Initial situation
In the case of a rollout to a number of branch sites, the large number of devices means that pre-configuring the LANCOM devices is not a viable option. Instead they should be commissioned after they have retrieved a configuration from a central LSR server, in a similar manner to the "zero-touch management" with a WLC.
Prerequisites
In order for the "zero-touch rollout" by means of the rollout agent in the device to work properly, a number of prerequisites need to be met first:
- A central rollout server must be available and the zero-touch devices must be able to contact it via HTTP/HTTPS.
- DHCP must be active in the network at the branch. That is,
- a DHCP server is available on the branch network, or
- a DHCP relay server on the branch network exchanges the DHCP data packets between the devices on the branch network and a DHCP server at the main office.
- The DHCP server has to be able to deliver the DHCP option 43.
Process
The rollout of the configuration proceeds as follows:
- The unconfigured device is connected to the branch network.
- The device retrieves connection data (such as IP address, gateway, netmask, DNS address, and DHCP option 43) from the DHCP server.
- The device uses the DHCP option 43 to decode various pieces of information including the URL of the rollout server and uses this to configure the rollout agent on the device.
- The rollout agent then contacts the rollout server and performs the rollout in two steps:
- Firmware-Update
- Configuration update
The rollout agent contacts the rollout server at the configured firmware-server URL and retrieves a firmware file in the .upx format, which it then uses to update the device.
After the firmware update, the device restarts and contacts the rollout server again. The rollout agent checks whether the firmware provided by the rollout server is already installed. This check succeeds if the device received the latest firmware in the first step. The rollout agent then continues with the configuration update and downloads the script files: it contacts the rollout server at the configured config-server URL and retrieves a script in the .lcs format, which it then uploads to the device.
DHCP option 43
DHCP option 43 is vendor-specific, i.e. each vendor is free to decide how to structure this option and what information is coded into it. The option can contain several sub-types, which are used for the detailed structuring of the data.
The following sub-types are specified for the device rollout agent:
- Sub-type 1: Config-Server-URL
- Server addresses are entered in the following available formats:
- HTTP, HTTPS, TFTP
- IP address, FQDN
- https://rollout:443/
- tftp://10.1.1.1
- http://10.1.1.2/test
Note: If the rollout server is an LSR, the address requires the prefix lsr:, e.g. lsr:https://rollout:443/. The rollout agent then assembles the correct LSR rollout URL from sub-type 5 and the following sub-types. Accordingly, sub-types 5 and up are only of importance when this prefix is used.
If the rollout server is not an LSR, the URLs for the config server and the firmware server have to be specified by hand with the use of variables.
- Sub-type 2: Firmware-Server-URL
- As with sub-type 1, the rollout agent expects the rollout server at this address to respond by sending a firmware file with the extension .upx.
- Sub-type 3: HTTP-Username
- Contains the user name for HTTP authentication in the URL (in the form http://username:password@server)
- Sub-type 4: HTTP-Password
- Contains the password for HTTP authentication in the URL (in the form http://username:password@server)
- Sub-type 5: LSR project number
- Contains the project number for the rollout project stored in the rollout server.
- Sub-type 6: Additional URL parameters for LSR keyword
- The rollout agent appends this content to the constructed LSR URL (e.g. ?approval=yes).
- Sub-type 7: Reboot-Time
- Specifies the wait time in minutes before the device restarts after the update by the rollout server.
- Sub-type 8: Request-Interval
- Specifies the interval in minutes in which the rollout agent sends its requests to the rollout server.
- Sub-type 9: TAN
- This entry contains the rollout TAN.
- Sub-type 10: Device number
- Contains the device number of the device being updated.
- Sub-type 11: Request-Delay
- Contains the time in minutes that the rollout agent waits between request 1 and request 2.
- Sub-type 12: Request-Random
- This setting prevents all of the devices involved in the rollout from requesting a configuration from the LSR server all at the same time. The following entries are allowed:
- 0
- Requests take place after set time delays.
- 1
- With this entry, you specify that the request for a rollout takes place after a random delay.
- Sub-type 13: Omit-Certificate-Check
- This value determines whether the rollout agent skips the verification of the rollout-server certificate.
Note: If this subtype is missing or its content is empty, the rollout agent assumes the value is "0" and carries out a check of the server certificate.
Variables
URLs can contain any of the variables that are available at the LCOS console. These variables can be listed at the console with the command printenv.
The variables are specified in the URL with a leading "$" character (e.g. $__SERIALNO).
Generating DHCP option 43
The DHCP option 43 is generated on the basis of RFC 2132, section 8.4.
The following configuration section can be used to generate the option 43 with the use of an ISC DHCPd DHCP server:
- Within the general configuration
option space Rollout;
option Rollout.config-server code 1 = text;
option Rollout.firmware-server code 2 = text;
option Rollout.HTTP-Username code 3 = text;
option Rollout.HTTP-Password code 4 = text;
option Rollout.Projectnumber code 5 = text;
option Rollout.AdditionalParams code 6 = text;
option Rollout.RebootTime code 7 = text;
option Rollout.RequestInterval code 8 = text;
option Rollout.Tan code 9 = text;
option Rollout.Devicenumber code 10 = text;
option Rollout.RequestDelay code 11 = text;
option Rollout.RequestRandom code 12 = text;
option Rollout.OmitCertCheck code 13 = text;
- Within the subnet-specific configuration
vendor-option-space Rollout;
option Rollout.config-server "LSR:https://10.200.50.1:443";
option Rollout.firmware-server "LSR:https://10.200.50.1:443";
option Rollout.HTTP-Username "RolloutUser";
option Rollout.HTTP-Password "Secret";
option Rollout.Projectnumber "1";
option Rollout.RebootTime "300";
option Rollout.RequestDelay "20";
option Rollout.RequestRandom "0";
option Rollout.OmitCertCheck "2";
Other DHCP servers (such as the Microsoft DHCP server) do not allow option 43 to be defined symbolically in the configuration. In this case, the byte sequence that the server is to deliver as option 43 needs to be prefabricated and entered into the configuration.
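The following Python script is an added example (not LANCOM or ISC code) that builds the prefabricated option 43 byte sequence from the sub-types listed above using the RFC 2132 section 8.4 encapsulation (one-byte code, one-byte length, data), and parses such a sequence back so a captured DHCP offer can be checked; the sample values are constructed from the dhcpd section above.

```python
# Added example: encode/decode the LANCOM rollout agent's DHCP option 43 payload.
# RFC 2132 section 8.4: each sub-option is <code><length><data>; 0 is a pad byte
# and 255 ends the list. Sub-type codes are those documented above.

SUBTYPES = {
    "config-server": 1, "firmware-server": 2, "http-username": 3,
    "http-password": 4, "projectnumber": 5, "additionalparams": 6,
    "reboottime": 7, "requestinterval": 8, "tan": 9, "devicenumber": 10,
    "requestdelay": 11, "requestrandom": 12, "omitcertcheck": 13,
}

def encode_option43(values: dict) -> bytes:
    """Encode {sub-type name: string} into the raw option 43 byte sequence."""
    out = bytearray()
    for name, value in values.items():
        data = value.encode("ascii")
        if len(data) > 255:
            raise ValueError(f"{name}: sub-option data longer than 255 bytes")
        out += bytes([SUBTYPES[name], len(data)]) + data
    if len(out) > 255:   # option 43 itself carries a one-byte length
        raise ValueError("option 43 payload exceeds 255 bytes; shorten the URLs")
    return bytes(out)

def decode_option43(payload: bytes) -> dict:
    """Parse a received option 43 back into {sub-type name or code: string}."""
    names = {code: name for name, code in SUBTYPES.items()}
    result, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end marker
            break
        if code == 0:            # pad byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-type {code}: declared {length} bytes, got {len(data)}")
        result[names.get(code, code)] = data.decode("ascii")
        i += 2 + length
    return result

def option43_hex(values: dict) -> str:
    """Hex string for DHCP servers that take the option as a raw byte sequence."""
    return encode_option43(values).hex()

# Constructed sample; OmitCertCheck "0" keeps server certificate verification on.
SAMPLE = {"config-server": "LSR:https://10.200.50.1:443", "projectnumber": "1",
          "requestrandom": "0", "omitcertcheck": "0"}
```

Sub-types 3 and 4 travel in cleartext inside the DHCP offer, so the same credentials should not be reused for anything beyond the rollout server's HTTP authentication.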