How to use Zero-Touch SmartInstall

Document

Mon, 07/06/2015 - 07:07
Jul 5th, 2012

Before we begin, I’ve segmented this document into three subnets.  They are: 

1) Introduction section  2) Troubleshooting section.  3) WTF section (I’ll explain later).

Introduction

What does this do?

Let’s say that you have a pile of switches you need to deploy soon-ish.  Now, your stack will “mostly” have the same configuration except the IP Addresses and Hostname.  Let’s say that your switch configurations are composed of two parts:  Dynamic (unique information such as IP Addresses) or Static (or fixed information).

Before the advent of Zero-Touch, one would sit down behind the pile switches and configure them one by one, very monotonous and very repetitive. 

With Zero-Touch, all one has to do is connect a new switch’s Ethernet or Management Port to the switch “Director” Ethernet port (explained later) using an Ethernet cable.  Power up  the new switch and once the boot-up process completes the new switch will receive a Static Configuration and an IOS upgrade/downgrade from the Director. 

Now, for safety reason, you have to manually configure what kind of switch you want to enable.  And when I say “what kind of switch”, I meant SPECIFIC models.  This feature will be able to determine if your switch is a 24- or 48-port, whether you switch has 2- or 4- SFP ports, etc.  For short, very platform-specific. 

Zero-Touch uses VLAN 1 and Cisco Discovery Protocol (CDP).  Zero-Touch requires VLAN 1 because a new factory-fresh switch does not have any other VLANs other than VLAN 1.  Ok so far?

Zero-Touch also uses CDP to “interrogate” the client switch.  Zero-Touch takes the CDP value and pulls the “platform” information to know what kind of appliance wants “in” to the Zero-Touch and whether or not there are settings.   Because of this, the director will NOT push the IOS and/or the static configuration to, say a 2960 switch to a 3560 (unless you incorrectly configured it to do so).   If it’s not in the list, then the Director will not action. 

What appliances are supported?

Table 1 Supported Switches

SwitchDirectorClient

Catalyst 3750-X                                               

YesYes

Catalyst 3750-E

YesYes
Cisco 3750YesYes

Cisco 3560-X

YesYes

Cisco 3560-E

YesYes

Cisco 3560-C

NoYes

Cisco 3560

YesYes

Catalyst 2960-S

NoYes

Catalyst 2960-C

NoYes

Catalyst 2960

NoYes

Catalyst 2975

NoYes

SM-ES2-16-P

NoYes

SM-ES3 SKUs

NoYes

NME-16ES-1G-P

Noyes

NM-16-ESW

YesNo

Table 2 Supported Routers

RouterDirectorClient
Cisco 3900 Series Integrated Services Routers G2YesNo
Cisco 2900 Series Integrated Services Routers G2YesNo
Cisco 1900 Series Integrated Services Routers G2YesNo
Cisco 3800 Series Integrated Services RoutersYesNo
Cisco 2800 Series Integrated Services RoutersYesNo
Cisco 1800 Series Integrated Services RoutersYesNo

Note: If your switch appliance (like 3560CG or ME-3800X) is not in this list, boy, do I have a joke for you!  Read on!

So what do I need?

No biggie. You need a TFTP server of course.  A 3560 or 3750 switch running at least IOS version 12.2(55)SE1 IP Base which will act as a Director.  Cisco documentation will state that Zero-Touch SmartPort was introduced starting with IOS 12.2(55)SE but Cisco insiders recommend using the SE1 rebuild because of “improvements” (aka bug fixes).

Network Diagram

server-1.png

That’s simple. 

Anything else?

Of course you need the IOS TAR files of the switches involved.  You also need to create a few text files.  They are:

  • config template – The text file is the configuration template for a specific model of switch.   Syntax or naming convention would be anything of your choice.
  • imagelist  - This file contains only one string:  The complete IOS filename (example:  c2960s-universalk9-tar.122-58.SE1.tar).  The naming convention is a wee bit “strange”.  The naming convention is based on the built-in group (or profile) when configuring the VStack.  For example, for a 2960 LAN Lite the filename is “2960-24-8poe-lanlite-imagelist.txt”.  For a 2960S-24PD the filename is called “2960s-24-2sfp-poe-imagelist.txt” and for a 2960S-48LPS the filename is called “2960s-48-4sfp-poe-imagelist.txt”. 

Gotchas?

  • During the entire process, if you do anything, like hit any keyboard while consoled into the client switch (accidentally) the process will stop (hence the term Zero-Touch).
  • VLAN 1 is mandatory.  This is because when you get a switch out of the box VLAN 1 is the only VLAN available.  
  • This feature does NOT like the “/” or “\” symbols.  For example, when you are specifying where the IOS image and/or config template file is located it will only accept this form of syntax:  tftp://IP Address of TFTP server/IOS file.tar

    The syntax of tftp://IP Address of TFTP server/subdirectory/IOS file.tar  is going to cause issues and best be avoided.

