ZTP with Aruba Central
Aruba Central does not require any configuration of a local DHCP server or other network components, but it does require a switch with Internet access.
Users with access to the Aruba Central cloud portal must provision their switches and assign licenses accordingly. Once complete, Aruba Central will automatically program the Activate portal with the required switch details and the group to which the switch must check in.
- Aruba Central does not support IPv6 connectivity.
- Aruba Central is not applicable for connection through OOBM interface.
The following diagram illustrates the working of Aruba Central ZTP:
Prerequisites for Activate and Aruba Central connections:
- To allow devices to communicate over a network firewall, ensure that the domain names and ports as mentioned in - are allowlisted.
- The connection to Activate or Aruba Central must be through an HTTP or HTTPS proxy.
  - For connection via HTTP proxy, refer to the configuration steps in HTTP Proxy support with ZTP overview.
  - For connection via HTTPS proxy, the domain names given in , , and must be allowlisted so that the TLS connection is not intercepted and modified by the proxy.
- For an exhaustive list of all the URLs, see Opening Firewall Ports for Device Communication.
The workflow is as follows:
- The switches being provisioned in branches boot and connect to Activate in the cloud.
- To establish a TLS connection with Activate, the switches send the Activate server domain name (devices-v2.arubanetworks.com) in the server_name SNI extension field of the Client Hello message to Activate. In order to successfully connect to Activate, the following domains must be allowlisted.
  * Required for Aruba 2530 switches to provision certificate using the EST server in Activate.
- The switch obtains the URL of Aruba Central from Activate and establishes a TLS connection with Aruba Central. While establishing the TLS connection, it sends the server name of Aruba Central in the SNI extension field of the Client Hello message to Aruba Central. To successfully connect to Aruba Central, the following domains must be allowlisted.
  You must add the URL used to access Aruba Central based on your region.
- Based on the administrator's provisioning (such as folder, rule), the device is placed in the appropriate folder before being redirected to Aruba Central.
- The switches check in with Aruba Central and the server pushes the configuration to the switches based on the group, switch model, and branch location.
- Software update can be done via Activate and Aruba Central. In order to update the software successfully, the following domain(s) must be allowlisted.

Other Domain Names

| Domain Name | Protocol |
|---|---|
| http://h30326.www3.hpe.com | TCP port 80 |

To view the URL for software updates, use the show activate software-update command.
- To access the device console through SSH from Aruba Central, the following domain(s) must be allowlisted.

| Other Domain Names | Protocol |
|---|---|
| central-eu-rcs.central.arubanetworks.com (for Europe region) | TCP port 443 |
| rcs-m.central.arubanetworks.com (for all other regions) | TCP port 443 |

For more information on Aruba Central configuration, refer to the Aruba Central Configuration Guide.
After the switch successfully checks in with Aruba Central, the management interfaces on the switch are read-only or disabled.
The following management interfaces on the switch are read-only:
- Web UI
- SNMP
- REST
These interfaces are opened for READ operation after the switch is connected to Aruba Central. For the 2920 switches, only SNMP is read-only; REST and Web UI are disabled.
The following management interfaces on the switch are disabled:
- TR-69
- Menu
There is a restriction on executing the following commands over CLI:
- boot
- recopy
- erase
- reload
- startup-default
- upgrade-software
- setup
- delete
- reboot
- restore
- menu
- write memory
- amp-server