Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Zero Touch Provisioning

 

Zero Touch Provisioning installs or upgrades the software automatically on your new Juniper Networks devices with minimal manual intervention.

Zero Touch Provisioning Overview

Zero Touch Provisioning (ZTP) allows you to provision new Juniper Networks devices in your network automatically, with minimal manual intervention. You can use either management ports or network ports, depending on your device, to connect to the network. When you physically connect a device to the network and boot it with a default factory configuration, the device upgrades (or downgrades) the Junos OS release and autoinstalls a configuration file from the network. The configuration file can be a Junos OS configuration or a script. Using scripts, you can create device-specific configuration files and perform HTTP request operations to web servers to download specific configuration files or Junos OS releases.

To locate the necessary software image and configuration files on the network, the device uses information that you have configured on a Dynamic Host Configuration Protocol (DHCP) server. If you do not configure the DHCP server to provide this information, the device boots with the preinstalled software and default factory configuration.

Originally (as of Junos OS release 12.2), the only devices that supported ZTP (or EZ Touchless Provisioning as it was previously known) were EX Series switches and only configuration files could be used to provision configuration.

Over subsequent Junos OS releases, ZTP support has expanded:

  • Starting in Junos OS Release 16.1R1, you can provision supported devices by using either a script to be executed or a configuration file to be loaded.

  • Starting in Junos OS Release 17.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX1000 routers.

  • Starting in Junos OS Release 18.1R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10002-60C switches.

  • Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX5000, PTX3000, PTX10008, PTX10016, PTX10002-60C routers.

  • Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10008 and QFX10016 switches.

  • Starting in Junos OS Release 18.3R1, ZTP, which automates the provisioning of the device configuration and software image with minimal manual intervention, is supported on MX Series VM hosts.

  • Starting in Junos OS Release 19.2R1, ZTP can automate the provisioning of the device configuration and software image on management interface emo for ACX5448 switches.

    Starting in Junos OS Evolved Release 19.1R1, ZTP can automate the provisioning of the device configuration and software image on the management interface for QFX5220 and PTX10003 devices. The management interfaces for PTX10003 devices are re0:mgmt-0 and re0:mgmt-1. The management interface for QFX5220 devices is vmb0.

  • Starting in Junos OS Release 19.4R1, ZTP can automate the provisioning of the device configuration and software image on Juniper Route Reflector (JRR). ZTP supports self image upgrades and automatic configuration updates using ZTP DHCP options. In this release, ZTP supports revenue ports em2 thru em9, in addition to management port em0 which is supported in Junos OS Releases before 19.4R1.

  • Starting in Junos OS Evolved Release 20.1R1 on PTX10003 devices, Zero Touch Provisioning (ZTP) dynamically detects the port speed of WAN interfaces and uses this information to create ZTP server ports with the same speed.

  • Starting in Junos OS Evolved Release 20.1R1, PTX10008 devices support automation of the device configuration and software upgrade over the management interface of Routing Engine 0 (RE0).

  • Starting in Junos OS Release 20.2R1-S1 on the MX-Series, EX3400, EX4300, QFX5100, and QFX5200 devices, ZTP supports the DHCPv6 client. During the bootstrap process, the device first uses the DHCPv4 client to request for information regarding image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If there is a failure with one of the DHCPv4 bindings, the device will continue to check for bindings until provisioning is successful. If there are no DHCPv4 bindings, however, the device will check for DHCPv6 bindings and follow the same process as for DHCPv4 until the device can be provisioned successfully. The DHCP server uses DHCPv6 options 59 and 17 and applicable sub-options to exchange ZTP-related information between itself and the DHCP client.

  • Starting in Junos OS Release 20.2R1 on SRX300, SRX320, SRX340, SRX345, SRX550 HM, and SRX1500 devices, you can use Zero Touch Provisioning with DHCP options or the phone-home client to provision your device.

Note

To see which platforms support ZTP, in a browser, go to Feature Explorer. In the Explore Features section of the Feature Explorer page, select All Features. In the Features Grouped by Feature Family box, select Zero Touch Provisioning. You can also type the name of the feature in the Search for Features edit box.

See the following subsections for more information on the ZTP feature:

ZTP Workflow

When a device boots up with the default configuration, the following events take place:

  1. DHCP client is enabled on supported interfaces.

  2. DHCP server provisions an IP address and includes several DHCP options in the reply related to the ZTP process.

  3. The device processes the DHCP options and locates configuration files, executes scripts, and upgrades and/or downgrades software.

  4. If both the image and configuration files are present, the image is installed and the configuration is applied.

  5. If only the image file is present, the image is installed on the device.

  6. If the image is the same as the image already installed on the device, ZTP continues and skips the installation step.

  7. If the image was unable to be fetched by the device, ZTP will try to fetch the image again.

  8. If the image is corrupted, installation fails.

    If installation fails for any reason, the ZTP will restart.

  9. If only the configuration file is present, the configuration is downloaded.

    If the first line of the file consists of the #! characters followed by an interpreter path, then the file is considered a script, and the script is executed by the interpreter. If the script returns an error, the ZTP state machine will refetch the script and attempt to execute the script again.

    If the configuration file is unable to be downloaded, the ZTP process will try to download it again.

    If the configuration file is corrupted, has syntax errors, or includes commands that are unsupported by the device, the device will be unable to commit, and the retry mechanism will restart.

  10. If there is no image or configuration file, the ZTP process starts again.

  11. If there is no file server information, the ZTP process starts again.

  12. Once the configuration is committed, the ZTP process is deemed successful and terminates.

Provisioning a Device Using a Script

During the ZTP process, when you connect and boot a new networking device, the device requests an IP address from the DHCP server. The server provides the IP address, and if configured, the filenames and locations for the software image and configuration file for the device. The configuration file can be a Junos OS configuration or a script.

If a configuration file is provided, Junos OS determines if the file is a script based on the first line of the file. If the first line contains the characters #! followed by an interpreter path, Junos OS treats the file as a script and executes it with the specified interpreter. If the script returns an error (that is, a nonzero value), the ZTP state machine refetches the script and attempts to execute it again. This continues until the script executes successfully.

Table 1 outlines the supported script types, the corresponding interpreter path, and the platforms that support that script type during the ZTP process.