  • The three files (IOS TAR file, config template.txt file and imagelist.txt file) must be located in the default folder of the TFTP server. 
  • If your switch has a Management Port you can use this as well as any switch port. 

Configuration time!

It’s simple. 

  1. Interface configuration for the clients AND the TFTP server:

    interface GigabitEthernet <BLAH>
    description Build LAN
    switchport mode access
    switchport access VLAN 1    [IMPORTANT]
    load-interval 30        [OPTIONAL]
    spanning-tree portfast

  2. Enable VLAN 1:

    Director# configure terminal
    Director(config)# interface vlan 1
    Director(config)# no shutdown
    Director(config)# ip address 1.1.1.254 255.0.0.0

  3. Enable SmartInstall on the Director:

    Director(config)# vstack director 1.1.1.254
    Director(config)# vstack basic

  4. Configure a DHCP scope for client switches:
    Note:  TFTP server IP address is 1.1.1.1/8 for the sake of the demonstration

    Director(config)#  vstack dhcp-localserver badda-bing
    Director(config)#  address-pool 1.1.1.0 255.0.0.0
    Director(config)#  file-server 1.1.1.1
    Director(config)#  default-router 1.1.1.254

    Connect the link between your Director and the TFTP server into a port configured as VLAN 1.

  5. Configure Built-In Groups (or profiles) and specify the location of the IOS image and the config template file:

    Director(config)# vstack group built-in 2960 24-8poe-lanlite
    Director(config)# image tftp://1.1.1.1/c2960-lanlitek9-tar.122-58.SE1.tar
    Director(config)# config tftp://1.1.1.1/2960lite_config.txt

    Optional:  What if I want to create a few more of these so-called built-in groups because I have a number of different models, for example, 2960S-24-PLD:

    Director(config)# vstack group built-in 2960s 24-2sfp-poe
    Director(config)# image tftp://1.1.1.1/c2960s-universalk9-tar.122-58.SE1.tar
    Director(config)# config tftp://1.1.1.1/2960s_config.txt

  6. Connect a new switch to the Director port configured as VLAN 1.  Make sure the switch does not have any config.  If unsure, console into the switch and erase the configuration (wr erase) and reboot (reload).

How does it look like?

Press RETURN to get started!

*Mar  1 00:00:44.048: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1,
changed state to downAuth Manager registration failed

*Mar  1 00:00:45.231: %SPANTREE-5-EXTENDED_SYSID: Extended SysId enabled
for type vlan

*Mar  1 00:01:06.756: %SYS-5-RESTART: System restarted --

Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(58)SE1,
RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2011 by Cisco Systems, Inc.

Compiled Thu 05-May-11 02:53 by prod_rel_team

*Mar  1 00:01:13.677: %LINK-3-UPDOWN: Interface GigabitEthernet0/2,
changed state to up

*Mar  1 00:01:14.683: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/2, changed state to up

*Mar  1 00:01:41.703: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Vlan1, changed state to up

!!!! Gets a valid IP Address

*Mar  1 00:01:59.764: AUTOINSTALL: Vlan1 is assigned 1.0.0.9 got vend id
vend spec. info ret: succeed got vend id vend spec. info ret: succeed

!!!! Don’t worry about the word “Aborted” because the “AUTOINSTALL” is part of the feature.

*Mar  1 00:02:20.416: %SMI-6-AUTOINSTALL: Aborted AUTOINSTALL

*Mar  1 00:02:20.416: AUTOINSTALL: Aborted

!!!! Downloads the config template file into the startup-config.

*Mar  1 00:02:20.416: %SMI-6-UPGRD_STARTED: Device (IP address: 1.0.0.9)
startup-config upgrade has started

Loading 2960lite_config.txt from 1.1.1.1 (via Vlan1): !

[OK - 1324 bytes]

*Mar  1 00:02:38.502: %SYS-5-CONFIG_NV_I: Nonvolatile storage configured
from tftp://1.1.1.1/2960lite_config.txt by console

*Mar  1 00:02:39.517: %SMI-6-UPGRD_SUCCESS: Device (IP address: 1.0.0.9)
startup-config has upgraded successfully

*Mar  1 00:02:39.526: %SMI-6-UPGRD_STARTED: Device (IP address: 1.0.0.9)
image upgrade has started


!!!! Next the IOS image list is being verified to know what file is to be used.

Loading 2960-24-8poe-lanlite-imagelist.txt from 1.1.1.1 (via Vlan1): !

[OK - 34 bytes]

!!!! Don’t worry about the “could not buffer”.  Happens all the time.


