Zero-Touch Provisioning
Traditionally, deploying controllers was a multi-step process: the master controller information and the local configuration were pre-provisioned first. After the local controller connected to the network, it established a secure tunnel to the master and downloaded the global configuration.
Zero-touch provisioning (ZTP) makes the deployment of local controllers plug-and-play. The local controller learns the required information from the network and provisions itself automatically. A 7000 Series branch controller is a ZTP controller that automatically obtains its local and global configuration and license limits from a central controller.
Note: A controller does not need to be configured as a branch controller to be provisioned using ZTP.
ZTP offers the following advantages over a standard local controller:
- reduced operational cost
- fewer provisioning errors
The main elements of ZTP are:
- auto discovery of the primary master (and optionally, backup master) controller
- configuration download from the master controller
Provisioning a controller includes completing the following:
- setting the role
- setting the country code
- configuring the local configuration

The local configuration is the configuration that is specific to a controller, as opposed to the global configuration shared by a network of controllers. It includes, but is not limited to, IP addresses and VLANs.
Once the controller is provisioned, it is ready to obtain its global configuration in either of two ways:
- the administrator enters the global configuration directly from the WebUI or CLI of a master controller
- the controller retrieves the global configuration from a master controller
Previously, setting the role, setting the country code, and configuring the local configuration could only be performed manually by an administrator. With ZTP, these steps are completed automatically.

The local configuration that a branch controller retrieves through ZTP is called the branch config group.
A controller that is deployed using ZTP is called a branch controller.
Only the 7000 Series cloud services controllers may be deployed as branch controllers.

Before you Begin
Before you deploy a 7000 Series branch controller, use the smart config feature on the master controller to create a branch config group. The master controller can push a branch config group configuration to a branch controller when the branch becomes active on the network. The smart config feature is enabled by default. For more information on branch config group settings, refer to Using Smart Config to create a Branch Config Group.

The parameters of role, country code, and IP address of the master controller are collectively known as the provisioning parameters.

Provisioning Modes for Branch Deployments
The administrator has the choice of several provisioning modes that alter how the branch controller is supplied with its own IP address, role, country code, and branch config group.
During the various provisioning modes, the branch controller is supplied with the IP address of the primary master controller, or, for deployments requiring Layer-3 redundancy, the IP addresses of the primary and backup master controllers. Once the branch controller learns the IP address of the primary master controller, it contacts the master controller and retrieves its branch config group.
Provisioning a controller means defining the following values for that device:
- the role of the controller (master or branch)
- the country code
- local configuration settings
ArubaOS supports the following provisioning modes for branch controllers:
- auto: In this mode, the branch controller:
  - obtains its IP address from DHCP
  - obtains its role, country code, and the IP addresses of the primary controller and any defined secondary controller from DHCP Options or a provisioning rule in Activate
  - retrieves its branch config group from the primary master controller
- mini-setup: In this mode, the branch controller:
  - has its role set to branch when mini-setup is initiated
  - obtains its IP address from DHCP
  - is configured through the console with its country code and the IP address of the primary master controller and (optionally) the secondary master controller IP
  - retrieves its branch config group from the primary master controller
- full-setup: In this mode, the branch controller:
  - is configured with its role set to branch through the console
  - is configured to obtain its IP address through manual configuration of a static IP, DHCP, or PPPoE
  - is configured through the console with its country code and the IP address of the primary master controller and (optionally) the secondary master controller IP
  - retrieves its branch config group from the primary master controller
Automatically Provisioning a Branch Controller
When a factory-default branch controller boots, it starts the auto-provisioning process.
First, it obtains its IP address through DHCP by sending a DHCP discover on the default uplink port. The default uplink port is configured as an access port in VLAN 4094.
Second, it attempts to retrieve the provisioning parameters from the DHCP options in the DHCP lease it has obtained. If the provisioning parameters cannot be obtained from the DHCP options, the branch controller attempts to retrieve them from Activate.
If the branch controller is unsuccessful in retrieving the provisioning parameters from Activate, it retries every 30 seconds until it succeeds or the administrator interrupts auto-provisioning by initiating mini-setup or full-setup.
To interrupt the auto-provisioning process, enter the string mini-setup or full-setup at the initial setup dialog prompt shown below.

    Auto-provisioning is in progress. Choose one of the following options to override or debug...
    'enable-debug' : Enable auto-provisioning debug logs
    'disable-debug': Disable auto-provisioning debug logs
    'mini-setup' : Stop auto-provisioning and start mini setup dialog for smart-branch role
    'full-setup' : Stop auto-provisioning and start full setup dialog for any role
    Enter Option (partial string is acceptable):_
DHCP Options
When the branch controller sends the DHCP discover message to obtain its IP address, it adds DHCP Option 60 (Vendor Class Identifier) to that message, with the value set to "ArubaMC".
If the DHCP Offer has DHCP Option 60 = ArubaMC, the branch controller accepts the DHCP lease and sends a DHCP request. It also looks for DHCP Option 43 (Vendor Specific Information) in the DHCP lease. If DHCP Option 43 is present in the Offer, the branch controller parses it to learn the provisioning parameters.

Note: The role is not explicitly specified in DHCP Option 43. However, the controller sets its role to branch if the other provisioning parameters are present in DHCP Option 43.

If the DHCP Offer does not have DHCP Option 60 = ArubaMC, the branch controller still accepts the DHCP lease and sends a DHCP request. However, once it is bound to the IP address, it initiates the next mode of auto-provisioning and queries Activate for a provisioning rule.
DHCP Server Provisioning
The branch controller adds ArubaMC as a DHCP option-60 vendor class identifier in its DHCP discovery messages, so the DHCP offer from the server must include ArubaMC as a DHCP option-60 vendor class identifier. The controller gets the master information and country code from the DHCP server, which is configured with the master information corresponding to that identifier. The server may also send vendor-specific information (VSI - option 43) in its response to the controller.
Before you deploy a branch controller using ZTP, configure the DHCP server with the following information:
- The option-60 vendor class identifier ArubaMC
- Option-43 Vendor Specific Information (VSI) with the primary master IP address, the country code, and optionally, a secondary master IP (for deployments requiring Layer-3 redundancy). This VSI must be in one of the following formats, where the IP address of a master controller is in dotted-decimal notation (a.b.c.d) or a fully qualified domain name (master.example.com), and the country code is a valid ISO 3166 country code, such as US, AU, or IN:
  - <Master-ip-address>,<Country-code>
  - <Primary-master-IP-address>,<Country-Code>,<Secondary-master-IP-address>
If the DHCP offer from the server does not include ArubaMC as DHCP option 60, the branch controller still accepts the DHCP lease and sends a DHCP request. However, once the branch controller is bound to an IP address, it queries Activate for additional provisioning information. If the controller does not receive the ArubaMC identifier through option 60, or if the received IP address is not valid, option 43 is discarded completely and ZTP moves to the next discovery method. For details, refer to Activate Provisioning.
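The option 60 / option 43 decision rules from the two sections above, implemented as an added Python example (this is not ArubaOS code; the function names, the constructed option payloads and the address/country validation patterns are this example's assumptions). It parses the TLV option area of a DHCP Offer, honours option 43 only when option 60 equals ArubaMC, accepts the two documented VSI formats, and discards option 43 (falling through to Activate) on a missing vendor class, a malformed field, an invalid master address or a bad country code. Whitespace around the commas is tolerated here as an assumption; the page does not state whether the controller tolerates it.

```python
"""ZTP handling of DHCP options 60 and 43 (added example, not ArubaOS code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

OPTION_VSI = 43           # Vendor Specific Information
OPTION_VENDOR_CLASS = 60  # Vendor Class Identifier
OPTION_END = 255
VENDOR_CLASS = b"ArubaMC"

# Assumption: any ISO 3166 alpha-2 code is accepted; a real implementation
# checks the full code table rather than just the two-letter shape.
_COUNTRY_RE = re.compile(r"^[A-Z]{2}$")
# Assumption: FQDN form is validated with RFC 1123 style label syntax.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


@dataclass
class ProvisioningParams:
    primary_master: str
    country_code: str
    secondary_master: Optional[str] = None
    role: str = "branch"   # implied by a valid option 43, as the text states


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP option area (tag, length, value) into {tag: value}.

    Tag 0 is padding and tag 255 ends the area. Repeated tags are
    concatenated; a truncated option raises ValueError.
    """
    opts, i = {}, 0
    while i < len(payload):
        tag = payload[i]
        if tag == 0:
            i += 1
            continue
        if tag == OPTION_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {tag}")
        opts[tag] = opts.get(tag, b"") + value
        i += 2 + length
    return opts


def _valid_master(addr: str) -> bool:
    """Dotted-decimal IPv4 address or FQDN, the two forms the page allows."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ipaddress.AddressValueError:
        return bool(_FQDN_RE.match(addr))


def params_from_option43(vsi: bytes) -> Optional[ProvisioningParams]:
    """Return provisioning parameters, or None if the VSI must be discarded."""
    fields = [f.strip() for f in vsi.decode("ascii", "replace").split(",")]
    if len(fields) not in (2, 3):
        return None
    primary, country = fields[0], fields[1].upper()
    secondary = fields[2] if len(fields) == 3 else None
    if not _valid_master(primary) or not _COUNTRY_RE.match(country):
        return None
    if secondary is not None and not _valid_master(secondary):
        return None
    return ProvisioningParams(primary, country, secondary)


def provisioning_from_offer(options_payload: bytes):
    """ZTP decision for one Offer: ("dhcp", params) or ("activate", None)."""
    opts = parse_dhcp_options(options_payload)
    if opts.get(OPTION_VENDOR_CLASS) != VENDOR_CLASS:
        return "activate", None    # option 43 is ignored without the VCI
    params = params_from_option43(opts.get(OPTION_VSI, b""))
    if params is None:
        return "activate", None    # malformed or invalid: next method
    return "dhcp", params


def build_options(*pairs) -> bytes:
    """Assemble a constructed option area for the examples below."""
    body = b"".join(bytes([tag, len(value)]) + value for tag, value in pairs)
    return body + bytes([OPTION_END])


if __name__ == "__main__":
    # Constructed sample Offers: valid three-field VSI, then one lacking option 60.
    print(provisioning_from_offer(build_options(
        (OPTION_VENDOR_CLASS, b"ArubaMC"), (OPTION_VSI, b"10.1.1.1, US,master2.example.com"))))
    print(provisioning_from_offer(build_options((OPTION_VSI, b"10.1.1.1,US"))))
```

Nothing in the DHCP exchange authenticates the server, so these checks only reject malformed values; they cannot distinguish a legitimate Offer from any other host answering DHCP on the uplink VLAN. That is why the branch's subsequent secure tunnel to the master, and Activate's authentication of the device over HTTPS, are the controls that actually matter.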
Activate Provisioning
If the branch controller does not receive its provisioning parameters through DHCP options, it will query Activate for a provisioning rule that assigns that branch to a master controller.
When a branch controller establishes an HTTPS connection to the Activate server and requests provisioning information, the Activate server authenticates the controller and provides that branch device with provisioning information, including the IP address of its master controller and secondary master, and its country code. If the branch controller is unsuccessful in retrieving the provisioning parameters from Activate, it retries every 30 seconds until it succeeds, or the administrator interrupts auto-provisioning by initiating mini-setup or full-setup provisioning.
Before you can use Activate to associate branch controllers with a master controller, you must configure additional device settings on each branch and master controller, create a folder for those branch devices, then assign a provisioning rule to that folder that associates the branch controllers to a specified master. Use the following procedures to configure device details for the master and branch controllers, create folders, and define the provisioning rule.
Configuring Device Details for a Branch Controller
When you place an order for a controller, that device appears in the Activate Devices list displaying the preconfigured settings for its serial number, MAC address, and software image. Before you can add a branch controller to a master controller whitelist, you must use the Activate interface to assign a name to each branch controller and to identify the master controller in a branch controller deployment.
Follow the steps below to use Activate to configure branch or master controller device settings:
1. Click the Devices icon at the top of the page to display the Devices page.
2. Select a branch or master controller from the Devices list. If the list is very large, you can click the filter icon by any Devices list column heading and choose which entries to display, then select the branch controller from the smaller, filtered list.
3. If the controller will be used as the master controller, select the Master Controller checkbox.
4. In the Device Detail section of the Devices page, enter the following values:
   - Device name: (Required) an IP address or fully-qualified domain name for the branch or master controller
   - Full name: (Optional) a user-friendly name for the device
   - Description: (Optional) a short text string describing the device
5. Click Done to save your settings.
Figure 1 Device Details for a Branch Controller
Creating a New Branch Controller Folder
Associate multiple branch controllers to the same master controller by moving those branch controllers into a single Activate folder.

Note: A folder can contain only one model of branch controller, using the same country code and mapping to the same branch config group. Different folders must be created for branch controllers of different model types, or that use a different country code or branch config group.

Follow the steps below to add a new folder to the Folders list:
1. Click the Setup icon to display the Setup page.
2. Click the New link in the title bar of the Folders list. The Create a New Folder window appears.
3. Enter the following information for the folder:
   - Name: Name of the new branch controller folder. The folder name must be 100 characters or less, and cannot include the characters ?, # or &.
   - Parent: The new folder's parent folder. The new folder will be created under the selected parent.
   - Notes: (Optional) Use this field to add any additional notes about the folder.
4. Click Done to save the new folder.
Configuring the Provisioning Rule
A folder can have only one provisioning rule, and a provisioning rule can reference only one branch config group. Consequently, a separate folder with its own provisioning rule must be created for each group of branch controllers that share a common branch config group.
Follow the steps below to create a new provisioning rule for the new branch controller folder:
1. Click the Setup icon to display the Setup page.
2. In the Folders section of the Setup page, select the new branch controller folder.
3. Click the New link in the title bar of the Rules list. The Create a New Rule window appears at the bottom of the page. Enter a value for each required field described in the table below, then click Done to save your settings.
Figure 2 New Provisioning Rule
Table 1: Provisioning Rule Configuration Settings
Provisioning Rule Setting: Description
Rule Type: Click the Rule Type drop-down list, and select Provisioning Rule.
Parent Folder: Select the folder to which this provisioning rule applies.
Provision Type: Select the Branch to Master Controller rule type.
Primary Controller: MAC address of the primary master controller. Activate sends a branch controller whitelist with information about the controllers in this folder to the master controller with this MAC address.
Primary Ctrl IP: Enter the IP address of the primary master controller.
Backup Controller: (Optional) MAC address of a backup master controller, for deployments that require Layer-3 redundancy.
Backup Ctrl IP: (Optional) Enter the IP address of the secondary (backup) master controller.
Country Code: Select a country code to be assigned to the branch controllers in this folder.
Branch Config Group: Enter the name of a branch config group to assign that group of branch configuration settings to the branch controllers in this folder.
Moving a Branch Controller to the New Folder
Follow the steps below to assign one or more branch controllers to a folder:
1. Click the Devices icon at the top of the page to display the Devices page.
2. Click the filter icon by any Devices list column heading and choose which entries to display. You can repeat this step and filter the list by multiple criteria types until the Devices list shows only those devices you want to move to a new folder.
3. Click the Move to Folder button at the top of the Devices page. A drop-down window appears, displaying all folder names.
4. Select the destination folder for the devices.
5. A confirmation window appears, showing the total number of devices that will be moved.
6. Click OK to confirm the change, or click Cancel to cancel the move.
You can also assign an individual device to a new folder by selecting that device from the Devices list and manually changing its parent folder in the Device Details window.
Retrieval of Branch Controller Whitelist from Activate
Activate may be configured to supply the list of branch controllers to the master controller to be added to the whitelist in smart config.
The master controller sends a query to Activate every hour. The enable-mode CLI command activate sync may be used to initiate an immediate query to Activate.
When the master controller sends the query to Activate, Activate searches for all provisioning rules of type branch to master controller that specify the MAC address of this master controller in the primary controller field.
Activate Interface Communication
The branch controller and the master controller interact with the Activate server to receive information about each other. Once the Activate server is properly configured with the appropriate folders and provisioning rules, Activate automatically manages the relationship between a master controller and all the branch controllers associated with that master.
The master controller regularly contacts the Activate server to get a list of its associated branch controllers. Branch controllers interact with the Activate server to learn their role, master controller information, and regulatory domain. The master controller sends its own information, not branch controller information. Activate reuses the AP-information field for controller interactions between master and branch controllers.
The following steps describe how the master controller retrieves the whitelist database from the Activate server.
1. The master controller sends an initial POST with a keepalive connection type that includes the following information:
   - type = provision update
   - AP information that includes <serial number>, <mac-address>, <model>
2. Activate responds with the following information:
   - type = provision update
   - an Activate-assigned session ID
   - connection = keep alive
3. The master controller then sends a second POST with a close connection type that includes the following information:
   - type = provision update
   - the session ID received from Activate
   - device information that includes <serial number>, <mac-address>, <model>
4. Activate then responds with the following information:
   - type = provision update
   - the same session ID that Activate assigned in the first response
   - status = success or failure
   - the list of branch controllers from the whitelist database, where each list entry contains a <mac-address>, <serial number>, <model>, <mode>, <hostname>, and <config group>
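The two-POST exchange above, together with the rule lookup described under Retrieval of Branch Controller Whitelist from Activate, modelled as an added Python example (not Aruba or Activate code). The page gives no wire encoding, so each POST and response is a plain dict carrying the fields the text names; the class and function names, the folder paths, rules, devices, MAC addresses and serials are all constructed for this example. The server side returns every device in a folder whose branch-to-master rule names the querying master's MAC as Primary Controller, tagged with that rule's branch config group, and refuses a second POST whose session ID is unknown or was opened by a different device; the master side checks the echoed session ID and the status before treating the list as its whitelist.

```python
"""Master/Activate whitelist retrieval, modelled (added example, not Aruba code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One provisioning rule of type branch to master controller (one per folder)."""
    folder: str
    primary_controller_mac: str
    primary_ctrl_ip: str
    country_code: str
    branch_config_group: str
    backup_controller_mac: Optional[str] = None


@dataclass
class Device:
    """An entry in the Activate Devices list."""
    serial: str
    mac: str
    model: str
    folder: str
    hostname: str
    mode: str = "branch"


class ActivateServer:
    """Activate's side of the exchange; sessions map session ID to master MAC."""

    def __init__(self, rules: List[Rule], devices: List[Device]):
        self.rules, self.devices = rules, devices
        self.sessions: Dict[str, str] = {}

    def whitelist_for(self, master_mac: str) -> List[dict]:
        """Devices in every folder whose rule names master_mac as Primary Controller."""
        entries = []
        for rule in self.rules:
            if rule.primary_controller_mac.lower() != master_mac.lower():
                continue
            for dev in self.devices:
                if dev.folder == rule.folder:
                    entries.append({"mac": dev.mac, "serial": dev.serial,
                                    "model": dev.model, "mode": dev.mode,
                                    "hostname": dev.hostname,
                                    "config_group": rule.branch_config_group})
        return entries

    def handle(self, msg: dict) -> dict:
        reply = {"type": "provision update"}
        if msg.get("type") != "provision update":
            return {**reply, "status": "failure"}
        if msg.get("connection") == "keep-alive":          # first POST
            sid = secrets.token_hex(8)
            self.sessions[sid] = msg["ap_info"]["mac"]
            return {**reply, "session_id": sid, "connection": "keep-alive"}
        if msg.get("connection") == "close":               # second POST
            sid = msg.get("session_id")
            owner = self.sessions.pop(sid, None)
            # The session must exist and belong to the device that opened it.
            if owner is None or owner != msg["device_info"]["mac"]:
                return {**reply, "session_id": sid, "status": "failure"}
            return {**reply, "session_id": sid, "status": "success",
                    "devices": self.whitelist_for(owner)}
        return {**reply, "status": "failure"}


def master_sync(server: ActivateServer, serial: str, mac: str, model: str) -> List[dict]:
    """The master's side of an 'activate sync': two POSTs, then the whitelist."""
    info = {"serial": serial, "mac": mac, "model": model}
    first = server.handle({"type": "provision update", "connection": "keep-alive",
                           "ap_info": info})
    sid = first["session_id"]
    second = server.handle({"type": "provision update", "connection": "close",
                            "session_id": sid, "device_info": info})
    # Check before anything reaches the smart config whitelist: the echoed
    # session ID must match the first response and status must be success.
    if second.get("session_id") != sid or second.get("status") != "success":
        raise RuntimeError(f"whitelist retrieval failed: {second}")
    return second["devices"]


def build_demo_server() -> ActivateServer:
    """Constructed data: one folder of branches ruled to master 02:00:00:00:00:01."""
    rules = [Rule(folder="/branches-us", primary_controller_mac="02:00:00:00:00:01",
                  primary_ctrl_ip="192.0.2.10", country_code="US",
                  branch_config_group="branch-cg-us")]
    devices = [Device("SN-BR-A", "02:00:00:00:00:0a", "7000", "/branches-us", "branch-a"),
               Device("SN-BR-B", "02:00:00:00:00:0b", "7000", "/branches-us", "branch-b"),
               Device("SN-BR-C", "02:00:00:00:00:0c", "7000", "/unassigned", "branch-c")]
    return ActivateServer(rules, devices)


if __name__ == "__main__":
    for entry in master_sync(build_demo_server(), "SN-MASTER-1", "02:00:00:00:00:01", "7000"):
        print(entry)
```

The device in the folder with no rule never appears in any master's whitelist, which matches the page's constraint that a branch is associated with a master only through the provisioning rule on its folder.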