Table 1: Scripts Supported During ZTP

Script Type

Interpreter Path

Platform Support

Shell script

#!/bin/sh

All devices

SLAX script

#!/usr/libexec/ui/cscript

All devices

Python script

#!/usr/bin/python

Devices running Junos OS with Enhanced Automation

Devices running Junos OS Evolved

Note

For security reasons, Junos OS has strict requirements for running unsigned Python scripts on devices running Junos OS. Only devices running Junos OS with Enhanced Automation and devices running Junos OS Evolved support using unsigned Python scripts in DHCP option 43 suboption 01.

If Junos OS does not find the characters #! followed by an interpreter path, it treats the file as a Junos OS configuration in text format and loads the configuration on the device.

Zero Touch Provisioning Restart Process Triggers

ZTP restarts when any of the following events occur:

  • Request for configuration file, script file, or image file fails.

  • Configuration file is incorrect, and commit fails.

  • No configuration file and no image file is available.

  • Image file is corrupted, and installation fails.

  • No file server information is available.

  • DHCP server does not have valid ZTP parameters configured.

  • When none of the DHCP client interfaces goes to a bound state.

  • ZTP transaction fails after six attempts to fetch configuration file or image file.

    Note

    On devices running Junos OS Evolved, if downloading a file fails, ZTP restarts.

When any of these events occur, ZTP resets the DHCP client state machine on all of the DHCP client-configured interfaces (management and network) and then restarts the state machine. Restarting the state machine enables the DHCP client to get the latest DHCP server-configured parameters.

Before ZTP restarts, approximately 15 to 30 seconds must elapse to allow enough time to build a list of bound and unbound DHCP client interfaces.

The list of bound and unbound DHCP client interfaces can contain:

  • No entries.

  • Multiple DHCP client interfaces.

    Priority is given to the DHCP client interfaces that have received all ZTP parameters (software image file, configuration file, and file server information) from the DHCP server.

After the lists of bound and unbound client interfaces are created, and a DHCP client gets selected for ZTP activity, any existing default route is deleted and the DHCP client interface that was selected adds a new default route. In order to add a new default route, only one ZTP instance can be active.

After ZTP restarts, the DHCP client attempts fetching files from the DHCP server for up to six times, with ten to fifteen seconds elapsing between attempts. Every attempt, whether successful or not, is logged and can be seen on the console.

If there is a failure, or the number of attempts exceeds the limit, ZTP stops. ZTP then clears the DHCP client bindings and restarts state machine on the DHCP-configured interfaces.

The ZTP restart process continues until there is either a successful software upgrade, or an operator manually commits a user configuration and deletes the ZTP configuration.

Caveats Relating to ZTP

There are two downgrade limitations for EX Series switches:

  • If you downgrade to a software version earlier than Junos OS Release 12.2, in which ZTP is not supported, the configuration file autoinstall phase of the zero touch provisioning process does not happen.

  • To downgrade to a software version that does not support resilient dual-root partitions (Junos OS Release 10.4R2 or earlier), you must perform some manual work on the device. For more information, see Configuring Dual-Root Partitions.

The following are caveats for QFX Series switches:

  • On QFX3500 and QFX3600 switches running the original CLI, you cannot use ZTP to upgrade from Junos OS Release 12.2 or later to Junos OS Release 13.2X51-D15 or later.

  • QFX5200 switches only work with HTTP in 15.1X53-D30. FTP and TFTP protocols are not supported.

  • If you are performing Zero Touch Provisioning (ZTP) with a Junos OS image that contains enhanced automation for the QFX5100 switch, configure root authentication, and the provider name, license type, and deployment scope for Chef and Puppet at the [edit system] hierarchy in the configuration file that is fetched from the server:

    { master:0}
    root# set root-authentication (encrypted-password password | plain-text-password password | ssh-dsa public-key | ssh-rsa public-key)
    root# set extensions providers juniper license-type customer deployment-scope commercial
    root# set extensions providers chef license-type customer deployment-scope commercial
  • In Junos OS Release 18.1R1, if you are upgrading the software, you must perform a full software upgrade. A full upgrade includes upgrading both the Junos OS software and the host software packages.

There are no caveats for Junos OS Evolved platforms.

Zero Touch Provisioning Using WAN Interfaces on PTX1000 Routers

Zero Touch Provisioning (ZTP) allows you to provision your router in your network automatically, with minimal manual intervention. Starting in Junos OS Release 19.3R1, you can use either WAN interfaces or management interfaces, to automatically download and install the appropriate software and the configuration file on your router during the ZTP bootstrap process.

When you connect the router to the network at the first time, you can choose any available WAN port on the router to connect the optics. The ZTP automatically configures WAN interfaces based on the optics type, and then connects your device to the Dynamic Host Configuration Protocol (DHCP) server to perform the bootstrap process.

The WAN interfaces created based on the optics type you connected to the device and the WAN interface speed auto-transitions through all possible supported port speeds until the ZTP gets completed successfully. The speed auto-transition ensures to establish physical link of the WAN port with the optics you connected and the peer end device connectivity to the DHCP server.

PTX1000 Port Mapping shows the available combinations for the ports on the PTX1000 routers.

Zero Touch Provisioning on PTX10008 Routers

Zero Touch Provisioning (ZTP) allows you to provision your router in your network automatically, with minimal manual intervention. Starting in Junos OS Evolved Release 20.1R1, the PTX10008 devices support automation of the device configuration and software upgrade over the management interface of Routing Engine 0 (RE0).

ZTP is enabled on the PTX10008 device in the factory default mode. You can connect the management interface (re0:mgmt-0) to a network with a Dynamic Host Configuration Protocol (DHCP) server, and then add ZTP configuration to the DHCP server. Use the show interfaces re0:mgmt-0 command on the PTX10008 device to find the MAC address of the interface to use on the DHCP server configuration.

When the PTX10008 device is able to contact the DHCP server and retrieve ZTP parameters, it performs the following ZTP operations based on these parameters:

  1. Fetches the specified image and/or configuration file using the specified protocol.

  2. If an image is specified, ZTP installs the image on both Routing Engines and reboots the device.

  3. If a configuration file is specified:

    • If the file is a Junos configuration, ZTP applies the configuration on the device.

    • If the file is a script, ZTP execute the script on the device.

Zero Touch Provisioning Using DHCP Options

Zero Touch Provisioning (ZTP) allows for automatic provisioning of Juniper Network devices that you add to your network. You can provision any supported device by using either a script to be executed or a configuration file to be loaded. You will also need to configure a DHCP server with required information, which is provided in this procedure, to use ZTP.