Could not buffer tarfile...using multiple downloads

examining image...

extracting info (107 bytes)

!!!! IOS is being downloaded and extracted to the new switch

System Type:             0x00000000

  Ios Image File Size:   0x009DFA00

  Total Image File Size: 0x00DC0200

  Minimum Dram required: 0x04000000

  Image Suffix:          lanlitek9-122-58.SE1

  Image Directory:       c2960-lanlitek9-mz.122-58.SE1

  Image Name:            c2960-lanlitek9-mz.122-58.SE1.bin

  Image Feature:         LAYER_2|SSH|3DES|MIN_DRAM_MEG=64

Old image for switch 1: same as image to overwrite

  Image to be installed already exists...will be removed before download.

Deleting `flash:c2960-lanlitek9-mz.122-58.SE1' to create required space

Extracting images from archive into flash...

c2960-lanlitek9-mz.122-58.SE1/ (directory)

c2960-lanlitek9-mz.122-58.SE1/html/ (directory)

--- CUT ---

extracting c2960-lanlitek9-mz.122-58.SE1/info (427 bytes)

extracting info (107 bytes)

Installing (renaming): `flash:update/c2960-lanlitek9-mz.122-58.SE1' ->

                                       `flash:/c2960-lanlitek9-mz.122-58.SE1'

New software image installed in flash:/c2960-lanlitek9-mz.122-58.SE1

!!!! Finish

All software images installed.

Requested system reload in progress...

*Mar  1 00:12:16.586: %SYS-5-RELOAD: Reload requested by SMI IBC client process.
Reload Reason: Switch upgraded through Smart Install.

How long does it take?

Depending on the model of your switch between 10 to 15 minutes from the time the “client” is seen by the VStack Director.

Troubleshooting Section

The most useful command I’ve used is the “sh vstack status”. 

SmartInstall:  ENABLED

Status: Device_type Health_status Join-window_status Upgrade_status

Device_type:  S - Smart install N - Non smart install P - Pending

Health_status:  A - Active I - Inactive

Join-window_Status:  a - Allowed  h - On-hold   d - Denied

Image Upgrade:   i - in progress     I - done           X - failed

Config Upgrade:  c - in progress     C - done           x - failed

Director Database:

DevNo  MAC Address     Product-ID         IP_addr          Hostname    Status

=====  ==============  =================  ===============  ==========  =========

0      001e.490e.7600  WS-C3750G-24PS     192.168.1.2      Director    Director

Pay close attention to the output under the “Status” section.  This will tell you the progress of the Zero-Touch based on each “DevNo” or Index Number (first column). 

There are two commands that the original Cisco documentation will tell you.  They are:

  • vstack download-config [tftp://<TFTP IP address> or DevNo] Client_IP_Address PASSWORD startup
    This command will tell the Director to manually push the Static configuration to the switch.

  • vstack download-image [tftp://<TFTP IP address> or DevNo] Client_IP_Address PASSWORD reload
    This command will tell the Director to manually push the IOS to the switch and overwrite previous version.

I have a 50% success rate when using these two commands.  Let me explain: 

The Zero-Touch works great.  Most of the time when I run into trouble, the most common issue I would see are is the switch would fail to download the config, download the IOS, reboot and attempt (but fail) to download the config.  Sometimes it won’t even download the IOS. 

Like I’ve mentioned before the two commands that Cisco recommends on using doesn’t work all the time.  I would resort to power down the offending client, count to five, and powering up the client.  Now THIS process works for me 100% of the time. 

WTF Section

This section is called the WTF section.  Why? 

Let’s say that you read Table 1 and saw that you have a number of switch models that are NOT in the table, for example a Cisco 3560CG-8PC (in the list but this model is not available in the configuration) or Cisco ME-3800X-24FS.   Well, in the back of your mind, you’d probably thinking that if you are reading this section, then something can be done to enable these unsupported models to work with Zero-Touch.  Well?  Can you?

And the short answer is?  YES (if you use the magic word). 

WTF, How-Did-You-Get-This-To-Work Section

     a)    Same rules apply for the Switch Director: 

    • 3560/G/E/X or 3750/G/E/X;
    • Minimum IOS 12.2(55)SE1 or later; and
    • VLAN 1 only to the clients and to the TFTP server
    • CDP must be enabled.

b)    You need the IOS TAR file of the switches

c)    You need to create a Static Configuration file per switch; and

d)    You need to create an image file

In my case, I had to deploy 3560CG-8PC and ME-3800X-24FS.  So my image filename has to be exact.   For the 3560CG-8PC has to be exact “3560CG-8PC-imagelist.txt” and the ME-3800 is called “ME3800X-imagelist.txt”.

3560CG-8PC Configuration

Director(config)#  vstack group custom <Enter any value> product-id

Director(config)#  image tftp://<TFTP IP Address>/<IOS_filename>.TAR

Director(config)#  config tftp://<TFTP IP Address>/<Config_filename>.txt

!!!! The magic word is “match”.

Director(config)#  match WS-C3560CG-8PC-S

ME-3800X-24FS Configuration

Director(config)#  vstack group custom <Enter any value> product-id

Director(config)#  image tftp://<TFTP IP Address>/<IOS_filename>.TAR

Director(config)#  config tftp://<TFTP IP Address>/<Config_filename>.txt

!!!! The magic word is “match”.

