Zero Touch Provisioning

 

Zero Touch Provisioning installs or upgrades the software automatically on your new Juniper Networks devices with minimal manual intervention.

Zero Touch Provisioning Overview

Zero Touch Provisioning (ZTP) allows you to provision new Juniper Networks devices in your network automatically, with minimal manual intervention. You can use either management ports or network ports on your switch to connect to the network. When you physically connect a device to the network and boot it with a default factory configuration, the device upgrades (or downgrades) the Junos OS release and autoinstalls a configuration file from the network. To locate the necessary software image and configuration files on the network, the device uses information that you have configured on a Dynamic Host Configuration Protocol (DHCP) server. If you do not configure the DHCP server to provide this information, the device boots with the preinstalled software and default factory configuration.

On switches running Enhanced Layer 2 Software, Junos Extended Dynamic Host Configuration Protocol (JDHCP) is used instead of legacy DHCP. JDHCP supports the same functionality as DHCP, and all configuration options remain the same. JDHCP is an enhanced version of legacy DHCP software. If you are performing ZTP with a Junos OS image that contains enhanced automation for the QFX5100 switch, you can use DHCP option 43 suboption 01 to run script files, not just load configuration files. Using scripts, you can create device-specific configuration files and perform HTTP request operations to web servers to download specific configuration files or Junos OS releases.

Note

For Junos OS Evolved, there is no JDHCP. Junos OS Evolved uses the Linux DHCP client.

Originally (as of Junos OS Release 12.2), the only devices that supported ZTP (previously known as EZ Touchless Provisioning) were EX Series switches, and only configuration files, not scripts, could be used for provisioning.

Over subsequent Junos OS releases, ZTP support has expanded:

  • Starting in Junos OS Release 15.1, you can provision by using a script to be executed or a configuration file to be loaded.

  • Starting in Junos OS Release 15.2, you can provision any supported device (router or switch) by using either a script to be executed or a file to be loaded.

  • Starting in Junos OS Release 17.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX1000 routers.

  • Starting in Junos OS Release 18.1R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10002-60C switches.

  • Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX5000, PTX3000, PTX10008, PTX10016, PTX10002-60C routers.

  • Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10008 and QFX10016 switches.

  • Starting in Junos OS Release 18.3R1, ZTP, which automates the provisioning of the device configuration and software image with minimal manual intervention, is supported on MX Series VM hosts.

  • Starting in Junos OS Release 19.2R1, ZTP can automate the provisioning of the device configuration and software image on the management interface em0 for ACX5448 switches.

  • Starting in Junos OS Evolved Release 19.1R1, ZTP can automate the provisioning of the device configuration and software image on the management interface for QFX5220 and PTX10003 devices. The management interfaces for PTX10003 devices are vmb0 and vmb1. The management interface for QFX5220 devices is vmb0.

Note

To see which platforms support ZTP, in a browser, go to Feature Explorer. In the Explore Features section of the Feature Explorer page, select All Features. In the Features Grouped by Feature Family box, select Zero Touch Provisioning. You can also type the name of the feature in the Search for Features edit box.

See the following subsections for more information on the ZTP feature:

Executing a Script

When you connect and boot a new networking device, if Junos OS detects a file on the DHCP server, the first line of the file is examined. If Junos OS finds the characters #! followed by an interpreter path, it treats the file as a script and executes it with that interpreter. If the script returns an error (that is, a nonzero exit value), the ZTP state machine fetches the script again and attempts to execute it again. This continues until the script executes successfully. The script can be, for example, a shell script (#!/bin/sh), a SLAX script (#!/usr/libexec/ui/cscript), or a Python script (#!/usr/bin/python).

If Junos OS does not find the characters #! followed by an interpreter path, it treats the file as a Junos OS configuration in text format and loads the file.

Note

On EX4300 and QFX5100 switches running Enhanced Layer 2 Software, and QFX5100 switches running a Junos OS image that contains enhanced automation, you can specify the name of a script file or a configuration file in suboption 01. ZTP determines whether the file is a script based on its first line. If the first line contains the characters #! followed by an interpreter path (for example, #!/usr/libexec/ui/cscript), ZTP treats the file as a script and executes it with the specified interpreter. If the script returns an error, ZTP fetches and executes the script file again until the script executes successfully. If the first line does not contain the #! characters followed by an interpreter path, ZTP treats the file as a configuration file.

Note

Python scripts are not supported during ZTP on the following devices:

  • PTX10001-20C

  • PTX10002-60C

  • QFX10002-60C

  • PTX1000

  • ACX5448
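As an added illustration of the classification rule described above (example code, not Juniper's), the following Python script checks files before they are staged on the ZTP file server: it applies the same first-line #! test that ZTP applies, and it flags Python scripts destined for the platforms listed in the note above. The interpreter paths and platform names are taken from this page; the sample file contents are constructed.

```python
"""Added example (not Juniper's code): check files before staging them on the
ZTP file server, using the first-line rule this page describes."""

# Interpreter paths named on this page, and the script type each implies.
KNOWN_INTERPRETERS = {
    "/bin/sh": "shell",
    "/usr/libexec/ui/cscript": "slax",
    "/usr/bin/python": "python",
}

# Platforms the page lists as not supporting Python scripts during ZTP.
NO_PYTHON_PLATFORMS = {
    "PTX10001-20C", "PTX10002-60C", "QFX10002-60C", "PTX1000", "ACX5448",
}


def classify(content):
    """Return ('script', interpreter_path) or ('config', None).

    Only the first line is examined, as ZTP does: '#!' followed by an
    interpreter path means script; anything else is a text-format
    configuration (a bare '#!' with no path falls into the config case).
    """
    first_line = content.split("\n", 1)[0].rstrip("\r")
    if first_line.startswith("#!"):
        rest = first_line[2:].strip()
        if rest:
            return "script", rest.split()[0]
    return "config", None


def check_for_platform(content, platform):
    """List problems with serving this file to the given platform; [] is clean."""
    problems = []
    kind, interpreter = classify(content)
    if kind == "script":
        script_type = KNOWN_INTERPRETERS.get(interpreter)
        if script_type is None:
            problems.append(f"unrecognised interpreter {interpreter!r}")
        elif script_type == "python" and platform in NO_PYTHON_PLATFORMS:
            problems.append(f"Python scripts are not supported during ZTP on {platform}")
    elif content.lstrip().startswith("#!"):
        # No interpreter path after '#!': ZTP would load this as configuration,
        # the commit would fail, and ZTP would restart.
        problems.append("'#!' without an interpreter path is treated as configuration")
    return problems


# Constructed sample files, not taken from any real deployment.
SAMPLES = {
    "shell":  "#!/bin/sh\n# fetch and load a configuration here\n",
    "slax":   "#!/usr/libexec/ui/cscript\nversion 1.0;\n",
    "python": "#!/usr/bin/python\n# fetch and load a configuration here\n",
    "config": "system {\n    host-name jn-switch35;\n}\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        for platform in ("QFX5100", "PTX1000"):
            print(name, platform, classify(content), check_for_platform(content, platform))
```

Run the check over every file you intend to publish under suboption 01 before the device ever fetches it; a misclassified file does not fail loudly but puts the device into the ZTP restart loop described later on this page.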

Zero Touch Provisioning Restart Process Triggers

ZTP restarts when any of the following events occur:

  • Request for configuration file, script file, or image file fails.

  • Configuration file is incorrect, and commit fails.

  • No configuration file and no image file is available.

  • Image file is corrupted, and installation fails.

  • No file server information is available.

  • DHCP client does not have valid ZTP parameters configured.

  • When none of the DHCP client interfaces goes to a bound state.

  • ZTP transaction fails after six attempts to fetch the configuration file or image file.

When any of these events occur, ZTP resets the DHCP client state machine on all of the DHCP client-configured interfaces (management and network) and then restarts the state machine. Restarting the state machine enables the DHCP client to get the latest DHCP server-configured parameters.

Before ZTP restarts, approximately 15 to 30 seconds must elapse to allow enough time to build a list of bound and unbound DHCP client interfaces.

The list of bound and unbound DHCP client interfaces can contain:

  • No entries.

  • Multiple DHCP client interfaces.

    Priority is given to the DHCP client interfaces that have received all ZTP parameters (software image file, configuration file, and file server information) from the DHCP server.

After the lists of bound and unbound client interfaces are created, and a DHCP client gets selected for ZTP activity, any existing default route is deleted and the DHCP client interface that was selected adds a new default route. In order to add a new default route, only one ZTP instance can be active.

After ZTP restarts, the DHCP client attempts fetching files from the DHCP server for up to six times, with ten to fifteen seconds elapsing between attempts. Every attempt, whether successful or not, is logged and can be seen on the console.

If there is a failure, or the number of attempts exceeds the limit, ZTP stops. ZTP then clears the DHCP client bindings and restarts the state machine on the DHCP-configured interfaces.

The ZTP restart process continues until there is either a successful software upgrade, or an operator manually commits a user configuration and deletes the ZTP configuration.

Caveats Relating to ZTP

There are two downgrade limitations for EX Series switches:

  • If you downgrade to a software version earlier than Junos OS Release 12.2, in which ZTP is not supported, the configuration file autoinstall phase of the zero touch provisioning process does not happen.

  • To downgrade to a software version that does not support resilient dual-root partitions (Junos OS Release 10.4R2 or earlier), you must perform some manual work on the switch. For more information, see Configuring Dual-Root Partitions.

The following are caveats for QFX Series switches:

  • On QFX3500 and QFX3600 switches running the original CLI, you cannot use ZTP to upgrade from Junos OS Release 12.2 or later to Junos OS Release 13.2X51-D15 or later.

  • In Junos OS Release 15.1X53-D30, QFX5200 switches support only HTTP as the ZTP transfer mode. FTP and TFTP are not supported.

  • If you are performing Zero Touch Provisioning (ZTP) with a Junos OS image that contains enhanced automation for the QFX5100 switch, configure root authentication, and the provider name, license type, and deployment scope for Chef and Puppet at the [edit system] hierarchy in the configuration file that is fetched from the server:

    {master:0}
    root# set root-authentication (encrypted-password password | plain-text-password password | ssh-dsa public-key | ssh-rsa public-key)
    root# set extensions providers juniper license-type customer deployment-scope commercial
    root# set extensions providers chef license-type customer deployment-scope commercial

In Junos OS Release 18.1R1, if you are upgrading the software, you must perform a full software upgrade. A full upgrade includes upgrading both the Junos OS software and the host software packages.

There are no caveats for Junos OS Evolved platforms.

Configuring Zero Touch Provisioning

Configuring Zero Touch Provisioning (ZTP) allows for automatic provisioning of Juniper Networks devices that you add to your network. You can provision any supported device by using either a script to be executed or a configuration file to be loaded.

To use ZTP, you configure a DHCP server to provide the required information. If you do not configure the DHCP server to provide this information, the device boots with the preinstalled software and default factory configuration. To make sure you have the default factory configuration loaded on the device, issue the request system zeroize command on the device you want to provision.

Note

The request system zeroize command is not supported on PTX1000, PTX10001-20C, QFX10002-60C, and PTX10002-60C devices. You must issue the request vmhost zeroize command (instead of request system zeroize) to restore the factory default configuration on PTX1000 routers.

Note

On PTX10001-20C devices, after you issue the request vmhost zeroize command, you will see the following message twice:

VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes

warning: Vmhost will reboot and may not boot without configuration

Erase all data, including configuration and log files? [yes,no] (no) yes

Before you begin:

  • Ensure that the switch or router has access to the following network resources:

    • The DHCP server that provides the location of the software image and configuration files on the network

      Refer to your DHCP server documentation for configuration instructions.

    • The File Transfer Protocol (anonymous FTP), Hypertext Transfer Protocol (HTTP), or Trivial File Transfer Protocol (TFTP) server on which the software image and configuration files are stored

      Note

      Although TFTP is supported, we recommend that you use FTP or HTTP instead, because these transport protocols are more reliable.

      Caution

      HTTP URLs are limited to 256 characters in length.

    • (Does not apply to Junos OS Evolved) A Domain Name System (DNS) server to perform reverse DNS lookup

    • (Optional) An NTP server to perform time synchronization on the network

    • (Optional) A system log (syslog) server to manage system log messages and alerts

  • Locate and record the MAC address printed on the switch or router chassis.

Caution

You cannot commit a configuration while the switch or router is performing the software update process. If you commit a configuration while the switch or router is performing the configuration file autoinstallation process, the process stops, and the configuration file is not downloaded from the network.

To configure zero touch provisioning for a switch or router:

  1. Boot the device.
  2. Make sure the switch or router has the default factory configuration installed.

    Issue the request system zeroize command on the switch or router that you want to provision.

    Note

    The request system zeroize command is not supported on PTX1000 routers. You must issue the request vmhost zeroize command (instead of request system zeroize) for factory default configuration on PTX1000 routers.

  3. Download the software image file and the configuration file to the FTP, HTTP, or TFTP server from which the switch or router will download these files.

    You can download either one or both of these files.

    Note

    If you are performing zero touch provisioning with a Junos OS image that contains enhanced automation for the QFX5100 device, configure root authentication and the provider name, license type, and deployment scope for Chef and Puppet at the [edit system] hierarchy in the configuration file that is fetched from the server:

    {master:0}
    root# set root-authentication (encrypted-password password | plain-text-password password | ssh-dsa public-key | ssh-rsa public-key)
    root# set extensions providers juniper license-type customer deployment-scope commercial
    root# set extensions providers chef license-type customer deployment-scope commercial
  4. Configure the DHCP server to provide the necessary information to the switch or router.

    Configure IP address assignment.

    You can configure dynamic or static IP address assignment for the management address of the switch or router. To determine the management MAC address for static IP address mapping, add 1 to the last byte of the MAC address of the switch or router, which you noted before you began this procedure.

  5. Define the format of the vendor-specific information for DHCP option 43 in the dhcpd.conf file.

    Here is an example of an ISC DHCP 4.2 server dhcpd.conf file:

    Note

    Starting in Junos OS Release 18.2R1, a new DHCP option is introduced to set the timeout value for file downloads over FTP. If the transfer mode is FTP, the default timeout is 120 minutes: if the FTP session is interrupted by a loss of connectivity in the middle of a file transfer, the transfer times out after 120 minutes and ZTP retries the file fetch. You can override this value with the DHCP option as follows:

    where "val" is the user-configurable timeout value in seconds and must be provided within quotes (for example, "val").

  6. Configure the following DHCP option 43 suboptions:

    Note

    DHCP option 43 suboptions 05 through 255 are reserved.

    • Suboption 00: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the software image filename using suboption 04. If both suboption 00 and suboption 04 are defined, suboption 04 is ignored.

    • Suboption 01: The name of the script or configuration file to install.

      Note

      On EX4300 and QFX5100 devices running Enhanced Layer 2 Software, and QFX5100 devices running a Junos OS image that contains enhanced automation, you can specify the name of a script file or a configuration file. ZTP determines if the file is a script file based on the first line that is included in the file. If the first line contains #! characters followed by an interpreter path, ZTP determines that the file is a script file, and executes the script file with the specified interpreter path. In order for a script to execute, the script file must provide the ability to fetch and load a valid configuration file on the device during the ZTP process.

      The following list provides the types of scripts and their associated interpreter paths:

      • Shell script interpreter path: #!/bin/sh

      • SLAX script interpreter path: #!/usr/libexec/ui/cscript

      • Python script interpreter path: #!/usr/bin/python

        Unsigned Python scripts are only supported on limited platforms, such as the QFX5100 device. If you try to execute unsigned Python scripts on devices that do not provide support, error messages will be issued.

      If the first line does not contain the special characters (#!) followed by an interpreter path, ZTP determines that the file is a configuration file and loads it.

    • Suboption 02: The symbolic link to the software image file to install.

      Note

      If you do not specify suboption 02, the ZTP process handles the software image as a filename, not a symbolic link.

    • Suboption 03: The transfer mode that the switch or router uses to access the TFTP, FTP, or HTTP server. If you select FTP as the transfer mode, Junos OS uses the anonymous FTP login to download files from the FTP server.

      Note

      If suboption 03 is not configured, TFTP becomes the transfer mode by default.

    • Suboption 04: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the image file using suboption 04. If both suboption 00 and suboption 04 are defined, suboption 04 is ignored.

    • Suboption 05: The HTTP port that the device uses to download either the image or configuration file or both instead of the default HTTP port.

  7. (Mandatory) Configure either option 150 or option 66.

    Note

    You must configure either option 150 or option 66. If you configure both option 150 and option 66, option 150 takes precedence, and option 66 is ignored. Also, make sure you specify an IP address, not a hostname, because name resolution is not supported.

    • Configure DHCP option 150 to specify the IP address of the FTP, HTTP, or TFTP server.

    • Configure DHCP option 66 to specify the IP address of the FTP, HTTP, or TFTP server.

  8. (Optional) Configure DHCP option 7 to specify one or more system log (syslog) servers.
  9. (Optional) Configure DHCP option 42 to specify one or more NTP servers.
  10. (Optional) Configure DHCP option 12 to specify the hostname of the switch or router.

    The following sample configuration shows the DHCP options you just configured:

    Based on the DHCP options you just configured, the following statements are appended to the Junos OS configuration file (for example, jn-switch35.config):

  11. Connect the switch or router to the network that includes the DHCP server and the FTP, HTTP, or TFTP server.
  12. Boot the switch or router with the default configuration.
  13. Monitor the ZTP process by looking at the following log files.

    Note

    When SLAX scripts are executed, the op-script.log and event-script.log files are produced.

    • /var/log/dhcp_logfile

    • /var/log/event-script.log

    • /var/log/image_load_log

    • /var/log/messages

    • /var/log/op-script.log

    • /var/log/script_output

    You can also monitor the ZTP process by looking at error messages and issuing operational commands. See Monitoring Zero Touch Provisioning for more information.
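The following Python module is an added example (not Juniper's code, and not the dhcpd.conf sample that is missing from this page) that models steps 4 through 7 above. It encodes the option 43 suboptions into the code/length/value bytes the DHCP server sends, decodes them back, applies the precedence rules stated above (suboption 00 over 04, tftp as the default transfer mode, option 150 over option 66, an IP address rather than a hostname), derives the management MAC address by adding 1 to the last byte of the chassis MAC, and renders an ISC dhcpd.conf host stanza. The option-space name NEW_OP and the suboption labels are this example's own naming; the hostname jn-switch35 comes from this page, while the MAC address, IP addresses and image filename are constructed.

```python
"""Added example (not Juniper's code): DHCP option 43 handling for Junos ZTP.

Option-space name NEW_OP and the suboption labels are this example's own
choices; MACs, addresses and the image filename are constructed samples.
"""
import ipaddress

# Suboption codes as described on this page.
SUBOPTIONS = {
    0: "image-file-name",
    1: "config-file-name",
    2: "image-file-type",       # symbolic link to the image file
    3: "transfer-mode",
    4: "alt-image-file-name",
    5: "http-port",
}
TRANSFER_MODES = {"tftp", "ftp", "http"}


def encode_option43(suboptions):
    """Serialise {code: str} into the code/length/value bytes of option 43."""
    payload = bytearray()
    for code in sorted(suboptions):
        if code not in SUBOPTIONS:
            raise ValueError(f"suboption {code:02d} is reserved")
        value = suboptions[code].encode("ascii")
        if not 0 < len(value) <= 255:
            raise ValueError(f"suboption {code:02d}: value must be 1..255 bytes")
        payload += bytes([code, len(value)]) + value
    return bytes(payload)


def decode_option43(payload):
    """Parse option 43 bytes back into {code: str}; truncated data is rejected."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code:02d}: truncated value")
        out[code] = value.decode("ascii")
        i += 2 + length
    return out


def resolve_ztp_parameters(suboptions, option150=None, option66=None):
    """Apply the precedence rules from this page to get the effective parameters."""
    if option150 is None and option66 is None:
        raise ValueError("option 150 or option 66 is mandatory")
    server = option150 if option150 is not None else option66  # 150 wins
    ipaddress.ip_address(server)  # hostnames are not resolved; reject them
    mode = suboptions.get(3, "tftp").lower()  # tftp when suboption 03 is absent
    if mode not in TRANSFER_MODES:
        raise ValueError(f"unsupported transfer mode {mode!r}")
    return {
        "file_server": server,
        "image": suboptions.get(0) or suboptions.get(4),  # 04 ignored if 00 set
        "image_is_symlink": 2 in suboptions,
        "file": suboptions.get(1),  # script or configuration file
        "transfer_mode": mode,
        "http_port": int(suboptions[5]) if 5 in suboptions else None,
    }


def management_mac(chassis_mac):
    """Add 1 to the last byte of the chassis MAC, as the page instructs.

    The page does not define the result when the last byte is ff, so that
    input is rejected rather than guessed.
    """
    octets = [int(x, 16) for x in chassis_mac.split(":")]
    if len(octets) != 6 or octets[-1] == 0xFF:
        raise ValueError(f"cannot derive management MAC from {chassis_mac}")
    octets[-1] += 1
    return ":".join(f"{x:02x}" for x in octets)


def render_dhcpd_host(hostname, chassis_mac, address, server, suboptions):
    """Render the ISC dhcpd.conf option-space declaration plus one host stanza."""
    lines = ["option space NEW_OP;"]
    for code, name in SUBOPTIONS.items():
        lines.append(f"option NEW_OP.{name} code {code} = text;")
    lines += [
        "option NEW_OP-encapsulation code 43 = encapsulate NEW_OP;",
        "option option-150 code 150 = ip-address;",
        "",
        f"host {hostname} {{",
        f"    hardware ethernet {management_mac(chassis_mac)};",
        f"    fixed-address {address};",
        f'    option host-name "{hostname}";',
        f"    option option-150 {server};",
    ]
    for code in sorted(suboptions):
        lines.append(f'    option NEW_OP.{SUBOPTIONS[code]} "{suboptions[code]}";')
    lines.append("}")
    return "\n".join(lines)
```

Calling render_dhcpd_host("jn-switch35", "00:11:22:33:44:55", "192.0.2.35", "192.0.2.10", {0: "junos-image.tgz", 1: "jn-switch35.config", 3: "ftp"}) produces a stanza keyed on the management MAC 00:11:22:33:44:56, which is the static-mapping step the procedure describes; resolve_ztp_parameters is useful on the server side to confirm that what you are about to hand out resolves to a single image, file and IP-literal file server before a device depends on it.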

Configuring Zero-Touch Provisioning on an SRX Series Device

This section provides step-by-step instructions on how to use ZTP on an SRX Series device for initial provisioning of the device.

Before you begin:

  • Unpack the device, install it, complete the necessary cabling, connect a laptop or any other terminal device, and power on the device. See the Hardware Installation Guide for your device for more information.

  • For SRX300, SRX320, SRX340, SRX345, and SRX550M devices, connect the management device and access the J-Web interface.

    For more information, see the Quick Start guides of the respective devices: SRX300, SRX320, SRX340, SRX345, and SRX550M.

    You are provided with an option to use ZTP; you can use this option or skip it and continue with J-Web wizards.

  • For SRX1500 devices, before you can use J-Web to configure your device, you must access the CLI to configure the root authentication and the management interface. For more information, see How to Set Up Your SRX1500 Services Gateway  .

To provision an SRX Series device by using ZTP:

  1. Connect a management device (PC or laptop) to any front panel Ethernet port (WAN port) of the SRX Series device.
  2. Launch a Web browser from the management device and enter the authentication code in the webpage as shown in Figure 1.
    Figure 1: Entering Activation Code for ZTP

    After the device is successfully authenticated, it starts downloading the software image and initial configuration from the server as shown in Figure 2.

    Figure 2: Initiating ZTP Process (Software Image Downloading)

    At this step:

    • The activation code is sent to the server, and if the authentication is successful, the server pushes the initial configuration to the device. If the authentication is unsuccessful, you are asked to provide the correct code.

    • The server can optionally push a new software image to the SRX Series device. In that case, the new image is installed first, and then the initial configuration is applied and committed on the device.

    The new image is installed and then the initial configuration is applied and committed on the device. When the process is complete, a confirmation message is displayed, as shown in Figure 3.

    Figure 3: Completing ZTP Process
  3. Click Logs to display details of the bootstrapping process.

After successfully installing the new software image and configuration on the system, the client sends the bootstrap-complete notification to the server that provided the image and the configuration. After the notification is sent, the configuration that includes the names of servers is deleted from the system. When you use ZTP the next time, you must explicitly configure the URL of the redirect server.

Note

In case of failure at any stage, the procedure is started all over again.

Note

The ZTP process either upgrades or downgrades the Junos OS version. During a downgrade on an SRX Series device, if you downgrade to a software version earlier than Junos OS Release 15.1X49-D100, in which ZTP is not supported, the autoinstallation phase of the ZTP process does not happen.

For SRX300, SRX320, SRX340, SRX345, and SRX550M devices, ZTP is the default method for provisioning the devices. However, if you want to use J-Web-based provisioning (J-Web setup wizards supported for the SRX300 line of devices and SRX550M devices), then instead of ZTP, you can use the option provided in the client portal to skip to J-Web setup wizards for performing the initial software configuration of your device.

If you select the Skip to JWeb option, you must configure the system root authentication password as shown in Figure 4.

Figure 4: Configuring System Root-Authentication Password

Note

For SRX1500 devices, the Skip to JWeb option is not supported. To access J-Web, the ZTP client configuration must be deleted during the initial setup of SRX1500 through CLI.

Monitoring Zero Touch Provisioning

Starting in Junos OS Release 12.2, you can use the console and operational commands to monitor Zero Touch Provisioning.

Starting in Junos OS Evolved Release 19.1R1, to monitor zero touch provisioning on Junos OS Evolved, use the show system ztp command.

Using the Console to Monitor Zero Touch Provisioning

The following Zero Touch Provisioning (ZTP) activities are displayed on the console during the ZTP process:

  • Starting and ending times of ZTP process.

  • Lists of bound and unbound DHCP client interfaces.

  • DHCP options that DHCP servers send to DHCP clients.

  • Logs indicating which interfaces are used for ZTP.

  • ZTP parameters that DHCP clients obtain from DHCP servers.

  • Filenames of configuration and image files, names of file servers, protocols used to fetch files, and times when DHCP servers fetch configuration and image files.

  • Failure states caused by files not being on servers, or unreachable servers, and time outs.

  • Number of attempts made, and number of attempts remaining, for retry in current ZTP cycle.

  • Completion of file transfers.

  • Installation, reboot, and state of ZTP process.

  • Internal state errors and termination of ZTP process.

  • Logs for when default routes were added or deleted.

Using System Log Alerts to Monitor Zero Touch Provisioning

Purpose

In this example, the system log alert tells you that the auto-image upgrade will start.

Action

Use the following system log alert to monitor the auto-image upgrade process.

Meaning

This system log alert indicates that the auto-image upgrade will start, and provides information on how to stop the auto-image upgrade process.

Using Error Messages to Monitor Zero Touch Provisioning

Purpose

Error messages provide information on which DHCP options are not configured.

Action

Use the information in the following error message to find out which DHCP options are not configured.

Meaning

The error message indicates that the DHCP log server, hostname, and NTP server options are not configured.

Using System Log Files to Monitor Zero Touch Provisioning

Purpose

System log files provide information on the state of the auto-upgrade process, lists of bound and unbound DHCP client interfaces, IP addresses of file servers, names and locations of image and configuration files, and successful and failed attempts at fetching configuration and image files.

Action

Use the information in the following system log files to monitor the auto-upgrade process.

Meaning

These system log files indicate that there were six failed attempts to fetch the configuration file from the file server, the IP address of the file server, the DHCP client interface name, and the number of times the retry process occurred.

Using the show dhcp client binding Command

Purpose

Issue the show dhcp client binding command to display DHCP client binding information.

Action

Issue the show dhcp client binding command to display the IP address of the DHCP client, the hardware address of the DHCP client, number of seconds in which the DHCP client’s IP address lease expires, state of the DHCP client IP address in the binding table, and the name of the interface that has active client bindings.

show dhcp client binding

user@switch# show dhcp client binding

Meaning

The output of this command shows that there is one client interface that is bound, and that there are three interfaces that are receiving DHCP offers from the DHCP server.

Using the show dhcp client statistics Command

Purpose

Issue the show dhcp client statistics command to display DHCP client statistics.

Action

Issue the show dhcp client statistics command to display DHCP client statistics, such as the number of packets dropped and the number of DHCP and BOOTP messages sent and received.

show dhcp client statistics

user@switch# show dhcp client statistics

Meaning

The output of this command displays how many packets were dropped with errors, the number of BOOTREPLY and DHCPOFFER messages that were received, and the number of BOOTREQUEST and DHCPREQUEST messages that were sent.

Release History Table

Release          Description
15.1             Starting in Junos OS Release 15.1, you can provision by using a script to be executed or a configuration file to be loaded.
15.2             Starting in Junos OS Release 15.2, you can provision any supported device (router or switch) by using either a script to be executed or a file to be loaded.
17.2R1           Starting in Junos OS Release 17.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX1000 routers.
18.1R1           Starting in Junos OS Release 18.1R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10002-60C switches.
18.2R1           Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX5000, PTX3000, PTX10008, PTX10016, PTX10002-60C routers.
18.2R1           Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10008 and QFX10016 switches.
18.3R1           Starting in Junos OS Release 18.3R1, ZTP, which automates the provisioning of the device configuration and software image with minimal manual intervention, is supported on MX Series VM hosts.
19.2R1           Starting in Junos OS Release 19.2R1, ZTP can automate the provisioning of the device configuration and software image on the management interface em0 for ACX5448 switches.
12.2             Starting in Junos OS Release 12.2, you can use the console and operational commands to monitor Zero Touch Provisioning.
Evolved 19.1R1   Starting in Junos OS Evolved Release 19.1R1, ZTP can automate the provisioning of the device configuration and software image on the management interface for QFX5220 and PTX10003 devices.
Evolved 19.1R1   Starting in Junos OS Evolved Release 19.1R1, to monitor zero touch provisioning on Junos OS Evolved, use the show system ztp command.