ZTP requires that your device is in a factory default state. The device from the factory boots with preinstalled software and factory default configuration. On a device that does not currently have the factory default configuration, you can issue the request system zeroize command.

Note

The request system zeroize command is not supported on PTX1000, PTX10001-20C, QFX10002-60C, PTX10002-60C devices. You must issue the request vmhost zeroize command (instead of request system zeroize) for factory default configuration on PTX1000 routers.

Note

On PTX10001-20C devices, after you issue the the request vmhost zeroize command, you will see the following message twice: VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes

warning: Vmhost will reboot and may not boot without configuration

Erase all data, including configuration and log files? [yes,no] (no) yes

Before you begin:

  • Ensure that the device has access to the following network resources:

    • The DHCP server that provides the location of the software image and configuration files on the network

      Refer to your DHCP server documentation for configuration instructions.

    • The File Transfer Protocol (anonymous FTP), Hypertext Transfer Protocol (HTTP), or Trivial File Transfer Protocol (TFTP) server on which the software image and configuration files are stored

      Note

      Although TFTP is supported, we recommend that you use FTP or HTTP instead, because these transport protocols are more reliable.

      Caution

      HTTP URLs are limited to 256 characters in length.

    • A Domain Name System (DNS) server to perform reverse DNS lookup (not supported).

    • (Optional) An NTP server to perform time synchronization on the network

    • (Optional) A system log (syslog) server to manage system log messages and alerts.

      Syslog messages will be forwarded to this syslog server during ZTP.

  • Locate and record the MAC address for your device.

    On PTX10008 devices, the management MAC addresses are located on routing engines.

Caution

You cannot commit a configuration while the device is performing the software update process. If you commit a configuration while the device is performing the configuration file autoinstallation process, the process stops, and the configuration file is not downloaded from the network.

To enable zero touch provisioning for a device using DHCP options:

  1. Boot the device.
  2. Make sure the device has the default factory configuration installed.

    Issue the request system zeroize command on the device that you want to provision.

    Note

    The request system zeroize command is not supported on PTX1000 devices. You must issue the request vmhost zeroize command (instead of request system zeroize) for factory default configuration on PTX1000 devices.

    Starting in Junos OS Evolved Release 19.3R1, on QFX5220-128C device, in Zero Touch Provisioning (ZTP), you can use either WAN interfaces or management interfaces, to automatically download and install the appropriate software and the configuration file on your device during the bootstrap process. ZTP automatically configures on WAN port that has default port speed of 100-Gbps, and then connects your device to the Dynamic Host Configuration Protocol (DHCP) server to perform the bootstrap process:

    • If multiple DHCP replies arrive, the ZTP chooses the best set of arguments.

    • If multiple interfaces provide the same arguments, ZTP chooses one of the interfaces.

    • If there is an error while connecting to DHCP server, ZTP retry to connect DHCP server, and if multiple interfaces again provide same arguments, ZTP choose one of the interfaces.

    We recommend you to provision the DHCP server and save the software and configuration file in the specified DHCP server path on the file server.

  3. Download the software image file and/or the configuration file to the FTP, HTTP, or TFTP server from which the device will download these files.Note

    If you are performing zero touch provisioning with a Junos OS image that contains enhanced automation for the QFX5100 device, configure root authentication and the provider name, license type, and deployment scope for Chef and Puppet at the [edit system] hierarchy in the configuration file that is fetched from the server:

    { master:0}
    root# set root-authentication (encrypted-password password | plain-text-password password | ssh-dsa public-key | ssh-rsa public-key)
    root# set extensions providers juniper license-type customer deployment-scope commercial
    root# set extensions providers chef license-type customer deployment-scope commercial
  4. Configure the DHCP server to provide the necessary information to the device.

    Configure IP address assignment.

    You can configure dynamic or static IP address assignment for the management address of the device. To determine the management MAC address for static IP address mapping, add 1 to the last byte of the MAC address of the device, which you noted before you began this procedure.

    Note

    This address can be any address from the pool.

  5. Define the format of the vendor-specific information for DHCP option 43 in the dhcpd.conf file.

    Here is an example of an ISC DHCP 4.2 server dhcpd.conf file:

    Note

    Starting in Junos OS Release 18.2R1, a new DHCP option is introduced to set the timeout value for the file downloads over FTP. If the transfer-mode is set as FTP, the default value for the timeout is automatically set as 120 minutes, that is, in case the FTP session gets interrupted due to loss of connectivity in the middle of a file transfer, it will timeout after 120 minutes and ZTP will attempt to retry the file fetching process. This value can be overridden using the DHCP option as follows:

    where “val” is the user configurable timeout value in seconds and must be provided within quotes (like, "val”).

  6. Configure the following DHCP option 43 suboptions:
    • Suboption 00: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the software image filename using suboption 04. If both suboption 00 and suboption 4 are defined, suboption 04 is ignored.

    • Suboption 01: The name of the script or configuration file to install.

      Note

      ZTP determines if the file is a script file based on the first line of the file. If the first line contains the characters #! followed by an interpreter path, ZTP treats the file as a script and executes it with the specified interpreter path. In order for a script to execute, the script file must provide the ability to fetch and load a valid configuration file on the device during the ZTP process.

      The following list provides the types of scripts and their associated interpreter paths:

      • Shell script interpreter path: #!/bin/sh

      • SLAX script interpreter path: #!/usr/libexec/ui/cscript

      • Python script interpreter path: #!/usr/bin/python

        For security reasons, Junos OS has strict requirements for running unsigned Python scripts on devices running Junos OS. Only devices running Junos OS with Enhanced Automation and devices running Junos OS Evolved support running unsigned Python scripts as part of the ZTP process.

      If the file does not contain special characters (#!) , ZTP determines that the file is a configuration file and loads the configuration file.

    • Suboption 02: The symbolic link to the software image file to install.

      Note

      If you do not specify suboption 2, the ZTP process handles the image filename as a filename, not a symbolic link.

    • Suboption 03: The transfer mode that the device uses to access the TFTP, FTP, or HTTP server. If you select FTP as the transfer mode, Junos OS uses the anonymous FTP login to download files from the FTP server.

      Note

      If suboption 03 is not configured, TFTP becomes the transfer mode by default.

    • Suboption 04: The name of the software image file to install.