Director(config)#  match ME-3800X-24FS-M

The value after the “match” statement is very specific.  The value comes out of the client’s Product ID (PID) and must be entered in ALL-CAPS.   The Zero-Touch function will not work if this value is expressed in any other mean. 

So all un-supported appliance now supported?

Unfortunately, the answer is NO. 

I’ve tried using a 2950 and it won’t work.  I don’t have the resources to test but if a switch (like the 3550 or the 2970) can run IOS version 12.2 then it could work using the “match” statement. 

Leo Laohoo Sun, 08/26/2012 - 20:24

Image filename syntax for ME-3800X-24FS-M is "ME3800X-imagelist.txt".

Image filename syntax for WS-C3560CG-8PC is "3560CG-8PC-imagelist.txt".

Leo Laohoo Mon, 08/27/2012 - 21:55

Update (28-August 2012)

I've just upgraded the IOS of my VStack Director to 15.0(2)SE.

Guess what?  Someone's built some SMARTS!

Unlike previous versions where when a new "client" is connected to the VStack, the IOS is pushed to the new client regardless if the IOS is EQUAL to the specified IOS version in the configuration.

With 15.0(2)SE, when a new client is plugged in the VStack Director will evaluate and compare the IOS version of the client and the version that's in the configuration. If the IOS version is the same, the VStack Director will "skip" this process. 

Leo Laohoo Wed, 11/14/2012 - 14:33

ZeroTouch (Director only) is now supported on the Sup2T running IOS version 15.1(1)SY.

Unfortunately, the documentation is very vague about VS-Sup720 (as you can load this IOS into the VS-Sup720). 

badelson Fri, 03/01/2013 - 04:02

Do you know if it is possible to have two clients inline utilizing Zero touch (i dont want to create reservations of hard code the switch configurations).  For example:

The topopgraphy would be:  Cisco 2951 (Director) -> Cisco 2960 (Switch1) -> Cisco 2960 (Switch2).

Both of the switches would be identical models, but also will have different configurations.  The switches would be daisy chained off each other. 

I believe this would work utilizing the "vstack group match" if I was able to specify the IP address of Switch1 and the interface that connects switch2, but since Switch1 is a Zero touch client as well, I wont have this to start, and I didnt want to make IP reservations. 

thanks in advance...

Leo Laohoo Fri, 03/01/2013 - 16:14

Now I haven't tried that scenario.  But I believe this is possible as long as the link between the two switches have VLAN 1 enabled and the ports where you want to hang switches off have VLAN 1 enabled.

The reason why I say that this is possible because this is another feature that some clients have discovered.

Let's say that you have a remote site and one switch there has failed.  Traditionally, you would get the replacement unit shipped to your Head Office (1 day), configure and ship (1 day) and when it arrives there, organize someone to install the switch (1 day).  All in all, you've wasted about 3 days.

With ZeroTouch, you get the replacement shipped to the remote site (1 day) and then you "drop" the enable ZeroTouch at the remote site (you do not want to do ZeroTouch from across the WAN.  Trust me, you don't), copy the three files mentioned and get your on-site tech to connect the replacement appliance to the port of your choosing (VLAN 1 enabled and nothing else).  The IOS get's upgraded and the config gets transferred without any intervention.  Once this is done, the tech can install the switch.  All done and you've used up less than 1 day.

badelson Fri, 03/01/2013 - 16:23

I agree. I guess the question is if you have all the same models, from day one is this practical, or are you just bringing up the first switch, waiting for it to fully come online.  Getting the IP address, putting it in the director with the match and port and then connecting the 2nd switch. I see the benefits, but I am also looking at using this for a greenfield deployment with unskilled labor :)

Leo Laohoo Sat, 03/02/2013 - 17:47

If you have two switches to "build" then don't let them hang one over the other.  Plug both of them to the an etherswitch module, if possible.

Otherwise you can do this:  Router (Director) --- Production Switch -- FastEthernet 1 (VLAN 1 ONLY) --- Switch 1

                                                                                                  -- FastEthernet 2 (VLAN 2 ONLY) --- Switch 2.

Unskilled labor?  No problem.  As long as they plug they know how to connect the switches together.

badelson Sat, 03/02/2013 - 17:53

Thanks. The physical layout of the buildings won't allow for direct connections to the routers. Thanks anyway.

It looks promising, but might not be a fit for what I need.

Leo Laohoo Sat, 03/02/2013 - 23:25

Ok.  No it won't as it may complicate matters.  Let me explain ...

I haven't tried that scenario but I don't think it will work properly because the first switch will be undergoing ZT and the second one will be too.  But when the first switch reboots, the second switch may not be finish and the ZT download may get interrupted.

