Cisco ISE Automated Installation

Overview

In this post I am going to share my experience automating a Cisco ISE installation on VMware vCenter.

Let’s begin with these questions: 

  • Why do we need to automate the installation?
  • How is it possible?
  • Which tools are we going to use?

Automating routine, repetitive tasks is obviously a time saver for those who install Cisco ISE on a daily or weekly basis, but it also helps those who support or maintain Cisco ISE. Why? Following best practice for high availability, even a small deployment needs at least two Cisco ISE nodes. We also have to consider upgrades: Cisco's recommended upgrade method is backup and restore, which means installing at least two fresh Cisco ISE nodes every time Cisco announces a new suggested release. By the time Cisco suggests a release, one or two patches for it have usually already been published, so for each new suggested release we install Cisco ISE and then the latest patch at least twice. With automation we avoid repeating those steps and reduce human errors such as a mistyped IP address or domain name.

Automating this process splits into two parts: deploying Cisco ISE on VMware vCenter, and answering the questions (IP address, subnet mask, domain name and so on) that we would otherwise be asked during deployment.

For the first part I am using Terraform; Ansible would work too. If you haven't used Terraform, don't worry: I've prepared all the requirements and I'm going to explain how to use it.

For the second part I'm going to use a Zero Touch Provisioning file.

So, what is Zero Touch Provisioning? Since ISE version 3.1, Cisco has offered a Zero Touch Provisioning (ZTP) option. ZTP is essentially an answer file that holds the parameters Cisco ISE asks for during setup.

Zero Touch Provisioning (ZTP)

To create the ZTP image, Cisco provides the script below on its website; the parameters that go into the answer file are covered afterwards. The script is written for specific Linux distributions (Ubuntu), and it needs root because it loop-mounts the image it creates.

#!/bin/bash
###########################################################
# This script is used to generate ise ztp image with ztp
# configuration file.
#
# Need to pass ztp configuration file as input.
#
# Copyright (c) 2021 by Cisco Systems, Inc.
# All rights reserved.
# Note:
# To mount the image use below command
# mount ise_ztp_config.img /ztp
# To mount the image from cdrom
# mount -o ro /dev/sr1 /ztp
#############################################################
if [ -z "$1" ];then
    echo "Usage:$0 <ise-ztp.conf> [out-ztp.img]"
    exit 1
elif [ ! -f "$1" ];then
    echo "file $1 not exist"
    exit 1
else
    conf_file=$1
fi
if [ -z "$2" ] ;then
    image=ise_config.img
else
    image=$2
fi
mountpath=/tmp/ise_ztp
ztplabel=ISE-ZTP
rm -fr "$mountpath"
mkdir -p "$mountpath"
# A blank 1.44 MB image is plenty for the single ise-ztp.conf it will carry
if ! dd if=/dev/zero of="$image" bs=1k count=1440 > /dev/null 2>&1; then
    echo "Image creation failed"
    exit 1
fi
# Format with the ISE-ZTP label, loop-mount it (needs root) and copy the config in as ise-ztp.conf
mkfs.ext4 "$image" -L "$ztplabel" -F > /dev/null 2>&1
mount -o rw,loop "$image" "$mountpath"
cp "$conf_file" "$mountpath/ise-ztp.conf"
sync
umount "$mountpath"
sleep 1
# Check for automount and unmount
automountpath=$(mount | grep "$ztplabel" | awk '{print $3}')
if [ -n "$automountpath" ];then
    umount "$automountpath"
fi
echo "Image created $image"

To use this script, copy it into a file with a .sh suffix, then make it executable with chmod. Note the plus sign: "chmod -x" would remove the execute bit instead of setting it.

chmod +x filename.sh

Now prepare the config file: create a file with a .conf extension, paste the parameters below into it, and edit them to match your environment.

Notes:

  • Some of the parameters only work with ISE 3.2 and later.
  • Comment out (with #) any parameters you don't need.
  • The file carries the admin password in clear text, so treat the .conf and the image built from it as credentials.

hostname=<hostname of Cisco ISE>
ipv4_addr=<IPv4 address>
ipv4_mask=<IPv4 subnet>
ipv4_default_gw=<IPv4 gateway address>
#IPv6 optional
#ipv6_addr=<IPv6 address>
#ipv6_default_gw=<IPv6 gateway address>
domain=<cisco.com>
primary_nameserver=<IPv4 address>
#secondary and tertiary are optional
secondary_nameserver=<IPv4 address>
tertiary_nameserver=<IPv4 address>
primary_ntpserver=<IPv4 address or FQDN of the NTP server>
#secondary and tertiary are optional
secondary_ntpserver=<IPv4 address or FQDN of the NTP server>
tertiary_ntpserver=<IPv4 address or FQDN of the NTP server>
timezone=<timezone>
ssh=<true/false>
username=<admin> <--admin is the default for on-prem installations
password=<password>
#Public Key Authentication configuration is optional <-- Available for ISE 3.2 and later
public_key=<Public Key>
#Repository Configuration are optional
repository_name=<repository name>
repository_protocol=<repository protocol>
repository_server_name=<IPv4 address>
repository_path=<repository path>
#Patch Information - optional
patch=<patch filename>
#HotPatches Information - optional
hotpatches=<hotpatch filename,comma separated list>
#services - optional
ers=<true/false>
openapi=<true/false>
pxgrid=<true/false>
pxGrid_Cloud=<true/false>
#Skipping specific checks <-- Available for ISE 3.2 and later
SkipIcmpChecks=<true/false>
SkipDnsChecks=<true/false>
SkipNtpChecks=<true/false>

Now we are able to create the Zero Touch Provisioning (ZTP) image for the Cisco ISE installation with the command below (root is needed for the loop mount):

sudo ./filename.sh configfile.conf output.img

At this point you can attach this image to the VM as a CD/DVD drive next to the Cisco ISE ISO during installation; the script's own comment mounts it from /dev/sr1, i.e. the second optical drive. Just remember that during the boot procedure you need to press "Enter", otherwise the installer doesn't continue by itself.
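The whole point of automating, as stated above, is to keep a mistyped address or domain name from reaching the install, so it pays to check the answer file before it is baked into the image. The script below is an added example written for this post, not Cisco's code or the author's: it parses an ise-ztp.conf laid out like the template above and rejects it when a template placeholder such as <IPv4 address> was never replaced, the gateway lies outside the subnet implied by ipv4_addr and ipv4_mask, a true/false flag carries another value, or a patch is listed without repository_* settings to fetch it from. The required-key list is taken from the template; the hostname and domain syntax and the patch-needs-repository rule are my assumptions rather than Cisco's documented rules, and both sample files are constructed for the example.

```python
"""Sanity-check a Cisco ISE ZTP answer file (ise-ztp.conf) before baking it into an image."""
import ipaddress
import re

REQUIRED = ("hostname", "ipv4_addr", "ipv4_mask", "ipv4_default_gw", "domain",
            "primary_nameserver", "primary_ntpserver", "timezone", "username", "password")
BOOLEAN = ("ssh", "ers", "openapi", "pxgrid", "pxGrid_Cloud",
           "SkipIcmpChecks", "SkipDnsChecks", "SkipNtpChecks")
IPV4_ONLY = ("ipv4_addr", "ipv4_mask", "ipv4_default_gw", "primary_nameserver",
             "secondary_nameserver", "tertiary_nameserver", "repository_server_name")
# Assumed syntax: labels of letters, digits and hyphens (no leading/trailing hyphen); a domain is 2+ labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}$")
FQDN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")
PLACEHOLDER_RE = re.compile(r"^<[^>]*>")  # an untouched "<IPv4 address>" left over from the template


def parse_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored, duplicate keys are flagged."""
    conf, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append(f"line {lineno}: expected key=value, got {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in conf:
            errors.append(f"line {lineno}: duplicate key {key}")
        conf[key] = value
    return conf, errors


def _is_ipv4(value):
    try:
        return bool(ipaddress.IPv4Address(value))
    except ValueError:
        return False


def check(text):
    """Return (errors, warnings) for one answer file; no errors means it is ready to image."""
    conf, errors = parse_conf(text)
    for key, value in conf.items():
        if PLACEHOLDER_RE.match(value):
            errors.append(f"{key}: template placeholder {value!r} was never filled in")
    clean = {k: v for k, v in conf.items() if not PLACEHOLDER_RE.match(v)}
    errors += [f"{k}: required but missing or empty" for k in REQUIRED if not conf.get(k)]
    if "hostname" in clean and not HOSTNAME_RE.match(clean["hostname"]):
        errors.append(f"hostname: {clean['hostname']!r} is not a valid hostname")
    if "domain" in clean and not FQDN_RE.match(clean["domain"]):
        errors.append(f"domain: {clean['domain']!r} is not a valid DNS domain")
    for key in IPV4_ONLY:
        if key in clean and not _is_ipv4(clean[key]):
            errors.append(f"{key}: {clean[key]!r} is not an IPv4 address")
    # Address, netmask and gateway must describe one consistent subnet.
    addr, mask, gw = (clean.get(k, "") for k in ("ipv4_addr", "ipv4_mask", "ipv4_default_gw"))
    if all(_is_ipv4(v) for v in (addr, mask, gw)):
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            if ipaddress.IPv4Address(gw) not in net:
                errors.append(f"ipv4_default_gw: {gw} is not inside {net}")
        except ValueError:
            errors.append(f"ipv4_mask: {mask!r} is not a valid netmask")
    for key in BOOLEAN:
        if key in clean and clean[key] not in ("true", "false"):
            errors.append(f"{key}: must be true or false, got {clean[key]!r}")
    # Assumption: a listed patch/hotpatch is fetched through repository_*, so one without the other is wrong.
    if (clean.get("patch") or clean.get("hotpatches")) and not clean.get("repository_name"):
        errors.append("patch/hotpatches: no repository_* settings to fetch the bundle from")
    warnings = ["password is stored in clear text; guard the .conf and .img like a credential"] \
        if clean.get("password") else []
    return errors, warnings


# Constructed samples: a correct file for a node called pan01, and one with typical slips
# (trailing hyphen, gateway in another subnet, untouched placeholder, ssh=yes, patch without repository).
GOOD_CONF = """\
hostname=pan01
ipv4_addr=10.10.10.21
ipv4_mask=255.255.255.0
ipv4_default_gw=10.10.10.1
domain=lab.example.com
primary_nameserver=10.10.10.5
primary_ntpserver=ntp.lab.example.com
timezone=UTC
username=admin
password=ChangeMe-123
"""
BAD_CONF = """\
hostname=pan-01-
ipv4_addr=10.10.10.21
ipv4_mask=255.255.255.0
ipv4_default_gw=10.10.20.1
primary_nameserver=10.10.10.5
secondary_nameserver=<IPv4 address>
ssh=yes
patch=ise-patch.tar.gz
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        errs, warns = check(text)
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)", *errs, *warns, sep="\n  ")
```

Run it against your own answer file before calling the image script; the file name and function names are mine. The password warning is deliberate: it fires on every valid file, because the ZTP format has no way to avoid carrying the admin password in clear text, so the .conf and the .img it produces need the same handling as any other credential.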

Using ZTP Separately

Automating ISE Deployment Using Terraform

For automating Cisco ISE VM creation, you need to install Terraform on your system; you can download it from HashiCorp's website. Terraform has different editions, but the self-managed edition is free and sufficient for us. Download the build for your operating system and install it.

A full Terraform introduction is out of scope for this post, but I'll describe the parameters you need.

You need two files (main.tf and variables.tf), and they must be in the same folder. You can download them from my GitHub. Basically main.tf holds the connection to vCenter and the resource definitions that create the VM, and variables.tf is where you put your own information, such as:

  • vCenter address
  • Credentials
  • Datacenter, datastore, cluster, host and port group names

variable "vsphere_user" {
  type    = string
  default = "[email protected]" #vCenter Username
}

variable "vsphere_password" {
  type    = string
  default = "*********" # vCenter password: leave the placeholder and set TF_VAR_vsphere_password instead of committing a real value
}

variable "vsphere_server" {
  type    = string
  default = "vcenter.nssnot.com" #vCenter address
}

variable "datacenter_name" {
  type    = string
  default = "LAB" # Datacenter Name
}

variable "datastore_name" {
  type    = string
  default = "DS1" # Datastore name in vCenter
}

variable "cluster_name" {
  type    = string
  default = "Cluster-production" # Not mandatory
}

variable "host_address" {
  type    = string
  default = "esx01.nssnote.com" # It can be hostname or IP address
}

variable "portgroup_name" {
  type    = string
  default = "VLAN10" # Port group on a Distributed Switch or a Standard Switch
}

variable "deployment_size" {
  type    = string
  default = "medium" # Valid deployment options -> Eval, PSN_Lite, small, medium, large.
}

variable "cdrom_path" {
  type    = string
  default = "ISO/pan01-ztp.img"
}

variable "ise_node_name" {
  type    = string
  default = "pan01"
}

variable "local_ovf_path" {
  type    = string
  default = "/Users/ISE-3.2.0.542a-virtual-SNS3615-SNS3655-300.ova" # Path to Cisco ISE OVA on your local system
}

variable "disk_provisioning" {
  type    = string
  default = "thin" # Valid options: thin, thick, flat
}

After you have updated the variables with your information, run these commands in a Terminal / PowerShell / CMD from the directory that holds your Terraform files:

terraform init
terraform plan
terraform apply

terraform init downloads the vSphere provider, terraform plan shows what will be created without touching vCenter, and terraform apply deploys the VM; after apply you can watch the deployment progress in vCenter. Two cautions before you commit these files anywhere: keep the vCenter password out of variables.tf (Terraform reads it from the TF_VAR_vsphere_password environment variable, or from a .tfvars file that you do not commit), and remember that the ZTP image referenced in cdrom_path carries the ISE admin password in clear text, so the datastore folder it sits in needs the same protection.
