[MX] Zero Touch Provisioning on MX10003 / MX204

Article ID: KB36251 | KB Last Updated: 13 Nov 2020 | Version: 1.0
Summary:

This article describes how to provision MX10003 and MX204 devices by using Zero Touch Provisioning (ZTP).

 

Symptoms:

Zero Touch Provisioning (ZTP) facilitates setting up new devices in the network without manual intervention. When a device is connected to the network and booted with default factory configuration, it attempts to upgrade the Junos OS software automatically and auto-installs configuration from the network. To make sure that the factory-default configuration is loaded on the device, the request system zeroize CLI command is executed.

The auto image upgrade (AIU) process on the device uses the information that is provided by the Dynamic Host Configuration Protocol (DHCP) server to locate the necessary software image and configuration files on the network. If the DHCP server is not configured to provide this information, then the preinstalled software and default factory configuration are loaded.

 

Solution:

This article assumes that dhcpd, vsftpd, tftpd, and httpd are installed and configured to support ZTP.

  • The DHCP options configured in the dhcpd.conf file provide the image and configuration file information for the ZTP process.

  • vsftpd, httpd, or tftpd is used by ZTP for downloading the image and configuration files.

  • MX10003 and MX204 support ZTP only on the management interface (fxp0) as of the writing of this article.

  • EX9251, which uses a similar Routing Engine as the MX10003, supports ZTP on the management and WAN ports.

Setting Up DHCP Server & Transport Mode

  1. Refer to the dhcpd.conf manpage to know more about parameters and declarations.

  2. Below is a sample configuration of /etc/dhcp/dhcpd.conf with a brief description that is commented (#).

# Interface over which the DHCP server listens for DHCP discover messages.

DHCPDARGS=ens33;

# The declaration below identifies the subnets over which to listen for DHCP
# discover messages and provide IP addresses.
# range : specifies how many IP addresses to lease.
# domain-name : identifies the network. domain-name-servers : used when host names
# are used instead of IP addresses.
   subnet 3.3.3.0 netmask 255.255.255.0 {
     range 3.3.3.3 3.3.3.15;
     option domain-name "mydomain.net";
     option domain-name-servers 10.209.194.133;
     option routers 3.3.3.254;
     default-lease-time 60000;
     max-lease-time 720000;
   }

# The declaration below provides an option space definition.

   option space SUNW;
   option SUNW.server-image code 0 = text;
   option SUNW.server-file  code 1 = text;
   option SUNW.image-file-type code 2 = text;
   option SUNW.transfer-mode code 3 = text;
   option SUNW.symlink-server-image code 4 = text;
   option SUNW.http-port  code 5 = text;
   option SUNW-encapsulation code 43 = encapsulate SUNW;

# group is used to apply common parameters to a number of different hosts.
# Each host declaration defines a particular host and its parameters.
# "hardware ethernet <mac>" is the MAC address of the device. For MX10003/MX204 it is the
# MAC address of the fxp0 interface. For EX9251 it can be the MAC address of either the
# management or the WAN interface that is used for the upgrade. The MAC address must be
# correct for the device to receive the DHCP options.
# "transfer-mode <mode>" is the mode used for downloading the image and config files.
# If this is absent, the default is tftp. Options are http, ftp or tftp.
# log-servers and ntp-servers are for sending syslog messages.
# "server-image <imagename>" is the image for the device.
# "server-file <filename>" is the option for the config file.
# "tftp-server-name" is the IP address of the server that provides the files for booting.
# This is provided as a string.

   group {
     next-server 3.3.3.1;
     host mx204-12345 {
       hardware ethernet 98:a4:04:7f:1a:83;
       option SUNW.transfer-mode "ftp";
       option host-name "mx204-12345";
       option log-servers 3.3.3.1;
       option ntp-servers 66.129.255.62;
       option SUNW.server-file   "dut-baseline-config.conf";
       option SUNW.server-image  "junos-vmhost-install-mx-x86-64-19.4R1.1.tgz";
       option tftp-server-name "3.3.3.1";
     }
   }

Note that the text or number format used above must be adhered to. If not, dhcpd will indicate an error upon startup.

  3. Save the dhcpd.conf file and start the dhcpd service by using the command that is appropriate to the version of Linux. The logs pertaining to dhcpd can be viewed in the /var/log/messages file.

  4. Copy the image and configuration file to the appropriate paths depending on the transport mode configured.

The following table is an example that assumes that /tftpboot/ is used by tftp and ftp for file store. The server-file and server-image options in the dhcpd.conf file need to have the path relative to the path configured for the transport mode.

Transport mode   Config file path            Home directory
ftp              /etc/vsftpd/vsftpd.conf     /tftpboot
tftp             /etc/xinet.d/tftp           /tftpboot
http             /etc/http/conf/httpd.conf   /var/www/html/

For example, if the image is in /tftpboot/PLATFORM_AA/image_aa.tgz, then the server-file option should be /PLATFORM_AA/image_aa.tgz.

  5. Start the service used for transport and verify that the service is running.

Initiating ZTP and Monitoring Progress

  1. If a factory shipped device is being provisioned, only network connections are to be made and the device powered on. When the device boots, AIU (auto-image-upgrade) will be started.

  2. If an existing device is to be provisioned, zeroize the device by using the request system zeroize CLI command. Type yes for the prompt and press Enter.

Note that all configurations, logs, and user-created files and directories will be erased.

  3. The device comes up in amnesiac mode. Users can log in on the console as the root user and will not be prompted for a password since none is configured. After a couple of minutes, messages on the console will be displayed to indicate that Auto Image upgrade has started.

  4. The show dhcp client binding CLI command is used to verify the IP address assigned by the DHCP server. The state should show up as BOUND. Alternatively, on the DHCP server, the /var/log/messages file can be checked to view the IP address assignment.

Sep 26 04:11:41 mx-phs-server1 dhcpd: DHCPREQUEST for 17.17.34.110 from e4:fc:82:0f:d2:00 (TC3718210039) via eth1
Sep 26 04:11:42 mx-phs-server1 dhcpd: DHCPACK on 17.17.34.110 to e4:fc:82:0f:d2:00 (TC3718210039) via eth1
Sep 26 05:11:41 mx-phs-server1 dhcpd: Vendor-Class-Identifier: Juniper:ex4600-40f:TC3718210039
Sep 26 05:11:42 mx-phs-server1 dhcpd: DHCPREQUEST for 17.17.34.110 from e4:fc:82:0f:d2:00 (TC3718210039) via eth1
Sep 26 05:11:42 mx-phs-server1 dhcpd: DHCPACK on 17.17.34.110 to e4:fc:82:0f:d2:00 (TC3718210039) via eth1

  5. After the IP addresses are bound, further DHCP options sent by the server are processed. Below is a snapshot of the messages that are displayed on the console after the DHCP options are received.

Auto Image Upgrade: DHCP INET Options for client interface fxp0.0 ConfigFile:
baseline_mt-bona ImageFile: junos-vmhost-install-mx-x86-64-20.3R1.3.tgz
Gateway: 17.17.34.1 DHCP Server: 17.17.34.1 File Server: 17.17.34.1

Auto Image Upgrade: To stop, on CLI apply
"delete chassis auto-image-upgrade"  and commit
Auto Image Upgrade: Active on INET client interface : fxp0.0
Auto Image Upgrade: Interface::   "fxp0"
Auto Image Upgrade: Server::      "17.17.34.1"
Auto Image Upgrade: Image File::  "junos-vmhost-install-mx-x86-64-20.3R1.3.tgz"
Auto Image Upgrade: Config File:: "baseline_mt-bona"
Auto Image Upgrade: Gateway::     "17.17.34.1"
Auto Image Upgrade: Protocol::    "ftp"

  6. AIU will use the information in the DHCP options to download the image and configuration files. The file download progress is checked by listing the contents of the /var/tmp folder.

Auto Image Upgrade: Start fetching baseline_mt-bona file from server 17.17.34.1 through fxp0 using ftp
Auto Image Upgrade: File baseline_mt-bona fetched from server 17.17.34.1 through fxp0
Auto Image Upgrade: FTP timeout set to 300 seconds
Auto Image Upgrade: Start fetching junos-vmhost-install-mx-x86-64-20.3R1.3.tgz file from server 17.17.34.1 through fxp0 using ftp
Auto Image Upgrade: File junos-vmhost-install-mx-x86-64-20.3R1.3.tgz fetched from server 17.17.34.1 through fxp0

  7. The downloaded image is then installed. If the downloaded image version is the same as the one already running on the device, the install step is skipped. The following messages are shown when the image is downloaded and installed.

Auto Image Upgrade: Aborting image installation of junos-vmhost-install-mx-x86-64-20.3R1.3.tgz received from 17.17.34.1 through fxp0: Installed and fetched image version same
Auto Image Upgrade: Applying baseline_mt-bona file configuration fetched from server 17.17.34.1 through fxp0

  8. After image installation and reboot, AIU will apply the configuration from the downloaded configuration file. This is configured with the override option, so on bootup, only the configuration that is downloaded is present. Installation logs are present in the /var/log/image_load_log file.

  9. The show system commit CLI command will show the commit made by the Junos script.

Verification

  1. To verify that the device has received an IP address from the DHCP server, issue the show dhcp client binding CLI command.

  2. After installation, the show version CLI command can be used to verify the version that is running.

  3. To view the installation logs, the show log image_load_log CLI command can be used.

  4. To ensure that the downloaded configuration is applied without an error, issue the show system commit CLI command. There should be a single commit from the Junos script.
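The server-side counterpart of the binding check, as an added example that is not part of the original article: it scans dhcpd lines from /var/log/messages for one MAC address and reports whether the exchange ended in a DHCPACK. The first two sample lines are taken from the log excerpt in this article; the third line and the function name are constructed for illustration.

```python
import re

# Matches the dhcpd syslog lines that name a client MAC, for example
# "DHCPREQUEST for <ip> from <mac>", "DHCPACK on <ip> to <mac>" and
# "DHCPDISCOVER from <mac>".
LINE_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: (DHCP[A-Z]+) (?:(?:for|on) (\S+) )?(?:\(\S+\) )?"
    r"(?:from|to) ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def dhcp_status(log_lines, mac):
    """Summarise the DHCP exchange the server logged for one client MAC."""
    mac = mac.lower()
    seen, ip = [], None
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group(3).lower() != mac:
            continue
        seen.append(m.group(1))
        if m.group(1) == "DHCPACK":
            ip = m.group(2)          # address the server confirmed to the client
    if not seen:
        verdict = "no DHCP messages from this MAC reached the server"
    elif ip is None:
        verdict = "server saw the client but never sent DHCPACK"
    else:
        verdict = "bound"
    return {"messages": seen, "ip": ip, "verdict": verdict}

LOG = [
    # From the article's log excerpt:
    "Sep 26 04:11:41 mx-phs-server1 dhcpd: DHCPREQUEST for 17.17.34.110 "
    "from e4:fc:82:0f:d2:00 (TC3718210039) via eth1",
    "Sep 26 04:11:42 mx-phs-server1 dhcpd: DHCPACK on 17.17.34.110 "
    "to e4:fc:82:0f:d2:00 (TC3718210039) via eth1",
    # Constructed line: a client that is seen but gets no lease.
    "Sep 26 04:12:01 mx-phs-server1 dhcpd: DHCPDISCOVER "
    "from 98:a4:04:7f:1a:83 via eth1: network 17.17.34.0/24: no free leases",
]

if __name__ == "__main__":
    for client in ("e4:fc:82:0f:d2:00", "98:a4:04:7f:1a:83", "00:11:22:33:44:55"):
        print(client, dhcp_status(LOG, client))
```

On a real server, pass the lines of /var/log/messages and the MAC address of the fxp0 interface.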

Troubleshooting

  1. Ensure working connections. Since the DHCP discover messages are broadcast, the network should be able to forward them to the DHCP server. Either a VLAN or DHCP Relay should be in place for this to work.

  2. The dhcpd process status should be running/active. If not, check the /var/log/messages file to see the reason that it is not coming up. The same file is also used to look for dhcp entries to verify if the DHCP discover messages reach the DHCP server.

  3. The DHCP messages in /var/log/messages should pertain to the mac-address of the fxp0 interface. If it is not present, then the dhcp discover messages from the device are not reaching the server.

  4. Verify that the fxp0 interface is receiving the IP address in the show dhcp client binding message. In addition to the IP address, the device should also receive information about the image file, configuration file, server IP address, and the transport mode to use to provision the device. If only the IP address is received but not the other options, ensure that the tftp-server-name option or the server-name options are present. If either of these two are not present, dhcpd will not send the additional options. The hardware ethernet <mac-address> should also match the mac-address of fxp0.

Note: If changes are made to any of the configuration files, the corresponding service has to be restarted for the changes to take effect.

  5. Some Linux distributions (for example, CentOS 7 or later) have firewalld or SELinux running by default. Configure it to allow access for these services or disable the firewall if you choose to.

  6. If the options are received but there are issues with downloading the image or configuration files, check the configuration for the correct home directory for the corresponding service and also ensure that the image file and configuration files are present in the appropriate home location. In the case of vsftpd (or any other ftp service), configure it to allow anonymous logins and ASCII modes.
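A pre-flight lint for the host declarations in dhcpd.conf, as an added example that is not part of the original article: it checks the points this page calls out (quote format, the fxp0 MAC address, the transfer mode, the tftp-server-name or server-name requirement, and file paths given relative to the transport home directory). The function name and the sample hosts are constructed for illustration; the home directories come from the table above.

```python
import re

# Home directory per transport mode, from the table in this article.
HOME = {"ftp": "/tftpboot", "tftp": "/tftpboot", "http": "/var/www/html"}
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
OPT_RE = re.compile(r"option\s+([\w.-]+)\s+(.+?);")
MAC_RE = re.compile(r"hardware\s+ethernet\s+(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}\s*;")
CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes, a dhcpd startup error

def lint_ztp_hosts(conf_text):
    """Return {host: [problems]} for each host declaration in dhcpd.conf text."""
    report = {}
    for name, body in HOST_RE.findall(conf_text):
        problems = []
        if any(ch in body for ch in CURLY):
            problems.append("typographic quotes instead of ASCII double quotes")
        if not MAC_RE.search(body):
            problems.append("missing or malformed hardware ethernet")
        opts = {k: v.strip().strip('"' + CURLY) for k, v in OPT_RE.findall(body)}
        mode = opts.get("SUNW.transfer-mode", "tftp")  # article: default is tftp
        if mode not in HOME:
            problems.append("transfer-mode must be http, ftp or tftp")
        # server-name is a plain statement, tftp-server-name is an option.
        has_sname = re.search(r"(?<![\w.-])server-name\s+\S", body)
        if "tftp-server-name" not in opts and not has_sname:
            problems.append("no tftp-server-name or server-name")
        for key in ("SUNW.server-file", "SUNW.server-image"):
            value = opts.get(key)
            if value is None:
                problems.append(key + " not set")
            elif mode in HOME and value.startswith(HOME[mode] + "/"):
                problems.append(key + " repeats the home directory")
        report[name] = problems
    return report

# Constructed sample: one clean host, one with the mistakes described above.
SAMPLE = '''
group {
  next-server 3.3.3.1;
  host good-mx { hardware ethernet 98:a4:04:7f:1a:83;
    option SUNW.transfer-mode "ftp"; option tftp-server-name "3.3.3.1";
    option SUNW.server-file "/cfg/base.conf";
    option SUNW.server-image "/PLATFORM_AA/image_aa.tgz"; }
  host bad-mx { hardware ethernet 98:a4:04:7f:1a;
    option SUNW.transfer-mode \u201cftp";
    option SUNW.server-image "/tftpboot/PLATFORM_AA/image_aa.tgz"; }
}
'''
print(lint_ztp_hosts(SAMPLE))
```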

 