Is there a place in your remote site to plug the switches directly to another switch?

henrik-stryhn Tue, 04/02/2013 - 03:30

What if the switch boots in VLAN1 and receives it's default configuration where the management Vlan is VLAN2, how does that work? Connection is lost and the switch where it is connected, must be reconfigured to match VLAN2? Or?

Leo Laohoo Wed, 04/03/2013 - 02:46

Hi Henrik,

Yes.  This is possible.  Y'know why?

How does the switch know about other VLANs?  It is through the configuration templates.

Ok, let's say that the switch boots in VLAN 1, because it's default.  The switch then listens out for ZeroTouch to load.  You have the right configuration to push the IOS but it also pushes the configuration templates that you have specified.  And in this template, you will say that your management VLAN is VLAN 2.  You can also say that VLAN 2 will have an IP address based off DHCP.

So yes, this scenario can be done.  As a matter of fact, I've been building switches this way.

henrik-stryhn Wed, 04/03/2013 - 03:24

I know how VLANs work and I have tried the same scenario as you, booting in VLAN1 with the Smart Install DHCP configuration, which works fine. But when the switch boots with new config where VLAN1 is shutdown and VLAN2 is active, also set to use DHCP addressing, the switch never gets an IP address. Interfaces is configured as trunks, all VLANs is created and active with DHCP, but nothing never gets to the switch. The only IP that gets served, is from the Smart Install pool during the first boot.

Leo Laohoo Wed, 04/03/2013 - 14:34

Somethings not right here.

My config template dictates that upon the completion of the ZeroTouch, VLAN 1 is "shutdown".

So if your switch downloads the config template and IOS, reboots and cannot get an IP address for VLAN 2, then in your configuration template, does VLAN 2 look like this:

interface VLAN 2

ip address dhcp

STEFFEN NEUSER Fri, 12/13/2013 - 06:43

for the final dhcp pool in vlan-2, what kind of IOS dhcp server command do you use?

"ip dhcp pool" or

"vstack dhcp-localserver"

Is it possible to pre bind the IP in vlan-2 to the switch MAC to the intended one for later management?

Leo Laohoo Fri, 12/13/2013 - 16:12

Can you use VLAN 2?  Yes you can.  Newer IOS, if I remembered correctly it is 15.0(2)SE2 and later, will support VLANs other than 1. 

What happens is it will talk in VLAN 1 and tell the client to create and use other VLANs other than 1.  I've never tried it because VLAN 1 is never being used in our network other than this one-and-only setup. 

STEFFEN NEUSER Sun, 12/15/2013 - 10:34

The question was not whether can use vlan-2, but more about the kind of the dhcp server command.

Vlan-1 is the zero-touch vlan – nobody keeps this in production, vlan-2 or x for whatever the later productive one for the switches.

Leo Laohoo Mon, 12/16/2013 - 17:59

Sorry, Steffen.  I'm getting confused. 

You want to know what DHCP server command so only VStack switches will get an IP address?  Is this what you are trying to determine?

STEFFEN NEUSER Mon, 12/16/2013 - 20:11

No probem, Leo: I tried it out now and it doesnt any matter which of bother dhcp-server configurations to be used for vlan-2 pool.

But with vlan-2 I recognized the problem, that many persons complain about the reconnect to the SI-client in vlan-2 isnt working after SI has been finished:VLAN-2 will not be created at the SI clients, because VLAN creation is part of the binary vlan.dat not beeing considered in the SI concept even we add the command

"vlan 2

name si_prod" in the config templates to be rollout using SI.

Any ideas?

regarding vlan's differnt from 1: how is the concept in SI, if the customer uses VTP also for vstack switches? and if the native vlan's in trunks is also away from #1 because of security reasons?

Leo Laohoo Mon, 12/16/2013 - 22:50

Steffen,

The DHCP configuration for SmartInstall is very different to configuration for clients.  Clients, like PCs, would not be able to get the IP address even if they are in the same VLAN. 

Remember that ZeroTouch SmartInstall is used primary to build your switches.  It's not designed for production.  You cannot stack switches and use ZeroTouch because there is an maximum MAC limit (if I remembered correctly it's 18 MACs).  Once 18 MACs have been reached you reboot the VStack master.

STEFFEN NEUSER Tue, 12/17/2013 - 22:03

OK, for vlan-2 that become real working its importent to have

vtp mode transparent

in your config template placed on the tftp server since vtp mode server is the factory default of a cisco switch.

It seams to be: With vtp mode apart from transparent the switch will ignore the vlan config statements from the given startup or running config and will read the vlan config from the vlan.dat onl, vlan.dat not beeing part of the SI concept.

Another question: Is SI also working with Layer-3 connection between SI Director and Clients having DHCP helper to a centralized DHCP server?

Leo Laohoo Fri, 12/20/2013 - 03:30

Is SI also working with Layer-3 connection between SI Director and Clients having DHCP helper to a centralized DHCP server?

