How to set up a controller using ZTP (Zero Touch Provisioning) on an MM in ArubaOS 8.x
- An Activate account is required, and the MD must be added to that account.
- The MD must be able to get an IP address and DNS information from a DHCP server.
- The MM and MD must have internet access (ports: DNS and HTTPS) to contact the Activate server (device.arubanetworks.com).
Starting from 8.x, 72xx and 70xx controllers can be brought up as an MD on an MM using Zero Touch Provisioning.
- Connect the last copper port of the controller (which is pre-configured in access VLAN 4094 as a DHCP client) to the uplink switch/modem so that the MD can get its IP address and DNS information.
- The MM uploads the certificate to the Activate server using the Activate credentials provided to it.
- The MD establishes an HTTPS connection with the Activate server and obtains the information about the MM (IP address of the MM, node path, certificate).
- The MM gets the details about the MD from Activate and whitelists it.
- The MD establishes an IPsec connection with the MM.
1. Once the device is added to Activate, set the mode of the MD to "Managed Device".
2. Configure the rule "Managed Device to Master Controller" and provide the details about the MM.
3. Configure the Activate credentials on the MM.
Once the MD has obtained an IP address and DNS information from the DHCP server, it automatically contacts Activate and receives the MM information from Activate.
From the console logs of MD:
Received DHCP response, My IP = 10.17.168.30, Master = none, Country code = none
Master info not received from DHCP, trying activate
Received Activate response, My Role = md, Master = 10.17.164.171, Master MAC = 00:50:56:9F:E7:A1, Hostname = ZTP-MD, Country code = US, Redundant Master MAC = none VPN IP = none, VPN MAC = none, Redundant VPN MAC = none
Master = 10.17.164.171 auto-discovered from Activate
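Because the MD takes the MM's identity from whatever Activate returns, it is worth confirming that the values in the console log match the MM you intended. The following is an added example, not part of the original article or of any Aruba tooling: it parses the "Received Activate response" line and compares it with the expected MM. The function names and the second, constructed log are assumptions made for illustration.

```python
import re

# Field names as printed in the MD console line "Received Activate response, ...".
# Longest names first so "Redundant Master MAC" is not read as "Master MAC".
KEYS = sorted(["My Role", "Master", "Master MAC", "Hostname", "Country code",
               "Redundant Master MAC", "VPN IP", "VPN MAC", "Redundant VPN MAC"],
              key=len, reverse=True)
FIELD_RE = re.compile(r"(%s) = ([^,\s]+)" % "|".join(map(re.escape, KEYS)))

def parse_activate_response(log_text):
    """Return the fields of the first 'Received Activate response' line, or None."""
    for line in log_text.splitlines():
        if "Received Activate response" in line:
            # The logged line has no comma before "VPN IP", so match on field
            # names instead of splitting on commas.
            return {k: (None if v.lower() == "none" else v)
                    for k, v in FIELD_RE.findall(line)}
    return None

def check_provisioning(log_text, expected_mm_ip, expected_mm_mac):
    """Compare what Activate handed the MD with the MM the operator expects."""
    fields = parse_activate_response(log_text)
    if fields is None:
        return ["no Activate response in log"]
    findings = []
    if fields.get("My Role") != "md":
        findings.append("unexpected role: %s" % fields.get("My Role"))
    if fields.get("Master") != expected_mm_ip:
        findings.append("unexpected MM IP: %s" % fields.get("Master"))
    if (fields.get("Master MAC") or "").lower() != expected_mm_mac.lower():
        findings.append("unexpected MM MAC: %s" % fields.get("Master MAC"))
    return findings

# Console lines copied from the MD log shown in this article.
PAGE_LOG = """Received DHCP response, My IP = 10.17.168.30, Master = none, Country code = none
Master info not received from DHCP, trying activate
Received Activate response, My Role = md, Master = 10.17.164.171, Master MAC = 00:50:56:9F:E7:A1, Hostname = ZTP-MD, Country code = US, Redundant Master MAC = none VPN IP = none, VPN MAC = none, Redundant VPN MAC = none
Master = 10.17.164.171 auto-discovered from Activate"""

# Constructed variant (not from the article): same log with a different MM IP and MAC.
CONSTRUCTED_LOG = (PAGE_LOG.replace("10.17.164.171", "192.0.2.10")
                           .replace("00:50:56:9F:E7:A1", "02:00:00:00:00:01"))

if __name__ == "__main__":
    print(check_provisioning(PAGE_LOG, "10.17.164.171", "00:50:56:9f:e7:a1"))
    print(check_provisioning(CONSTRUCTED_LOG, "10.17.164.171", "00:50:56:9f:e7:a1"))
```

An empty result means the role, MM IP and MM MAC in the log all match the expected values; any entry in the list is a reason to stop and review the Activate rule before the MD builds its IPsec tunnel.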
(Abdul-MM) [mynode] #show running-config | include local-custom
local-custom-cert local-mac "00:0b:86:dd:4f:20" ca-cert factory-ca-cert server-cert self-signed-field-cert --> whitelist entry pushed from Activate.
Note: The controller syncs regularly to get the whitelist details from Activate. If it does not, execute the command #activate sync
IP Address     IPv6 Address  Name      Location          Type    Model      Version              Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ------------  ----      --------          ----    -----      -------              ------  -------------------  ----------------------  ---------
10.17.164.171  None          Abdul-MM  Building1.floor1  master  ArubaMM    126.96.36.199_57204  up      UPDATE SUCCESSFUL    0                       6
10.17.168.30   None          ZTP-MD    Building1.floor1  MD      Aruba7010  188.8.131.52_57204   up      UPDATE SUCCESSFUL    0                       6
(Abdul-MM) [mynode] #show activate
Activate Whitelist Service Enabled
Activate URL https://activate.arubanetworks.com/
Provision Activate URL https://device.arubanetworks.com/
Activate Login Username rvincent
Activate Login Password ********
Periodic Interval for WhiteList Download 1
Add-Only Operation Enabled
Custom cert to upload to Activate N/A
Server cert to be used for IPSEC N/A
(Abdul-MM) [mynode] #