ZTP with Aruba Central

Aruba Central does not require any configuration of a local DHCP (Dynamic Host Configuration Protocol) server or other network components, but it requires a switch with Internet access.

Users with access to the Aruba Central cloud portal must provision their switches and assign licenses accordingly. Once complete, Aruba Central will automatically program the Activate portal with the required switch details and the group to which the switch must check in.

The following diagram illustrates the working of Aruba Central ZTP (Zero Touch Provisioning):

Prerequisites for Activate and Aruba Central connections:

The workflow is as follows:

  1. The switches being provisioned in the branches boot and connect to Activate in the cloud.

  2. To establish a TLS connection with Activate, the switches send the Activate server domain name (devices-v2.arubanetworks.com) in the server_name SNI extension field of the Client Hello message to Activate. In order to successfully connect to Activate, the following domains must be allowlisted.

    Domain Names for Device Communication with Aruba Activate

    Domain Name                     Protocol
    device.arubanetworks.com        HTTPS, TCP port 443
    devices-v2.arubanetworks.com    HTTPS, TCP port 443
    est.arubanetworks.com *         HTTPS, TCP port 443
    pool.ntp.org                    UDP port 123

    * Required for Aruba 2530 switches to provision a certificate using the EST server in Activate.

  3. Switch obtains the URL of Aruba Central from Activate and establishes a TLS connection with Aruba Central. While establishing the TLS connection, it sends the server name of Aruba Central in the SNI extension field of the Client Hello message to Aruba Central. To successfully connect to Aruba Central, the following domains must be allowlisted.

     

    Domain Names for Device Communication with Aruba Central

    Region         URL for Device Connectivity                    Protocol
    US-1           app1.central.arubanetworks.com                 HTTPS, TCP port 443
    US-2           device-prod2.central.arubanetworks.com         HTTPS, TCP port 443
    US-WEST-4      device-uswest4.central.arubanetworks.com       HTTPS, TCP port 443
    EU-1           device-eu.central.arubanetworks.com            HTTPS, TCP port 443
    EU-3           device-eucentral3.central.arubanetworks.com    HTTPS, TCP port 443
    Canada-1       device-ca.central.arubanetworks.com            HTTPS, TCP port 443
    China-1        device.central.arubanetworks.com.cn            HTTPS, TCP port 443
    APAC-1         app1-ap.central.arubanetworks.com              HTTPS, TCP port 443
    APAC-EAST1     device-apaceast.central.arubanetworks.com      HTTPS, TCP port 443
    APAC-SOUTH1    device-apacsouth.central.arubanetworks.com     HTTPS, TCP port 443

    You must add the URL used to access Aruba Central based on your region.

  4. Based on the administrator's provisioning (such as folder or rule), the device is placed in the appropriate folder before being redirected to Aruba Central.

  5. The switches check in with Aruba Central, and the server pushes the configuration to the switches based on the group, switch model, and branch location.

  6. Software updates can be performed via Activate and Aruba Central. To update the software successfully, the following domain(s) must be allowlisted.

    Other Domain Names

    Domain Name                   Protocol
    http://h30326.www3.hpe.com    TCP port 80

    To view the URL for software updates, use the show activate software-update command.

  7. To access the device console through SSH (Secure Shell) from Aruba Central, the following domain(s) must be allowlisted.

    Other Domain Names

    Domain Name                                                    Protocol
    central-eu-rcs.central.arubanetworks.com (for Europe region)   TCP port 443
    rcs-m.central.arubanetworks.com (for all other regions)        TCP port 443
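
The allowlist requirements from steps 2, 3, 6 and 7 can be audited against a firewall's egress rules before switches are deployed. The following is an added example, not Aruba code: the `(host, proto, port)` rule format, the `*.` wildcard semantics, the mapping of EU-* regions to the Europe console host, and the sample allowlist are assumptions.

```python
# Added example: audit an egress allowlist against the domains listed on this page.
# Assumed (not Aruba's): rule format (host, proto, port) and "*." suffix wildcards.
ACTIVATE = [("device.arubanetworks.com", "tcp", 443),
            ("devices-v2.arubanetworks.com", "tcp", 443),
            ("pool.ntp.org", "udp", 123)]
EST_2530 = [("est.arubanetworks.com", "tcp", 443)]       # Aruba 2530 only
SOFTWARE_UPDATE = [("h30326.www3.hpe.com", "tcp", 80)]   # plain HTTP per the page
CENTRAL = {  # region -> device connectivity host, all TCP 443
    "US-1": "app1.central.arubanetworks.com",
    "US-2": "device-prod2.central.arubanetworks.com",
    "US-WEST-4": "device-uswest4.central.arubanetworks.com",
    "EU-1": "device-eu.central.arubanetworks.com",
    "EU-3": "device-eucentral3.central.arubanetworks.com",
    "Canada-1": "device-ca.central.arubanetworks.com",
    "China-1": "device.central.arubanetworks.com.cn",
    "APAC-1": "app1-ap.central.arubanetworks.com",
    "APAC-EAST1": "device-apaceast.central.arubanetworks.com",
    "APAC-SOUTH1": "device-apacsouth.central.arubanetworks.com",
}

def console_host(region):
    # Assumption: regions named EU-* are the page's "Europe region".
    prefix = "central-eu-rcs" if region.startswith("EU-") else "rcs-m"
    return prefix + ".central.arubanetworks.com"

def required(region, model_2530=False, updates=True, console=True):
    need = ACTIVATE + [(CENTRAL[region], "tcp", 443)]  # new list, in workflow order
    if model_2530:
        need += EST_2530
    if updates:
        need += SOFTWARE_UPDATE
    if console:
        need.append((console_host(region), "tcp", 443))
    return need

def covers(rule_host, host):
    """Exact match, or '*.example.com' covering any subdomain of example.com."""
    rule_host, host = rule_host.lower(), host.lower()
    if rule_host.startswith("*."):
        return host.endswith(rule_host[1:])
    return rule_host == host

def missing(allowlist, region, **opts):
    """Required endpoints that no allowlist rule permits (host, proto and port)."""
    return [(h, p, n) for h, p, n in required(region, **opts)
            if not any(covers(rh, h) and (rp, rn) == (p, n) for rh, rp, rn in allowlist)]

# Constructed sample allowlist: one broad wildcard plus NTP.
SAMPLE_ALLOWLIST = [("*.arubanetworks.com", "tcp", 443), ("pool.ntp.org", "udp", 123)]
```

With the constructed sample, `missing(SAMPLE_ALLOWLIST, "EU-1")` reports only the HTTP software-update host, while `"China-1"` also reports the `.com.cn` Central host, which the `.com` wildcard does not cover.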

For more information on Aruba Central configuration, refer to the Aruba Central Configuration Guide.

After the switch successfully checks in with Aruba Central, the management interfaces on the switch are read-only or disabled.

The following management interfaces on the switch are read-only:

These interfaces are opened for READ operations after the switch is connected to Aruba Central. For the 2920 switches, only SNMP is read-only; REST and Web UI are disabled.

The following management interfaces on the switch are disabled:

  • TR-69
  • Menu

There is a restriction on executing the following commands over CLI:

  • boot

  • recopy

  • erase

  • reload

  • startup-default

  • upgrade-software

  • setup

  • delete

  • reboot

  • restore

  • menu

  • write memory

  • amp-server