      Note

      If the DHCP server does not support suboption 00, configure the image file using suboption 04. If both suboption 00 and suboption 4 are defined, suboption 04 is ignored.

    • Suboption 05: The HTTP port that the device uses to download either the image or configuration file or both instead of the default HTTP port.

  7. (Mandatory) Configure either option 150 or option 66.Note

    You must configure either option 150 or option 66. If you configure both option 150 and option 66, option 150 takes precedence, and option 66 is ignored. Also, make sure you specify an IP address, not a hostname, because name resolution is not supported.

    • Configure DHCP option 150 to specify the IP address of the FTP, HTTP, or TFTP server.

    • Configure DHCP option 66 to specify the IP address of the FTP, HTTP, or TFTP server.

  8. (Optional) Configure DHCP option 7 to specify one or more system log (syslog) servers.
  9. (Optional) Configure DHCP option 42 to specify one or more NTP servers.

    List each NTP server separated by a space.

  10. (Optional) Configure DHCP option 12 to specify the hostname of the device.

    The following sample configuration shows the DHCP options you just configured in this procedure:

    Based on the DHCP options configured in this example, the following items are added to the [edit system] hierarchy:

  11. Connect the device to the network that includes the DHCP server and the FTP, HTTP, or TFTP server.
  12. Power on the device.
  13. Monitor the ZTP process by looking at the console. Note

    When SLAX scripts are executed, the op-script.log and event-script.log files are produced.

    You can use these log files to troubleshoot in case something goes wrong.

    • /var/log/dhcp_logfile

      Use this file to check DHCP client logs.

    • /var/log/event-script.log

      Use this file to check configuration commit status.

    • /var/log/image_load_log

      Use this file to check software image and configuration file fetch and installation status.

    • /var/log/messages

      Use this file to check system-level logs.

    • /var/log/op-script.log

      Use this file to check configuration commit status.

    • /var/log/script_output

      Use this file to check script execution output.

    For Junos OS Evolved, use the /var/log/ztp.log file to troubleshoot.

    You can also monitor the ZTP process by looking at error messages and issuing operational commands. See Monitoring Zero Touch Provisioning for more information.

Zero Touch Provisioning Using DHCPv6 Options

Zero Touch Provisioning (ZTP) allows for automatic provisioning of Juniper Network devices that you add to your network. You can provision any supported device by using either a script to be executed or a configuration file to be loaded.

To use ZTP, you configure a DHCP server to provide the required information. If you do not configure the DHCP server to provide this information, the device boots with the preinstalled software and default factory configuration. If your device is not in a factory default state, you can issue the request system zeroize command.

Note

Starting in Junos OS Release 20.2R1-S1, the DHCPv6 client is supported the MX-Series, EX3400, EX4300, QFX5100, and QFX5200 switches. Both DHCPv4 and DHCPv6 clients are included as part of the default configuration. During the bootstrap process, the device first uses the DHCPv4 client to request for information regarding image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If there is a failure with one of the DHCPv4 bindings, the device will continue to check for bindings until provisioning is successful. If there are no DHCPv4 bindings, however, the device will check for DHCPv6 bindings and follow the same process as for DHCPv4 until the device can be provisioned successfully. The DHCP server uses DHCPv6 options 59 and 17 and applicable sub-options to exchange ZTP-related information between itself and the DHCP client.

The DHCPv6 protocol doesn't have a subnet option for the IA_NA (identity association for non-temporary addresses) to learn and install subnet routes. Instead, the subnet route is installed through Neighbor Discovery Protocol.

In IPv6, devices periodically advertise IPv6 prefixes along with other link parameters using Router Advertisement (RA) messages. On the client (Juniper device running ZTP), once the DHCPv6 client is bound, the Neighbor Discovery Protocol (NDP) will learn these prefixes and installs the prefix routes via the client interface, with the next hop as the link to the local address of the gateway device.

On the client device, router advertisement configuration is enabled by default along with the DHCPv6 configuration.

  • Ensure that the device has access to the following network resources:

    • The DHCP server that provides the location of the software image and configuration files on the network

      Refer to your DHCP server documentation for configuration instructions.

    • On the MX Series, the File Transfer Protocol (anonymous FTP), Trivial File Transfer Protocol (TFTP), Hypertext Transfer Protocol (HTTP), or Hypertext Transfer Protocol Secure (HTTPS) server on which the software image and configuration files are stored.

      Caution

      HTTP URLs are limited to 256 characters in length.

    • On the EX3400, EX4300, QFX5100, and QFX5200 devices, the Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) server on which the software image and configuration files are stored.

      Caution

      HTTP URLs are limited to 256 characters in length.

  • Locate and record the MAC address printed on the device.

Caution

You cannot commit a configuration while the device is performing the software update process. If you commit a configuration while the device is performing the configuration file autoinstallation process, the process stops, and the configuration file is not downloaded from the network.

To use zero touch provisioning for a device using DHCPv6 options:

  1. Boot the device.
  2. Make sure the device has the default factory configuration installed.
    • If multiple DHCP replies arrive, the ZTP chooses the best set of arguments.

    • If multiple interfaces provide the same arguments, ZTP chooses one of the equal interfaces.

    • If there is an error while connecting to the DHCP server, ZTP tries again to connect to the DHCP server. If multiple interfaces again provide the same arguments, ZTP chooses one of the interfaces.

    We recommend you to provision the DHCP server and save the software and configuration file in the specified DHCP server path on the file server.

  3. Download the software image file and the configuration file to the FTP, HTTP, HTTPS, or TFTP server from which the device will download these files.
  4. Configure the DHCP server to provide the necessary information to the device.
  5. Configure IP address assignment.

    You can configure dynamic or static IP address assignment for the management address of the device. To determine the management MAC address for static IP address mapping, add 1 to the last byte of the MAC address of the device, which you noted before you began this procedure.

  6. Define the format of the DHCPv6 option 59 (OPT_BOOTFILE_URL) in the dhcpd6.conf file, so the server can send information about URLs to images to the client. Note

    Only the HTTP and HTTPS transport protocols are supported on the EX3400, EX4300, QFX5100, and QFX5200 devices.

    Here’s the format for this option:

    transfer-mode://[<ipv6-address>]:<port-number>/<path/image-file-name>

    For example:

    The transfer mode and IPv6 address are required, but the port number is optional. If you do not specify the port number, the default port number of the transfer mode is used. If you specify the port number in options 17 and 59, then the port number mentioned in option 17 vendor-specific information option is used.

