Switching between Secure Zero Touch Provisioning and Zero Touch Provisioning
To see which platforms support Secure Zero Touch Provisioning (SZTP), go to Feature Explorer. In the Explore Features section of the Feature Explorer page, select All Features. In the Features Grouped by Feature Family box, select Secure ZTP. You can also type the name of the feature in the Search for Features edit box. See the Release History Table at the end of this topic for more details of how ZTP support has expanded.
Overview
Secure zero-touch provisioning (SZTP) requires additional network infrastructure, such as a secure ZTP server, for provisioning. If you have a secure device with SZTP as its default provisioning method, and don't have the network infrastructure to support SZTP, you can easily switch to ZTP. On the other hand, if your device's default provisioning method is ZTP, and you want to use SZTP for provisioning, you can easily switch to SZTP.
Benefits
- On secure devices, you have the flexibility to switch between using SZTP and ZTP depending on your network infrastructure.
Switching between SZTP and ZTP
See the following table for the Junos OS and Junos OS Evolved commands and the VM Host Junos OS commands to use to switch from SZTP to ZTP and vice versa.
On MX304 devices without a backup Routing Engine, when you issue the request vmhost zeroize ztp-option secure-(enable | disable) command, you will see the following warning on the console: Backup RE is not present. Zeroize backup RE when it is inserted.
Junos OS and Junos OS Evolved | VM Host Junos OS |
---|---|
request system zeroize ztp-option secure-disable: When you issue this command, the CLI checks to see if the device is a secure device. If the device is secure, the next time the device boots, the device uses ZTP as the provisioning solution. If the device is not secure, the process ends. | request vmhost zeroize ztp-option secure-disable: When you issue this command, the CLI checks to see if the device is a secure device. If the device is secure, the next time the device boots, the device uses ZTP as the provisioning solution. If the device is not secure, the process ends. |
request system zeroize ztp-option secure-enable: The CLI checks to see if the device is a secure device. If the device is secure, the process ends. The next time the device boots, the device uses SZTP as the provisioning solution. If the device is not a secure device, you will receive an error message that says the device is not secure, and the process ends. | request vmhost zeroize ztp-option secure-enable: The CLI checks to see if the device is a secure device. If the device is secure, the process ends. The next time the device boots, the device uses SZTP as the provisioning solution. If the device is not a secure device, you will receive an error message that says the device is not secure, and the process ends. |
If you don't specify the ztp-option option in either the request system zeroize or request vmhost zeroize command, the secure platform will bootstrap with SZTP as its provisioning solution.
Caveats
- When the device uses ZTP, the SZTP configuration remains on the device, and the SZTP client (phone-home client) runs passively. Once ZTP commits its configuration, the phone-home server configuration is removed.
- If the default ZTP behavior is different from the type of zero-touch provisioning (ZTP or SZTP, for example) you're using, you will need to issue either the request system zeroize ztp-option secure-(enable | disable) or request vmhost zeroize ztp-option secure-(enable | disable) command.
- If the current Junos OS or Junos OS Evolved software version on your device supports SZTP, but the software image you're upgrading to doesn't support SZTP, then bootstrapping with SZTP will fail. On devices running Junos OS or VM Host Junos OS, this is not applicable if the device is installed with SZTP as part of its factory default configuration.