Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Create Onbox Agent

You need full admin / root privileges to create onbox agents. We recommend creating a dedicated user on the device using Apstra ZTP or other means. Make sure that you've:

  • Added login credentials for the devices.
  • Configured management IP connectivity between devices and the Apstra server. You must do this before installing agents so it’s out-of-band (OOB). Configuring management connectivity in-band (through the fabric) is not supported and could cause connectivity issues when changes are made to the blueprint.
  • Uploaded required packages.

Before creating/installing onbox device agents on Cisco NX-OS and Arista EOS, configure the following minimum configuration on them as shown below. (SONiC Enterprise has no specific configuration requirements other than Management Network and privileged user access.)

Cisco NX-OS Onbox Agent Minimum Configuration

Arista EOS Onbox Agent Minimum Configuration

Make sure the following configuration is not on the device:

  • VLANs other than VLAN 1
  • VRFs other than "management"
  • Interface IP addresses other than "management"
  • Loopback interfaces
  • VLAN interfaces
  • VXLAN interfaces
  • AS-Path access-lists
  • IP prefix-lists
  • Route maps or policies
  • BGP configuration

During the agent install process, device configuration is validated, and if the device contains configuration that could prevent the deployment of service configuration, the agent install process raises an error (as of Apstra 4.0.1).

In this case, manually remove conflicting configuration and start the agent installation process again.

If you must complete the agent installation with configuration validation errors, you can disable pristine configuration validation. To do this, from Devices > Managed Devices, click Advanced Settings (top-right), select Skip Pristine Configuration Validation, then click Update.

For information about retaining pre-existing configuration when bringing devices under Apstra management, see Device Configuration Lifecycle.


On some platforms (Junos for example) you can configure rate-limiting for management traffic (SSH for example). When the Apstra server interacts directly with devices it can be more bursty than when it interacts with a user. Rate-limiting configurations that are used for hardening security can impact device management, and lead to deployment failures and other agent-related issues.

Onbox agents include the following parameters:
Parameter Description
Device addresses Management IP(s) of the device(s)
Operation Mode
  • Full Control - deploys configuration and collects telemetry
  • Telemetry Only - configuration is not deployed
Username / Password If you're not using an agent profile with credentials, check these boxes and add credentials.
Agent Profile If you don't want to manually enter credentials and packages, use agent profiles that you previously defined.
Job to run after creation
  • Install (default) - installs the agent on the device
  • Check - creates the agent, but does not install it. It appears in the table view where you can install it later.
Install Requirements (servers only) For servers only: If servers don't have Internet connectivity, uncheck the box.
Packages Before creating the agent, install required packages so they are available. Packages associated with selected agent profiles are listed here as well.
  1. Confirm that you've installed the minimum configuration as described above, and that the device doesn't contain configuration that would raise validation errors.
  2. From the left navigation menu, navigate to Devices > Managed Devices and click Create Onbox Agent(s).
  3. Specify agent details as described in the parameters table above.
  4. Click Create. While the task is active you can view its progress at the bottom of the screen in the Active Jobs section. The job status changes from Initialized to In Progress to Succeeded.