Zero Touch Provisioning for a Branch office controller
Zero Touch Provisioning for a Branch office controller:
Lack of onsite IT support is a big challenge in deployments of remote sites, ZTP makes the deployment of Branch office controllers plug & play. Factory state branch office controllers will be able to learn all the required info from the network and provision itself automatically in the Auto provisioning mode
Currently you can configure controller using setup dialog box.
We are adding two more auto provisioning modes for supporting ZTP feature for BoCs.
Connect last copper port of Controller to as uplink for controller which has vlan 4094 configured with dhcp client
Below are auto Provisioning Modes:
- Controller will get its local IP address and routing information from DHCP
- Controller will get Master information and Country code from DHCP Server
- Controller will add “ArubaMC” as vendor class identifier (VCI - option 60) in its DHCP requests
- DHCP server has to be configured with Master information corresponding to that identifier
- DHCP server sends that information as vendor-specific information (VSI - option 43) in its responses to the controller.
- This method requires interactions with activate server to get Master information.
- BoC establishes HTTPS connection with the activate server (device.arubanetworks.com) and posts provision request to it.
- Activate server authenticates the controller and on successful authentication provides Master information and Country Code to the BoC.
- To override completely auto provisioning – semi-auto and manual modes can be used. Semi-auto mode is available only for BoCs while manual mode is available for any controller roles.
ZTP Semi-auto Mode
- While controller tries to provision automatically in the background, following message will be displayed to the user –
- Auto-provisioning is in progress. To override…
- Enter Switch Role (master|local|standalone|remote-node):
- If user specifies the role as “remote-node”, user will be asked the following question -
- Do you want complete setup dialog? (yes/no):
- If user answers “no”, it will be prompted to provide the master IP address –
- Enter Master Controller IP address:
- If the controller is restricted to a particular country, controller will use that. Otherwise it will prompt the user for country code –Enter Country code:
- After this, the setup dialog will terminate and user will be asked no more questions. Controller will retrieve rest of the configurations from the provided master
- If user answers “yes” for complete setup dialog, or if the user specifies the role as local, master, or standalone, it will be presented the complete setup dialog as today.
- Configuration to BoC will be pushed from Master Controller to BoC
- This configuration will be done through Smart configuration
- For basic BoC operation you need to configure below through Smart Config
- Model Type
- Interface vlan
- IP address for vlan
- Controller IP
- DHCP pool
- Adding mac address of BoC to whitelist
Smart Config has following tabs to configure:
- Profile Management
1) DHCP Auto Provisioning:
- You can log into BoC using serial console with username “remotenodesupport” password “mac address of BoC”
- Make sure controller got an ip address on vlan 4094 from dhcp server
- Make sure controller got default-router from DHCP Server
- Make sure BoC is able to send traffic out to master
- Make sure Wired uplink has state as shown below
(7030) #show uplink
Uplink Manager: Enabled
Uplink Management Table
Id Uplink Type Properties Priority State Status Reachability
-- ----------- ---------- -------- ----- ------ ------------
1 Wired vlan 4094 200 Connected * Active * Reachable
- You can do the packet capture on DHCP Server to make sure DHCP requests coming from BoC
- Make sure BoC Sends Option 60 from packet capture
- Make sure DHCP offer sends Master ip in option 43 from packet capture
Commands to see Status of BoC on Master:
#Show crypto isakmp sa
#Show crypto ipsec sa
#Show switches remote-node
For debugging IPSec issues use debugging levels below:
#Logging level debugging security
#Logging level debugging security process crypto subcat ike
#Show log security all