Testing Zero Touch Provisioning

Here is a truncated capture of the boot process, and you can see that it is a factory load because it says Amnesiac at the login prompt and even states that it is loading the factory configuration:

U-Boot 1.1.6 (Jun 29 2011 - 11:08:23) Board: EX2200-C-12P-2G 4.5

EPLD: Version 14 (0x02) DRAM: Initializing (512MB) Flash: 8 MB

Firmware Version:01.00.00

USB: scanning bus for devices... 3 USB Device(s) found

scanning bus for storage devices... 1 Storage Device(s) found FreeBSD/arm U-Boot loader, Revision 1.1

…bootsuccess is set

new boot device = disk0s2:

Loading /boot/defaults/loader.conf

/kernel data=0x889590+0xdd8ac syms=[0x4+0xf0f80+0x4+0xc89d0]

Hit [Enter] to boot immediately, or space bar for command prompt.

Booting [/kernel]...

JUNOS 12.3R11.2 #0: 2015-09-24 11:14:53 UTC ETHERNET SOCKET BRIDGE initialising

Initializing EXSERIES properties ...

FILE SYSTEM CLEAN; SKIPPING CHECKS

clean, 188909 free (29 frags, 23610 blocks, 0.0% fragmentation)

** /dev/da0s4d

FILE SYSTEM CLEAN; SKIPPING CHECKS

clean, 31663 free (23 frags, 3955 blocks, 0.1% fragmentation)

Creating initial configuration...mgd: error: Cannot open configuration file: /config/

juniper.conf

mgd: warning: activating factory configuration mgd: Running FIPS Self-tests

mgd: FIPS Self-tests Passed mgd: commit complete

mgd: --- mgd: Please login as ‘root’. No password is required.

mgd: To start Initial Setup, type ‘ezsetup’ at the JUNOS prompt.

mgd: To start JUNOS CLI, type ‘cli’ at the JUNOS prompt.

mgd: --- Doing initial network setup:

.Initial interface configuration:

Doing additional network setup:.

Starting final network daemons:.

setting ldconfig path: /usr/lib /opt/lib starting standard daemons: cron.

Local package initialization:.

Initialize /var subdirs

starting local daemons:set cores for group access Boot media /dev/da0 has dual root support

FILE SYSTEM CLEAN; SKIPPING CHECKS

clean, 43287 free (31 frags, 5407 blocks, 0.0% fragmentation) Amnesiac (ttyu0)

Factory-Default Configuration

Here’s a glance at the factory-default configuration so you can see just how minimal it is. Using the show configuration | display set command on a fresh factory-default switch produces the following output:

Amnesiac (ttyu0) login: root

--- JUNOS 12.3R9.4 built 2015-02-12 11:08:08 UTC root@:RE:0%

root@:RE:0% cli

Broadcast Message from root@

(no tty) at 14:10 UTC...

ALERT Auto-image upgrade will start. This can terminate config CLI session(s).

Modified configuration will be lost. To stop Auto-image, in CLI do the following: edit; delete chassis auto-image-upgrade; then commit.

{master:0}

root@CAN1> show configuration | display set set version 12.3R9.4

set system services dhcp traceoptions file dhcp_logfile set system services dhcp traceoptions level all

set system services dhcp traceoptions flag all set system syslog user * any emergency

set system syslog file messages any notice

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any set chassis auto-image-upgrade

set interfaces ge-0/0/0 unit 0 family ethernet-switching set interfaces ge-0/0/1 unit 0 family ethernet-switching set interfaces ge-0/0/2 unit 0 family ethernet-switching set interfaces ge-0/0/3 unit 0 family ethernet-switching set interfaces ge-0/0/4 unit 0 family ethernet-switching set interfaces ge-0/0/5 unit 0 family ethernet-switching set interfaces ge-0/0/6 unit 0 family ethernet-switching set interfaces ge-0/0/7 unit 0 family ethernet-switching set interfaces ge-0/0/8 unit 0 family ethernet-switching set interfaces ge-0/0/9 unit 0 family ethernet-switching set interfaces ge-0/0/10 unit 0 family ethernet-switching set interfaces ge-0/0/11 unit 0 family ethernet-switching set interfaces ge-0/1/0 unit 0 family ethernet-switching set interfaces ge-0/1/1 unit 0 family ethernet-switching

