Thursday, August 23, 2018

Juniper Zero Touch not quite Zero Touch?

I've been working on implementing ZTP for our EX3400 and EX4300 deployments. I got it working on a basic level without too many annoyances (get to those in a minute). I am noticing that the ZTP process on the zeroed switches does not seem to be kicking in until I go to the switch, console in, and go to cli mode. I then immediately see things kick off. If I just let it sit at the bash for hours nothing seems to happen at all (no config, no firmware). So, this is my main concern at the moment. I do not want to have to touch the switch during zero touch for anything past verification that it's done, so if anyone has a thought on that, I'd really appreciate it.

Side questions:

  • Pulling firmware to the switch via TFTP takes hours. Pulling via FTP, minutes. Pushing via FTP or TFTP from a server are both pretty quick. WTF?
  • I want to get into the script side of ZTP for additional functionality (to deploy more than just the basic config that is identical to all switches). I'm kinda terrible with scripting at the moment, so I'd love if anyone has some sage advice here or a favorite guide. I've seen a few examples from others that are like 4-5 years old. Mostly SLAX. Not sure if I'm going to prefer config based on "where am I plugged in?" vs "what is my MAC/Serial?"
  • How are others using ZTP? Or is anyone, really? Curious about any stories that might be fun/horrifying/interesting.
  • How extensively are people leveraging dot1x for provisioning interfaces? I'm working with one huge campus and a bunch of smaller ones scattered all about, so things like "This is a WAP, configure for a WAP" would be very handy to automate. We have ClearPass that I'll be looking at leveraging this way after ZTP.
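
Since the transfer method and the file names the switch fetches during ZTP are handed to it in DHCP option 43, here is an added example (mine, not from the post or from Juniper) that builds and parses that payload with Juniper's documented sub-option codes, including the transfer-mode sub-option that selects FTP instead of the default TFTP. The image and config file names are constructed placeholders; the colon-hex output is the form ISC dhcpd accepts for a raw option 43 value.

```python
# Added example, not from the original post: encode/decode the DHCP option 43
# payload a Juniper switch reads during ZTP. Sub-option codes as documented
# for Juniper ZTP: 0 = image file name, 1 = config file name,
# 3 = transfer mode ("tftp", "ftp" or "http"). File names here are placeholders.

SUBOPT_IMAGE = 0
SUBOPT_CONFIG = 1
SUBOPT_TRANSFER_MODE = 3
VALID_MODES = {"tftp", "ftp", "http"}


def encode_option43(image=None, config=None, transfer_mode="tftp"):
    """Return raw option-43 bytes: a run of (code, length, value) TLVs."""
    if transfer_mode not in VALID_MODES:
        raise ValueError(f"unsupported transfer mode: {transfer_mode}")
    fields = [(SUBOPT_IMAGE, image), (SUBOPT_CONFIG, config),
              (SUBOPT_TRANSFER_MODE, transfer_mode)]
    out = bytearray()
    for code, value in fields:
        if value is None:
            continue  # sub-option omitted entirely, not sent as empty
        raw = value.encode("ascii")
        if len(raw) > 255:
            raise ValueError("sub-option value exceeds one-byte length field")
        out += bytes([code, len(raw)]) + raw
    return bytes(out)


def decode_option43(payload):
    """Parse TLVs back into {code: value}; refuse truncated payloads."""
    result, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        result[code] = value.decode("ascii")
        i += 2 + length
    return result


def as_dhcpd_hex(payload):
    """Colon-separated hex, the syntax ISC dhcpd takes for a raw option value."""
    return ":".join(f"{b:02x}" for b in payload)


if __name__ == "__main__":
    p = encode_option43(image="jinstall-ex-4300-PLACEHOLDER.tgz",
                        config="ztp/base.conf", transfer_mode="ftp")
    print(as_dhcpd_hex(p))
    print(decode_option43(p))
```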

Thanks all!