    You can specify the image file name in either option 59 or option 17. If the image file name is mentioned in both options 59 and 17, then the image name mentioned in option 17 vendor-specific information option is used.

  7. Define the format of the vendor-specific information for the following DHCP option 17 suboptions:

    Here is an example of an ISC DHCP 4.2 server dhcpd6.conf file:

    • Suboption 00: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the software image filename using suboption 04. If both suboption 00 and suboption 4 are defined, suboption 04 is ignored.

    • Suboption 01: The name of the script or configuration file to install.

      Note

      ZTP determines if the file is a script file based on the first line of the file. If the first line contains the characters #! followed by an interpreter path, ZTP treats the file as a script and executes it with the specified interpreter path. In order for a script to execute, the script file must provide the ability to fetch and load a valid configuration file on the device during the ZTP process.

      The following list provides the types of scripts and their associated interpreter paths:

      • Shell script interpreter path: #!/bin/sh

      • SLAX script interpreter path: #!/usr/libexec/ui/cscript

      • Python script interpreter path: #!/usr/bin/python

        For security reasons, Junos OS has strict requirements for running unsigned Python scripts on devices running Junos OS. Only devices running Junos OS with Enhanced Automation and devices running Junos OS Evolved support running unsigned Python scripts as part of the ZTP process.

      If the file does not contain special characters (#!) , ZTP determines that the file is a configuration file and loads the configuration file.

    • Suboption 02: The image type.

      Note

      If you do not specify suboption 2, the ZTP process handles the software image as a filename, not a symbolic link.

    • Suboption 03: The transfer mode that the device uses to access the TFTP, FTP, HTTP, or HTTPS server.

      Note

      If suboption 03 is not configured, the transfer mode mentioned in option 59 for the boot image URL is used.

    • Suboption 04: The name of the software image file to install.

      Note

      When the DHCP server cannot use suboption 00, configure the image file using suboption 04. If both suboption 00 and suboption 4 are defined, suboption 04 is ignored.

    • Suboption 05: The port that the device uses to download either the image or configuration file or both instead of the default port.

    • Suboption 06: The JLoader package file name (supported only on QFX5100 devices)

    • Suboption 07: FTP timeout code.

    • The DHCPv6 protocol defines the Vendor-specific Information Option ("VSIO”) in order to send vendor options encapsulated in a standard DHCP option.

    The following sample configuration shows the DHCPv6 options you’ve just configured:

  8. Power on the device with the default configuration.
  9. Monitor the ZTP process by looking at the the console. Note

    When SLAX scripts are executed, the op-script.log and event-script.log files are produced.

    You can also use these log files to troubleshoot in case something goes wrong.

    • /var/log/dhcp_logfile

      Use this file to check DHCP client logs.

    • /var/log/event-script.log

      Use this file to check configuration commit status.

    • /var/log/image_load_log

      Use this file to check software image and configuration file fetch and installation status.

    • /var/log/messages

      Use this file to check system-level logs.

    • /var/log/op-script.log

      Use this file to check configuration commit status.

    • /var/log/script_output

      Use this file to check script execution output.

    You can also monitor the ZTP process by looking at error messages and issuing operational commands. See Monitoring Zero Touch Provisioning for more information.

Zero Touch Provisioning on SRX Series Devices

Understanding Zero Touch Provisioning on SRX Series Devices

This topic includes following sections:

Understanding ZTP on SRX Series Devices

Zero Touch Provisioning (ZTP) enables you to provision and configure devices automatically, minimizing most of the manual intervention required for adding devices to a network. ZTP is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.

Starting in Junos OS Release 20.2R1 on SRX300, SRX320, SRX340, SRX345, SRX550 HM, and SRX1500 devices, you can use Zero Touch Provisioning with DHCP options to provision your device. See Zero Touch Provisioning Using DHCP Options for more information.

ZTP on SRX Series devices is responsible for the initial bootup and configuration of the device when the device is powered on. This functionality includes:

  • Providing the bare-minimum bootstrapping of the device. The SRX Series device is shipped with a factory-default configuration. The factory-default configuration includes the URL of the redirect server, that is used to connect to the central server by using a secure encrypted connection.

  • Automatically connecting to the server over the Internet, and downloading the configuration and Junos OS image as specified by the customer or user from the server when the SRX Series device boots up with the factory-default configuration. The new image is installed first and then the initial configuration is applied and committed on the SRX Series device.

ZTP offers the following advantages:

  • Simplified and faster deployment

  • Increased configuration accuracy

  • Support for scaling of network without additional resources

The ZTP process uses Network Activator to initially provision SRX Series devices.

Network Activator Overview

Network Service Activator enables fast device discovery and provisioning for automated configuration to eliminate complex device setup.

Network Activator initially provisions SRX Series devices (henceforth referred to as remote devices in this documentation), which reside at end users’ sites. The remote devices download a boot image and initial configuration files from servers hosting Network Activator, using a process that provides full authorization and authentication for all interactions. When initial provisioning is complete, the remote device communicates with a management server, which then starts to manage and monitor the remote device.

Network Activator uses a distributed architecture to support remote devices. Network Activator is installed on one central administration server (central server) and multiple regional administration servers (regional servers). A device communicates directly with its assigned regional server. The distributed architecture optimizes the efficiency of the initial provisioning process, contributing to high performance and scaling of the network.

Figure 1 Illustrates the distributed architecture and the components involved in the initial provisioning process.

Figure 1: Components Involved in Initial Provisioning of Remote Device
Components
Involved in Initial Provisioning of Remote Device

The roles of the components in the initial provisioning process are as follows:

  • The remote device sends requests for initial provisioning. The remote device resides at the end user’s location.

  • The Redirect Tool provides authentication and authorization for remote devices to access their assigned regional servers through use of ITU-T X.509 private key infrastructure (PKI) digital certificates. Redirect service is hosted on Amazon Web Services (AWS), operated and maintained by Juniper Networks.

  • The central server hosts Network Activator and communicates with the regional activator servers. Administrators at a service provider or central enterprise location interact with this server to install and set up Network Activator. The central server is located at a central geographic location for the service provider.

  • The regional server also hosts Network Activator. This server stores information about its assigned remote devices and communicates directly with those devices. This server typically resides at a regional administrative location the provider designates for the end user.

