Automation Win: Zero-Touch Provisioning
Listening to the networking vendors, it seems that zero-touch provisioning is a no-brainer … until you try to get it working in real life, and the device you want to auto-configure supports only IP address assignment via DHCP, configuration download via TFTP, and a DHCP option that points to the configuration file (typically option 67, bootfile-name, with option 66, tftp-server-name, naming the server).
As Hans Verkerk discovered when he tried to implement zero-touch provisioning with Ansible while attending the Building Network Automation Solutions course, you have to:
- Use a DHCP server to assign IP addresses to devices, combined with a TFTP server that pushes the initial bootstrap configuration to newly-attached devices;
- Detect that the DHCP server has assigned a new IP address;
- Find the MAC address associated with that IP address if you want to provision devices based on their MAC address (he used the ARP cache);
- Generate SSH keys on the device and add those keys to the known_hosts file (you could also turn off host key checking… maybe not such a great idea, since every later configuration push would then accept whoever answers on that IP address);
- Generate the final device configuration;
- Push the configuration to the device.
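The steps above, strung together as a single script, as an added example that is not from the post and not Hans Verkerk's playbooks. It assumes an ISC dhcpd.leases file for lease detection, `ip neigh show` output as the ARP cache, `ssh-keyscan` output for the host key, and a hypothetical inventory keyed by MAC address; all sample data (addresses from the 192.0.2.0/24 documentation range, a fake ed25519 key) is constructed inline. Pushing the rendered configuration over SSH needs a live device and is left out.

```python
"""Lease-driven zero-touch provisioning pipeline (added example, not from
the post or from Hans Verkerk's playbooks).

Mirrors the steps in the post: detect a new DHCP lease, map the IP to a MAC
via the ARP cache, look the MAC up in an inventory, pin the device's SSH
host key as a known_hosts entry, render the final configuration.
"""
import re
from string import Template

# Constructed sample of an ISC dhcpd.leases file (not real data).
SAMPLE_LEASES = """\
lease 192.0.2.51 {
  starts 4 2020/10/01 10:00:00;
  ends 4 2020/10/01 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.0.2.52 {
  starts 4 2020/10/01 10:05:00;
  binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.0.2.53 {
  starts 4 2020/10/01 10:07:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
}
"""

# Constructed sample of `ip neigh show` output (the ARP cache).
SAMPLE_NEIGH = """\
192.0.2.51 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.53 dev eth0 lladdr de:ad:be:ef:00:01 STALE
192.0.2.99 dev eth0  FAILED
"""

# Constructed sample of `ssh-keyscan -t ed25519 192.0.2.51` output (fake key).
SAMPLE_KEYSCAN = "192.0.2.51 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTheExample\n"

# Hypothetical inventory keyed by MAC address; only known MACs get configured.
INVENTORY = {
    "00:11:22:33:44:55": {"hostname": "sw-access-01", "mgmt_ip": "10.0.0.11/24"},
}

LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)
NEIGH_RE = re.compile(r"(\S+) dev \S+ lladdr (\S+) (\w+)")


def active_leases(text):
    """Return {ip: mac} for leases whose binding state is active."""
    out = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet ([0-9a-f:]{17});", body, re.I)
        if "binding state active;" in body and mac:
            out[ip] = mac.group(1).lower()
    return out


def arp_table(text):
    """Parse `ip neigh show` into {ip: mac}; lines without lladdr (FAILED) are skipped."""
    out = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out


def parse_keyscan(text):
    """Turn ssh-keyscan output into {ip: known_hosts_line}, ignoring anything else."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].startswith("ssh-"):
            out[parts[0]] = " ".join(parts)
    return out


CONFIG_TMPL = Template("""hostname $hostname
interface mgmt0
 ip address $mgmt_ip
""")


def provision(leases_text, neigh_text, keyscan_text, inventory):
    """Decide, per active lease, whether and how to provision the device."""
    leases = active_leases(leases_text)
    arp = arp_table(neigh_text)
    host_keys = parse_keyscan(keyscan_text)
    results = {}
    for ip, lease_mac in leases.items():
        arp_mac = arp.get(ip)
        # The lease and the ARP cache must agree; a mismatch means stale data
        # or someone answering for an address they were not given.
        if arp_mac != lease_mac:
            results[ip] = {"status": "mac-mismatch"}
            continue
        device = inventory.get(arp_mac)
        if device is None:
            results[ip] = {"status": "unknown-device"}  # never configure unknown MACs
            continue
        if ip not in host_keys:
            results[ip] = {"status": "no-host-key"}  # do not fall back to disabling checks
            continue
        results[ip] = {
            "status": "ready",
            "known_hosts": host_keys[ip],  # append this line to ~/.ssh/known_hosts
            "config": CONFIG_TMPL.substitute(device),
        }
    return results


if __name__ == "__main__":
    for ip, r in provision(SAMPLE_LEASES, SAMPLE_NEIGH, SAMPLE_KEYSCAN, INVENTORY).items():
        print(ip, r["status"])
```

Two design points worth keeping in any real version: a MAC address is not an identity (it is trivially spoofed), so the inventory check only keeps accidental devices out, and the provisioning VLAN should be isolated from production anyway; and the `ssh-keyscan` step is trust-on-first-use, which is acceptable only because it happens on that isolated segment right after the device booted from your own TFTP image, and it is still far better than turning host key checking off for every later push.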
All his playbooks are on GitHub – explore and adapt them, and submit a pull request when you improve them ;)
In October 2020 Hans ported his ZTP solution to Nornir.
- Before doing anything else, go and read the awesome Zero-Touch Provisioning DIY Tutorial by Patrick Ogenstad.
- Some vendors neatly solved the problem with automated procedures that can do anything from figuring out where their device is in the network to upgrading software and downloading tailored configuration. As with network automation RFP requirements, make zero-touch provisioning through a well-documented, standards-based mechanism a mandatory requirement when buying the next batch of hardware;
- If you have to provision Cisco Catalyst switches, check out the FreeZTP server;
- I know someone who solved the same problem with Salt – have to persuade him to talk about it one of these days.
This blog post was initially sent to the subscribers of my SDN and Network Automation mailing list.
You need to define a DHCP entry for them first, but after that it gets handled for you.
It's been a lot cleaner to work with than the Nexus POAP setup.
There is a little information in here... but at least these guys got wise and took out the middle man. They use IPv6 link-local addressing in combination with neighbor discovery to locate the controllers. The caveat being that the controllers need to be L2-adjacent with the switch mgmt ports that they hope to provision. Still... it's better than anything DHCP-related with all the options and image repos involved.
It's definitely in the "how much brute force do you want to apply" category.