Zero Touch Provisioning Support


Zero Touch Provisioning (ZTP) is used to quickly bring up and deploy a configuration on a Pluribus switch with no user interaction. It is typically used in large-scale data center deployments where the data center engineers simply rack the equipment and connect it to the management network.


ZTP leverages an on-premise DHCP server on which an administrator configures one or more vendor-specific DHCP options. Netvisor One interprets these options and configures the switch accordingly.


ZTP runs when Netvisor One is started and is in setup mode. Netvisor One searches for the vendor-specific DHCP options (236 and 237), in addition to a few commonly used ones.


Phase 2 of ZTP allows you to bring up a new switch and automatically configure the required switch-setup settings, in-band-ip, or port-specific settings.


As new switches are connected to the DHCP-enabled management network, the new switch is provided the required configuration using DHCP options to connect and retrieve a script (ZTP script) that is then interpreted by Netvisor One.


If the switch is in ‘setup’ mode, Netvisor One discovers and runs the ZTP script using the following algorithm:


  1. local directory (/sftp/import/nv-ztp-installer)
  2. directory of USB drive (i.e. /media/{drive}/nv-ztp-installer)
  3. remote web server (http://<host>/nv-ztp-installer)


In all of the above cases, the script must be named nv-ztp-installer. The one exception is DHCP option 236, which may carry a complete URL, including the complete path to the installer.


For example:

option Pluribus_ZTP_url "http://<server>/my_script";

Also, if you are using options 66 and/or 67, the script name may be given by option 67. If option 67 is not used, Netvisor One defaults to the name nv-ztp-installer. Additionally, the script is encrypted and signed using the Developer Portal on Pluribus Networks Cloud.



Pluribus Networks Cloud - Developer Portal




You can upload the script and click the Create Signed Package button. The script is then encrypted, signed, and downloaded to your switch. The script is not stored on the Pluribus Networks Cloud.


Note: Please contact Pluribus Networks for access to the Developer Portal.



If Netvisor One is in setup mode, ZTP discovery is triggered upon service startup. This is the default mode for Netvisor One.

The ZTP script contains a number of CLI commands that are interpreted in the order listed in the script and issued to Netvisor One as if you typed them at the CLI prompt.

The following sample script accepts the EULA, sets the inband-ip (based on DHCP option 237), name of the switch, DNS domain, and joins the fabric, corp-fabric:

#
# Configure the setup-related options first
#
switch-setup-modify eula-accepted true
switch-setup-modify in-band-ip %NV_ZTP_INBAND_IP%
--script-password switch-setup-modify password changeme
switch-setup-modify switch-name august
switch-setup-modify domain-name pluribusnetworks.com
#
# At this stage, nvOS is no longer in setup mode, other commands
# may now be used.
#
switch-setup-modify phone-home
--user network-admin:test123 fabric-join name corp-fabric


Any command used at the CLI prompt can also be used in a ZTP script. The ZTP script is limited to CLI commands: regular Unix shell commands are not supported at this time and cause the script to fail.

When developing the script, it is recommended to validate the script by first executing the equivalent commands at the CLI prompt to ensure the proper sequence and syntax. If any command fails, the script is terminated.

The %NV_ZTP_INBAND_IP% placeholder, if used, is replaced with the value of the vendor-specific DHCP option 237. This allows the DHCP server to control the in-band IP assignment in much the same way as it controls management IP assignment by MAC. For example, the following DHCP server snippet sends the inband-ip of 1.1.1.1 to my-switch:

host my-switch {
  hardware ethernet 01:02:03:04:05:06;
  option host-name "my-switch1";
  option Pluribus_ZTP_inband_ip "1.1.1.1/24";
  fixed-address 192.168.1.10;
}
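The following generator is an added example, not part of the Pluribus documentation. It renders host blocks like the one above from an inventory and rejects malformed or duplicate values before they reach the DHCP server. It assumes ISC dhcpd, whose `code N = text` declaration syntax is used for options 236 and 237; the function and variable names are hypothetical.

```python
import ipaddress
import re

MAC = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")

# ISC dhcpd declarations for the two vendor options (both are strings).
# Option names follow the page's snippets; assumed to be declared like this.
HEADER = (
    "option Pluribus_ZTP_url code 236 = text;\n"
    "option Pluribus_ZTP_inband_ip code 237 = text;\n"
)

def render_hosts(inventory):
    """Render dhcpd host blocks from (name, mac, mgmt_ip, inband_cidr) rows.

    Raises ValueError on a malformed or duplicate value, so a typo is caught
    here instead of by a ZTP script that terminates on the failed command.
    """
    seen = set()
    blocks = [HEADER]
    for name, mac, mgmt_ip, inband in inventory:
        mac = mac.lower()
        # Strict patterns also keep quotes and braces out of the config file.
        if not NAME.fullmatch(name):
            raise ValueError(f"bad host name {name!r}")
        if not MAC.fullmatch(mac):
            raise ValueError(f"{name}: bad MAC {mac!r}")
        if "/" not in inband:
            raise ValueError(f"{name}: in-band IP needs a prefix length")
        mgmt = ipaddress.ip_address(mgmt_ip)      # ValueError if malformed
        iface = ipaddress.ip_interface(inband)    # ValueError if malformed
        for key in (("name", name), ("mac", mac), ("mgmt", mgmt), ("inband", iface.ip)):
            if key in seen:
                raise ValueError(f"{name}: duplicate {key[0]} {key[1]}")
            seen.add(key)
        blocks.append(
            f"host {name} {{\n"
            f"  hardware ethernet {mac};\n"
            f'  option host-name "{name}";\n'
            f'  option Pluribus_ZTP_inband_ip "{iface.with_prefixlen}";\n'
            f"  fixed-address {mgmt};\n"
            f"}}\n"
        )
    return "\n".join(blocks)

# Constructed sample row using the values from the page's snippet.
SAMPLE = [("my-switch", "01:02:03:04:05:06", "192.168.1.10", "1.1.1.1/24")]

if __name__ == "__main__":
    print(render_hosts(SAMPLE))
```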

 



ZTP Script Discovery

 

DHCP Options


The following options are queried and interrogated during ZTP discovery:

  • OPTION 54: DHCP server identifier
  • OPTION 66: TFTP server name
  • OPTION 67: Boot filename
  • OPTION 72: WWW server
  • OPTION 236: Pluribus ZTP URL (string)
  • OPTION 237: Pluribus ZTP Inband IP (string)


SFTP Discovery


SFTP discovery checks for the presence of the ZTP installer (nv-ztp-installer) in the directory: /sftp/import.


USB Discovery


USB discovery checks for the presence of the ZTP installer (nv-ztp-installer) on the root directory of a removable drive. For Netvisor One, USB drives are auto-mounted under /media/{name of drive}.


HTTP Discovery


HTTP discovery uses the DHCP options above to find the ZTP script by performing a wget against each of the options.


When performing HTTP discovery, Netvisor One sends a number of HTTP headers with each request. These HTTP headers are set in the request to identify the client and platform to the server. This allows the server-side to generate a dynamic response based on these client parameters.


Netvisor One sends the following HTTP headers during ZTP discovery:

  • X-NV-ZTP-HOSTID: <hostid of switch>
  • X-NV-ZTP-SERIAL: <serial # of switch>
  • X-NV-ZTP-PLATFORM: <platform of switch>
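The dynamic response described above can be built as in the following added example, which is not Pluribus code. It treats the three headers as unauthenticated client input and uses them only as lookup keys into a fixed inventory of pre-signed packages. The inventory entries, package directory and function names are assumptions made for illustration.

```python
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

# Constructed inventory: serial -> (expected platform, signed package file).
# The serials, platform strings and file names are placeholders.
INVENTORY = {
    "SERIAL-EXAMPLE-1": ("PLATFORM-EXAMPLE-A", "leaf1.pkg"),
    "SERIAL-EXAMPLE-2": ("PLATFORM-EXAMPLE-B", "spine1.pkg"),
}
PACKAGE_DIR = Path("/srv/ztp/signed")  # assumed directory of signed packages

def select_package(headers):
    """Return the package file name for this client, or None to refuse."""
    serial = headers.get("X-NV-ZTP-SERIAL", "")
    platform = headers.get("X-NV-ZTP-PLATFORM", "")
    hostid = headers.get("X-NV-ZTP-HOSTID", "")
    # The headers are client-supplied and unauthenticated: use them only as
    # lookup keys into a fixed inventory, never as part of a file path.
    entry = INVENTORY.get(serial)
    if entry is None or entry[0] != platform:
        # %r escapes control characters, so a header cannot forge log lines.
        logging.warning("ZTP refused: serial=%r platform=%r hostid=%r",
                        serial[:64], platform[:64], hostid[:64])
        return None
    return entry[1]

class ZtpHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = None
        if self.path == "/nv-ztp-installer":
            name = select_package(self.headers)
        if name is None:
            self.send_error(404)
            return
        body = (PACKAGE_DIR / name).read_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Port 80 matches the http://<host>/nv-ztp-installer form (needs privilege).
    HTTPServer(("", 80), ZtpHandler).serve_forever()
```

Because any host on the management network can send these headers, the lookup only selects which package to serve; integrity still rests on the signature check that Netvisor One performs on the script.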


Security Considerations


The script is encrypted and signed in the same way as Netvisor One packages and can only be decrypted by Netvisor One.

The signer is also verified, and only scripts signed by Pluribus are run.