
    Example: Configuring Zero Touch Provisioning in Branch Networks

    Zero Touch Provisioning (ZTP) allows automatic provisioning of new switches without any manual intervention. This example configuration shows how to configure ZTP in a typical branch network environment.

    Requirements

    This example uses the following hardware and software components:

    • EX3300 24-port switch
    • EX3300 48-port switch
    • Network Director 1.6
    • CentOS DHCP server
    • FileZilla FTP server

    Before you configure ZTP, ensure that you have completed the following tasks:

    • Make sure that devices are physically cabled properly. Confirm that each ZTP device can connect to the DHCP server, the file server, and Network Director.
    • Make sure that the devices to be provisioned are connected to power but switched OFF. Do not power them ON until the ZTP environment has been configured.

    In this example configuration, the network devices that are provisioned by ZTP are referred to as the ZTP device. For example, the EX3300 24-port switch at the branch site in this topology is the ZTP device. Network Director is used as the ZTP server.

    Overview

    When a switch is connected to the network and powered up with its factory default configuration, the ZTP process on the switch downloads the appropriate software and also the configuration file for the device. The basic ZTP process provides a standard configuration file based on the type of device. For example, all EX3300 switches must have a specified Junos OS software version and a standardized configuration file intended for EX3300 switches.

    When bringing up a new device on a network with ZTP, there are two phases. The first phase is the basic ZTP process that includes general provisioning, such as downloading of the proper software and configuration files to the ZTP device. After the configuration file has been downloaded, the basic ZTP process is completed. The second phase is device-specific, taking advantage of Juniper Networks built-in automation capabilities. During the second phase, the device automatically installs a device-specific configuration based on its location.

    Figure 1 shows the basic ZTP process.

    Figure 1: Phase One - Basic ZTP Process


    When the basic ZTP process is complete, the ZTP device has the correct OS for that model and also has a configuration file that is common to that type of platform in a site. ZTP solutions from most other vendors stop there. However, Juniper Networks devices can go further. Figure 2 shows the next part of the process.

    Figure 2: Phase Two - Device-Specific Provisioning


    After the device is connected and powered up, no additional CLI or GUI intervention is needed to configure the device. The device has the necessary configuration for its location. Note that there is no need to identify the MAC address or serial number of the device. The device gets a specific configuration based on where it is plugged into the network. If this device is removed and another device is plugged in at the same location, that device gets the same specific configuration, irrespective of its MAC address or serial number. This is a truly “Zero Touch” provisioning solution.

    Topology

    The topology as illustrated in Figure 3 is used for this example.

    Figure 3: Network Topology for ZTP


    Configuration

    The network environment requires some preparation to support the ZTP process. This section contains procedures that show how to set up the environment to support ZTP and how to deploy ZTP in this example. It shows how network administrators can use Junos Space Network Director to prepare the environment; the same tasks can also be performed manually if desired. Configuring ZTP involves the following tasks:

    Configuring the DHCP Server (Manually)

    Step-by-Step Procedure

    Configure the DHCP server, either manually or through Network Director, to identify the type of device requesting an address (in this case, the EX3300) and to return the following information in the DHCP response:

    • Software image file name
    • Configuration file name
    • File transfer mode
    • Server IP address where these files are located

    To configure the DHCP server manually:

    1. Set the DHCP options within the dhcpd.conf file on the DHCP server.

      The screenshot in Figure 4 provides an example dhcpd.conf file.

      Figure 4: Set DHCP Options Screenshot


      Network administrators can prepare this configuration manually or they can use Network Director to generate this configuration.

      This example configuration file can be used for your DHCP server.

      # dhcpd.conf (ISC DHCP) for ZTP of EX3300 switches
      ddns-update-style interim;
      set vendor-string = option vendor-class-identifier;
      ignore client-updates;

      # Vendor-specific option space, delivered to the switch inside DHCP option 43
      option space NEW_OP;
      option NEW_OP.image-file-name code 0 = text;
      option NEW_OP.config-file-name code 1 = text;
      option NEW_OP.image-file-type code 2 = text;
      option NEW_OP.transfer-mode code 3 = text;
      option NEW_OP-encapsulation code 43 = encapsulate NEW_OP;
      option NEW_OP.image-file-type "symlink";

      # Option 150: IP address of the file server that holds the image and configuration
      option option-150 code 150 = ip-address;

      # Match EX3300 48-port switches by the vendor class identifier they send
      class "ex3300-48" {
          match if (
              (substring (option vendor-class-identifier, 0, 18) = "Juniper-ex3300-48p")
              or
              (substring (option vendor-class-identifier, 0, 18) = "Juniper-ex3300-48t")
          );
      }

      subnet 10.105.5.0 netmask 255.255.255.0 {
          option domain-name-servers 8.8.8.8, 8.8.4.4;
          option routers 10.105.5.1;
          default-lease-time 600;
          max-lease-time 7200;
          authoritative;
          pool {
              # Only members of the class above receive the ZTP vendor options
              allow members of "ex3300-48";
              range dynamic-bootp 10.105.5.98 10.105.5.198;
              option NEW_OP.transfer-mode "ftp";
              option option-150 10.92.70.224;
              option NEW_OP.config-file-name "/3300/3300-base-network.conf";
              option NEW_OP.image-file-name "/3300/jinstall-ex-3300-13.2X50-D19.2-domestic-signed.tgz";
          }
      }
      
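      The dhcpd.conf above only declares the option layout; what the switch actually receives is a DHCP option 43 blob of (code, length, data) sub-options plus a 4-byte option 150. The following Python, added here and not part of the Juniper page or Network Director, encodes and decodes that blob for the example's values and derives the download URLs the switch ends up using, rejecting truncated payloads rather than acting on a partial file name. The sample values are the ones from the dhcpd.conf above.

```python
import ipaddress
import struct

# Sub-option codes inside DHCP option 43, exactly as the NEW_OP option space
# in the example dhcpd.conf declares them.
SUBOPTIONS = {0: "image-file-name", 1: "config-file-name",
              2: "image-file-type", 3: "transfer-mode"}
CODE_OF = {name: code for code, name in SUBOPTIONS.items()}

# Constructed sample: the values the example dhcpd.conf hands to an EX3300.
ZTP_VALUES = {
    "image-file-name": "/3300/jinstall-ex-3300-13.2X50-D19.2-domestic-signed.tgz",
    "config-file-name": "/3300/3300-base-network.conf",
    "image-file-type": "symlink",
    "transfer-mode": "ftp",
}
FILE_SERVER = "10.92.70.224"   # option 150 in the example

def build_option43(values):
    """Encode {name: text} as option-43 sub-options: 1-byte code, 1-byte length, data."""
    out = bytearray()
    for name, text in values.items():
        data = text.encode("ascii")
        if len(data) > 255:
            raise ValueError(f"{name} does not fit in one sub-option")
        out += struct.pack("BB", CODE_OF[name], len(data)) + data
    return bytes(out)

def parse_option43(payload):
    """Decode option-43 sub-options as the switch must. Juniper assigns code 0 to
    image-file-name, so 0 is a real sub-option here, not an RFC 2132 pad byte.
    A truncated payload raises instead of yielding a partial file name."""
    values, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # end-of-options marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option data")
        values[SUBOPTIONS.get(code, f"unknown-{code}")] = data.decode("ascii")
        i += 2 + length
    return values

def build_option150(ip):
    """Option 150 as declared in dhcpd.conf: a single IPv4 address, 4 bytes."""
    return ipaddress.IPv4Address(ip).packed

def ztp_download_urls(option43, option150):
    """The URLs the switch derives from the DHCP ACK: transfer-mode://server/path."""
    v = parse_option43(option43)
    server = ipaddress.IPv4Address(option150)
    return {k: f"{v['transfer-mode']}://{server}{v[k]}"
            for k in ("image-file-name", "config-file-name")}
```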

    Configuring Network Director for ZTP

    Step-by-Step Procedure

    To use Network Director to populate the dhcpd.conf file as well as prepare the rest of the ZTP environment:

    1. Log in to the Network Director Dashboard and select Device View.

      Figure 5: Selecting Device View

    2. Select the Deploy task category and then choose the Set up ZTP task.
    3. Set up the DHCP server on Network Director.

      Figure 6 shows example settings to provision DHCP.

      Set the following DHCP server information details:

      • DHCP server type
      • DHCP server IP address
      • DHCP server username and password

        Note: This user must have write permission for the dhcpd.conf file.

      Figure 6: DHCP Server Setup

    4. Set up the file server on Network Director.

      After you have entered the DHCP server details, enter the file server details.

      Set the following file server information:

      • File server type
      • File server IP address
      • Directory path to software images and configuration file storage

      Figure 7: Network Director ZTP Configuration - File Server Setup

    5. Configure the software image and configuration.

      Once you have completed the DHCP server setup and file server setup, click Next to enter device-specific image and configuration details.

      Configure the root password for the ZTP device. This is the password that is used by the root user in the configuration file that the ZTP device downloads during the ZTP process.

      Note: Network Director uses this password to discover and manage the device once it is registered. If you decide not to use the default configuration generated by Network Director, make sure that you use the same root password used in your configuration file so the ZTP device can be managed by Network Director after the device completes ZTP.

      Figure 8: Network Director ZTP Configuration - Image and Config


      Add the type of device for which the ZTP environment should be prepared.

      Be sure to include the following details:

      • Device model
      • Software image

        Note: You can upload images to Network Director under Image Management > Manage Image Repository.

      • Configuration file

        Note: Network Director generates a default configuration file or you can use your own. If you are using your own, upload your file to Network Director by clicking Upload Config.

        This is an example custom configuration file that you would upload to Network Director for your ZTP device. The root password does not appear in cleartext in this file; it is stored only in encrypted form.

        system {
            host-name ex_autoi;
            root-authentication {
                encrypted-password "<ENCRYPTED-PASSWORD>"; ## SECRET-DATA
            }
            services {
                rsh;
                ssh {
                    max-sessions-per-connection 32;
                }
                netconf {
                    ssh;
                }
                dhcp {
                    traceoptions {
                        file dhcp_logfile;
                        level all;
                        flag all;
                    }
                }
            }
            syslog {
                user * {
                    any emergency;
                }
                file messages {
                    any notice;
                    authorization info;
                }
                file interactive-commands {
                    interactive-commands any;
                }
                file default-log-messages {
                    any any;
                    match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete) | cm_device|(Master Unchanged, Members Changed)|(Master Changed, Members Changed)|(Master Detected, Members Changed)|(vc add)|(vc delete)|(Master detected)|(Master changed)|(Backup detected)|(Backup changed)|(interface vcp-) | (AIS_DATA_AVAILABLE)";
                    structured-data;
                }
            }
        }
        interfaces {
            interface-range first24 {
                member-range ge-0/0/0 to ge-0/0/28;
                unit 0 {
                    family ethernet-switching {
                        vlan {
                            members v200;
                        }
                    }
                }
            }
            vme {
                unit 0 {
                    family inet {
                        dhcp {
                            vendor-id Juniper-ex3300-48p;
                        }
                    }
                }
            }
        }
        event-options {
            generate-event {
                ztp-autoi time-interval 60;
            }
            policy ztp-autoi {
                events ztp-autoi;
                then {
                    execute-commands {
                        commands {
                            "op url ftp://10.92.70.224/ztp.slax interface ge-0/0/0 server 10.92.70.224 SWVER 13.2X51";
                        }
                    }
                }
            }
        }
        protocols {
            igmp-snooping {
                vlan all;
            }
            rstp;
            lldp {
                interface all;
            }
            lldp-med {
                interface all;
            }
        }
        ethernet-switching-options {
            storm-control {
                interface all;
            }
        }
        vlans {
            v200 {
                vlan-id 200;
            }
        }
        poe {
            interface all;
        }
        
        
      • DHCP subnet
      • DHCP range

      DHCP information that was specified in the dhcpd.conf file loaded in Network Director is automatically displayed. You can add a new subnet through this user interface if desired.

    6. Review the ZTP configuration.

      Once you have completed configuring the device software image and configuration details, click Next to review your work. You can click the Back button to modify any configuration details before you finish.

    7. Finish the ZTP configuration.

      Click Finish after you have fully reviewed your configuration and are ready to push the image file and configuration file to the FTP server. In the upper-right corner of the browser window, click System to check the status of the ZTP profile creation job. You can click the Job ID for further details.

      Figure 9: Network Director ZTP Configuration - System Status Check


    Configuring ZTP for Device-Specific Configuration File

    Step-by-Step Procedure

    In this example, a customer wants a device-specific configuration file installed with a device-specific hostname and static IP address configured on the device. To achieve this, use the on-box automation capabilities available in Juniper Networks switches.

    To configure ZTP for a device-specific configuration file:

    1. Configure event options on the ZTP device.

      Using the event-options configuration, generate an event that triggers the switch to download a SLAX script and run it on the box. This can be the ztp.slax script that is used in this example or any other SLAX script that is specific to your environment.

      You can download the ztp.slax script from https://github.com/spkrishnan/ztp/blob/master/ztp.slax.

      event-options {
          generate-event {
              ztp-autoi time-interval 60;
          }
          policy ztp-autoi {
              events ztp-autoi;
              then {
                  execute-commands {
                      commands {
                          "op url ftp://10.92.70.224/ztp.slax interface ge-0/0/0 server 10.92.70.224 SWVER 12.3R6.6";
                      }
                  }
              }
          }
      }

      The ztp.slax script that is used in this example checks the LLDP neighbor information for the interface that is provided as input to the script. Based on the LLDP neighbor hostname and neighbor interface name, the script builds the name of the device-specific configuration file that should be downloaded for this device. For example, if the LLDP neighbor hostname is BR1 and the neighbor interface name is ge-0/0/7, the script generates the filename JUNOS-BR1-ge-0_0_7.conf.

      The script downloads this file from the file server provided as input to the script and merges the configuration in the file with the device configuration. In this example, the JUNOS-BR1-ge-0_0_7.conf configuration file was created in advance by the network administrator and posted on the FTP server. It contains the device-specific hostname and a static IP address for the device. Depending on the requirements of your environment, this configuration file can contain any valid configuration.

    2. Configure device auto registration with Network Director.

      system {
          root-authentication {
              encrypted-password <PASSWORD>; ## SECRET-DATA
          }
      }
      event-options {
          policy target_add_test {
              events snmpd_trap_target_add_notice;
              then {
                  raise-trap;
              }
          }
      }
      snmp {
          trap-group networkdirector_trap_group {
              version all;
              destination-port <ND Port>;
              categories {
                  authentication;
                  link;
                  services;
              }
              targets {
                  <ND IP Address>;
              }
          }
      }

      This configuration is necessary for the device to automatically register with Network Director after the ZTP process is complete.

      Be sure to specify the following parameters in your configuration properly:

      • ND IP address
      • ND port (by default this port is 10162)
      • Password

      Note: If you want the device to automatically register with Network Director after completing the ZTP process, the following requirements must be met:

      • The device must send the snmpd_trap_target_add_notice trap to Network Director.
      • There should be a profile on Network Director for ZTP.
      • The IP address of the device must be from the pool of IP addresses defined in the ZTP profile.
      • The root password of the device must be the same password that is defined in the ZTP profile.
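      Step 1 above describes how ztp.slax turns the LLDP neighbor seen on the uplink into the name of the device-specific configuration file. The Python below is an added illustration of that logic, not the SLAX script from the linked repository: it reads a constructed LLDP neighbor reply (the XML element names are an assumption modelled on the Junos LLDP neighbor RPC), builds JUNOS-<hostname>-<port>.conf with "/" replaced by "_", and validates both LLDP-derived fields before they become part of a download path, because LLDP is unauthenticated and the neighbor's advertised name should not be able to steer the switch to a different file on the server.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on a Junos LLDP neighbor RPC reply; the element
# names are an assumption, not copied from the page or from ztp.slax.
SAMPLE_LLDP_XML = """<lldp-neighbors-information>
  <lldp-neighbor-information>
    <lldp-local-port-id>ge-0/0/0</lldp-local-port-id>
    <lldp-remote-chassis-id>00:11:22:33:44:55</lldp-remote-chassis-id>
    <lldp-remote-port-id>ge-0/0/7</lldp-remote-port-id>
    <lldp-remote-system-name>BR1</lldp-remote-system-name>
  </lldp-neighbor-information>
</lldp-neighbors-information>"""

# Hostname and port fragments may contain only characters that cannot act as a
# path separator or traversal on the file server. LLDP is unauthenticated, so a
# neighbor's advertised name must not be able to choose which file is fetched.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")

def lldp_neighbor(xml_text, local_port):
    """Return (remote hostname, remote port id) seen on local_port, or None."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("lldp-neighbor-information"):
        if entry.findtext("lldp-local-port-id") == local_port:
            return (entry.findtext("lldp-remote-system-name"),
                    entry.findtext("lldp-remote-port-id"))
    return None

def config_filename(hostname, port):
    """JUNOS-<hostname>-<port with '/' replaced by '_'>.conf, e.g. JUNOS-BR1-ge-0_0_7.conf.
    Validation runs after the replacement, so a remaining '/' or a leading '.'
    (as in '..') in either field is rejected before the name reaches a URL."""
    port_name = port.replace("/", "_")
    for field in (hostname, port_name):
        if not field or not SAFE_FIELD.match(field):
            raise ValueError(f"unsafe LLDP-derived field: {field!r}")
    return f"JUNOS-{hostname}-{port_name}.conf"

def device_config_url(xml_text, local_port, server):
    """URL of the device-specific file on the FTP server, or None when no LLDP
    neighbor has been learned yet (the 60-second event policy simply fires again)."""
    neighbor = lldp_neighbor(xml_text, local_port)
    if neighbor is None:
        return None
    return f"ftp://{server}/{config_filename(*neighbor)}"

if __name__ == "__main__":
    print(device_config_url(SAMPLE_LLDP_XML, "ge-0/0/0", "10.92.70.224"))
```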

    Verification

    Confirm that the configuration is working properly.

    Verifying the ZTP Configuration

    Purpose

    Confirm that the ZTP configuration is properly configured.

    Action

    1. Physically connect cables and power up the ZTP device (switch) to enter ZTP.

      If the ZTP device was already in use, you can restore the device to factory default settings.

      root# request system zeroize

      Reboot system to enter ZTP.

    2. Verify DHCP.

      Figure 10: Verifying ZTP - DHCP


      After the switch completes booting, it starts broadcasting DHCP discover packets. If a DHCP server on the network responds with a DHCP ACK that carries the vendor options needed to initiate ZTP, ZTP proceeds.

    3. Verify the image upgrade.

      Figure 11: Verifying ZTP - Auto Image Upgrade


      The ZTP process is driven by the auto-image-upgrade statement in the [edit chassis] hierarchy. To disable ZTP, delete that statement manually; if ZTP completes without errors, it is deleted automatically.

      The device downloads the configuration file and the image file from the file server indicated in the DHCP vendor options. The device compares the downloaded image file with the installed software version. If the downloaded image is different from the installed software version, the downloaded software image is installed and the switch reboots automatically.

      After the software installation, the downloaded configuration file is installed and the auto-image-upgrade statement is removed from the [edit chassis] hierarchy. This completes the basic ZTP process.

      The device now has the correct software image and configuration file intended for that device type.

    Meaning

    The ZTP device was able to automatically download the correct software image and configuration file without any manual intervention.

    Verifying the Custom Configuration for a Device Using the ZTP Device-Specific Configuration

    Purpose

    Verify that the ZTP device has registered with Network Director from the customized configuration file.

    Action

    1. After the ZTP device automatically registers with Network Director, go to the Unassigned location in the Location view.

      The device can then be moved to the appropriate location.

      Figure 12: Network Director ZTP Configuration - Device Auto Registration

    2. Verify the IP address of the ZTP device.

      The IP address of the device must be from the pool of IP addresses defined on the ZTP profile for the device in Network Director.

    3. Verify the password of the ZTP device.

      If the device was able to acquire the expected IP address, the root password in the configuration file matches the one defined in the ZTP setup in Network Director.

    Meaning

    The ZTP device was able to register with Network Director and properly download a custom configuration.

    Modified: 2016-07-29