What clients?  PCs and printers, as an example, won't join ZeroTouch SmartInstall because they don't understand it.  This feature is currently available for some selected Cisco switches.  And it requires that the master be enabled.  So trying to get it through a Layer 3 network (site to site) is not recommendable.

STEFFEN NEUSER Fri, 12/20/2013 - 03:58

no PC, L3 between SI-director and SI-client, i never meant pc or anything else than SI supported cisco switches to clearyfy any comments before.

Leo Laohoo Fri, 12/20/2013 - 23:37

If that is the case, then it doesn't make any sense and it's not the way ZeroTouch SmartInstall is meant to be. 

If you have a Layer 3 network, then you configure a new VStack Director at the remote end. 

Torrance Zeiler Tue, 08/26/2014 - 12:52

I'm trying to do the same thing as Henrik and was able to get as far as he described. I'm not sure I follow the process completely though.

If the vstack director's switchport configuration (access vlan 1) is not changed, and the configuration template sent to the vstack client changes the uplink access port to vlan 2, how do the two switches communicate without getting native vlan mismatch errors? Either way I think about it, some type of extra switchport configuration needs to be done on the director.

I know I'm missing a middle step here. Your guide was well written and covers just about everything, thanks for putting in the time to write it up.

Leo Laohoo Tue, 08/26/2014 - 15:09
If the vstack director's switchport configuration (access vlan 1) is not changed, and the configuration template sent to the vstack client changes the uplink access port to vlan 2, how do the two switches communicate without getting native vlan mismatch errors? Either way I think about it, some type of extra switchport configuration needs to be done on the director.

Ok ... Here's how this entire process works.  

 

1.  New client attaches to the director. 

2.  Director "interrogates" the new client switch.  Is the EXACT model in my list or not.  If not, go away.  If you are, then proceed. 

3.  Director sends the specified configuration template to the client.  This configuration template is save into the STARTUP-CONFIG of the client (and not in the running-config).  This means, the client can continue with the process without any worrying anything about "what VLAN am I in". 

 

Does this answer your question?  

 

If it does answer your question, then I'd like to throw some "curve ball" in your direction.  

 

I believe in subsequent IOS release, I believe 15.2(1)E, a new command was added to this feature.  The command is "vstack vlan <NUMBER>".  The concept (or logic) is that not everyone disables VLAN 1 (i.  e.  a lot of networks out there still use VLAN 1 in production).  The command instructs the Director to use a different VLAN as part of the process.  If you use "vstack vlan <NUMBER>" then all your switchport (that is part of this process) needs to be a member of this VLAN (instead of VLAN 1).  In my above example, I've put/assigned the Director management IP address in VLAN 1.  With the "vstack vlan <NUMBER>" the management VLAN of the Director is reflected in the new VLAN interface.  Example, instead of VLAN 1, I want to use VLAN 999.  So my configuration goes like this: 

vlan 999
 name VStack
 exit
!
vstack vlan 999
!
interface vlan 999
 ip address 1.1.1.254 255.0.0.0
 no shutdown
!
interface range Gi 1/0/1 - 12
 switchport access vlan 999
 exit
!
vstack director 1.1.1.1
vstack basic

Of course, after the "vstack basic", you put your built-in groups, custom groups, etc.

 

Hope this helps.

Torrance Zeiler Wed, 08/27/2014 - 05:56

I see, thanks for the excellent explanation. The solution I'm trying to solve for actually comes in the next step, when the switch reboots. I'd like to have Prime Infrastructure be able to discover the smart-installed switch after it boots with the pushed configuration template (so using your example, it would need to be on vlan999). My issue is that the switch becomes unreachable after the configuration push and reboot so Prime can never get its hands on it. It sounds like this 'vstack vlan' command may be the ticket to do this so hopefully that's supported. I read about this command in some Cisco documentation and gave it a shot (didn't get it to work) but it was probably a misconfiguration. I'm running a 3650 as director with identical 3650's as clients, all running 03.03.03SE.

Thank you again for still supporting this thread >2 years after the original post.

abdul_samee11 Sat, 06/13/2015 - 15:26

Hello,

 

Can you please help me?

I have 3750 switch and 2960 client. i need to set it up IOS and configuration in client.

I didnt get the txt file [art? what i have to do ?

Leo Laohoo Sat, 06/13/2015 - 16:55
I didnt get the txt file [art? what i have to do ?

Open a new thread and post the configuration of your 3750 and the output to the command "sh version".

abdul_samee11 Mon, 06/15/2015 - 09:40

I have 3750 as a Director

Hostname: Director

Config t

vstack director 192.168.1.10

vstack basic

vstack dhcp-localsever pool1

address-pool 192.168.1.0 255.255.255.0

default-router 192.168.1.1

file-server 192.168.1.40

exit

ip dhcp remember

end

 

Configuration for IOS

Config terminal

vstack director 1.1.1.10

vstack basic

vstack image tftp://192.168.1.40/c2960-lanbasek9-mz.150-2.SE8.bin

vstack config tftp://192.168.1.40/c2960-lanbasek9-config.txt    (Can I know what this one do ?)

vstack script tftp://192.168.1.40/2960 lanbase_post_install.txt     (Is this important to type this command?)

end

Is this good? By doing applying this configuration will upgrade my IOS for client switch?

