ZTPv6 using DHCPv6 Relay Agent

 
 

1. Introduction
ZTP (v4/v6) is a simple hands-off approach to both initial set up and upgrading an existing network.  ZTP does not require entering into the switch CLI, speeds up and simplifies deployment, reduces the risk of human error, and can adapt to many deployment scenarios. It offers scripting extensibility for complex networks and flexible provisioning using standard tools.  Additionally, the switch can be ZTP booted using a variety of identifiers, such as its MAC address, serial number, or LLDP neighbors.

An Arista switch’s ZTP process starts by communicating with a DHCP (v4/v6) server, from which, apart from getting the IP address, default gateway, DNS, etc., it also gets the path to the file server where the boot-config/startup-config is present. A switch enters ZTP mode automatically when it doesn’t have a startup-config, except when ZTP has been canceled or disabled at boot.

In ZTP mode (v4 or v6), the switch:

  1. looks for a DHCP server to get an IP address and get a boot-file name
  2. downloads the boot-file
  3. executes the boot-file, which is a script that can be written in Bash, CLI, or Python

Notes:

  • The File Server (TFTP, FTP, HTTP) and DHCP Server can coexist on a single host/VM
  • The script can also be used to ask for other files to download (for example an EOS image, custom config)

 1.1. ZTPv6 Setup

 

             Fig.1. ZTPv6 setup

The following example shows setting up the ZTPv6 server and the client receiving the prefix through a DHCPv6 relay agent.


1.2. ZTP Deployment

For a successful deployment, the following services/files are required:

  1. working DHCPv6 Server
  2. working File Server to download the script file
  3. valid script file 

The following config example can be used as a reference for a basic ZTPv6 setup.

The network topology is described in Fig. 1. The DHCPv6 server and the TFTP server run on Ubuntu Linux, using a free DHCPv6 server (isc-dhcp-server6) and a free TFTP server (tftpd-hpa). These servers are installed using apt-get for Ubuntu.

 

1.3. IP Addressing and Switch Configuration

Fig.2. ZTP setup

 

Refer to Fig. 2 for the IP addressing of the setup.

Detailed running config for the DHCPv6 relay agent, including VLAN 3000:

! Command: show running-config
! device: DHCPRelay (DCS-7160-48TC6, EOS-4.20.2.1F-REV-0-1-HW)
!
ip dhcp relay always-on
!
hostname DHCPRelay
!
spanning-tree mode mstp
!
vlan 3000
!
interface Ethernet12
  no switchport
  ipv6 address 1234:5678::3/64
!
interface Ethernet49/1
  switchport access vlan 3000
!
interface Vlan3000
  ipv6 dhcp relay destination 1234:5678::2
  ipv6 enable
  ipv6 address 1234:5679::5/64
  ipv6 nd ra interval msec 4000
  ipv6 nd managed-config-flag
  ipv6 nd other-config-flag
!
ipv6 route 1234:5678::/64 1234:5678::2
!
ipv6 unicast-routing
!
monitor session 1 source Ethernet49/1
monitor session 1 destination Cpu
!
end

 

The relay can also be configured on a VLAN or a physical interface:

DHCPRelay(config-if-Et36)#show active
interface Ethernet36
  description DHCPv6_Relay_Interface
  load-interval 5
  mtu 9000
  speed forced 10000full
  no switchport
  ip address 10.0.128.216/31
  ipv6 dhcp relay destination 1234:5678::2
  ipv6 address 1234:5679::5/64
  ipv6 nd ra interval msec 4000
  ipv6 nd managed-config-flag
  ipv6 nd other-config-flag

 

DHCPRelay#show ipv6 helper-address
DHCP Relay is active
DHCP Relay always-on mode enabled
DHCP Relay Option 82 is enabled
DHCP Smart Relay is disabled
Interface: Ethernet36
 Option 82 Circuit ID: Ethernet36
 DHCP Smart Relay is disabled
 DHCP servers: 1234:5678::2
Interface: Vlan3000
 Option 82 Circuit ID: Vlan3000
 DHCP Smart Relay is disabled
 DHCP servers: 1234:5678::2

 

 

Some outputs to verify functionality:

DHCPRelay(config)#sh ipv6 dhcp relay counters

           |  Dhcp Packets
 Interface | Rcvd Fwdd Drop | Last Cleared
-----------|----- ---- -----|-------------
   All Req |    8       2 |  0:17:37 ago
  All Resp |    6    6    0 |
           |
Ethernet36 |    6    0    0 |  0:17:37 ago
  Vlan3000 |    4    0    2 |  0:17:37 ago

 

 

On Client:

Ethernet1 is up, line protocol is up (connected)
  IPv6 is enabled, link-local is fe80::21c:73ff:fe80:6c07/64
  Address determined by SLAAC
  Global unicast address(es):
    1234:5677::21c:73ff:fe80:6c07, subnet is 1234:5677::/64
  Joined group address(es):
    ff02::1
    ff02::1:ff80:6c07
  ND DAD status is unavailable
  ND Reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND enhanced duplicate address detection disabled
  ND advertised reachable time is 30000 milliseconds (using 30000)
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  ND advertised maximum hop count limit is 64
  Hosts use stateless autoconfig for addresses.

 

 

localhost#sh ipv6 int br
Interface Status  MTU IPv6 Address                      Addr State  Addr Source
--------- ------ ---- --------------------------------- ----------- -----------
Et1       up     1500 fe80::21c:73ff:fe80:6c07/64       up          link local
                      1234:5677::21c:73ff:fe80:6c07/64  up          slaac

 

1.4. Configuring DHCPv6 Server

After successful installation, the DHCPv6 server should be configured to assign addresses and to supply the boot-file option. Restart the service using the “sudo service isc-dhcp-server6 restart” command after making any changes to the dhcpd6.conf file.

An example of how dhcpd6.conf (/etc/dhcp/dhcpd6.conf) should be configured:

# Server configuration file example for DHCPv6

# IPv6 address valid lifetime
#  (at the end the address is no longer usable by the client)
default-lease-time 2592000;
max-lease-time 29800;

# Global definitions for name server address(es) and domain search list
option dhcp6.name-servers 1234:5678::2;
option dhcp6.domain-search "aristanetworks.com";

# Static definition (must be global)
# The subnet where the server is attached (i.e., the server has an address in this subnet)
subnet6 1234:5678::/64 {
       range6 1234:5678::5 1234:5678::11;
}

# The second subnet behind a relay agent
subnet6 1234:5679::/64 {
       range6 1234:5679::4 1234:5679::20;
       # option dhcp6.name-servers 3ffe:501:ffff:101:200:ff:fe00:3f3e;
       option dhcp6.bootfile-url "tftp://[1234:5678::2]/ztp-switch-script";
}

 

Also, ensure that the DHCPv6 server is bound to an interface. To set the values, go to the /etc/default/ directory and look for the isc-dhcp-server file.

The contents should look like this:

 

ubuntu:/etc/default$ cat isc-dhcp-server
# Defaults for isc-dhcp-server (sourced by /etc/init.d/isc-dhcp-server)

# Path to dhcpd's config file (default: /etc/dhcp/dhcpd.conf).
#DHCPDv4_CONF=/etc/dhcp/dhcpd.conf
DHCPDv6_CONF=/etc/dhcp/dhcpd6.conf

# Path to dhcpd's PID file (default: /var/run/dhcpd.pid).
#DHCPDv4_PID=/var/run/dhcpd.pid
DHCPDv6_PID=/var/run/dhcpd6.pid

# Additional options to start dhcpd with.
# Don't use options -cf or -pf here; use DHCPD_CONF/ DHCPD_PID instead
#OPTIONS="-6"

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACESv4=""
INTERFACESv6="ens33" # The physical interface to which the DHCPv6 server should be bound

 

The same file also needs to be edited for DHCPv4 as well.

 

Use “sudo systemctl restart/enable/start/stop isc-dhcp-server6” to restart, enable, start, or stop the DHCPv6 server.

 


1.5. Configuring TFTP server

After successful installation, the TFTP server should be configured for hosting the file. tftpd-hpa was used as the TFTP server.

The configuration steps are as follows:

$ sudo apt install -y tftpd-hpa

To start, enable, stop, or restart the TFTP server:
$ sudo systemctl restart/enable/start/stop tftpd-hpa

Create a directory named tftpboot in /var/lib/. Don’t forget to change the permissions of the directory.

The directory has two files, a boot script, and a startup-config:

ubuntu:/var/lib/tftpboot$ ls -lh
-rw-r--r-- 1 root root 102 Nov  2 20:57 ztp-switch-script
-rw-r--r-- 1 root root 117 Oct  2 09:09 ztp-switch-startup-config

The first file, ‘ztp-switch-script’, is the same file that is referenced in the DHCPv6 option parameters.

  1. Contents of ‘ztp-switch-script’

ubuntu:/var/lib/tftpboot$ cat ztp-switch-script
#!/usr/bin/Cli -p2
enable
copy tftp://[1234:5678::2]/ztp-switch-startup-config flash:startup-config

  2. Contents of ‘ztp-switch-startup-config’

ubuntu:/var/lib/tftpboot$ cat ztp-switch-startup-config
hostname ZTP-Switch
!
interface Management1
  description ZTP_Mgmt_Interface
  ip address 192.168.111.3/24
!
end

As with DHCPv6, the options for tftpd-hpa also need to be set in the /etc/default/ directory. These set the runtime options for the TFTP server.

The file should look like this:
ubuntu:/etc/default$ cat tftpd-hpa
# /etc/default/tftpd-hpa
TFTP_USERNAME="root"
TFTP_DIRECTORY="/var/lib/tftpboot"
TFTP_ADDRESS="[::]:69"
TFTP_OPTIONS="--secure --ipv6"
#RUN_DAEMON="yes"
#OPTIONS="-l -s /var/lib/tftpboot"

Also, ensure that the firewall is opened or configure port forwarding.

 

1.6. Configuration

The DHCPv6 relay agent should be configured to send Router Advertisements (RAs) containing the link-local prefix. If the ‘m’ bit (managed-config flag) is set, the switch will start sending stateful DHCPv6 Solicit messages; if the ‘o’ bit (other-config flag) is set, the switch will send stateless Solicit messages instead. The default behavior is stateless DHCPv6.

When the managed-config flag is set in the RA packet, the switch will receive the IPv6 address, nameserver location, and bootfile URL from the DHCPv6 server. The RA packet will provide the default route information. If the ‘o’ bit is set, the switch will receive the nameserver location and bootfile URL from the DHCPv6 server. The RA packet will provide the prefix information and default route information. The kernel will use Stateless Address Auto Configuration (SLAAC) to configure the IPv6 address based on the received prefix.

As soon as the client boots up and receives an RA from the DHCPv6 relay, it will initiate the ZTPv6 process. Once the switch receives the configuration parameters and configures the IPv6 address, default route, and nameserver, it will start sending HTTP/HTTPS/FTP/TFTP request packets in an attempt to download the config script.

If the downloaded file is a startup-config script, it will be saved to /mnt/flash. If the downloaded file is an executable script, it will be executed. The switch will then reboot with the startup-config.
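
The flag handling described in this section can be checked offline. The following Python sketch is an added example, not Arista code: it parses a constructed RA, reads the M and O flags, and derives the modified EUI-64 address the client forms under SLAAC, which is the source address the file server and its firewall will see (compare the capture in section 1.8). The helper names are hypothetical, and letting M take precedence over O is an assumption drawn from the paragraphs above.

```python
import ipaddress
import struct

M_FLAG, O_FLAG = 0x80, 0x40      # managed / other bits in the RA flags byte
A_FLAG = 0x40                    # "autonomous" bit in a Prefix Information option


def build_ra(flags, prefix="1234:5679::", plen=64):
    """Constructed sample RA (ICMPv6 body only, checksum left at 0)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0x80 | A_FLAG, 2592000, 604800, 0)
    return hdr + pio + ipaddress.IPv6Address(prefix).packed


def parse_ra(pkt):
    """Extract the M/O flags and the advertised prefixes from an RA."""
    if len(pkt) < 16 or pkt[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(pkt[5] & M_FLAG), "other": bool(pkt[5] & O_FLAG),
          "prefixes": []}
    off = 16                                     # options follow the fixed header
    while off + 2 <= len(pkt):
        opt_type, opt_len = pkt[off], pkt[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(pkt):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:      # Prefix Information option
            raw = bytes(pkt[off + 16:off + 32])
            net = ipaddress.IPv6Network((raw, pkt[off + 2]), strict=False)
            ra["prefixes"].append((net, bool(pkt[off + 3] & A_FLAG)))
        off += opt_len
    return ra


def slaac_address(net, mac):
    """Modified EUI-64 address a client with this MAC forms inside net."""
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    octets = bytearray(int(b, 16) for b in mac.split(":"))
    octets[0] ^= 0x02                            # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net[int.from_bytes(iid, "big")]


def ztp_plan(ra, mac):
    """Return (DHCPv6 mode, expected SLAAC address or None) for a ZTP client."""
    if ra["managed"]:
        return "stateful", None                  # address is assigned by DHCPv6
    for net, autonomous in ra["prefixes"]:
        if autonomous:
            return "stateless", slaac_address(net, mac)
    return "stateless", None                     # stateless is the default mode


if __name__ == "__main__":
    mac = "44:4c:a8:b7:a8:b5"                    # client MAC from section 1.8
    for flags in (O_FLAG, M_FLAG | O_FLAG):
        print(hex(flags), ztp_plan(parse_ra(build_ra(flags)), mac))
```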

 1.7. Status messages on the Switch

When the switch sends a DHCPv6 request packet:

Nov 8 02:56:35 localhost ConfigAgent: %ZTP-6-DHCPv6_QUERY: Sending DHCPv6 request on [Ethernet1 ]

Nov 8 05:36:22 localhost ConfigAgent: %ZTP-6-DHCPv6_QUERY: Sending DHCPv6 request on [Management1 ]

When the switch adjusts the interface speed:

Nov 8 02:54:20 localhost ConfigAgent: %ZTP-6-INTERFACE_SPEED: Setting interface speed to default speed for [Ethernet52/1, Ethernet26, Management1, Ethernet7,…………Ethernet54/1, Ethernet28, Ethernet25, Ethernet33]

When the switch sends a DHCPv6 information request packet, the following log message will be generated:

Oct  3 20:21:19 localhost ConfigAgent: %ZTP-6-STATELESS_DHCPv6_QUERY: Sending stateless DHCPv6 request on  [ Ethernet8/1, Ethernet8/2, Ethernet8/3,………..Ethernet32/4 ]

When the switch fails to get a valid DHCPv6 response from the DHCPv6 server, the following log message will be generated:

Sep 28 18:39:00 cd210 ConfigAgent: %ZTP-4-DHCPv6_QUERY_FAIL: Failed to get a valid DHCPv6 response

When the switch fails to get a valid response from the DHCPv6 server in response to the information request done earlier, the following log message will be generated:

Sep 28 18:39:00 cd210 ConfigAgent: %ZTP-4-STATELESS_DHCPv6_QUERY_FAIL: Failed to get a valid stateless configuration parameters over DHCPv6 response

When the switch receives a valid response from a DHCPv6 server in response to an earlier DHCPv6 information request, the following log message will be generated:

Sep 28 18:39:00 cd210 ConfigAgent: %ZTP-6-STATELESS_DHCPv6_SUCCESS: DHCPv6 response with stateless configuration parameters received on Ethernet1
 

When the switch receives a valid response from a DHCPv6 server in response to an earlier DHCPv6 request, the following log message will be generated:

Nov 8 02:56:37 localhost ConfigAgent: %ZTP-6-DHCPv6_SUCCESS: DHCPv6 response received on Ethernet1 [ Mtu: 0; Ip Address: 1234:5678::5/64/0; Nameserver: 1234:5678::2; Domain: aristanetworks.com.; Boot File: tftp://[1234:5678::2]/ztp-switch-script ]

When the switch requests a file from the TFTP or HTTP server:

Nov 8 05:36:25 localhost ConfigAgent: %ZTP-6-CONFIG_DOWNLOAD: Attempting to download the startup-config from tftp://[1234:5678::2]/ztp-switch-script

Nov 8 05:36:25 localhost ConfigAgent: %ZTP-6-CONFIG_DOWNLOAD_SUCCESS: Successfully downloaded config script from tftp://[1234:5678::2]/ztp-switch-script

Executing the Script and the status messages:

Nov 8 05:36:25 localhost ConfigAgent: %ZTP-6-EXEC_SCRIPT: Executing the downloaded config script

Nov 8 05:36:25 localhost Rib: if_rtup: UP route for interface ma1 1234:5678::464c:a8ff:feb8:58ff/ffff:ffff:ffff:ffff::

Nov 8 05:36:26 localhost ConfigAgent: %ZTP-6-EXEC_SCRIPT_SUCCESS: Successfully executed the downloaded config script

Nov 8 05:36:26 localhost ConfigAgent: %ZTP-6-RELOAD: Rebooting the system

When the ZTP process restarts from the beginning:

Nov 8 05:20:49 localhost ConfigAgent: %ZTP-6-RETRY: Retrying Zero Touch Provisioning from the beginning (attempt 1)

Nov 8 05:32:19 localhost ConfigAgent: %ZTP-6-RETRY: Retrying Zero Touch Provisioning from the beginning (attempt 20)
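
One way to audit these messages after a ZTP run, as an added example that is not part of the original article or of EOS: the script checks that every boot-file URL seen in the ZTP logs points at the intended provisioning server, and reports DHCPv6 failures and high retry counts. The allow-list, the retry threshold and the function names are assumptions; the last sample line is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the only legitimate provisioning host is the page's file server.
EXPECTED_HOSTS = {"1234:5678::2"}

# Lines 1-4 are copied from the status messages above; line 5 is constructed.
SAMPLE_LOG = """\
Nov 8 02:56:37 localhost ConfigAgent: %ZTP-6-DHCPv6_SUCCESS: DHCPv6 response received on Ethernet1 [ Mtu: 0; Ip Address: 1234:5678::5/64/0; Nameserver: 1234:5678::2; Domain: aristanetworks.com.; Boot File: tftp://[1234:5678::2]/ztp-switch-script ]
Nov 8 05:36:25 localhost ConfigAgent: %ZTP-6-CONFIG_DOWNLOAD: Attempting to download the startup-config from tftp://[1234:5678::2]/ztp-switch-script
Sep 28 18:39:00 cd210 ConfigAgent: %ZTP-4-DHCPv6_QUERY_FAIL: Failed to get a valid DHCPv6 response
Nov 8 05:32:19 localhost ConfigAgent: %ZTP-6-RETRY: Retrying Zero Touch Provisioning from the beginning (attempt 20)
Nov 9 01:00:00 localhost ConfigAgent: %ZTP-6-DHCPv6_SUCCESS: DHCPv6 response received on Ethernet1 [ Mtu: 0; Ip Address: 1234:5679::9/64/0; Nameserver: 2001:db8::53; Domain: example.net.; Boot File: http://[2001:db8::66]/bootstrap ]
"""

ZTP_RE = re.compile(r"%ZTP-(\d)-(\w+): (.*)$")
URL_RE = re.compile(r"(?:tftp|ftp|https?)://\S+")
RETRY_RE = re.compile(r"\(attempt (\d+)\)")


def _norm(host):
    """Canonical form, so 1234:5678:0::2 and 1234:5678::2 compare equal."""
    try:
        return ipaddress.ip_address(host).compressed
    except ValueError:
        return host.lower()


def audit(log_text, expected_hosts=EXPECTED_HOSTS, max_retries=5):
    """Return (line_number, finding, detail) tuples for ZTP events to review."""
    allowed = {_norm(h) for h in expected_hosts}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = ZTP_RE.search(line)
        if not m:
            continue
        _severity, mnemonic, text = m.groups()
        url = URL_RE.search(text)
        if url and mnemonic in ("DHCPv6_SUCCESS", "CONFIG_DOWNLOAD"):
            # The boot file is executed by the switch, so its origin matters.
            host = _norm(urlsplit(url.group()).hostname or "")
            if host not in allowed:
                findings.append((lineno, "unexpected-boot-server", host))
        elif mnemonic.endswith("QUERY_FAIL"):
            findings.append((lineno, "dhcpv6-failure", mnemonic))
        elif mnemonic == "RETRY":
            attempt = RETRY_RE.search(text)
            if attempt and int(attempt.group(1)) > max_retries:
                findings.append((lineno, "excessive-retries", attempt.group(1)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```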

1.8. Wireshark Messages on the DHCPv6 Client

06:33:02.071435 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 140: (hlim 1, next-header UDP (17) payload length: 84) fe80::464c:a8ff:feb7:a8b5.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 inf-req (xid=3a9f58 (vendor-specific-info) (client-ID hwaddr type 1 444ca8b7a8b5) (option-request opt_59 DNS-search-list DNS-server) (elapsed-time 0))

06:33:02.073040   M 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) 1234:5679::5 > ff02::1:ffb7:a8b5: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::464c:a8ff:feb7:a8b5

      source link-address option (1), length 8 (1): 44:4c:a8:b8:59:00

        0x0000:  444c a8b8 5900

06:33:02.073127 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::464c:a8ff:feb7:a8b5 > 1234:5679::5: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fe80::464c:a8ff:feb7:a8b5, Flags [solicited, override]

      destination link-address option (2), length 8 (1): 44:4c:a8:b7:a8:b5

        0x0000:  444c a8b7 a8b5

06:33:02.073212  In 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 187: (hlim 64, next-header UDP (17) payload length: 131) 1234:5679::5.dhcpv6-server > fe80::464c:a8ff:feb7:a8b5.dhcpv6-client: dhcp6 reply (xid=3a9f58 (client-ID hwaddr type 1 444ca8b7a8b5) (server-ID hwaddr/time type 1 time 563432856 000c298ee244) (opt_59) (DNS-search-list aristanetworks.com.) (DNS-server 1234:5678::2))

06:33:02.246733   M 44:4c:a8:b8:59:33 ethertype Unknown (0x002a), length 121:

 

06:33:09.047142 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 120: (hlim 64, next-header UDP (17) payload length: 64) 1234:5679::464c:a8ff:feb7:a8b5.47345 > 1234:5678::2.tftp:  56 RRQ “ztp-switch-script” octet tsize 0 blksize 512 timeout 5

06:33:09.048432   M 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::464c:a8ff:feb8:5900 > ff02::1:ffb7:a8b5: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has 1234:5679::464c:a8ff:feb7:a8b5

      source link-address option (1), length 8 (1): 44:4c:a8:b8:59:00

        0x0000:  444c a8b8 5900

06:33:09.048460 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 88: (hlim 255, next-header ICMPv6 (58) payload length: 32) 1234:5679::464c:a8ff:feb7:a8b5 > fe80::464c:a8ff:feb8:5900: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is 1234:5679::464c:a8ff:feb7:a8b5, Flags [solicited, override]

      destination link-address option (2), length 8 (1): 44:4c:a8:b7:a8:b5

        0x0000:  444c a8b7 a8b5

06:33:09.048542  In 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 98: (flowlabel 0x3024a, hlim 63, next-header UDP (17) payload length: 42) 1234:5678::2.49149 > 1234:5679::464c:a8ff:feb7:a8b5.47345: UDP, length 34

06:33:09.048673 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 68: (hlim 64, next-header UDP (17) payload length: 12) 1234:5679::464c:a8ff:feb7:a8b5.47345 > 1234:5678::2.49149: UDP, length 4

06:33:09.048947  In 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 170: (flowlabel 0x3024a, hlim 63, next-header UDP (17) payload length: 114) 1234:5678::2.49149 > 1234:5679::464c:a8ff:feb7:a8b5.47345: UDP, length 106

06:33:09.049106 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 68: (hlim 64, next-header UDP (17) payload length: 12) 1234:5679::464c:a8ff:feb7:a8b5.47345 > 1234:5678::2.49149: UDP, length 4

06:33:09.504793 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 128: (hlim 64, next-header UDP (17) payload length: 72) 1234:5679::464c:a8ff:feb7:a8b5.34002 > 1234:5678::2.tftp:  64 RRQ “ztp-switch-startup-config” octet tsize 0 blksize 512 timeout 6

06:33:09.506113  In 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 98: (flowlabel 0x006c8, hlim 63, next-header UDP (17) payload length: 42) 1234:5678::2.43970 > 1234:5679::464c:a8ff:feb7:a8b5.34002: UDP, length 34

06:33:09.506219 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 68: (hlim 64, next-header UDP (17) payload length: 12) 1234:5679::464c:a8ff:feb7:a8b5.34002 > 1234:5678::2.43970: UDP, length 4

06:33:09.506564  In 44:4c:a8:b8:59:00 ethertype IPv6 (0x86dd), length 185: (flowlabel 0x006c8, hlim 63, next-header UDP (17) payload length: 129) 1234:5678::2.43970 > 1234:5679::464c:a8ff:feb7:a8b5.34002: UDP, length 121

06:33:09.507316 Out 44:4c:a8:b7:a8:b5 ethertype IPv6 (0x86dd), length 68: (hlim 64, next-header UDP (17) payload length: 12) 1234:5679::464c:a8ff:feb7:a8b5.34002 > 1234:5678::2.43970: UDP, length 4

 


2. ZTP Boot

Now that the DHCPv6 and the TFTP file server are running, with ZTP script and startup-config files, the switch can be automatically provisioned.

  • If the switch is being deployed for the first time, power it on, and ZTP will configure and load the image on the switch
  • If an existing switch is being upgraded, delete the startup-config on the switch and enter reload now (do not save any changes if prompted). The switch will reboot and download its new startup-config using ZTP
  • In case ZTP was disabled in the past, remove zero-touch config file from the flash using “delete flash:zerotouch-config” command

To view the output of ZTP during the boot process, connect to the console of the switch. Fig. 3 shows a ZTP initial message:

 

Fig.3. Initial ZTP messages

 

3. ZTPv6 is not only about configuration…

In addition to the above example, ZTPv6 can do a lot more – for example, one can automatically upgrade the EOS image running on the switch. In order to do this, simply change the ztp-switch-script script a little and add the desired EOS image to the File Server:

#!/usr/bin/Cli -p2
enable
copy http://192.168.111.2/ztp-startup-config flash:startup-config
copy http://192.168.111.2/EOS.swi flash:EOS.swi
config
boot system flash:EOS.swi


4. Summary

ZTPv6 is a key part of network deployment at large scale with support for IPv6 and is suited to a wide array of network topologies.  It can be extended to support the use of serial number, LLDP neighbors or other unique identifiers. With the use of scripting tools, the configuration file creation can be fully automated, leading to the elimination of repetitive tasks in network switch deployment and upgrading.  ZTPv6 is a powerful new feature for the modern data center. The steps mentioned in the process could also be repeated for ZTP for IPv4 as well.

 
