane.
In the Certificate page, click Replace Certificate.
In the Certificate page, choose the file format type of the certificate: PEM or PKCS12.
If you choose PEM, then do the following:
- Import the PEM file by dragging and dropping the file into the Drag n' Drop a File Here area. The file should have a valid PEM format extension (.pem, .cert, .crt). The maximum file size for the certificate is 10 KB.
- Import the private key by dragging and dropping the file into the Drag n' Drop a File Here area. Choose the encryption option from the Encrypted drop-down menu for the private key, and enter the passphrasre. The file should have a valid private key format extension (.pem, .cert).
If you choose PKCS, then do the following:
- Import the PKCS file by dragging and dropping the file into the Drag n' Drop a File Here area. The file should have a valid PKCS format extension (.pfx, .p12).
- For private key, choose the encryption option from the Encrypted drop-down menu for the private key, and enter the passphrase.
Click Upload/Activate to replace the current certificate.
Return to the Certificate page to view the updated certificate data.
The information displayed in the Certificate page reflects the new certificate name, issuer, and certificate authority.
Updating the Trustpool Bundle
The Cisco APIC-EM allows you to import and update the PKI trustpool bundle. This PKI trustpool bundle is used by supported Cisco networking devices to authenticate the Cisco APIC-EM and its applications such as Cisco Network Plug and Play. To update the trustpool bundle, perform these steps:
Procedure
In the Home page, click the Settings icon at the top-right corner of the screen.
In the Network Settings navigation pane, click Trustpool to view the trustpool bundle.
Click Update to update the trustpool bundle.
The PKI trustpool bundle overwrites the preexisting trustpool bundle on the controller.
Creating an Installer Role
The Cisco APIC-EM supports role-based access control (RBAC). RBAC is a method of restricting or authorizing controller access for users based on user roles. A role defines the privileges of a user in the controller. You can create users and assign appropriate roles to the users. The ROLE_ADMIN role allows an installer to use the Cisco Plug and Play Mobile App to access the APIC-EM controller and trigger device deployment, view device status. For more information on the user roles, see the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide. To create an installer role, perform these steps:
Procedure
In the Home page, click the Settings icon at the top-right corner of the screen.
In the Settings navigation pane, click User Settings>Internal Users> Create User.
In theUser dialog box, complete the following fields:
- Username—Enter a username for the new user.
- Password—Enter a password for the new user.
- Confirm Password—Reenter the password to confirm.
- Scope—Scope is set to ALL by default.
- Role—Select ROLE_INSTALLER role for the new user.
Click Save to create the new user with the ROLE_INSTALLER role.
Configuring AAA on the Device
The Cisco APIC-EM supports external authentication and authorization for users from a AAA server. The external authentication and authorization is based upon usernames, passwords, and attributes that already exist on a pre-configured AAA server. With external authentication and authorization, you log into controller with credentials that already exist on the AAA server. The RADIUS protocol is used to connect the controller to the AAA server. For more information on the user roles, see the Cisco Application Policy Infrastructure Controller Enterprise Module Configuration Guide, Release 1.3.x. To add the configuration credentials, perform these steps:
Procedure
To add the configuration credentials for the existing device from the project, check the box next to the device and click Edit. In the Edit Device dialog box, specify the following:
- Username —Enter the username for the configuration.
- Password—Enter the password for the configuration.
- Confirm Password—Confirm the password.
To add the configuration credentials for the unplanned device, choose Network Plug and Play > Devices.
Select the device from the list, and click Claim. The Claim Device dialog box appears.
Click on the Credentials Configurations (+) button and specify the following:
- Username —Enter the username for the configuration.
- Password—Enter the password for the configuration.
- Confirm Password—Confirm the password.
Click Claim to claim the device.
Troubleshooting the Cisco Network Plug and Play
Cisco Network Plug and Play provides the following troubleshooting information for monitoring and troubleshooting the device.
Collecting the Cisco Network Plug and Play Logs
To collect the logs pertaining to Cisco Network Plug and Play, perform these steps:
Procedure
In the Home page, click the Settings icon at the top-right corner of the screen.
In the Settings navigation pane, click System Administration > Services.
In the Services dialog box, select the pnp-services from the Services list. and enter the fields appropriately.
Click tasks to veiw the tasks.
Click Details to view the details of the logs.
Click Instance Logs to view the instance logs.
Click Client Logs to view the client logs.
You can use this log file to analyze the Cisco Network Play and Play events and take appropriate action (see Figure 7).
Reviewing the Status of the Preprovisioned Projects
To review the status of the preprovisioned projects, perform these steps:
Procedure
Choose Network Plug and Play and from the Dashboard, click on the preprovisioned link next to Projects pie chart.
Click on the Project name in the Projects column to check the status of device in that projects.
