
[EX] Understanding Zero Touch Provisioning (EZ Touchless Provisioning): implementation and configuration


Article ID: KB27327   KB Last Updated: 24 Feb 2020   Version: 2.0
Summary:

Zero Touch Provisioning (ZTP):

Zero Touch Provisioning lets you provision new switches in the network automatically, without manual intervention. When you physically connect a switch to the network and boot it with the factory-default configuration, it attempts to upgrade the Junos OS software automatically and to install a configuration file from the network. To make sure the factory-default configuration is loaded on the switch, issue the "request system zeroize" command on the switch you want to provision.

The switch uses information that you configure on a Dynamic Host Configuration Protocol (DHCP) server to locate the software image and configuration file on the network. If you do not configure the DHCP server to provide this information, the switch boots with the preinstalled software and the factory-default configuration.
 
Solution:

Setup:


EX4200 (ME0)-------------l2switch-----------(192.168.1.55)TFTP
                                                |
                                                |
                         DHCP server (192.168.1.25)


The EX4200 (DUT) is the switch to be provisioned. An ISC DHCP 4.2 server (Linux) directs it to fetch its configuration file and Junos OS software from the TFTP server.

To trigger ZTP, run "request system zeroize" from the CLI. The switch reboots, sends a DHCP DISCOVER, and receives an IP address and the TFTP server address from the DHCP server.
The DHCP server includes vendor-specific option 43 in its offer; the switch reads the suboptions to learn the image and configuration file names, and then fetches both files from the TFTP server.


Note: option 150 is the recommended option for specifying the TFTP server IP address.
 

The following dhcpd.conf is known to work with ISC DHCP server 4.2 on Linux:

[root@localhost etc]# vi dhcpd.conf

# dhcpd.conf
#
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
option option-150 code 150 = ip-address;
option space NEW_OP;
option NEW_OP.image-file-name code 0 = text;
option NEW_OP.config-file-name code 1 = text;
option NEW_OP-encapsulation code 43 = encapsulate NEW_OP;   ## suboptions 0 and 1 are carried inside option 43 (suboption 0 is the image file name, suboption 1 is the configuration file name)


Note: every option and suboption statement must end with ";" and every string value must be quoted; a missing ".", "/", ";" or quote is a configuration error and dhcpd will refuse to start.

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.20;
}



host ez_touch {
    hardware ethernet b0:c6:9a:6d:db:42;   ## MAC address of the me0 interface. Dynamic allocation from the range above also works, and ZTP can run over any network port (which uses the chassis base MAC + 1)
    fixed-address 192.168.1.66;
    option option-150 192.168.1.55;
    option host-name "ez_touch";
    option NEW_OP.image-file-name "jinstall-ex-4200-12.3R2.5-domestic-signed.tgz";
    option NEW_OP.config-file-name "test.conf";
}



Optional configuration (add the declarations next to the other NEW_OP options and the values inside the host block):

option NEW_OP.image-file-type code 2 = text;
option NEW_OP.transfer-mode code 3 = text;

Suboption 2: indicates that the image file name is a symbolic link to the software image to install
option NEW_OP.image-file-type "symlink";

Suboption 3: the transfer mode the switch uses to reach the TFTP/FTP/HTTP server
option NEW_OP.transfer-mode "ftp";            ## defaults to TFTP if not specified
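The dhcpd.conf statements above (suboptions 0 and 1 in the host block, optional suboptions 2 and 3) are turned by dhcpd into one option 43 value on the wire. The following Python is an added example, not code from this article or from Juniper: it builds that option 43 payload, decodes a captured one back into the file names the switch will use (applying the "no suboption 3 means TFTP" default the article states), rejects a truncated payload, and renders a host block with the quoting and semicolons the note above warns about. The option-space name NEW_OP and suboption names are those of the article's dhcpd.conf; the rest of the file is assumed to declare them as shown.

```python
"""Build and parse the DHCP option 43 payload used by Junos ZTP.

Added example; not code from the KB article. Suboption codes follow the
dhcpd.conf above: 0 = image file name, 1 = configuration file name,
2 = image file type ("symlink"), 3 = transfer mode (tftp, ftp or http).
Option 43 carries a sequence of <code 1 byte><length 1 byte><value>
items (RFC 2132 encapsulated vendor options), so every value is limited
to 255 bytes, and a missing suboption 3 means TFTP, as the article states.
"""
import struct

SUBOPTION_NAMES = {
    0: "image-file-name",
    1: "config-file-name",
    2: "image-file-type",
    3: "transfer-mode",
}
TRANSFER_MODES = {"tftp", "ftp", "http"}


def encode_option43(suboptions):
    """Return the raw option 43 bytes for {code: text}, rejecting bad input."""
    payload = bytearray()
    for code in sorted(suboptions):
        if code not in SUBOPTION_NAMES:
            raise ValueError(f"unknown ZTP suboption code {code}")
        text = suboptions[code]
        if code == 3 and text not in TRANSFER_MODES:
            raise ValueError(f"transfer-mode must be one of {sorted(TRANSFER_MODES)}")
        value = text.encode("ascii")
        if not 1 <= len(value) <= 255:
            raise ValueError(f"suboption {code}: value must be 1..255 bytes")
        payload += struct.pack("BB", code, len(value)) + value
    return bytes(payload)


def decode_option43(payload):
    """Parse option 43 into {name: text}; fail on truncated or overlong items."""
    result = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated suboption header")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {code}: declared {length} bytes, only {len(value)} present")
        result[SUBOPTION_NAMES.get(code, f"unknown-{code}")] = value.decode("ascii")
        pos += 2 + length
    return result


def effective_ztp_settings(payload):
    """Decode and apply the default the article describes (no suboption 3 -> tftp)."""
    settings = decode_option43(payload)
    settings.setdefault("transfer-mode", "tftp")
    return settings


def is_well_formed(payload):
    """True when the payload parses cleanly; useful for vetting a captured DHCPOFFER."""
    try:
        decode_option43(payload)
        return True
    except ValueError:
        return False


def dhcpd_host_lines(name, mac, fixed_ip, tftp_ip, suboptions):
    """Render a dhcpd.conf host block with quoted strings and terminating
    semicolons (NEW_OP is the article's option-space name; assumed declared)."""
    encode_option43(suboptions)  # validate the values before emitting config text
    lines = [
        f"host {name} {{",
        f"    hardware ethernet {mac};",
        f"    fixed-address {fixed_ip};",
        f"    option option-150 {tftp_ip};",
        f'    option host-name "{name}";',
    ]
    for code, text in sorted(suboptions.items()):
        lines.append(f'    option NEW_OP.{SUBOPTION_NAMES[code]} "{text}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    opts = {0: "jinstall-ex-4200-12.3R2.5-domestic-signed.tgz", 1: "test.conf"}
    raw = encode_option43(opts)
    print(raw.hex())
    print(effective_ztp_settings(raw))
    print(dhcpd_host_lines("ez_touch", "b0:c6:9a:6d:db:42", "192.168.1.66", "192.168.1.55", opts))
```

To compare against what dhcpd really sends, capture the DHCPOFFER on the server and feed the option 43 bytes to effective_ztp_settings(); a mismatch between the decoded names and the files staged on the TFTP root is the usual cause of a switch that gets an address but never fetches anything.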




In vi, press i to enter insert mode and edit the file; when done, press ESC and type:

:wq!



To run the DHCP server with this configuration, follow the steps below (the dhcpd -t option tests the configuration file for syntax errors without starting the daemon):

[root@localhost etc]# /usr/local/sbin/dhcpd -q -lf /var/db/dhcp.lease -cf /usr/local/etc/dhcpd.conf
[root@localhost etc]# ps aux | grep dhcpd       ## make sure the process started

[root@localhost etc]# tail -f /var/log/messages       ## check the messages log for configuration errors and for the DHCP and TFTP transactions




How to execute ZTP on the switch:


root@> request system zeroize

warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: ipsec-key-management subsystem not running - not needed by configuration.
warning: zeroizing fpc0


Broadcast Message from root
(no tty) at 1:35 UTC...

Auto-image upgrade started successfully


Broadcast Message from root@
(no tty) at 1:35 UTC...

ALERT:Auto-image upgrade will start. This can terminate config CLI session(s). Modified configuration will be lost. To stop Auto-image, in CLI do the
following: 'edit; delete chassis auto-image-upgrade; commit'.


{master:0}
root> show interfaces vme
Physical interface: vme, Enabled, Physical link is Up
Interface index: 68, SNMP ifIndex: 35
Type: Mgmt-VLAN, Link-level type: Mgmt-VLAN, MTU: 1518, Speed: 1000mbps
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Link flags : None
Current address: b0:c6:9a:6d:db:42, Hardware address: b0:c6:9a:6d:db:42
Last flapped : Never
Input packets : 66
Output packets: 85

Logical interface vme.0 (Index 7) (SNMP ifIndex 36)
Flags: SNMP-Traps Encapsulation: ENET2
Input packets : 66
Output packets: 85
Protocol inet, MTU: 1500
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 192.168.1/24, Local: 192.168.1.66,    >>>> the switch has obtained an IP address from the DHCP server
Broadcast: 192.168.1.255



As soon as ZTP runs, the switch discovers the DHCP server, obtains an IP address from it, and then connects to the TFTP server to: 1. fetch the configuration file (test.conf); 2. fetch the image (jinstall-ex-4200-12.3R2.5-domestic-signed.tgz).

root> show log dhcp_logfile |last
Jan 26 04:02:20 DHCPD_OPTION_HOST_NAME: DHCP Host Name Option ez_touch
Jan 26 04:02:20 router address is 192.168.1.1
Jan 26 04:02:20 Written IP address 192.168.1.66 to file /var/db/leases/vme.0
Jan 26 04:02:22 Opened file for Writing /var/etc/dcd.dhcpd.conf

Jan 26 04:02:22 Writing interface for vme unit number 0 BEGINS

Jan 26 04:02:22 Writing interface for vme unit number 0 DONE

Jan 26 04:02:22 Closed file for Writing /var/etc/dcd.dhcpd.conf

Jan 26 04:02:22 signalled dcd (pid 1271) to overlay
Jan 26 04:02:22 Searching for route 0.0.0.0 on 7
Jan 26 04:02:22 Route entry already exists for 0.0.0.0 on 7
Jan 26 04:02:22 About to add static route for dest 0.0.0.0
Jan 26 04:02:22 Local addr 192.168.1.66
Jan 26 04:02:22 The next hop address is 192.168.1.1 iflindex 2147405176
Jan 26 04:02:22 VRF is default
Jan 26 04:02:22 RTT is 16777216
Jan 26 04:02:22 rtsock ifd message for vme
Jan 26 04:02:22 changed ifd vme to up
Jan 26 04:02:22 rtsock notified state change for IFD= vme
Jan 26 04:02:50 AIU: spawn : /bin/sh /usr/sbin/image_load -G 192.168.1.55 -I vme -O install_reboot -D /var/tmp -C test.conf -F jinstall-ex-4200-12.3R2.5-domestic-signed.tgz



root> show log image_load_log|last

[Sat Jan 26 03:56:44 UTC 2013] Directory to store image is valid /var/tmp
[Sat Jan 26 03:56:45 UTC 2013] Creating file /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz
[Sat Jan 26 03:56:45 UTC 2013] tftp -JM binary -JG 192.168.1.55:test.conf -JI vme
[Sat Jan 26 03:56:45 UTC 2013] Received 380 bytes in 0.0 seconds
[Sat Jan 26 03:56:45 UTC 2013] Image fetch done
[Sat Jan 26 03:56:45 UTC 2013] tftp -JM binary -JG 192.168.1.55:jinstall-ex-4200-12.3R2.5-domestic-signed.tgz -JI vme
[Sat Jan 26 03:57:42 UTC 2013] Received 111189814 bytes in 56.1 seconds
[Sat Jan 26 03:57:42 UTC 2013] Image fetch done
[Sat Jan 26 03:57:50 UTC 2013] request system software add /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz no-validate force
[Sat Jan 26 03:58:13 UTC 2013]
Checking pending install on fpc0

fpc0:
WARNING: A reboot is required to install the software
WARNING: Use the 'request system reboot' command immediately
[Sat Jan 26 03:58:13 UTC 2013] Image installation is done
[Sat Jan 26 03:58:31 UTC 2013] Shutdown NOW!
[pid 2585]
[Sat Jan 26 03:58:31 UTC 2013] Removing /var/run/image_load.pid




Note: If the image version on the TFTP server differs from the running version, the switch downloads the image, installs it and reboots. If the versions are the same, the switch skips the upgrade and continues to the next step (committing the configuration).


Note: The configuration file must contain root-authentication, otherwise the commit fails. Also, on releases before 12.3R3, if the image named in dhcpd.conf is the same version that is already installed on the EX, the configuration fetched as part of ZTP is not committed (fixed in 12.3R3).


For example:

On the switch below, the snapshot output shows 12.2R4.5 on the backup partition and 12.3R2.5 on the primary partition. The image named in dhcpd.conf is 12.3R2.5, which is already installed, so the install is aborted and, because this release is older than 12.3R3, the commit fails.


root@ez_touch_4200# run show system snapshot media internal
fpc0:
--------------------------------------------------------------------------
Information for snapshot on internal (/dev/da0s1a) (backup)
Creation date: Apr 4 13:47:30 2013
JUNOS version on snapshot:
jbase : ex-12.2R4.5
jkernel-ex: 12.2R4.5
jcrypto-ex: 12.2R4.5
jdocs-ex: 12.2R4.5
jswitch-ex: 12.2R4.5
jpfe-ex42x: 12.2R4.5
jroute-ex: 12.2R4.5
jweb-ex: 12.2R4.5
fips-mode-powerpc: 12.2R4.5


Information for snapshot on internal (/dev/da0s2a) (primary)

Creation date: Mar 23 00:05:08 2013
JUNOS version on snapshot:
jbase : ex-12.3R2.5

jkernel-ex: 12.3R2.5
jcrypto-ex: 12.3R2.5
jdocs-ex: 12.3R2.5
jswitch-ex: 12.3R2.5
jpfe-ex42x: 12.3R2.5
jroute-ex: 12.3R2.5
jweb-ex: 12.3R2.5
fips-mode-powerpc: 12.3R2.5



root@ez_touch_4200# run show log image_load_log
[Sat Mar 23 00:08:05 UTC 2013] Creating /var/run/image_load.pid with 1701
[Sat Mar 23 00:08:05 UTC 2013] /usr/sbin/image_load -G 192.168.1.55 -I vme -O install_reboot -D /var/tmp -C test2.conf -F jinstall-ex-4200-12.3R2.5-domestic-signed.tgz
[Sat Mar 23 00:08:15 UTC 2013] Directory to store image is valid /var/tmp
[Sat Mar 23 00:08:16 UTC 2013] Creating file /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz
[Sat Mar 23 00:08:16 UTC 2013] tftp -JM binary -JG 192.168.1.55:test2.conf -JI vme
[Sat Mar 23 00:08:16 UTC 2013] Received 3849 bytes in 0.0 seconds
[Sat Mar 23 00:08:16 UTC 2013] Image fetch done
[Sat Mar 23 00:08:16 UTC 2013] tftp -JM binary -JG 192.168.1.55:jinstall-ex-4200-12.3R2.5-domestic-signed.tgz -JI vme
[Sat Mar 23 00:09:10 UTC 2013] Received 111189814 bytes in 53.8 seconds
[Sat Mar 23 00:09:10 UTC 2013] Image fetch done
[Sat Mar 23 00:09:18 UTC 2013] /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz is version 12.3R2.5.
[Sat Mar 23 00:09:18 UTC 2013] This version is already installed.
[Sat Mar 23 00:09:18 UTC 2013] Aborting install.
[Sat Mar 23 00:09:18 UTC 2013] Removing /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz
[Sat Mar 23 00:09:19 UTC 2013] jinstall-ex-4200-12.3R2.5-domestic-signed.tgz not installed, committing config
[Sat Mar 23 00:09:34 UTC 2013] Removing /var/run/image_load.pid




Check the internal media before running ZTP: if the running version differs from the image on the TFTP server, the commit works and you will see the configuration pulled from the TFTP server.
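The two image_load_log excerpts above show the two paths ZTP can take: a version that differs from the running one is installed and the switch reboots; the same version is skipped and only the configuration commit is attempted (which, before 12.3R3, fails). The following Python is an added example, not code from this article or from Juniper. It extracts the Junos release from a jinstall file name, predicts which path a given running version will take under the rules the article states, and classifies an image_load_log by the marker lines the article's own output contains. It assumes numbered "R" releases only (12.3R2.5, 12.3R3); the embedded log lines are abridged copies of the article's output, not new captures.

```python
"""Predict and confirm what ZTP does with the image named in dhcpd.conf.

Added example; not code from the KB article. Rules implemented are the
ones the article states: a different version is installed and the switch
reboots; the same version is skipped and only the configuration is
committed; on releases before 12.3R3 that commit fails. Only numbered
"R" releases such as 12.3R2.5 are handled (an assumption for brevity).
"""
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")
COMMIT_FIX_RELEASE = "12.3R3"   # from the article's note


def release_key(version):
    """Turn '12.3R2.5' into a comparable tuple (12, 3, 2, 5)."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unsupported Junos version string: {version}")
    return tuple(int(x) if x else 0 for x in m.groups())


def parse_image_version(filename):
    """'jinstall-ex-4200-12.3R2.5-domestic-signed.tgz' -> '12.3R2.5'."""
    m = VERSION_RE.search(filename)
    if not m:
        raise ValueError(f"no Junos version in image name: {filename}")
    return m.group(0)


def predict_ztp_outcome(running_version, image_filename):
    """Which of the article's three outcomes applies before ZTP is started."""
    image_version = parse_image_version(image_filename)
    if release_key(image_version) != release_key(running_version):
        return "install-and-reboot"
    if release_key(running_version) < release_key(COMMIT_FIX_RELEASE):
        return "commit-fails-pre-12.3R3"
    return "commit-only"


# Marker lines taken from the article's image_load_log output.
MARKERS = {
    "This version is already installed.": "already_installed",
    "Image installation is done": "installed",
    "committing config": "commit_attempted",
    "Shutdown NOW!": "rebooting",
}


def classify_image_load_log(lines):
    """Map image_load_log marker lines to a status dict with an 'outcome' key."""
    status = {flag: False for flag in MARKERS.values()}
    for line in lines:
        for marker, flag in MARKERS.items():
            if marker in line:
                status[flag] = True
    if status["installed"] and status["rebooting"]:
        status["outcome"] = "install-and-reboot"
    elif status["already_installed"] and status["commit_attempted"]:
        status["outcome"] = "commit-only"    # the log shows only the attempt, not whether the commit succeeded
    else:
        status["outcome"] = "incomplete"
    return status


# Abridged copies of the article's two image_load_log excerpts.
LOG_INSTALLED = [
    "[Sat Jan 26 03:57:50 UTC 2013] request system software add /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz no-validate force",
    "[Sat Jan 26 03:58:13 UTC 2013] Image installation is done",
    "[Sat Jan 26 03:58:31 UTC 2013] Shutdown NOW!",
]
LOG_SKIPPED = [
    "[Sat Mar 23 00:09:18 UTC 2013] /var/tmp/jinstall-ex-4200-12.3R2.5-domestic-signed.tgz is version 12.3R2.5.",
    "[Sat Mar 23 00:09:18 UTC 2013] This version is already installed.",
    "[Sat Mar 23 00:09:18 UTC 2013] Aborting install.",
    "[Sat Mar 23 00:09:19 UTC 2013] jinstall-ex-4200-12.3R2.5-domestic-signed.tgz not installed, committing config",
]

if __name__ == "__main__":
    image = "jinstall-ex-4200-12.3R2.5-domestic-signed.tgz"
    for running in ("12.2R4.5", "12.3R2.5", "12.3R3.4"):
        print(running, "->", predict_ztp_outcome(running, image))
    print(classify_image_load_log(LOG_INSTALLED)["outcome"])
    print(classify_image_load_log(LOG_SKIPPED)["outcome"])
```

Running predict_ztp_outcome() against the version from "show system snapshot media internal" before zeroizing tells you whether to expect a second reboot or a commit-only run, which matters when provisioning many switches unattended.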


An example of config pulled from TFTP:
version 12.3R2.5;
system {
    host-name ez_touch;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
    services {
        ssh;
        telnet;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }

    ge-0/0/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/16 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/17 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/18 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/19 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/20 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/21 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/22 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/23 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/0 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    xe-0/1/1 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/1/3 {
        unit 0 {
            family ethernet-switching;
        }
    }
}

protocols {
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}

ethernet-switching-options {
    storm-control {
        interface all;
    }
}
poe {
    interface all;
}


Troubleshooting:

# Verify the physical connections and make sure the switch can reach the DHCP and TFTP servers
# Confirm the management interface is up: "show interfaces me0" (on the EX4200 in this example, "show interfaces vme")
# Configure dhcpd as in the sample configuration above and make sure it has no configuration errors
# [root@localhost etc]# tail -f /var/log/messages      ## check the messages log for configuration errors and for the DHCP and TFTP transactions
# Start the TFTP service and copy the image and configuration file to the TFTP root
# Capture packets on the TFTP server to see the switch requesting the image and configuration file
# Run the command below on the switch to see what is happening in the background

root@ez_touch# run show log image_load_log|last
(The output is the same image_load_log shown in the Solution section above: configuration fetch, image fetch, software add and reboot.)
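Both the dhcpd start-up steps and the troubleshooting list above say to watch /var/log/messages for the DHCP and TFTP transactions. The following Python is an added example, not code from this article or from Juniper: it reads ISC dhcpd syslog lines (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK) and tftpd-hpa "RRQ from <ip> filename <name>" lines (as logged when tftpd-hpa runs with -v) for one client MAC, reports the first stage of the exchange that is missing, checks that the acknowledged address is the fixed-address from the host block, and confirms that the configuration file and image were actually requested. The sample log excerpts are constructed to match the article's addresses and MAC; the "wrong MAC" case models the article's note that a switch coming up on a network port uses the chassis base MAC + 1, so a host block pinned to the me0 MAC does not match and dhcpd hands out a pool address without the ZTP options.

```python
"""Verify one switch's ZTP DHCP/TFTP exchange from /var/log/messages.

Added example; not code from the KB article. Parses ISC dhcpd syslog
lines and tftpd-hpa RRQ lines (tftpd-hpa started with -v) for a single
client MAC and explains what is missing. SAMPLE_OK and SAMPLE_WRONG_MAC
are constructed excerpts, not real captures.
"""
import re

DHCP_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: (?P<msg>DHCPDISCOVER|DHCPOFFER|DHCPREQUEST|DHCPACK)"
    r"(?: (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+))?.*?"
    r" (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
TFTP_RE = re.compile(
    r"tftpd(?:\[\d+\])?: RRQ from (?P<ip>\d+\.\d+\.\d+\.\d+) filename (?P<file>\S+)"
)
STAGES = ("DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK")
IMAGE = "jinstall-ex-4200-12.3R2.5-domestic-signed.tgz"

# Constructed: a complete exchange for the article's host block.
SAMPLE_OK = """\
Jan 26 04:02:18 localhost dhcpd: DHCPDISCOVER from b0:c6:9a:6d:db:42 via eth0
Jan 26 04:02:19 localhost dhcpd: DHCPOFFER on 192.168.1.66 to b0:c6:9a:6d:db:42 (ez_touch) via eth0
Jan 26 04:02:19 localhost dhcpd: DHCPREQUEST for 192.168.1.66 (192.168.1.25) from b0:c6:9a:6d:db:42 (ez_touch) via eth0
Jan 26 04:02:19 localhost dhcpd: DHCPACK on 192.168.1.66 to b0:c6:9a:6d:db:42 (ez_touch) via eth0
Jan 26 04:02:45 localhost in.tftpd[2210]: RRQ from 192.168.1.66 filename test.conf
Jan 26 04:02:45 localhost in.tftpd[2211]: RRQ from 192.168.1.66 filename jinstall-ex-4200-12.3R2.5-domestic-signed.tgz
""".splitlines()

# Constructed: the switch used a network port (chassis MAC + 1), the host
# block did not match, and dhcpd leased a pool address with no ZTP options.
SAMPLE_WRONG_MAC = """\
Jan 26 04:10:01 localhost dhcpd: DHCPDISCOVER from b0:c6:9a:6d:db:43 via eth0
Jan 26 04:10:02 localhost dhcpd: DHCPOFFER on 192.168.1.10 to b0:c6:9a:6d:db:43 via eth0
Jan 26 04:10:02 localhost dhcpd: DHCPREQUEST for 192.168.1.10 (192.168.1.25) from b0:c6:9a:6d:db:43 via eth0
Jan 26 04:10:02 localhost dhcpd: DHCPACK on 192.168.1.10 to b0:c6:9a:6d:db:43 via eth0
""".splitlines()


def check_ztp_exchange(lines, mac, expected_ip, expected_files):
    """Return {"stages", "ip", "fetched", "problems"}; an empty "problems"
    list means the switch got its fixed-address and requested every file."""
    mac = mac.lower()
    stages, fetched, acked_ip = {}, [], None
    for line in lines:
        m = DHCP_RE.search(line)
        if m:
            if m.group("mac").lower() == mac:
                msg = m.group("msg").upper()
                stages[msg] = m.group("ip")
                if msg == "DHCPACK":
                    acked_ip = m.group("ip")
            continue
        t = TFTP_RE.search(line)
        # Only count fetches from the address this MAC was acknowledged for.
        if t and t.group("ip") == acked_ip and t.group("file") not in fetched:
            fetched.append(t.group("file"))
    problems = []
    for stage in STAGES:
        if stage not in stages:
            problems.append(f"no {stage} for {mac}: check cabling and that dhcpd is running on this segment")
            break
    if acked_ip is not None and acked_ip != expected_ip:
        problems.append(f"DHCPACK gave {acked_ip}, not fixed-address {expected_ip}: the host block did not match {mac}")
    if acked_ip is not None:
        for name in expected_files:
            if name not in fetched:
                problems.append(f"no TFTP RRQ for {name} from {acked_ip}: check option 43 and the TFTP root")
    return {"stages": stages, "ip": acked_ip, "fetched": fetched, "problems": problems}


if __name__ == "__main__":
    for sample, mac in ((SAMPLE_OK, "b0:c6:9a:6d:db:42"), (SAMPLE_WRONG_MAC, "b0:c6:9a:6d:db:43")):
        result = check_ztp_exchange(sample, mac, "192.168.1.66", ["test.conf", IMAGE])
        print(mac, result["ip"], result["problems"] or "OK")
```

On a live server, feed it the output of "grep -E 'dhcpd|tftpd' /var/log/messages"; the point of matching on the MAC and the acknowledged address is that a pool lease for an unexpected MAC looks like success in the DHCP log but never reaches the TFTP step.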



Limitations:
Supported only on standalone switches; not supported in a Virtual Chassis (VC) setup.
The switch must be in the factory-default state.

Setup requirement:
DHCP server
TFTP server
Note: DHCP and TFTP are unauthenticated, cleartext protocols. Any host on the provisioning segment can answer the switch's DHCP DISCOVER or read the configuration file (including the root-authentication hash) as it is transferred, so keep the DHCP/TFTP servers and the switches being provisioned on an isolated segment, and verify the staged image against the checksum published on the Juniper download page before starting ZTP.


 

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search