set interfaces me0 unit 0 family inet dhcp vendor-id Juniper-ex2200-c-12p-2g set interfaces vlan unit 0 family inet dhcp vendor-id Juniper-ex2200-c-12p-2g set protocols igmp-snooping vlan all

set protocols rstp

set protocols lldp interface all set protocols lldp-med interface all

set ethernet-switching-options storm-control interface all set vlans default l3-interface vlan.0

set poe interface all

The boldface terms of the configuration are interesting. First, the set

chassis auto-image upgrade is enabled. Next you can see both the me0.0 and vlan.0 interfaces are DHCP clients and are proudly telling the network that this is a Juniper EX2200-C-12P-2G switch and that it wants to be put to work immediately!

Another interesting thing you will see is that the OOB management interface (me0.0) is still connected and the auto-image-upgrade that kicked in before the show configuration command was initiated. That was pretty quick. And because the DHCP server is still running, it actually started the BOOTP process and pulled its configuration:

[root@localhost dhcpd]# tail -f /var/log/messages | grep dhcpd

Oct 10 22:36:32 localhost dhcpd: Wrote 0 new dynamic host decls to leases file.

Oct 10 22:36:32 localhost dhcpd: Wrote 0 leases to leases file.

Oct 10 22:36:32 localhost dhcpd: Listening on LPF/eth0/08:00:27:04:f3:a3/192.168.2.0/24 Oct 10 22:36:32 localhost dhcpd: Sending on LPF/eth0/08:00:27:04:f3:a3/192.168.2.0/24 Oct 10 22:36:32 localhost dhcpd: Sending on Socket/fallback/fallback-net

Oct 10 22:36:50 localhost dhcpd: Dynamic and static leases present for 192.168.2.10.

Oct 10 22:36:50 localhost dhcpd: Remove host declaration CAN1 or remove 192.168.2.10 Oct 10 22:36:50 localhost dhcpd: from the dynamic address pool for 192.168.2.0/24

Oct 10 22:36:50 localhost dhcpd: DHCPREQUEST for 192.168.2.10 from 78:fe:3d:e4:01:bf via eth0

Oct 10 22:36:50 localhost dhcpd: DHCPACK on 192.168.2.10 to 78:fe:3d:e4:01:bf via eth0

Meanwhile, if you log in to the switch as root, you will see on the console that the auto configuration has started:

Broadcast Message from root@CAN1 (no tty) at 14:10 UTC...

Auto-image upgrade started successfully Broadcast Message from root@CAN1 (no tty) at 14:10 UTC...

ALERT Auto-image upgrade will start and this process can terminate CLI session(s) and modified configurations can be lost. To stop auto-image, do the following: edit; delete chassis auto-image-upgrade; commit. Approximately two minutes after the BOOTP message you will receive the auto-image upgrade message:

Auto-image upgrade starts now

WARNING!!! On successful installation, system will reboot automatically

Approximately five minutes after the warning message you will receive the shutdown message:

*** FINAL System shutdown message from root@CAN1 ***

System going down IMMEDIATELY

And when the switch issues the broadcast message you can see the BOOTP request coming to the server:

22:37:40.420568 IP 192.168.2.10.bootpc > 192.168.2.252.bootps: BOOTP/DHCP, Request from 78:fe:3d:e4:01:bf, length 321

22:38:11.208321 IP 192.168.2.10.50591 > 192.168.2.252.http: Flags [S], seq 3188398318, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 853868 ecr 0,sackOK,eol], length 0 22:38:11.208339 IP 192.168.2.252.http > 192.168.2.10.50591: Flags [R.], seq 0, ack 3188398319, win 0, length 0

22:38:16.208658 ARP, Request who-has 192.168.2.10 tell 192.168.2.252, length 28 22:38:16.209233 ARP, Reply 192.168.2.10 is-at 78:fe:3d:e4:01:bf, length 46