Figure 2 illustrates the initial provisioning workflow.

Figure 2: Workflow for Initial Provisioning
Workflow
for Initial Provisioning

In detail, the provisioning workflow proceeds as follows:

  1. The administrator at the service provider:
    • Installs and sets up Network Activator on the central server.

    • Adds remote devices and regional servers in the Redirect Tool.

  2. The central server forwards the installation to the regional servers.
  3. The end user powers on the remote device, connects it to a computer, and enters the authentication code in the webpage to send a request for initial provisioning.
  4. The device transmits its X.509 certificate and fully qualified domain name (FQDN) as a provisioning request to the Redirect Tool.
  5. The Redirect Tool searches its data store for the regional server that the administrator specified for this device, and confirms that the device’s request corresponds to the X.509 certificate specified for the server.
  6. The Redirect Tool sends contact information for the regional server to the device.
  7. The device sends a request to the regional server for the URL of the boot image and the location of the initial configuration.
  8. The regional server sends the information to the device.
  9. The device obtains the boot image and configuration from the regional server.
  10. The device uses the boot image and configuration to start and become operational.

Limitations

  • There are no restrictions on the number of attempts for entering the correct activation code.

  • If the remote device is not able to reach the server (because the configured address in the factory-default configuration is not correct or the server is down, and so on), the remote device attempts to connect to an alternative server (if configured in the factory-default configuration). If there is only one server configured, then you can reattempt to connect. In such scenarios, we recommend that you configure the device manually through the console.

  • Captive portal redirection, required for automatically redirecting users to the authentication webpage for entering the activation code, is not supported. You must manually navigate to the activation page after connecting to the device.

Configuring Zero-Touch Provisioning on an SRX Series Device

This section provides step-by-step instructions on how to use ZTP on an SRX Series device for initial provisioning of the device.

Before you begin:

  • Unpack the device, install it, complete the necessary cabling, connect a laptop or any other terminal device, and power on the device. See the Hardware installation Guide for your device more information.

  • For SRX300, SRX320, SRX340, SRX345, and SRX550M devices, connect the management device and access the J-Web interface.

    For more information, see Quick Start guides of respective devices at SRX300  , SRX320  , SRX340  , SRX345  , and SRX550M  .

    You are provided with an option to use ZTP; you can use this option or skip it and continue with J-Web wizards.

  • For SRX1500 devices, before you can use J-Web to configure your device, you must access the CLI to configure the root authentication and the management interface. For more information, see How to Set Up Your SRX1500 Services Gateway  .

To provision an SRX Series device by using ZTP:

  1. Connect a management device (PC or laptop) to any front panel Ethernet port (WAN port) of the SRX Series device.
  2. Launch a Web browser from the management device and enter the authentication code in the webpage as shown in Figure 3.
    Figure 3: Entering Activation Code for ZTP
     Entering
Activation Code for ZTP

    After the device is successfully authenticated, it starts downloading the software image and initial configuration from the server as shown in Figure 4.

    Figure 4: Initiating ZTP Process (Software Image Downloading)
    Initiating
ZTP Process (Software Image Downloading)

    At this step:

    • The activation code is sent to the server, and if the authentication is successful, the server pushes the initial configuration to the device. If the authentication is unsuccessful, you are asked to provide the correct code.

    • The server can optionally pushes a new software image on the SRX Series device. In that case, the new image is installed first and then the initial configuration is applied and committed on the device.

    The new image is installed and then the initial configuration is applied and committed on the device. When the process is complete, a confirmation message is displayed, as shown in Figure 5.

    Figure 5: Completing ZTP Process
    Completing
ZTP Process
  3. Click Logs to display details of the bootstrapping process.

After successfully installing the new software image and configuration on the system, the client sends the bootstrap-complete notification to the server that provided the image and the configuration. After the notification is sent, the configuration that includes the names of servers is deleted from the system. When you use ZTP the next time, you must explicitly configure the URL of the redirect server.

Note

In case of failure at any stage, the procedure is started all over again.

Note

The ZTP process either upgrades or downgrades the Junos OS version. During a downgrade on an SRX Series device, if you downgrade to a software version earlier than Junos OS Release 15.1X49-D100, in which ZTP is not supported, the autoinstallation phase of the ZTP process does not happen.

For SRX300, SRX320, SRX340, SRX345, and SRX550M devices, ZTP is the default method for provisioning the devices. However, if you want to use J-Web-based provisioning (J-Web setup wizards supported for the SRX300 line of devices and SRX550M devices), then instead of ZTP, you can use the option provided in the client portal to skip to J-Web setup wizards for performing the initial software configuration of your device.

If you select the Skip to JWeb option, you must configure the system root authentication password as shown in Figure 6.

Figure 6: Configuring System Root-Authentication Password
Configuring
System Root-Authentication Password
Note

For SRX1500 devices, the Skip to JWeb option is not supported. To access J-Web, the ZTP client configuration must be deleted during the initial setup of SRX1500 through CLI.

Understanding Factory-Default Configuration on SRX Series Device for Zero Touch Provisioning

Your services gateway is shipped with a factory-default configuration. Following is a sample of the default configuration that includes configuration for ZTP:

Note that, in this configuration:

  • server indicates the name or IP address of the server. The factory-default configuration on an SRX Series device might include IP addresses of more than one servers.

  • rfc-compliant indicates that after an upgrade, the server enforces certain behaviors that are compliant with RFC standards.

Note

By default, the system autoinstallation configuration is part of the factory-default configuration of the device. So, the administrator must ensure that the configuration file sent from the regional server to the remote device (SRX series device) must include the delete system autoinstallation option in the factory-default configuration.

Monitoring Zero Touch Provisioning

Starting in Junos OS Release 12.2, you can use the console and operational commands to monitor Zero Touch Provisioning.

Starting in Junos OS Evolved Release 19.1R1, to monitor zero touch provisioning on Junos OS Evolved, use the show system ztp command.

  1. Using the Console to Monitor Zero Touch Provisioning

  2. Using System Log Alerts to Monitor Zero Touch Provisioning

  3. Using Error Messages to Monitor Zero Touch Provisioning

  4. Using System Log Files to Monitor Zero Touch Provisioning in Junos OS Using DHCP Options

  5. Using System Log Files to Monitor Zero Touch Provisioning in Junos OS Using DHCPv6 Options

  6. Using the Console to Monitor Zero Touch Provisioning in Junos OS Evolved

  7. Using the show dhcp client binding Command

  8. Using the show dhcpv6 client binding Command

  9. Using the show dhcp client statistics Command

  10. Using the show dhcpv6 client statistics Command

Using the Console to Monitor Zero Touch Provisioning

The following Zero Touch Provisioning (ZTP) activities are displayed on the console during the ZTP process:

  • Starting and ending times of ZTP process.

