Zero Touch Provisioning (ZTP)

Zero-Touch Provisioning (ZTP) automates the deployment of devices with minimal user intervention, particularly after a factory reset or fresh installation. With ZTP enabled (the default in that state), the device automatically connects to the network, fetches its configuration from a pre-configured source, and provisions itself from configuration files defined by the user. These files must be error-free, syntactically valid, and contain only configuration that ZTP supports (see Limitations).

Prerequisites

Before configuring ZTP, ensure the following:

  • A valid DHCP server is available in the network.

  • The DHCP server is configured with the appropriate URL path for the device to download the configuration file.

Configuration Boot File Setup for Zero Touch Provisioning (ZTP)

The following sections describe how to set up the configuration boot file for ZTP:

Add the Configuration Boot File Path

1. Add the configuration boot file path to the DHCP server.
a. For unique configurations per device: Use *.conf in the path. The device will then request a configuration file named with its specific serial number (e.g., device_serial_number.conf). Ensure each device has its serial-number-specific configuration file present in the path.
b. For identical configurations across all devices: Use a single configuration file named boot.conf in the path.

Sample configuration for a Linux-based DHCP server

DHCPv4 server config (/etc/dhcp/dhcpd.conf):

    subnet 3.3.33.0 netmask 255.255.255.0 {
        range 3.3.33.5 3.3.33.10;
        default-lease-time 600;
        max-lease-time 7200;
        if (substring(option vendor-class-identifier, 0, 7) = "gigamon") {
            option ztp-url "http://3.3.33.6/bootfile.conf";
        }
    }

The vendor-class-identifier check hands the URL only to clients that identify themselves as Gigamon devices. ISC dhcpd rejects option names it does not know, so ztp-url must be declared (option ztp-url code <code> = text;) with the option code the device requests before this stanza will parse. For the per-device layout, the URL ends in *.conf instead of a fixed file name.
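The following is an added example (not Gigamon code) that stages boot files under an HTTP document root according to the two layouts above and checks, before the factory reset, that every expected file exists. It assumes that a URL ending in *.conf makes the device substitute its serial number for the asterisk, that the web server maps URL paths one-to-one onto the document root, and it uses constructed serial numbers, a constructed template and the 3.3.33.6 server from the sample.

```python
"""Stage ZTP boot files where the DHCP-advertised URL will find them.

Added example; this is not Gigamon code.  It models the page's two layouts:
a per-device file named <serial>.conf (URL ending in "*.conf") or one shared
boot file (any other URL).  Assumptions not stated on the page: the device
substitutes its serial number for "*" in the last path segment, and the HTTP
server maps the URL path directly onto the document root directory.
"""
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Constructed templates; {serial} is replaced per device so hostnames differ.
PER_DEVICE_TEMPLATE = "hostname HC-{serial}\nlogging 10.114.10.57\nlogging local info\n"
SHARED_TEMPLATE = "hostname HC1\nlogging 10.114.10.57\nlogging local info\n"


def device_request_url(ztp_url: str, serial: str) -> str:
    """URL a device with this serial number is expected to request."""
    parts = urlsplit(ztp_url)
    directory, _, name = parts.path.rpartition("/")
    if name == "*.conf":
        name = f"{serial}.conf"          # per-device layout (assumption)
    return parts._replace(path=f"{directory}/{name}").geturl()


def _local_path(webroot: str, url: str) -> Path:
    """Map a URL onto the HTTP document root (assumes a 1:1 path mapping)."""
    return Path(webroot) / urlsplit(url).path.lstrip("/")


def stage_bootfiles(webroot: str, ztp_url: str, template: str,
                    serials: list[str]) -> dict[str, Path]:
    """Write the boot file(s) under webroot; returns serial -> path written."""
    if not ztp_url.endswith("/*.conf"):
        if "{serial}" in template:
            raise ValueError("a shared boot file cannot carry per-device values")
        target = _local_path(webroot, ztp_url)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(template)
        return {serial: target for serial in serials}
    written = {}
    for serial in serials:
        target = _local_path(webroot, device_request_url(ztp_url, serial))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(template.format(serial=serial))
        written[serial] = target
    return written


def missing_bootfiles(webroot: str, ztp_url: str, serials: list[str]) -> list[str]:
    """Serials whose boot file is absent; run this before the factory reset."""
    return [s for s in serials
            if not _local_path(webroot, device_request_url(ztp_url, s)).is_file()]


def demo() -> dict:
    """Stage both layouts in a scratch directory and report what would be served."""
    serials = ["HC1000001", "HC1000002"]          # constructed serial numbers
    with tempfile.TemporaryDirectory() as webroot:
        per_device = stage_bootfiles(webroot, "http://3.3.33.6/ztp/*.conf",
                                     PER_DEVICE_TEMPLATE, serials)
        shared = stage_bootfiles(webroot, "http://3.3.33.6/bootfile.conf",
                                 SHARED_TEMPLATE, serials)
        return {
            "per_device": sorted(p.name for p in per_device.values()),
            "per_device_hostname": per_device["HC1000001"].read_text().splitlines()[0],
            "shared": shared["HC1000001"].name,
            # HC1000003 was never staged, so it must be reported as missing
            "missing": missing_bootfiles(webroot, "http://3.3.33.6/ztp/*.conf",
                                         serials + ["HC1000003"]),
        }


if __name__ == "__main__":
    print(demo())
```

Point webroot at the real document root of the HTTP server named in the DHCP option and run missing_bootfiles() with the full list of serial numbers before resetting any device; an empty result means every device will find its file.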

Create the Configuration Boot File

1.   Define the configuration in the boot file that the device will use:
a. Hostname: Specifies the device hostname.
b. Local User Configuration: Defines user credentials. For security reasons, the password must be supplied in encrypted format; you can use an existing Gigamon device to produce the encrypted string.
c. Log Server Configuration: Specifies log server details for device log storage.
d. SNMP Server Configuration: Provides SNMP server details for monitoring.
2. Save the configuration file with an appropriate name (e.g., Serialnumber.conf or boot.conf).

Sample configuration via ZTP boot file:

    hostname HC1
    username admin password 9 VB8LxzVH1iNEs7BfNgTqOIeOTsU86OXnNTnK1izrVPC63IwuNP1IV+D+ATVrHRUy
    ip domain-list
    logging 10.114.10.57
    logging 10.114.10.57 trap info
    logging fcab:1:1:2160:34f8:8bb1:d2d:20b8
    logging fcab:1:1:2160:34f8:8bb1:d2d:20b8 trap warning
    logging local info
    snmp-server community public
    snmp-server enable communities
    no snmp-server host 20.114.210.62 disable
    snmp-server host 20.114.210.62 traps port 7744 version 2c
    no snmp-server host fcab:1:1:2160:34f8:8bb1:d2d:20b8 disable
    snmp-server throttle event bcmsoctemp interval 120
    snmp-server throttle event bottomswitchtemp interval 120
    snmp-server throttle event cpusoctemp interval 120
    snmp-server traps event userauthfail
    snmp-server traps event vportstatechange
    snmp-server traps event watchdogreset
    no snmp-server user fm-snmp-user v3 enable
    snmp-server user fm-snmp-user v3 encrypted auth sha "" priv aes-128 ""
    snmp-server user user1 v3 enable

The SNMP lines are illustrative only: the sample enables the default community "public" and a v2c trap host, and both send the community string in clear text. In production, prefer SNMPv3 users with authentication and privacy keys (the fm-snmp-user line shows the syntax but carries empty keys and is left disabled), and change the community if v1/v2c must remain enabled.

Upload the Configuration Boot File

1.   Upload the configuration boot file to the server location specified in the DHCP server.
2. Ensure the file is in the correct path as mentioned in the DHCP server and accessible by devices.

Verify the Zero Touch Provisioning (ZTP) Process

1.   Perform a factory reset or fresh installation to initiate the ZTP process.
2. The device automatically requests an IP address from the DHCP server, retrieves the configuration boot file specified by the URL, and applies the configurations from the boot file.
3. Use the show system ztp command to check the ZTP status.

Note:  In all failure scenarios, the system prompts the user with the jump-start configuration wizard.

Security Considerations

The security of the Zero Touch Provisioning process depends entirely on DHCP, so anyone deploying it must secure the DHCP infrastructure. A compromised DHCP server, or an environment in which a rogue DHCP server could be introduced, can point the device at an attacker-controlled boot file and therefore compromise the Gigamon ZTP process and the end device.

Gigamon further strongly recommends that any passwords present in the configuration be encrypted. The configuration file is transferred in clear text over HTTP, so its contents can be read, and in principle altered, in transit; this must be acknowledged and risk-managed for any deployment.

Note:  ZTP will be enabled in the case of a fresh installation or following a factory reset (command: ‘reset factory all’). In normal operation, including a normal reload of a configured box or following a software upgrade, ZTP will be disabled.

Limitations

1.   ZTP functionality is limited to the DHCP client on the management interface only.
2. When both DHCPv4 and DHCPv6 are enabled on the management interface, the same boot file URL must be configured on both DHCP servers.
3. ZTP is not supported on the DELL S4112F-ON and G-TAP A Series 2 devices.
4. The ZTP configuration boot file can be downloaded only through HTTP.
5. In the event of a configuration failure during ZTP, successfully applied configurations will not be reverted.
6. ZTP does not support cluster configurations through the boot file.
7. It is not recommended to include AAA configurations in the ZTP boot file, as GigaVUE-OS currently does not support password encryption for AAA configurations.
8. Configurations that require user input (e.g., yes/no) are not supported through the ZTP boot file.
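Because ZTP applies whatever the file contains and does not roll back on failure, a pre-upload check is worthwhile. The following lint is an added example (not Gigamon code) that encodes the rules on this page: it rejects local-user passwords that are not in the encrypted form shown in the sample boot file, rejects AAA and cluster lines (Limitations 6 and 7), and warns about SNMPv1/v2c communities and trap hosts, which travel in clear text just like the file itself. It assumes that the "password 9 <string>" form of the sample is the encrypted form, that AAA and cluster commands begin with the keywords aaa and cluster, and it runs over an abridged copy of the page's sample boot file.

```python
"""Pre-upload lint for a GigaVUE-OS ZTP boot file.

Added example; not Gigamon code.  The rules come from this page: local-user
passwords only in encrypted form, no AAA and no cluster configuration, and
the DHCP/HTTP path is unauthenticated so clear-text credentials in the file
are exposed.  Assumption: the "password 9 <string>" form in the page's sample
is the encrypted form; any other "username ... password" line is treated as
clear text.  SNMPv1/v2c communities are warned about rather than rejected.
"""
import re

# Abridged copy of the page's sample boot file.
SAMPLE_BOOTFILE = """\
hostname HC1
username admin password 9 VB8LxzVH1iNEs7BfNgTqOIeOTsU86OXnNTnK1izrVPC63IwuNP1IV+D+ATVrHRUy
logging 10.114.10.57
logging 10.114.10.57 trap info
snmp-server community public
snmp-server enable communities
snmp-server host 20.114.210.62 traps port 7744 version 2c
snmp-server user user1 v3 enable
"""

ANY_PASSWORD = re.compile(r"^username\s+\S+\s+password\b")
ENCRYPTED_PASSWORD = re.compile(r"^username\s+\S+\s+password\s+9\s+\S+$")
V2C_TRAP_HOST = re.compile(r"^snmp-server host \S+ traps(?: port \d+)? version (?:1|2c)\b")

Finding = tuple[str, int, str]   # (severity, line number, message)


def lint_bootfile(text: str) -> list[Finding]:
    """Return a finding for each line that violates a ZTP boot-file rule."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank or comment line
            continue
        if ANY_PASSWORD.match(line) and not ENCRYPTED_PASSWORD.match(line):
            findings.append(("error", lineno,
                             "local user password is not in encrypted (9) form"))
        elif line.startswith("aaa "):             # keyword heuristic (assumption)
            findings.append(("error", lineno,
                             "AAA configuration: password encryption unsupported in ZTP"))
        elif line.startswith("cluster "):         # keyword heuristic (assumption)
            findings.append(("error", lineno,
                             "cluster configuration is not supported via ZTP"))
        elif line.startswith("snmp-server community "):
            community = line.split()[2]
            msg = "SNMPv1/v2c community is sent in clear text; prefer SNMPv3"
            if community == "public":
                msg += " (default community 'public')"
            findings.append(("warn", lineno, msg))
        elif V2C_TRAP_HOST.match(line):
            findings.append(("warn", lineno,
                             "trap host uses SNMPv1/v2c; prefer a v3 user with auth/priv"))
    return findings


def has_errors(findings: list[Finding]) -> bool:
    """True if any finding should block the upload."""
    return any(severity == "error" for severity, _, _ in findings)


if __name__ == "__main__":
    results = lint_bootfile(SAMPLE_BOOTFILE)
    for severity, lineno, msg in results:
        print(f"{severity:5} line {lineno}: {msg}")
    print("upload blocked" if has_errors(results) else "ok to upload")
```

Run it over the file you are about to place on the HTTP server and refuse the upload while has_errors() is true; the warnings flag settings that work but leave credentials readable on the same unauthenticated path the boot file travels.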