Zero-Touch Provisioning Overview


Traditionally, the deployment of controllers was a multiple step process where the master controller information and local configurations were first pre-provisioned. After the managed device connected to the network, it established a secure tunnel to the master and downloaded the global configuration. ZTP automates deployment of managed devices plug-n-play. The managed device now learns the required information from the network and provisions itself automatically. ArubaOS allows a managed device to automatically get its local and global configuration and license limits from Mobility Master.

This section includes the following topics:

Why use ZTP?

Managed Device Provisioning Modes

Managed Device Address Pools

Zero-Touch Provisioning Workflows


For more information about the procedures to prepare your network for ZTP, see Using ZTP to Provision a Managed Device.

Why use ZTP?

ZTP offers the following advantages over a standard managed device configuration:

simple deployment

reduced operational cost

limits to provisioning errors

A managed device configured using ZTP automatically discovers the Mobility Master, downloads its local configuration from that Mobility Master, and is provisioned with its device role, and country code.


The local configuration is the configuration that is specific to a managed device. That is, not the global configuration shared by a network of managed devices. This includes, but is not limited to, IP addresses and VLANs.

Once the manged node is provisioned, it is ready to obtain its global configuration in either of two ways:

The administrator enters the global configuration via the WebUI or CLI of the Mobility Master.

The managed device retrieves its global configuration from the Mobility Master.

Device-specific configurations that are common across multiple devices can be modified from a central location using the bulk edit feature. Users can apply common device configurations to a group of devices without having to update each device individually. Bulk edit supports, but is not limited to, the following configurations: 

Time zone

Daylight savings time setting


Managed device IP addresses

DHCP pools

Managed Device Provisioning Modes

The administrator has the choice of provisioning modes that select how the managed device is supplied with its own IP address, role, country code, and configuration settings.

Once the managed device learns the IP address of the primary Mobility Master, the managed device contacts that Mobility Master and retrieves its configuration from its assigned configuration node.


Before you deploy a managed device, use you must create a configuration for that device at a configuration node on Mobility Master. Mobility Master pushes this configuration to the managed device when the device becomes active on the network.

ArubaOS supports the following provisioning modes for managed devices:

auto: In this mode, the managed device:

obtains its IP address from DHCP

obtains its role, country code, and the IP addresses of the Mobility Master and any defined secondary Mobility Master from a provisioning rule in Activate

retrieves its configuration from a configuration node on Mobility Master

mini-setup: In this mode, the managed device:

has its role set to local (local) when mini-setup is initiated

obtains its IP address from DHCP

is configured through the console with its country code and the IP address of the primary Mobility Master and (optionally) the secondary Mobility Master IP

retrieves its local config group from the primary Mobility Master

full-setup: In this mode, the managed device:

is configured with its role set to ocal (local) through the console

is configured to obtain its IP address through manual configuration of a static IP, DHCP, or PPPoE

is configured through the console with its country code and the IP address of the primary Mobility Master and (optionally) the secondary Mobility Master IP

retrieves its configuration from a configuration node on the primary Mobility Master

Managed Device Address Pools

Each managed device needs a pool of addresses it can dynamically assign to APs or users on each of its VLANs, and a separate IP address that managed device uses to create a GRE tunnel to Mobility Master. Mobility Master can assign IP these addresses to managed devices using dynamic address pools. These pools allow network administrators to create a generic configuration that provisions managed device interfaces with individual settings that are unique across branch offices. If managed devices are also serving as DHCP servers for other devices at that location, smaller DHCP pools for those individual branches can be dynamically carved out from a larger DHCP pool.

ArubaOS 8.0 supports three different types of address pools that can be applied to a hierarchy node

NAT Pools: A NAT pool is used to assign IP addresses to a VLAN interface on a managed device . The range of addresses in this pool is available for use for any DHCP-enabled managed device when it is added to that specific node in the configuration hierarchy. When you add a managed device, a group of IP addresses is removed from the NAT pool on that hierarchy node and is and leased to the device. The IP addresses in a NAT pool are dynamic (leased) rather than static (permanently assigned), so addresses no longer in use are automatically returned to the pool for reallocation.

Tunnel pools: A tunnel pool defines a range of IP addresses that can be used by the managed devices to create a GRE tunnel to the Mobility Master. When you add a managed device controller, an  IP address is removed from the tunnel pool on that hierarchy node and is and leased to that device. Addresses no longer in use are automatically returned to the pool for reallocation.

VLAN pools: A VLAN pool allocates a block of IP addresses for each managed device. The managed device acts as a DNS proxy server and dynamically assigns IP addresses from its allocated pool to each AP or client on the VLAN. A VLAN pool allocates multiple addresses to each managed device VLAN, unlike the tunnel pool, which assigns a single tunnel IP address to each managed device.

Zero-Touch Provisioning Workflows

The managed device obtains its IP address through DHCP by sending a DHCP discover on the default uplink port. The default uplink port is configured as an access port in VLAN 4094.

Next it will attempt to retrieve the provisioning parameters from Activate. If the managed device is unsuccessful in retrieving the provisioning parameters from Activate, it will retry in 30 seconds. The managed device keeps trying to retrieve the provisioning parameters from Activate every 30 seconds until it is successful or the administrator interrupts Auto-Provisioning by initiating mini-setup or full-setup.

To interrupt the auto provisioning process, enter the string mini-setup or full-setup at the initial setup dialog prompt shown below.

Auto-provisioning is in progress. Choose one of the following options to override or debug...

'enable-debug' : Enable auto-provisioning debug logs

'disable-debug': Disable auto-provisioning debug logs

'mini-setup' : Stop auto-provisioning and start mini setup dialog for smart-local role

'full-setup' : Stop auto-provisioning and start full setup dialog for any role

Enter Option (partial string is acceptable):_