  • Lists of bound and unbound DHCP client interfaces.

  • DHCP options that DHCP servers send to DHCP clients.

  • Logs indicating which interfaces are used for ZTP.

  • ZTP parameters that DHCP clients obtain from DHCP servers.

  • Filenames of configuration and image files, names of file servers, protocols used to fetch files, and times when DHCP servers fetch configuration and image files.

  • Failure states caused by files not being on servers, or unreachable servers, and time outs.

  • Number of attempts made, and number of attempts remaining, for retry in current ZTP cycle.

  • Completion of file transfers.

  • Installation, reboot, and state of ZTP process.

  • Internal state errors and termination of ZTP process.

  • Logs for when default routes were added or deleted.

Using System Log Alerts to Monitor Zero Touch Provisioning

Purpose

In this example, the system log alert alerts you that the auto-image upgrade will start.

Action

Use the following system log alert to monitor the auto-image upgrade process.

Meaning

This system log alert indicates that the auto-image upgrade will start, and provides information on how to stop the auto-image upgrade process.

Using Error Messages to Monitor Zero Touch Provisioning

Purpose

Error messages provide information on which DHCP options are not configured.

Action

Use the information in the following error message to find out which DHCP options are not configured.

Meaning

The error message indicates that the DHCP log server, hostname, and NTP server options are not configured.

Using System Log Files to Monitor Zero Touch Provisioning in Junos OS Using DHCP Options

Purpose

System log files provide information on the state of the auto-upgrade process, lists of bound and unbound DHCP client interfaces, IP addresses of file servers, names and locations of image and configuration files, and successful and failed attempts at fetching configuration and image files.

Action

Use the information in the following system log files to monitor the auto-upgrade process.

Meaning

These system log files indicate that there were six failed attempts to fetch the configuration file from the file server, the IP address of the file server, the DHCP client interface name, and the number of times the retry process occurred.

Using System Log Files to Monitor Zero Touch Provisioning in Junos OS Using DHCPv6 Options

Purpose

System log files provide information on the state of the auto-upgrade process, lists of bound and unbound DHCP client interfaces, IP addresses of file servers, names and locations of image and configuration files, and successful and failed attempts at fetching configuration and image files.

Action

Use the information in the following system log files to monitor the auto-upgrade process.

Meaning

These system log files indicate that there were six failed attempts to fetch the image file from the file server, the IP address of the file server, the DHCPv6 client interface name, and the number of times the retry process occurred.

Using the Console to Monitor Zero Touch Provisioning in Junos OS Evolved

Purpose

System log files provide information on the state of the auto-upgrade process, lists of bound and unbound DHCP client interfaces, IP addresses of file servers, names and locations of image and configuration files, and successful and failed attempts at fetching configuration and image files.

Action

Use the information in the console to monitor the auto-upgrade process.

Here is an example of output for Junos OS Evolved.

Meaning

The console shows the progress of ZTP.

Using the show dhcp client binding Command

Purpose

Issue the show dhcp client binding command to display DHCP client binding information

Note

This command does not apply to Junos OS Evolved.

Action

Issue the show dhcp client binding command to display the IP address of the DHCP client, the hardware address of the DHCP client, number of seconds in which the DHCP client’s IP address lease expires, state of the DHCP client IP address in the binding table, and the name of the interface that has active client bindings.

show dhcp client binding

user@device# show dhcp client binding

Meaning

The output of this command shows that there is one client interface that is bound, and that there are three interfaces that are receiving DHCP offers from the DHCP server.

Using the show dhcpv6 client binding Command

Purpose

Issue the show dhcpv6 client binding command to display DHCP client binding information

Note

This command does not apply to Junos OS Evolved.

Action

Issue the show dhcp6 client binding command to display the IP address of the DHCPv6 client, the hardware address of the DHCPv6 client, number of seconds in which the DHCPv6 client’s IP address lease expires, state of the DHCPv6 client IP address in the binding table, and the name of the interface that has active client bindings.

show dhcpv6 client binding

user@device# show dhcpv6 client binding

Meaning

The output of this command shows that there is one client interface that is bound, and that there are three interfaces that are receiving DHCPv6 offers from the DHCP server.

Using the show dhcp client statistics Command

Purpose

Issue the show dhcp client statistics command to display DHCP client statistics.

Action

Issue the show dhcp client statistics command to display DHCP client statistics, such as the number of packets dropped, and the number DHCP and BOOTP messages sent and received.

show dhcp client statistics

user@device# show dhcp client statistics

Meaning

The output of this command displays how many packets were dropped with errors, the number of BOOTREPLY and DHCPOFFER messages that were received, and the number of BOOTREQUEST and DHCPREQUEST messages that were sent.

Using the show dhcpv6 client statistics Command

Purpose

Issue the show dhcpv6 client statistics command to display DHCPv6 client statistics.

Action

Issue the show dhcpv6 client statistics command to display DHCPv6 client statistics, such as the number of packets dropped, and the number of DHCPv6 messages sent and received.

show dhcpv6 client statistics

user@device# show dhcpv6 client statistics

Meaning

The output of this command displays how many packets were dropped with errors, and the number of DHCPV6 messages that were received and sent.

show system ztp

Syntax

Release Information

Command introduced in Junos OS Evolved Release 19.1R1.

Description

Show Zero Touch Provisioning (ZTP) state information.

Required Privilege Level

view

List of Sample Output

show system ztp

Output Fields

For a description of the output fields, see Table 2. Output fields are listed in the approximate order in which they appear. The state field can have multiple settings. The rest of the fields are self explanatory based on DHCP arguments provided by the server.

Table 2: show system ztp Output Fields

Field Name

Description

ZtpState

ZTP state field values for starting:

  • INITIALIZED—ZTP is initializing.

  • STARTED—ZTP started running.

 

ZTP state field values for image download:

  • IMAGE_DOWNLOADING—ZTP is downloading the next software image.

  • IMAGE_DOWNLOADED—ZTP is finished downloading the next software image.