Thank you

- See more at: https://supportforums.cisco.com/document/12533561/configuration-good-upgrade-ios-2960-switch-3750-switch#sthash.LbCqDclV.dpuf

abdul_samee11 Wed, 06/17/2015 - 09:43

I tried but my client switch is not getting anything.

 

Show version:

director#sh version
Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(58)SE2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Thu 21-Jul-11 01:53 by prod_rel_team

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

director uptime is 1 hour, 11 minutes
System returned to ROM by power-on
System image file is "flash:c3750-ipbasek9-mz.122-58.SE2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750G-24TS-1U (PowerPC405) processor (revision F0) with 131072K bytes of memory.
Processor board ID FOC1328Y6BM
Last reset from power-on
1 Virtual Ethernet interface
28 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:26:52:63:FF:00
Motherboard assembly number     : 73-10219-07
Power supply part number        : 341-0098-02
Motherboard serial number       : FOC132920D3
Power supply serial number      : AZS132502L7
Model revision number           : F0
Motherboard revision number     : D0
Model number                    : WS-C3750G-24TS-S1U
System serial number            : FOC1328Y6BM
Top Assembly Part Number        : 800-26859-01
Top Assembly Revision Number    : E0
Version ID                      : V03
CLEI Code Number                : CNMWS00ARC
Hardware Board Revision Number  : 0x09


Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 28    WS-C3750G-24TS-1U  12.2(58)SE2           C3750-IPBASEK9-M

Show run

director#sh run
Building configuration...

Current configuration : 3495 bytes
!
! Last configuration change at 00:24:53 UTC Mon Mar 1 1993
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname director
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
!
!
!
!
crypto pki trustpoint TP-self-signed-1382285056
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1382285056
 revocation-check none
 rsakeypair TP-self-signed-1382285056
!
!
crypto pki certificate chain TP-self-signed-1382285056
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333832 32383530 3536301E 170D3933 30333031 30303032
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33383232
  38353035 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810096DD 8C7B29E1 919BA252 CC09EBA8 BD103D11 43B069EE DD1E950B A939B5D8
  E5DE1A28 0A443A85 975C4155 1004EC2D DE4942D7 1341607D EAE0098A 278C08CD
  E53B720B 8B534FDF 4EBFC33F 0A34BE53 FCE99E57 24740C8B D98C61EB 808EFE71
  71B02293 BFB60979 A44A0E60 474F9444 6621A9FD A12FB7E2 C4E58687 38E37080
  F4530203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06537769 74636830 1F060355 1D230418 30168014 2B7FE6A3
  C96AC497 0465EAE2 B53EDFB2 CAB864DA 301D0603 551D0E04 1604142B 7FE6A3C9
  6AC49704 65EAE2B5 3EDFB2CA B864DA30 0D06092A 864886F7 0D010104 05000381
  81008D67 CCE491E7 5A8AA578 74993F8E 3493387D DED36189 9EEC607F 372A9A48
  6ABF4F23 9C76BA3F A626B186 E9EC4400 4C1CB627 95566229 FA2A127C 99371D8B
  942404FA 236C50BE E8434FCF F3FBC555 A7C4CB08 5C275167 7F722121 2C75B9D3
  F946CCB4 B1A109FC 2E258624 83727EBD 50DD3CCD C352ABF1 FC4042C6 40D6C8A1 3416
        quit
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 1.1.1.254 255.0.0.0
!
ip http server
ip http secure-server
!
!
logging esm config
tftp-server client_cfg.txt
vstack config tftp://1.1.1.1/2960s_config.txt
!
!
vstack dhcp-localserver smart_install
 address-pool 1.1.1.0 255.0.0.0
 file-server 1.1.1.1
 default-router 1.1.1.254
!
vstack director 1.1.1.254
vstack basic
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

Leo Laohoo Wed, 06/17/2015 - 15:46
vstack config tftp://1.1.1.1/2960s_config.txt
!
vstack dhcp-localserver smart_install
 address-pool 1.1.1.0 255.0.0.0
 file-server 1.1.1.1
 default-router 1.1.1.254
!
vstack director 1.1.1.254
vstack basic

Configuration is missing the vstack built-in group.

abdul_samee11 Thu, 06/25/2015 - 11:43

Thank you very much

I have a question about vlans

After the smart small configuration I saw that my client is not taking vlan 100 and vlan 150. Although I put in my config file these two vlans, Can I know why?

Or smart install will not support other than vlan 1 ?

Leo Laohoo Fri, 06/26/2015 - 01:23
Or smart install will not support other than vlan 1 ?