22:39:01.259141 IP 192.168.2.10.55088 > 192.168.2.252.http: Flags [S], seq 2908127708, win

65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 903921 ecr 0,sackOK,eol], length 0 22:39:01.259183 IP 192.168.2.252.http > 192.168.2.10.55088: Flags [S.], seq 2050800400, ack 2908127709, win 14480, options [mss 1460,sackOK,TS val 9602325 ecr 903921,nop,wscale 7], length 0

22:39:01.260281 IP 192.168.2.10.55088 > 192.168.2.252.http: Flags [.], ack 1, win 33304, options [nop,nop,TS val 903922 ecr 9602325], length 0

Upon reboot you can see that the device pulled the correct image from the dhcpd.conf file:

Installing disk0s3d:/jinstall-ex-2200-12.3R9.4-domestic-signed.tgz

Verified jinstall-ex-2200-12.3R9.4-domestic.tgz signed by PackageProduction_12_3_0

One more reboot to remove the old J-base files (approximately five minutes after last message):

WARNING: A reboot is required to load this software correctly WARNING: Use the ‘request system reboot’ command

WARNING: when software installation is complete Adding jbase-ex...

Adding jkernel-ex-2200...

Adding jcrypto-ex...

Adding jdocs-ex...

Adding jswitch-ex...

Adding jpfe-ex22x...

Adding jroute-ex...

Adding jweb-ex...

hup_init: not found Adding fips-mode-arm...

Rebooting to complete the installation. Please wait...

And now the final verification:

FILE SYSTEM CLEAN; SKIPPING CHECKS

clean, 43215 free (55 frags, 5395 blocks, 0.1% fragmentation) CAN1 (ttyu0)

--- JUNOS 12.3R9.4 built 2015-02-12 11:08:08 UTC root@CAN1:RE:0% cli

{master:0}

root@CAN1>

Now let’s SSH to the device to ensure that we can verify the device is manageable, that the interface is up, and that our configuration has been automatically loaded:

sreisinger$ ssh junspace@192.168.2.10

The authenticity of host ‘192.168.2.10 (192.168.2.10)’ can’t be established.

RSA key fingerprint is b2:73:92:4f:11:4b:1f:c2:8d:3a:1a:e4:ec:04:71:04.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.2.10’ (RSA) to the list of known hosts.

- Banner

junspace@192.168.2.10’s password:

--- JUNOS 12.3R9.4 built 2015-02-12 11:08:08 UTC {master:0}

junspace@CAN1> show interfaces terse | match me0.0

me0.0 up up inet 192.168.2.10/24 {master:0}

junspace@CAN1> show configuration

## Last commit: 2015-02-12 14:22:35 UTC by root version 12.3R9.4;

groups {

juniper-ais { system { scripts { commit {

allow-transients;

file jais-SN-activate-scripts.slax { optional;

} } } }

event-options { destinations { juniper-aim { archive-sites { /var/tmp/;

} } } } } }

apply-groups juniper-ais;

* dhcpd-generated /var/etc/dhcpd.options.conf

* Version: DHCPD release 12.3R9.4 built by builder on 2015-02-12 11:12:32 UTC * Written: Thu Feb 12 14:18:53 2015

system {

host-name CAN1;

authentication-order [ password radius ];

root-authentication {

encrypted-password 12uJsJuK6hHKA; ## SECRET-DATA }

radius-server { 192.168.2.252 { port 1812;

secret “$9$uFP6OIhrlv8x-lKxdVbaJFn6C0BEcy”; ## SECRET-DATA timeout 3;

retry 3;

source-address 192.168.2.10;

} } login {

message “\n\nYou are accessing….

<…>

And obviously, this is truncated for the sake of brevity. Let’s summarize the steps in Chapter 4:

You verified the MAC address of the chassis and determined which interface to use.

You connected the device to the network.

You reviewed the default configuration.

You watched the device boot to Amnesiac prompt that indicates it is at factory default.