  • RETRY_IMAGE_DOWNLOAD—ZTP is retrying image download.

  • IMAGE_NOT_FOUND—ZTP could not find the image at the specified location on the server.

ZTP state field values for configuration download:

  • CONFIG_DOWNLOADING—ZTP is downloading the configuration.

  • CONFIG_DOWNLOADED—ZTP is finished downloading the configuration.

  • RETRY_CONFIG_DOWNLOAD—ZTP is retrying configuration download.

  • CONFIG_NOT_FOUND—ZTP could not find the configuration.

ZTP state field values for upgrading configuration:

  • IMAGE_CONFIG_UPGRADING—ZTP got an image and a configuration from the server.

  • CONFIG_UPGRADING—ZTP is upgrading the configuration.

ZTP state field values for upgrading image:

  • RETRY_IMAGE_UPGRADE—ZTP is retrying image upgrade.

  • IMAGE_CONFIG_UPGRADING—ZTP got an image and a configuration from the server.

  • IMAGE_UPGRADING—ZTP is downloading the image.

  • IMAGE_UPGRADED—ZTP is finished upgrading the image.

ZTP state field values for scripts:

  • SCRIPT_UPGRADING—ZTP is running the script provided by server.

  • SCRIPT_UPGRADED—ZTP is finished upgrading the script.

  • SCRIPT_UPGRADE_SUCCEEDED—ZTP script upgrade finished with success.

  • SCRIPT_UPGRADE_FAILED—ZTP script upgrade finished with failure status.

ZTP state field values for reboot:

  • REBOOTING—ZTP is rebooting the system.

  • REBOOTED—ZTP is finished rebooting the system.

ZTP state field values for configuration commit:

  • CONFIG_COMMIT_SUCCEEDED—ZTP succeeded in committing user configuration.

  • CONFIG_COMMIT_FAILED—ZTP user configuration commit failed.

ZTP state field values for finishing:

  • FAILED—ZTP failed.

  • SUCCEEDED—ZTP succeeded.

ZtpInterface

Name of interface.

FtpIpAddr

IP address.

DefaultRouter

When the log server, NTP server, or FTP server are on a remote subnet, the value of DefaultRouter is used to configure a route to reach the servers.

LogServers

ZTP allows specification of a remote log server address. ZTP logs are then streamed to the remote log server.

NtpServers

ZTP allows specification of a remote NTP server address.

TransferMode

Options for TransferMode are ftp, tftp, http, or https

ImageFileType

It can be a symbolic link.

ConfigFileName

Configuration filename.

ConfigUrl

Configuration URL.

ConfigStatus

This field specifies whether the config file is downloading, is downloaded, or the download is being retried.

ZtpRetryCount

If the ZTP state machine, which applies the image and configuration, fails, the number of retries attempted.

DhcpRetryCount

If the DHCP state machine, which fetches parameters for ZTP from the DHCP server, fails, the number of times it retries.

ZTP State History

Lists the last 10 state transitions by Time (date and time) and Description or which state it was in then.

Sample Output

show system ztp

user@host> show system ztp
Release History Table
Release
Description
Starting in Junos OS Release 20.2R1-S1 on the MX-Series, EX3400, EX4300, QFX5100, and QFX5200 devices, ZTP supports the DHCPv6 client. During the bootstrap process, the device first uses the DHCPv4 client to request for information regarding image and configuration file from the DHCP server. The device checks the DHCPv4 bindings sequentially. If there is a failure with one of the DHCPv4 bindings, the device will continue to check for bindings until provisioning is successful. If there are no DHCPv4 bindings, however, the device will check for DHCPv6 bindings and follow the same process as for DHCPv4 until the device can be provisioned successfully. The DHCP server uses DHCPv6 options 59 and 17 and applicable sub-options to exchange ZTP-related information between itself and the DHCP client.
Starting in Junos OS Release 20.2R1 on SRX300, SRX320, SRX340, SRX345, SRX550 HM, and SRX1500 devices, you can use Zero Touch Provisioning with DHCP options or the phone-home client to provision your device.
Starting in Junos OS Evolved Release 20.1R1 on PTX10003 devices, Zero Touch Provisioning (ZTP) dynamically detects the port speed of WAN interfaces and uses this information to create ZTP server ports with the same speed.
Starting in Junos OS Evolved Release 20.1R1, PTX10008 devices support automation of the device configuration and software upgrade over the management interface of Routing Engine 0 (RE0).
Starting in Junos OS Release 19.4R1, ZTP can automate the provisioning of the device configuration and software image on Juniper Route Reflector (JRR). ZTP supports self image upgrades and automatic configuration updates using ZTP DHCP options. In this release, ZTP supports revenue ports em2 thru em9, in addition to management port em0 which is supported in Junos OS Releases before 19.4R1.
Starting in Junos OS Evolved Release 19.3R1, on QFX5220-128C device, in Zero Touch Provisioning (ZTP), you can use either WAN interfaces or management interfaces, to automatically download and install the appropriate software and the configuration file on your device during the bootstrap process.
Starting in Junos OS Release 19.3R1, you can use either WAN interfaces or management interfaces, to automatically download and install the appropriate software and the configuration file on your router during the ZTP bootstrap process.
Starting in Junos OS Release 19.2R1, ZTP can automate the provisioning of the device configuration and software image on management interface emo for ACX5448 switches.
Starting in Junos OS Evolved Release 19.1R1, ZTP can automate the provisioning of the device configuration and software image on the management interface for QFX5220 and PTX10003 devices.
Starting in Junos OS Evolved Release 19.1R1, to monitor zero touch provisioning on Junos OS Evolved, use the show system ztp command.
Starting in Junos OS Release 18.3R1, ZTP, which automates the provisioning of the device configuration and software image with minimal manual intervention, is supported on MX Series VM hosts.
Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX5000, PTX3000, PTX10008, PTX10016, PTX10002-60C routers.
Starting in Junos OS Release 18.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10008 and QFX10016 switches.
Starting in Junos OS Release 18.1R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use QFX10002-60C switches.
Starting in Junos OS Release 17.2R1, ZTP can automate the provisioning of the device configuration and software image on VM host platforms that use PTX1000 routers.
Starting in Junos OS Release 16.1R1, you can provision supported devices by using either a script to be executed or a configuration file to be loaded
Starting in Junos OS Release 12.2, you can use the console and operational commands to monitor Zero Touch Provisioning.