Depends on the IOS.  Newer IOS will support the command "vstack startup vlan" and enable other VLANs other than VLAN 1.

abdul_samee11 Sun, 06/28/2015 - 10:58

I am using 3750G 12.2(58) in a director. and my client is 2960 8.

Can you please tell me the commands for vlans, what command will work in a director to config vlan 200, 100, and 150 in my client switch.

Thank you very much for your help.

Leo Laohoo Sun, 06/28/2015 - 15:43
I am using 3750G 12.2(58)
Can you please tell me the commands for vlans,

The command "vstack startup-vlan" only appears in 15.0(2)SE.

abdul_samee11 Mon, 06/29/2015 - 10:21

So if I have 6 vlans

the command will be like that in the director

vstack startup-vlan 200

vstack startup-vlan100

vstack startup-vlan150 ???

 

and there will no vlan 1 ?? like interface vlan 1

no shutdown ??

and I also have to configure vlan in my config file too right?

Leo Laohoo Mon, 06/29/2015 - 16:20

Only 1 VLAN will work. 

 

Why would anyone have more than one VStack VLAN in the first place??

abdul_samee11 Tue, 06/30/2015 - 12:42

I am sorry, I think you didn't get the question

I am explaining again.

Here is my Client Configuration file

Enable

config terminal

Hostname Client

enable secret cisco1

line console 0

password cisco1

login

logging synchronous

exec-timeout 30 0

exit

vlan 200

name test

exit

vlan 204

name sam

exit

vlan 20

name guest

exit

interface fa0/2

switchport access vlan 200

switchport mode access

interface fa0/4

switchport access vlan 204

switchport mode access 

interface fa0/2

switchport access vlan 20

switchport mode access

After the smart install this config file and IOS is taking

but when I am doing show vlan in my client switch, Client switch is not showing all this vlans which is in my config file.

My Client switch is taking all configuration expect vlans

Can you tell why is like this?

 

abdul_samee11 Thu, 07/02/2015 - 06:39

Hello Leo,

 

Thank you very much for your reply, If I don't have switches in my location. Actually its in different location and we don't have technical person in that location. Is there any other way to do that without touching my client switch??

Thank you

 

abdul_samee11 Mon, 07/06/2015 - 07:07

Hello Leo,

 

We are not using VTP in our organization. and I don't want to effect our company environment by enable VTP in each of the switches. Can you please tell me other way to enable Vlans in a client?

 

Thank you again

nickmorra Fri, 06/14/2013 - 11:13

Hi There,

First of all, very well written thread. So thank you for taking your time to share your "Smart Install Journey"

I am a little confused here, I haven't been using Vlan 1 as the management Vlan as in my workplace, The default native Vlan is not in use. As such, in my tests, I created a new management Vlan and have had no issues. Well other than the million I had getting everything working, Vlan aside.

A quick question, have you successfully been able to get a 2950 to work as the Client as of yet?

I know in your first post, you mentioned that you had no luck with the 2950. I'm wondering if a later version of IOS has

releaved that problem?

I have been tasked with getting a 2950 working as a client and was thinking you might have some useful input?

If not, no problem.

Thanks again!

Leo Laohoo Mon, 06/17/2013 - 21:13

A quick question, have you successfully been able to get a 2950 to work as the Client as of yet?

I know in your first post, you mentioned that you had no luck with the 2950. I'm wondering if a later version of IOS has releaved that problem?

Hi Nick,

Sorry, but 2950, being that the final IOS is still old, doesn't support ZeroTouch. 

Leo Laohoo Thu, 07/04/2013 - 16:25

UPDATE:  I am testing IOS version 15.0(2)SE4 and I am suspecting ZeroTouch is BROKEN.

Will post more details. 

Leo Laohoo Wed, 12/04/2013 - 01:34

WARNING on IOS version 15.2(1)E and later

If you are using this version, please be aware that Zero-Touch is BROKEN.  If you have a switch client running this version, Zero-Touch will not work.  The appliance will download the config but will be unable to download the IOS.

jonhill Wed, 05/28/2014 - 05:58

Great walkthrough, it worked a treat for our 2960's but when I tried one of our new 2960X's it didn't work.

I'm running 15.0(2)SE4 on the Director which is a 3750G.

The 2960X's don't exist as a vstack group so I've created a custom one, see below but it still doesn't work

vstack group custom 2960X product-id
 image tftp://192.168.1.3/C2960X.bin
 config tftp://192.169.1.3/C2960X.txt
 match WS-C2960X-48LPS-L

The 2960X shows the following message, so I'm assuming its something to do with the vstack group but can't work out what's wrong.

%SMI-3-IMG_CFG_NOT_CONFIGURED: IBC (IP Address :192.168.1.2) : The Director does not have a image file or a configuration file configured for this Product-ID

There's very little available on vstack for the 2960X's and all I can find is autoinstall which isn't the same.

Any help would be much appreciated.

Thanks

Jon

 

 

 

Actions

This Document

Related Content