PackeTsar / freeztp

An Open-Source Zero-Touch Provisioning System for Cisco IOS.
GNU General Public License v3.0

Is it possible to write to startup-config when doing ZTP? #31

Closed falkowich closed 5 years ago

falkowich commented 6 years ago

Hi,

This is not an issue or a request, it's more of a question :) I have looked into the Cisco ZTP docs, but there is really little documented about writing config to startup-config when doing a ZTP?

Any ideas here?

-- Regards Falk

derek-shnosh commented 6 years ago

I'm using an EEM applet in the template to accomplish this. The applet can be triggered by a syslog message of your choosing and can perform commands (and other things) depending on your needs/configuration.

There should be a %SYS-5-CONFIG_I syslog message for the configuration change via TFTP.

Our 3650s show the following: %SYS-5-CONFIG_I: Configured from tftp://255.255.255.255/ZTP-23C907A492-confg by console

I have an EEM applet called post_ztp that watches for this syslog message and then performs configuration commands:

Notes/Considerations

tftp_addr is configured and assigned in the template, but could also be in your keystore. _To set in the J2 template, use !{% set tftp_addr = "1.2.3.4" %} where 1.2.3.4 is the address of your TFTP server; e.g. FreeZTP or some other server reachable on the network._

hostname and keystore_id are pulled from the external-keystore (CSV file) we're using.

You'll need to have file prompt quiet in your template/config for the TFTP copy to work; either that, or add a couple of action cli command "" lines after the copy command to emulate hitting Enter twice.

I created a subdirectory in FreeZTP's tftproot directory to push configs to; i.e. /etc/ztp/tftproot/provisioned. The final configuration is pushed as /etc/ztp/tftproot/provisioned/hostname_serialno.cfg.

Configuration (EEM Applet)

Example config that can be tweaked and added to your template if desired.

!{% set tftp_addr = "1.2.3.4" %}
!
! Suppress the destination-filename/confirmation prompts so the TFTP copy runs unattended
file prompt quiet
!
! Fires once on the CONFIG_I syslog that the ZTP TFTP config load produces; maxrun caps the applet at 300 s
event manager applet post_ztp
 event syslog occurs 1 pattern "%SYS-5-CONFIG_I: Configured from tftp" maxrun 300
 action 001 wait 30
 action 002 cli command "enable"
 action 005 cli command "conf t"
 action 010.1 cli command "no vstack"
 action 010.2 cli command "no ip http ser"
 action 010.3 cli command "no ip http secure-s"
 action 010.4 cli command "no ip http authen"
 action 010.5 cli command "cry key gen rsa mod 2048"
 action 010.6 cli command "no event man app post_ztp"
 action 015 cli command "do write mem"
 action 020 cli command ""
 action 025 cli command "copy run tftp://{{ tftp_addr }}/{{ hostname }}_{{ keystore_id }}.cfg"

To verify/troubleshoot via console connection, add the following to the applet; note the action sequence numbers and insert accordingly.

action 003 cli command "debug event man act cli"
...
action 030 cli command "undebug all"

TLDR

Put this in your switch template.

event manager applet post_ztp
 event syslog occurs 1 pattern "%SYS-5-CONFIG_I: Configured from tftp" maxrun 300
 action 001 wait 30
 action 002 cli command "enable"
 action 003 cli command "conf t"
 action 004 cli command "no event man app post_ztp"
 action 005 cli command "do write mem"
 action 006 cli command ""
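
As an added example (not code from the issue or from FreeZTP), the Python below renders the post_ztp applet for one device from a constructed keystore CSV, checks that the hostname and keystore_id taken from the CSV are safe single path components before they are interpolated into the copy run tftp:// destination (so a bad keystore row cannot steer the upload outside tftproot/provisioned/), and parses the %SYS-5-CONFIG_I line the applet keys on. The CSV column names, the simplified {{ }} substitution standing in for Jinja2, and the helper names are assumptions.

```python
import csv
import io
import re

# Constructed sample of the external keystore CSV the comment refers to.
# Column names are an assumption; the third row is a deliberately bad value.
KEYSTORE_CSV = """keystore_id,hostname
FOC1234X0AB,switch-01
FOC5678Y0CD,switch-02
../../etc,evil-name
"""

# The post_ztp applet from the comment, kept as a Jinja2-style template
# (only the three {{ variables }} it uses are substituted here).
TEMPLATE = """file prompt quiet
!
event manager applet post_ztp
 event syslog occurs 1 pattern "%SYS-5-CONFIG_I: Configured from tftp" maxrun 300
 action 001 wait 30
 action 002 cli command "enable"
 action 005 cli command "conf t"
 action 010.6 cli command "no event man app post_ztp"
 action 015 cli command "do write mem"
 action 020 cli command ""
 action 025 cli command "copy run tftp://{{ tftp_addr }}/{{ hostname }}_{{ keystore_id }}.cfg"
"""

# Values interpolated into the TFTP destination must stay a plain file name:
# no slashes, backslashes, whitespace or leading dots.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")
VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<who>\S+)")


def load_keystore(text):
    """Parse the keystore CSV into {keystore_id: row}."""
    return {row["keystore_id"]: row for row in csv.DictReader(io.StringIO(text))}


def validate_name(value):
    """Reject any value that is not a safe single path component."""
    if not SAFE_NAME.fullmatch(value):
        raise ValueError(f"unsafe value for TFTP path: {value!r}")
    return value


def render(template, variables):
    """Minimal stand-in for Jinja2 rendering: substitutes {{ name }} only."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template variable {name!r} not supplied")
        return variables[name]
    return VAR.sub(sub, template)


def build_applet(keystore_id, keystore, tftp_addr="1.2.3.4"):
    """Render the applet for one device, validating the keystore values first."""
    row = keystore[keystore_id]
    variables = {
        "tftp_addr": tftp_addr,
        "hostname": validate_name(row["hostname"]),
        "keystore_id": validate_name(keystore_id),
    }
    return render(TEMPLATE, variables)


def expected_config_path(hostname, keystore_id, tftproot="/etc/ztp/tftproot"):
    """Where the applet's copy lands on the FreeZTP host (per the comment's layout)."""
    return f"{tftproot}/provisioned/{hostname}_{keystore_id}.cfg"


def parse_config_i(line):
    """Extract source and user from a CONFIG_I syslog line; None if it is not one.

    ztp_from_tftp mirrors the applet's event pattern: only a config loaded
    from tftp:// (the ZTP path) should trigger post_ztp, not a console edit.
    """
    match = CONFIG_I.search(line)
    if not match:
        return None
    source = match.group("source")
    return {"source": source, "who": match.group("who"),
            "ztp_from_tftp": source.startswith("tftp://")}


if __name__ == "__main__":
    keystore = load_keystore(KEYSTORE_CSV)
    print(build_applet("FOC1234X0AB", keystore))
    print(parse_config_i("%SYS-5-CONFIG_I: Configured from tftp://255.255.255.255/ZTP-23C907A492-confg by console"))
```

The validation step matters because the same hostname and keystore_id strings also become the file name FreeZTP's TFTP server writes under tftproot/provisioned/; checking them once at template-render time is simpler than trusting every row of the CSV.
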

PackeTsar commented 5 years ago

The best way (currently) is the solution from @derek-shnosh. Eventually I will build in a feature to run a script upon the completion of a provisioning action. This could be used to log in and save the config.

Closing this issue