Zero Touch Provisioning

Zero touch provisioning (ZTP) allows you to provision new Juniper Networks devices in your network automatically, with minimal manual intervention. You can use either management ports or network ports on your switch to connect to the network. When you physically connect a device to the network and boot it with a default factory configuration, the device upgrades (or downgrades) the Junos OS release and autoinstalls a configuration file from the network. To locate the necessary software image and configuration files on the network, the device uses information that you have configured on a Dynamic Host Configuration Protocol (DHCP) server. If you do not configure the DHCP server to provide this information, the device boots with the preinstalled software and default factory configuration.

On switches running Enhanced Layer 2 Software, Junos Extended Dynamic Host Configuration Protocol (JDHCP), an enhanced version of the legacy DHCP software, is used instead of legacy DHCP. JDHCP supports the same functionality, and all configuration options remain the same. If you are performing ZTP with a Junos OS image that contains enhanced automation for the QFX5100 switch, you can use DHCP option 43 suboption 01 to run script files, not just load configuration files. Using scripts, you can generate device-specific configuration files and perform HTTP requests to web servers to download specific configuration files or Junos OS releases.

Originally (as of Junos OS Release 12.2), the only devices that supported ZTP (previously known as EZ Touchless Provisioning) were EX Series switches, and only configuration files could be used for provisioning.

Over subsequent Junos OS releases, ZTP support has expanded:

  • Starting in Junos OS Release 15.1, you can provision by using a script to be executed or a configuration file to be loaded.

  • Starting in Junos OS Release 15.2, you can provision any supported device (router or switch) by using either a script to be executed or a file to be loaded.

  • Starting in Junos OS Release 18.1R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10002-60C switches.

  • Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX5000, PTX3000, PTX10008, PTX10016, PTX10002-60C routers.

  • Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10008 and QFX10016 switches.

Note

To see which platforms support ZTP, in a browser, go to Feature Explorer. In the Explore Features section of the Feature Explorer page, select All Features. In the Features Grouped by Feature Family box, select Zero Touch Provisioning. You can also type the name of the feature in the Search for Features edit box.

See the following subsections for more information on the ZTP feature:

Executing a Script

When you connect and boot a new networking device, if Junos OS detects a file on the DHCP server, the first line of the file is examined. If Junos OS finds the characters #! followed by an interpreter path, it treats the file as a script and executes it with that interpreter. If the script returns an error (that is, a nonzero exit value), the ZTP state machine refetches the script and attempts to execute it again. This continues until the script exits successfully, so a script must return zero only after it has actually fetched and loaded a valid configuration; a script that never succeeds keeps the device in this loop. The script can be, for example, a shell script (#!/bin/sh), a SLAX script (#!/usr/libexec/ui/cscript), or a Python script (#!/usr/bin/python). Because whatever file the DHCP server points to is executed on the device, the integrity of the DHCP server and of the file server determines what code runs on a newly provisioned device; restrict who can write to those servers and who can reach the provisioning network.

If Junos OS does not find the characters #! followed by an interpreter path, it treats the file as a Junos OS configuration in text format and loads the file.

Note

On EX4300 and QFX5100 switches running Enhanced Layer 2 Software, and QFX5100 switches running a Junos OS image that contains enhanced automation, you can specify the name of either a script file or a configuration file in suboption 01. ZTP determines whether the file is a script based on its first line. If the first line contains the #! characters followed by an interpreter path, for example #!/usr/libexec/ui/cscript, ZTP treats the file as a script and executes it with the specified interpreter. If the script returns an error, ZTP fetches and executes the script again until it succeeds. If the first line does not contain the #! characters and an interpreter path, ZTP treats the file as a configuration file.

Note

Python scripts are not supported during ZTP on the following devices:

  • PTX10001-20C

  • PTX10002-60C

  • QFX10002-60C

  • PTX1000

Zero Touch Provisioning Restart Process Triggers

ZTP restarts when any of the following events occur:

  • The request for the configuration file, script file, or image file fails.

  • The configuration file is incorrect, and the commit fails.

  • No configuration file and no image file is available.

  • The image file is corrupted, and the installation fails.

  • No file server information is available.

  • The DHCP client does not have valid ZTP parameters configured.

  • None of the DHCP client interfaces reaches a bound state.

  • The ZTP transaction fails after six attempts to fetch the configuration file or image file.

When any of these events occur, ZTP resets the DHCP client state machine on all of the DHCP client-configured interfaces (management and network) and then restarts the state machine. Restarting the state machine enables the DHCP client to get the latest DHCP server-configured parameters.

Before ZTP restarts, approximately 15 to 30 seconds must elapse to allow enough time to build a list of bound and unbound DHCP client interfaces.

The list of bound and unbound DHCP client interfaces can contain:

  • No entries.

  • Multiple DHCP client interfaces.

    Priority is given to the DHCP client interfaces that have received all ZTP parameters (software image file, configuration file, and file server information) from the DHCP server.

After the lists of bound and unbound client interfaces are created, and a DHCP client gets selected for ZTP activity, any existing default route is deleted and the DHCP client interface that was selected adds a new default route. In order to add a new default route, only one ZTP instance can be active.

After ZTP restarts, the DHCP client attempts to fetch files from the file server up to six times, with ten to fifteen seconds elapsing between attempts. Every attempt, whether successful or not, is logged and can be seen on the console.

If there is a failure, or the number of attempts exceeds the limit, ZTP stops. ZTP then clears the DHCP client bindings and restarts the state machine on the DHCP-configured interfaces.

The ZTP restart process continues until there is either a successful software upgrade, or an operator manually commits a user configuration and deletes the ZTP configuration.

Caveats Relating to ZTP

There are two downgrade limitations for EX Series switches:

  • If you downgrade to a software version earlier than Junos OS Release 12.2, in which ZTP is not supported, the configuration file autoinstall phase of the zero touch provisioning process does not happen.

  • To downgrade to a software version that does not support resilient dual-root partitions (Junos OS Release 10.4R2 or earlier), you must perform some manual work on the switch. For more information, see Configuring Dual-Root Partitions.

The following are caveats for QFX Series switches:

  • On QFX3500 and QFX3600 switches running the original CLI, you cannot use ZTP to upgrade from Junos OS Release 12.2 or later to Junos OS Release 13.2X51-D15 or later.

  • QFX5200 switches running Junos OS Release 15.1X53-D30 support only HTTP as the ZTP transfer mode. FTP and TFTP are not supported.

  • If you are performing Zero Touch Provisioning (ZTP) with a Junos OS image that contains enhanced automation for the QFX5100 switch, configure root authentication, and the provider name, license type, and deployment scope for Chef and Puppet at the [edit system] hierarchy in the configuration file that is fetched from the server:

    { master:0}
    root# set root-authentication (encrypted-password password | plain-text-password password | ssh-dsa public-key | ssh-rsa public-key)
    root# set extensions providers juniper license-type customer deployment-scope commercial
    root# set extensions providers chef license-type customer deployment-scope commercial

In Junos OS Release 18.1R1, if you are upgrading the software, you must perform a full software upgrade. A full upgrade includes upgrading both the Junos OS software and the host software packages.

Configuring Zero Touch Provisioning

Configuring zero touch provisioning (ZTP) allows for automatic provisioning of Juniper Network devices that you add to your network. You can provision any supported device by using either a script to be executed or a configuration file to be loaded.

To use ZTP, you configure a DHCP server to provide the required information. If you do not configure the DHCP server to provide this information, the device boots with the preinstalled software and default factory configuration. To make sure you have the default factory configuration loaded on the device, issue the request system zeroize command on the device you want to provision.

Note

The request system zeroize command is not supported on PTX1000, PTX10001-20C, QFX10002-60C, and PTX10002-60C devices. On these devices, you must issue the request vmhost zeroize command (instead of request system zeroize) to return to the factory default configuration.

Note

On PTX10001-20C devices, after you issue the request vmhost zeroize command, you see the following prompt twice:

    VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
    warning: Vmhost will reboot and may not boot without configuration
    Erase all data, including configuration and log files? [yes,no] (no) yes

Before you begin:

  • Ensure that the switch or router has access to the following network resources:

    • The DHCP server that provides the location of the software image and configuration files on the network

      Refer to your DHCP server documentation for configuration instructions.

    • The File Transfer Protocol (anonymous FTP), Hypertext Transfer Protocol (HTTP), or Trivial File Transfer Protocol (TFTP) server on which the software image and configuration files are stored

      Note

      Although TFTP is supported, we recommend that you use FTP or HTTP instead, because these transport protocols are more reliable. None of the three transports authenticates the server or protects the integrity of the downloaded image and configuration, so restrict which hosts can reach this server and who can write to it.

      Caution

      HTTP URLs are limited to 256 characters in length.

    • A Domain Name System (DNS) server to perform reverse DNS lookup

    • (Optional) An NTP server to perform time synchronization on the network

    • (Optional) A system log (syslog) server to manage system log messages and alerts

  • Locate and record the MAC address printed on the switch or router chassis.

Caution

You cannot commit a configuration while the switch or router is performing the software update process. If you commit a configuration while the switch or router is performing the configuration file autoinstallation process, the process stops, and the configuration file is not downloaded from the network.

To configure zero touch provisioning for a switch or router:

  1. Boot the device.
  2. Make sure the switch or router has the default factory configuration installed.

    Issue the request system zeroize command on the switch or router that you want to provision.

    Note

    The request system zeroize command is not supported on PTX1000 routers. You must issue the request vmhost zeroize command (instead of request system zeroize) for factory default configuration on PTX1000 routers.

  3. Download the software image file and the configuration file to the FTP, HTTP, or TFTP server from which the switch or router will download these files.

    You can download either one or both of these files.

    Note

    If you are performing zero touch provisioning with a Junos OS image that contains enhanced automation for the QFX5100 device, configure root authentication and the provider name, license type, and deployment scope for Chef and Puppet at the [edit system] hierarchy in the configuration file that is fetched from the server:

    { master:0}
    root# set root-authentication (encrypted-password password | plain-text-password password | ssh-dsa public-key | ssh-rsa public-key)
    root# set extensions providers juniper license-type customer deployment-scope commercial
    root# set extensions providers chef license-type customer deployment-scope commercial
  4. Configure the DHCP server to provide the necessary information to the switch or router.

    Configure IP address assignment.

    You can configure dynamic or static IP address assignment for the management address of the switch or router. To determine the management MAC address for static IP address mapping, add 1 to the last byte of the MAC address of the switch or router, which you noted before you began this procedure.

  5. Define the format of the vendor-specific information for DHCP option 43 in the dhcpd.conf file.

    Here is an example of an ISC DHCP 4.2 server dhcpd.conf file:

    Note

    Starting in Junos OS Release 18.2R1, a new DHCP option sets the timeout value for file downloads over FTP. If the transfer mode is FTP, the default timeout is 120 minutes: if the FTP session is interrupted by a loss of connectivity in the middle of a file transfer, it times out after 120 minutes and ZTP retries the fetch. You can override this value using the DHCP option as follows:

    where "val" is the user-configurable timeout value in seconds and must be enclosed in quotes (for example, "val").

  6. Configure the following DHCP option 43 suboptions:

    Note

    DHCP option 43 suboptions 05 through 255 are reserved.

    • Suboption 00: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the software image filename using suboption 04. If both suboption 00 and suboption 04 are defined, suboption 04 is ignored.

    • Suboption 01: The name of the script or configuration file to install.

      Note

      On EX4300 and QFX5100 devices running Enhanced Layer 2 Software, and QFX5100 devices running a Junos OS image that contains enhanced automation, you can specify the name of a script file or a configuration file. ZTP determines if the file is a script file based on the first line that is included in the file. If the first line contains #! characters followed by an interpreter path, ZTP determines that the file is a script file, and executes the script file with the specified interpreter path. In order for a script to execute, the script file must provide the ability to fetch and load a valid configuration file on the device during the ZTP process.

      The following list provides the types of scripts and their associated interpreter paths:

      • Shell script interpreter path: #!/bin/sh

      • SLAX script interpreter path: #!/usr/libexec/ui/cscript

      • Python script interpreter path: #!/usr/bin/python

        Unsigned Python scripts are only supported on limited platforms, such as the QFX5100 device. If you try to execute unsigned Python scripts on devices that do not provide support, error messages will be issued.

      If the file does not contain special characters (#!) , ZTP determines that the file is a configuration file and loads the configuration file.

    • Suboption 02: The symbolic link to the software image file to install.

      Note

      If you do not specify suboption 02, the ZTP process handles the software image as a filename, not a symbolic link.

    • Suboption 03: The transfer mode that the switch or router uses to access the TFTP, FTP, or HTTP server. If you select FTP as the transfer mode, Junos OS uses the anonymous FTP login to download files from the FTP server.

      Note

      If suboption 03 is not configured, TFTP becomes the transfer mode by default.

    • Suboption 04: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the image file using suboption 04. If both suboption 00 and suboption 04 are defined, suboption 04 is ignored.

    • Suboption 05: The HTTP port that the device uses to download either the image or configuration file or both instead of the default HTTP port.

  7. (Mandatory) Configure either option 150 or option 66.

    Note

    You must configure either option 150 or option 66. If you configure both option 150 and option 66, option 150 takes precedence, and option 66 is ignored. Also, make sure you specify an IP address, not a hostname, because name resolution is not supported.

    • Configure DHCP option 150 to specify the IP address of the FTP, HTTP, or TFTP server.

    • Configure DHCP option 66 to specify the IP address of the FTP, HTTP, or TFTP server.

  8. (Optional) Configure DHCP option 7 to specify one or more system log (syslog) servers.
  9. (Optional) Configure DHCP option 42 to specify one or more NTP servers.
  10. (Optional) Configure DHCP option 12 to specify the hostname of the switch or router.

    The following sample configuration shows the DHCP options you just configured:

    Based on the DHCP options you just configured, the following statements are appended to the Junos OS configuration file (for example, jn-switch35.config):

  11. Connect the switch or router to the network that includes the DHCP server and the FTP, HTTP, or TFTP server.
  12. Boot the switch or router with the default configuration.
  13. Monitor the ZTP process by looking at the following log files.

    Note

    When SLAX scripts are run, the op-script.log and event-script.log files are produced.

    • /var/log/dhcp_logfile

    • /var/log/event-script.log

    • /var/log/image_load_log

    • /var/log/messages

    • /var/log/op-script.log

    • /var/log/script_output

    You can also monitor the ZTP process by looking at error messages and issuing operational commands. See Monitoring Zero Touch Provisioning for more information.
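The following is an added example, not Juniper code, that models the client side of the rules described in the Executing a Script subsection and in steps 6 and 7 above. It encodes and decodes the option 43 suboption TLVs (the code/length/value layout an ISC dhcpd encapsulated option space produces), applies the documented precedence rules (suboption 00 over 04, option 150 over 66, TFTP when suboption 03 is absent, suboption 05 as the HTTP port), rejects a hostname in option 66, enforces the 256-character HTTP URL limit, and classifies a fetched suboption 01 file as script or configuration from its first line. Two details are assumptions of this example rather than statements on the page: a 0xff byte in the option 43 payload is treated as an end tag, and the mere presence of suboption 02 is taken to mean the image name is a symbolic link. The sample lease values are constructed.

```python
"""Client-side model of Junos ZTP DHCP parameter handling (added example)."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Option 43 suboption codes from the procedure; 05-255 are reserved.
SUB_IMAGE, SUB_FILE, SUB_SYMLINK, SUB_MODE, SUB_ALT_IMAGE, SUB_HTTP_PORT = range(6)
END_TAG = 255  # assumption: 0xff terminates the payload, as in RFC 2132 option 43


def encode_option43(subs: Dict[int, str]) -> bytes:
    """Emit code(1) length(1) value TLVs. Code 0 is a real suboption here
    (the image name), so it must never be treated as padding."""
    out = bytearray()
    for code in sorted(subs):
        value = subs[code].encode("ascii")
        if not 0 <= code < END_TAG or len(value) > 255:
            raise ValueError(f"suboption {code} out of range")
        out += bytes((code, len(value))) + value
    return bytes(out)


def decode_option43(payload: bytes) -> Dict[int, str]:
    """Parse TLVs, refusing truncated entries rather than guessing."""
    subs: Dict[int, str] = {}
    i = 0
    while i < len(payload) and payload[i] != END_TAG:
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated suboption {code}")
        subs[code] = value.decode("ascii")
        i += 2 + length
    return subs


def file_server(options: Dict[int, bytes]) -> str:
    """Option 150 wins over 66; both must carry an IP address, not a name."""
    if 150 in options:
        raw = options[150]
        if len(raw) < 4:
            raise ValueError("option 150 too short")
        return socket.inet_ntoa(raw[:4])  # first address of the list
    if 66 in options:
        text = options[66].decode("ascii")
        ipaddress.ip_address(text)  # raises ValueError for a hostname
        return text
    raise ValueError("no file server information: ZTP would restart")


@dataclass
class ZtpPlan:
    server: str
    mode: str
    image_url: Optional[str]
    file_url: Optional[str]
    image_is_symlink: bool


def build_plan(options: Dict[int, bytes]) -> ZtpPlan:
    """Turn raw DHCP options (code -> bytes) into the fetch plan."""
    server = file_server(options)
    subs = decode_option43(options.get(43, b""))
    mode = subs.get(SUB_MODE, "tftp").lower()  # TFTP is the default transport
    if mode not in ("tftp", "ftp", "http"):
        raise ValueError(f"unsupported transfer mode {mode!r}")
    port = subs.get(SUB_HTTP_PORT) if mode == "http" else None
    base = f"{mode}://{server}" + (f":{port}" if port else "")

    def url(name: Optional[str]) -> Optional[str]:
        if name is None:
            return None
        u = f"{base}/{name.lstrip('/')}"
        if mode == "http" and len(u) > 256:
            raise ValueError("HTTP URL exceeds the 256-character limit")
        return u

    # Suboption 00 takes precedence; 04 is consulted only when 00 is absent.
    image = subs[SUB_IMAGE] if SUB_IMAGE in subs else subs.get(SUB_ALT_IMAGE)
    if image is None and SUB_FILE not in subs:
        raise ValueError("no image and no file to fetch: ZTP would restart")
    return ZtpPlan(server, mode, url(image), url(subs.get(SUB_FILE)),
                   SUB_SYMLINK in subs)  # assumption: presence of 02 flags a symlink


def classify_file(data: bytes) -> Tuple[str, Optional[str]]:
    """'#!' plus an interpreter path on line one means execute; anything
    else is loaded as a text-format Junos configuration."""
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    if first.startswith(b"#!") and first[2:].strip():
        return "script", first[2:].strip().split()[0].decode("ascii")
    return "config", None


# Constructed sample lease carrying the options from the procedure above.
SAMPLE_LEASE = {
    12: b"jn-switch35",
    66: b"192.0.2.99",                 # ignored because option 150 is present
    150: socket.inet_aton("192.0.2.10"),
    43: encode_option43({
        SUB_IMAGE: "images/junos-image.tgz",
        SUB_ALT_IMAGE: "images/ignored.tgz",   # ignored because 00 is set
        SUB_FILE: "config/jn-switch35.config",
        SUB_MODE: "http",
        SUB_HTTP_PORT: "8080",
    }),
}

if __name__ == "__main__":
    print(build_plan(SAMPLE_LEASE))
    print(classify_file(b"#!/usr/libexec/ui/cscript\nversion 1.0;\n"))
```

A useful pre-deployment check is to run decode_option43 over the bytes your DHCP server actually emits (captured with a packet sniffer on the provisioning VLAN) and compare the result with what you configured; a server that pads or terminates the encapsulated payload differently from what the client expects shows up here as a wrong suboption code or a truncation error rather than as an unexplained ZTP restart loop on the device.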

Release History Table

Release    Description

18.2R1     Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX5000, PTX3000, PTX10008, PTX10016, PTX10002-60C routers.

18.2R1     Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10008 and QFX10016 switches.

18.1R1     Starting in Junos OS Release 18.1R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10002-60C switches.

15.2       Starting in Junos OS Release 15.2, you can provision any supported device (router or switch) by using either a script to be executed or a file to be loaded.

15.1       Starting in Junos OS Release 15.1, you can provision by using a script to be executed or a configuration file to be loaded.