You watched the CLI state that it is going into the auto-image upgrade.

And, once the device rebooted, you were presented with the configuration pulled from the HTTP server with a working production configuration to include hostname production interfaces and user accounts.

Summary

This was a successful ZTP implementation using just the basics of a DHCP and HTTP server and a factory default configuration on a Juniper Networks EX2200-C-12P Series Switch.

The server was built on VMware Fusion, on a Mac.

The server was configured for access with IP addresses, and IPTABLE entries to allow ports 80, 67, and 68.

The SSHD, HTTPD, and DHCPD services were turned up.

You should understand, in detail, the different pieces of the dhcpd.conf file.

And finally, the ZTP test was run and it accomplished the task with very successful results.

NOTE The Day One lab EX Series switch pulled a new image and it had to reboot twice, which added an extra five minutes per boot. The EX2200-C takes about five minutes to boot already, so the entire process took about 15-20 minutes from power up to complete load.

However, there was no truck role, and there was no hands-on require- ment – it’s a complete set it and forget it solution.

Appendix A: VI

VI is a command-line editor that is widely used on Linux/UNIX-based platforms and is automatically loaded with virtually all versions of Linux/UNIX. Table A.1 lists some of the most common commands to assist you in getting started.

Table A.1 Common VI Commands

Input mode commands

i Inserts text before cursor

I Inserts text at the beginning of the current line a Appends text after cursor position

A Appends text at the end of the current line

o Opens a line below

O Opens a line above

Delete commands

dw Deletes word from current position dd Deletes the entire line

D Deletes from current position to end of current line x Deletes character at cursor position

Change Text

cw Changes word

cc Changes the line

C Changes to the end of the line

r Replaces the single character under the cursor

J Joins lines

Move cursor

e Moves to the end of the word

w Moves to the next word

$ Moves to the end of the line

l Moves one space right

k Moves one line up

j Moves one line down

h Moves one space left

H Moves cursor to the top line on the screen L Moves cursor to the bottom line on the screen M Moves cursor to the middle line on the screen

^ Moves cursor to the beginning of the line fx Moves cursor to first occurrence of x Marking Locations

mx Marks current position with letter x

`x Moves cursor to mark x

‘x Moves cursor to beginning of the line containing mark x Screen Control

CTRL-d Scrolls forward one half screen CTRL-u Scrolls backwards one half screen CTRL-f Scrolls forward one screen CTRL-b Scrolls backward one screen CTRL-l Refreshes screen

z Redraws screen with current line on top z- Redraws screen with current line on bottom [number]G Places cursor at line number

Moving text

yy Yanks one line into buffer

p Puts yanked lines below cursor position P Puts yanked lines above current position Escape or Last Line mode commands

:w[file] Writes current buffer as file

:q Quits file

:q! Quits file without saving changes :wq Writes changes to file and quits :r[file] Reads file

:e[file] Edits file

:!command Executes a command in the shell

:n Moves to line n

:f Prints out current line and file name Info

CTRL-G Shows size of file, current filename, and current line Other functions

u Undoes last command

/string Searches forward for string

?string Searches backward for string

n Finds next string

. Repeats last command

ESC Moves from text input mode to command mode. ** Note ** Use this to enter Last Line mode

CTRL-V Inserts any character including special characters

~ Changes character to opposite case

ZZ Saves file and exits

TIPS

5dd Deletes 5 lines

10yy Yanks 10 lines

10CTRL-d Scrolls down 10 lines

$vi new.file This command is used at the command line and tells the editor to open and place you in full screen mode at which point you can begin creating the file named new.

file

i To insert text

ESCAPE To enter last line mode :wq To write and exit the file

$ Back to the command line

Appendix B: The CAN1.config

Here is the CAN1.config that is being utilized in this book’s lab and is what was actually loaded on the HTTP server and pulled down by the EX2200 during ZTP:

CAN1> show configuration | display set | no-more set version 12.3R9.4

set groups juniper-ais system scripts commit allow-transients

set groups juniper-ais system scripts commit file jais-SN-activate-scripts.slax optional set groups juniper-ais event-options destinations juniper-aim archive-sites /var/tmp/

set apply-groups juniper-ais set system host-name CAN1

set system authentication-order password set system authentication-order radius

set system root-authentication encrypted-password 12uJsJuK6hHKA set system radius-server 192.168.2.252 port 1812

set system radius-server 192.168.2.252 secret “$9$uFP6OIhrlv8x-lKxdVbaJFn6C0BEcy”

set system radius-server 192.168.2.252 timeout 3 set system radius-server 192.168.2.252 retry 3

set system radius-server 192.168.2.252 source-address 192.168.2.10

set system login message “\n\nCommunications and work product are private and\

nconfidential.\n\nSee User Agreement for details.\n\n”

set system login user junspace uid 2003

set system login user junspace class super-user

set system login user junspace authentication encrypted-password “$1$3Q81TUw2$4YBbYpStkF4gnV npjBYSx.”

set system login user lab1 uid 2005 set system login user lab1 class operator set system login user lab2 uid 2011 set system login user lab2 class operator set system login user lab3 uid 2012 set system login user lab3 class operator set system login user lab4 uid 2013 set system login user lab4 class operator set system login user lab5 uid 2014 set system login user lab5 class operator set system login user scott uid 2001

set system login user scott class super-user set system services ssh root-login allow

set system services ssh max-sessions-per-connection 32 set system services netconf ssh

set system services dhcp traceoptions file dhcp_logfile set system services dhcp traceoptions level all

set system services dhcp traceoptions flag all set system syslog user * any emergency

set system syslog host 192.168.2.40 any any set system syslog host 192.168.2.2 any any set system syslog file messages any notice

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any set system syslog file default-log-messages any any

AVAILABLE)”

set system syslog file default-log-messages structured-data set system syslog source-address 192.168.2.10

set system ntp server 128.252.19.1 version 4 set system ntp source-address 192.168.2.10

set interfaces interface-range DEFAULT0 member ge-0/0/2 set interfaces interface-range DEFAULT0 member “ge-0/0/[5-9]”

set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members B5 set interfaces ge-0/0/1 unit 0 family ethernet-switching

set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members B5 set interfaces ge-0/0/3 unit 0 family ethernet-switching

set interfaces ge-0/0/4 unit 0 family ethernet-switching set interfaces ge-0/0/5 unit 0 family ethernet-switching set interfaces ge-0/0/6 disable

set interfaces ge-0/0/6 unit 0 family ethernet-switching set interfaces ge-0/0/7 disable

set interfaces ge-0/0/7 unit 0 family ethernet-switching set interfaces ge-0/0/8 disable

set interfaces ge-0/0/8 unit 0 family ethernet-switching set interfaces ge-0/0/9 disable

set interfaces ge-0/0/9 unit 0 family ethernet-switching set interfaces ge-0/0/10 disable

set interfaces ge-0/0/10 unit 0 family ethernet-switching set interfaces ge-0/0/11 disable

set interfaces ge-0/0/11 unit 0 family ethernet-switching set interfaces ge-0/1/0 disable

set interfaces ge-0/1/0 unit 0 family ethernet-switching set interfaces ge-0/1/1 disable

set interfaces ge-0/1/1 unit 0 family ethernet-switching set interfaces lo0 unit 0 family inet6 address 2001:db8::2/128 set interfaces me0 unit 0 family inet filter input MGT_FILTER set interfaces me0 unit 0 family inet address 192.168.2.10/24 set interfaces vlan unit 5 family inet address 10.1.5.13/24 set snmp client-list 192.168.1.0/24

set snmp client-list 192.168.2.0/24 set snmp community “CAct1SNMP”

set snmp trap-options source-address 192.168.2.10

set snmp trap-group networkdirector_trap_group version all

set snmp trap-group networkdirector_trap_group destination-port 10162 set snmp trap-group networkdirector_trap_group categories authentication set snmp trap-group networkdirector_trap_group categories chassis set snmp trap-group networkdirector_trap_group categories link

