ZTP Network Device Provision
ZTP Provisioning
Juniper's Zero-Touch Provisioning (ZTP) can be leveraged to configure new network devices without manual configuration over the console. DC-Ops and Infra-Foundations have created a ZTP cookbook which upgrades the device software to our preferred version and pushes the minimum base config needed for network connectivity and user auth.
The cookbook currently supports QFX5120 series devices, but with a little effort this can be expanded to other platforms.
ZTP Provisioning Steps
- Add to Netbox (dc-ops)
  - Include serial number and asset tag
  - Set Netbox status to 'planned'
  - Ensure there is only one interface 'enabled' in Netbox, and that it is set to 'Management Only'
    - For QFX5120 this normally means disabling em1
- Connect power/console/mgmt
  - Update the console server's port (and test it)
- Run the ZTP cookbook for the device:
  - e.g.: sudo cookbook sre.network.provision ssw1-a1-codfw
- Run the TLS certificate cookbook for the device (this step will soon be merged into the provision cookbook):
  - e.g.: sudo cookbook sre.network.tls ssw1-a1-codfw
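The Netbox preconditions in the steps above (serial and asset tag present, status 'planned', exactly one enabled interface and it marked 'Management Only') are easy to get wrong and only surface an hour later when the cookbook stalls at "waiting for device". The following pre-flight check is an added example, not part of this page or of the sre.network.provision cookbook. It assumes the Netbox REST API list endpoints /api/dcim/devices/ and /api/dcim/interfaces/ and a read-only API token; NETBOX_URL and NETBOX_TOKEN are placeholders supplied via the environment, and the sample records are constructed.

```python
"""Pre-flight check of a device's Netbox record before the ZTP cookbook runs.

Added example; it is not part of this page or of the sre.network.provision
cookbook. It assumes the Netbox REST API endpoints /api/dcim/devices/ and
/api/dcim/interfaces/ and a read-only API token. NETBOX_URL and NETBOX_TOKEN
are placeholders to be supplied via the environment.
"""
import json
import os
import sys
import urllib.request
from typing import Any, Dict, List

NETBOX_URL = os.environ.get("NETBOX_URL", "https://netbox.example.invalid")  # placeholder
NETBOX_TOKEN = os.environ.get("NETBOX_TOKEN", "REPLACE_ME")  # placeholder


def netbox_get(path: str, **params: str) -> List[Dict[str, Any]]:
    """GET a Netbox list endpoint and return its 'results' (live call; the checks below don't need it)."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    req = urllib.request.Request(
        f"{NETBOX_URL}/api/{path}/?{query}",
        headers={"Authorization": f"Token {NETBOX_TOKEN}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["results"]


def check_ztp_preconditions(device: Dict[str, Any], interfaces: List[Dict[str, Any]]) -> List[str]:
    """Return the list of problems found; an empty list means the record is ready for ZTP.

    `device` is one Netbox device record and `interfaces` its interface records,
    in the JSON shape the REST API returns (status.value, serial, asset_tag,
    enabled, mgmt_only, name).
    """
    problems: List[str] = []
    if not device.get("serial"):
        problems.append("serial number missing")
    if not device.get("asset_tag"):
        problems.append("asset tag missing")
    status = (device.get("status") or {}).get("value")
    if status != "planned":
        problems.append(f"status is {status!r}, expected 'planned'")
    enabled = [i for i in interfaces if i.get("enabled")]
    if len(enabled) != 1:
        names = ", ".join(i["name"] for i in enabled) or "none"
        problems.append(f"expected exactly one enabled interface, found {len(enabled)} ({names})")
    elif not enabled[0].get("mgmt_only"):
        problems.append(f"enabled interface {enabled[0]['name']} is not set to 'Management Only'")
    return problems


# Constructed sample records mirroring the Netbox API shape; not real devices.
SAMPLE_DEVICE = {
    "name": "ssw1-a1-codfw",
    "serial": "CONSTRUCTED-SERIAL",
    "asset_tag": "CONSTRUCTED-TAG",
    "status": {"value": "planned", "label": "Planned"},
}
SAMPLE_INTERFACES = [
    {"name": "em0", "enabled": True, "mgmt_only": True},
    {"name": "em1", "enabled": False, "mgmt_only": True},  # disabled, as the page advises for QFX5120
    {"name": "xe-0/0/0", "enabled": False, "mgmt_only": False},
]


def main(argv: List[str]) -> int:
    """Usage: python ztp_preflight.py <device-name>; exits non-zero if any check fails."""
    name = argv[1]
    devices = netbox_get("dcim/devices", name=name)
    if len(devices) != 1:
        print(f"{name}: expected one Netbox device, found {len(devices)}")
        return 2
    problems = check_ztp_preconditions(devices[0], netbox_get("dcim/interfaces", device=name))
    for problem in problems:
        print(f"{name}: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python ztp_preflight.py ssw1-a1-codfw` before starting the cookbook; a non-zero exit lists every failing precondition rather than stopping at the first, so the Netbox record can be fixed in one pass.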
Notes
- The cookbook currently takes approx 1 hour to complete for a device. This is due to the time it takes to download the new JunOS image file, install it locally on the switch and reboot.
- Multiple cookbooks can be executed in parallel to configure more than one device. However, step 1 of the cookbook invokes the sre.dns.netbox script, which must not run concurrently with itself because it is very intensive on the Netbox server. Stagger the provision cookbooks for multiple devices: wait until the first cookbook reaches the "waiting for device" stage before starting the second.
Remaining Configuration
At this point the device should be reachable on our management network and we should be able to configure it with Homer.
The remaining steps, depending on the use-case, are as follows:
- Add to Homer
  - For L3 switches this requires the "l3_switch" var to be set in devices.yaml
  - EVPN devices additionally need the 'evpn' var set, an IRB interface defined in Netbox and the device added to the BGP cluster in sites.yaml
- Create the license key using the activation code on Juniper's portal, and add it as a new 'license' inventory item for the device in Netbox
- Push the initial configuration with Homer
  - e.g.: homer ssw1-a1-codfw* commit "apply initial configuration"
- Save the rescue configuration locally on the device
  - request system configuration rescue save
- Set Netbox status to 'active'
- Run the sre.puppet.sync-netbox-hiera cookbook to import the device's location into hiera
Monitoring
Add device to monitoring using Setup a new network device#Monitoring.
Software Image
Right now only QFX5120 devices are supported, and the DHCP script simply pushes the image file stored in /srv/private/junos/qfx5120.tgz to the device. To change which JunOS version the cookbook installs, download the required version to the local apt server in the DC and rename it to that filename.
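Because whatever sits at that path is installed unattended on every device the cookbook provisions, the download should be checked against the vendor-published SHA-256 before it is renamed into place, and the rename should be atomic so a half-copied file is never served. The following helper is an added example, not part of this page or of the cookbook. It assumes the /srv/private/junos/qfx5120.tgz path named above and a checksum string copied from the vendor's download page for that release; demo() works on constructed bytes in a temporary directory, not on a real image.

```python
"""Verify a downloaded JunOS image before staging it where the ZTP DHCP script reads it.

Added example; not part of this page or of the cookbook. It assumes the image
path the page names (/srv/private/junos/qfx5120.tgz) and a SHA-256 value copied
from the vendor's download page for that release; demo() uses constructed bytes
and a checksum computed from them, not a real image.
"""
import hashlib
import os
import shutil
import tempfile

IMAGE_DEST = "/srv/private/junos/qfx5120.tgz"  # filename the DHCP script pushes to the device


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a multi-hundred-MB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def stage_image(src: str, expected_sha256: str, dest: str = IMAGE_DEST) -> str:
    """Copy `src` into place as `dest` only if its SHA-256 matches; return the verified digest.

    The copy is written under a temporary name and moved with os.replace(), so
    the DHCP script never sees a partially written file at `dest`. On a
    mismatch nothing is written and ValueError is raised.
    """
    actual = sha256_of(src)
    if actual != expected_sha256.strip().lower():
        raise ValueError(f"checksum mismatch for {src}: expected {expected_sha256}, got {actual}")
    tmp = dest + ".partial"
    shutil.copy2(src, tmp)
    os.replace(tmp, dest)
    return actual


def demo() -> tuple:
    """Exercise the staging flow on constructed data in a temporary directory.

    Returns (staged_ok, mismatch_rejected): True when a correct checksum led to
    the file being placed, and True when a wrong checksum was refused with
    nothing written.
    """
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "junos-constructed.tgz")
        payload = b"constructed placeholder bytes, not a real JunOS package\n"
        with open(src, "wb") as f:
            f.write(payload)
        dest = os.path.join(workdir, "qfx5120.tgz")

        good = hashlib.sha256(payload).hexdigest()
        staged_ok = stage_image(src, good, dest) == good and os.path.exists(dest)

        os.remove(dest)
        try:
            stage_image(src, "0" * 64, dest)
            mismatch_rejected = False
        except ValueError:
            mismatch_rejected = not os.path.exists(dest)
    return staged_ok, mismatch_rejected


if __name__ == "__main__":
    print(demo())
```

In practice you would call stage_image() with the downloaded file and the checksum from the vendor page, keeping the original download untouched so a later re-verification is still possible.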