set snmp trap-group networkdirector_trap_group categories configuration set snmp trap-group networkdirector_trap_group categories services set snmp trap-group space targets 192.168.2.61

set forwarding-options helpers bootp server 192.168.2.252

set event-options policy target_add_test events snmpd_trap_target_add_notice set event-options policy target_add_test events coldStart

set event-options policy target_add_test then raise-trap set routing-options static route 0.0.0.0/0 next-hop 192.168.2.1 set routing-options static route 0.0.0.0/0 no-readvertise set protocols igmp-snooping vlan all

set protocols rstp

set protocols lldp interface all set protocols lldp interface me0.0 set protocols lldp-med interface all

set policy-options prefix-list SSH 192.168.2.0/24 set policy-options prefix-list SSH 192.168.4.0/24 set policy-options prefix-list SSH 192.168.5.2/32

set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC from protocol direct set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC from protocol local set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC from protocol static set policy-options policy-statement OSPF-LOCAL-DIRECT-STATIC then accept

set firewall family inet filter MGT_FILTER term SSH from source-prefix-list SSH set firewall family inet filter MGT_FILTER term SSH from destination-port ssh set firewall family inet filter MGT_FILTER term SSH then count MGT.SSH set firewall family inet filter MGT_FILTER term SSH then accept

set firewall family inet filter MGT_FILTER term ICMP from source-address 192.168.2.0/24 set firewall family inet filter MGT_FILTER term ICMP from destination-address 192.168.2.10/32 set firewall family inet filter MGT_FILTER term ICMP from protocol icmp

set firewall family inet filter MGT_FILTER term ICMP then count MGT.ICMP set firewall family inet filter MGT_FILTER term ICMP then accept

set firewall family inet filter MGT_FILTER term SNMP from source-address 192.168.2.0/24 set firewall family inet filter MGT_FILTER term SNMP from destination-port snmp

set firewall family inet filter MGT_FILTER term SNMP then count MGT.SNMP set firewall family inet filter MGT_FILTER term SNMP then accept

set firewall family inet filter MGT_FILTER term ALL_OTHERS then count MGT.REJECT set firewall family inet filter MGT_FILTER term ALL_OTHERS then log

set firewall family inet filter MGT_FILTER term ALL_OTHERS then reject

set ethernet-switching-options analyzer port-mirror input ingress interface ge-0/0/11.0 set ethernet-switching-options analyzer port-mirror input egress interface ge-0/0/11.0 set ethernet-switching-options analyzer port-mirror output interface ge-0/0/10.0 set ethernet-switching-options storm-control interface all

set vlans B5 vlan-id 5

set vlans B5 l3-interface vlan.5 set vlans VRF_S interface ge-0/0/1.0

Appendix C: SRX100 Configuration

Here is the configuration used in this book’s lab for those who may not be familiar with the device. It uses an OOB network for the me0.0 interface. You can see the interfaces that the CAN1 EX2200-C is connected to (fe-0/0/6), as well as the DHCP server (fe-0/0/4), are also located:

SRX> show arp no-resolve

MAC Address Address Interface Flags 2c:21:72:ce:8f:88 192.168.2.1 vlan.200 none 78:fe:3d:e4:01:bf 192.168.2.10 vlan.200 none 08:00:27:04:f3:a3 192.168.2.252 vlan.200 none a8:20:66:27:06:19 192.168.2.254 vlan.200 none Total entries: 4

SRX> show ethernet-switching table

Ethernet-switching table: 11 entries, 9 learned, 0 persistent entries VLAN MAC address Type Age Interfaces LAB * Flood - All-members LAB 00:30:67:a5:02:c4 Learn 0 fe-0/0/4.0 LAB 2c:21:72:ce:8f:88 Learn 0 fe-0/0/0.0 LAB 28:c0:da:e3:db:48 Static - Router LAB 08:00:27:04:f3:a3 Learn 0 fe-0/0/4.0 LAB 5c:45:27:b1:72:3f Learn 0 fe-0/0/3.0

Testing Zero Touch Provisioning

Configuring the HTTP and DHCP Daemons