USB-Based Zero Touch Provisioning
For customer environments that do not support Zero Touch Provisioning (ZTP) via the Cloud Portal and Orchestrator, gateways can be provisioned using a preconfiguration file loaded onto a USB drive.
Scenarios where this method may be required include:
- No DHCP for WAN-side interfaces
- No internet connectivity (MPLS only)
- Restricted internet access (via proxy only)
In these scenarios, to provide a ZTP experience, you can prepare a USB flash drive containing the preconfiguration file with the necessary configurations for getting the gateway online and reachable via the Orchestrator.
Prerequisites
Review the prerequisites below.
- A USB drive formatted as FAT32.
- A valid configuration file (bootstrap.xml) generated from the Orchestrator. Ensure the following syntax is used in the bootstrap.xml file:
  <config>
  <serial>EC-123456789</serial>
  <orchestrator>orchestrator.example.com</orchestrator>
  <accountKey>your-account-key</accountKey>
  <tags>site=branch1,role=edge</tags>
  </config>
- Use lowercase for XML tags. Avoid trailing slashes in URLs.
- Tags must be comma-separated with no spaces.
- The appliance serial number must be authorized in the Orchestrator.
- Orchestrator version 9.3.2 or later is recommended for full feature support.
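The following pre-flight check for bootstrap.xml is an added Python example; it is not part of this page or of the vendor's tooling. It assumes the element names exactly as the sample above spells them (serial, orchestrator, accountKey, tags) and reports a tag that differs from them only by case as a violation of the lowercase-tags rule; it also applies the trailing-slash rule to the orchestrator value and the comma-separated-no-spaces rule to tags. The BROKEN_BOOTSTRAP sample is constructed to trip each check. Whether the serial number is authorized in the Orchestrator cannot be checked offline and stays a portal-side step.

```python
"""Offline pre-flight validator for a ZTP bootstrap.xml (added example, not vendor code)."""
import re
import sys
import xml.etree.ElementTree as ET

# Element names exactly as the page's sample spells them.
EXPECTED_TAGS = ("serial", "orchestrator", "accountKey", "tags")
# <tags> must be comma-separated with no spaces, e.g. site=branch1,role=edge
TAGS_PATTERN = re.compile(r"[^,\s]+(,[^,\s]+)*")

# The sample from the prerequisites above.
GOOD_BOOTSTRAP = """<config>
<serial>EC-123456789</serial>
<orchestrator>orchestrator.example.com</orchestrator>
<accountKey>your-account-key</accountKey>
<tags>site=branch1,role=edge</tags>
</config>
"""

# Constructed counter-example: wrong-case tags, trailing slash, empty key, spaces in tags.
BROKEN_BOOTSTRAP = """<Config>
<Serial>EC-123456789</Serial>
<orchestrator>https://orchestrator.example.com/</orchestrator>
<accountKey></accountKey>
<tags>site=branch1, role=edge</tags>
</Config>
"""


def check_bootstrap(xml_text):
    """Return a list of problem strings; an empty list means every check passed."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "config":
        problems.append("root element must be <config>, found <%s>" % root.tag)

    found = {}
    by_lower = {t.lower(): t for t in EXPECTED_TAGS}
    for child in root:
        if child.tag in EXPECTED_TAGS:
            found[child.tag] = (child.text or "").strip()
        elif child.tag.lower() in by_lower:
            problems.append("tag <%s> has the wrong case; use <%s>"
                            % (child.tag, by_lower[child.tag.lower()]))
        else:
            problems.append("unexpected tag <%s>" % child.tag)

    for tag in EXPECTED_TAGS:
        if tag not in found:
            problems.append("missing <%s> element" % tag)
        elif not found[tag]:
            problems.append("<%s> is empty" % tag)

    orch = found.get("orchestrator", "")
    if orch.endswith("/"):
        problems.append("<orchestrator> must not end with a trailing slash")
    if re.search(r"\s", orch):
        problems.append("<orchestrator> contains whitespace")

    tags = found.get("tags", "")
    if tags and not TAGS_PATTERN.fullmatch(tags):
        problems.append("<tags> must be comma-separated with no spaces")

    serial = found.get("serial", "")
    if serial and re.search(r"\s", serial):
        problems.append("<serial> contains whitespace")
    return problems


if __name__ == "__main__":
    # Usage: python check_bootstrap.py [path/to/bootstrap.xml]; without a path the
    # constructed broken sample is checked so the output can be inspected.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else BROKEN_BOOTSTRAP
    for problem in check_bootstrap(text):
        print("PROBLEM:", problem)
```

Run it against the file before it goes on the USB stick; a non-empty list means the gateway will most likely fail to register and you will be troubleshooting on site without management access.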
USB ZTP Steps
Follow the steps below to use the USB ZTP.
NOTE: To use USB ZTP, the gateway must be in a “first boot state.” Gateways fresh out of the box will run in this mode, but existing gateways must be placed into this state before using USB ZTP.
- Format the USB device to FAT32.
- Create the spcustom.yml file for the site. See the example spcustom.yml files below.
- Place the spcustom.yml file within the root of the USB drive.
- Attach the USB device to one of the USB ports of the powered-off gateway.
- Power on the gateway.
YAML Examples
The YAML examples below are for several scenarios. Modify the example by using the specific details of your environment. Be careful to verify that the syntax is correct.
NOTE: If you copy an example from this page, paste it into a plain-text editor such as Notepad or Notepad++ and use it as the basis for the spcustom.yml file you deploy. Make sure the editor strips any hidden characters. Save the file in an ASCII/ANSI-compatible character set; do not save it in a UTF format.
Example 1 - Management 0 (mgmt0) DHCP, WAN0 DHCP (prefer WAN0 for management traffic)
This spcustom.yml file instantiates an EC gateway using DHCP for both mgmt0 and WAN0, but uses wan0 for management traffic.
silverpeak_vxoa_init:
  config_vars:
    HOSTNAME: <HOSTNAME>
    ACCNAME: <ACCOUNT NAME>
    ACCKEY: <ACCOUNT KEY>
    SYS_TAG: <APPLIANCE TAG>
    ILRM: true
    # Next hop used by the ip default-gateway task below (assumed; the original
    # example references _$WAN0_NEXTHOP$ without defining it)
    WAN0_NEXTHOP: <WAN0 NEXT-HOP IP>
  # ----------------------------------------------------------
  # Pre-Management Tasks
  # ----------------------------------------------------------
  pre_mgmtd_tasks:
    - "configdb:/system/hostname,hostname,_$HOSTNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/account,string,_$ACCNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/key,string,_$ACCKEY$"
    - "configdb:/cn/tunneld/portal/config/registration/site,string,_$SYS_TAG$"
    - "configdb:/cn/tunneld/system/config/routing_inline,bool,_$ILRM$"
    # ----------------------------------------------------------
    # Set up management and data plane
    # system router commands are required on wan/lan interfaces
    # only specify if initial management-plane access is required to contact Orchestrator
    # use your environment's IP addresses for nexthop w.x.y.z
    # ----------------------------------------------------------
    - "cli:en;conf t;system router rtr1 create interface wan0 wan"
    - "cli:en;conf t;system router rtr1 dhcp"
    # ----------------------------------------------------------
    # Use the ip default-gateway command to set the default route to the specified next-hop or interface.
    # Use the no form of this command to remove the current default route or all the default routes.
    # ip default-gateway <next-hop IP address> <interface name> <metric> [<src>]
    # set metric for wan0
    # a metric of 5 gives preference to wan0, assuming mgmt0 has a higher metric
    # "cli:en;conf t;ip default-gateway _$WAN0_NEXTHOP$ wan0 5 _$WAN0_IP$"
    # example without src
    # ----------------------------------------------------------
    - "cli:en;conf t;ip default-gateway _$WAN0_NEXTHOP$ wan0 5"
    # ----------------------------------------------------------
    # DNS (optional, as a built-in policy automatically sets it to 8.8.8.8)
    # ----------------------------------------------------------
    - "cli:en;conf t;ip name-server 8.8.8.8"
    # ----------------------------------------------------------
    # Write to memory and reboot
    # ----------------------------------------------------------
    - "cli:en;conf t;write memory;reboot noconfirm"
    # ----------------------------------------------------------
Example 2 - Management 0 (mgmt0) DHCP, WAN0 DHCP (prefer mgmt0 for management traffic)
This spcustom.yml file instantiates an EC gateway using both mgmt0 and WAN0 with DHCP, preferring mgmt0 for management traffic.
silverpeak_vxoa_init:
  config_vars:
    HOSTNAME: <HOSTNAME>
    ACCNAME: <ACCOUNT NAME>
    ACCKEY: <ACCOUNT KEY>
    SYS_TAG: <APPLIANCE TAG>
    ILRM: true
  # ----------------------------------------------------------
  # Pre-Management Tasks
  # ----------------------------------------------------------
  pre_mgmtd_tasks:
    - "configdb:/system/hostname,hostname,_$HOSTNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/account,string,_$ACCNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/key,string,_$ACCKEY$"
    - "configdb:/cn/tunneld/portal/config/registration/site,string,_$SYS_TAG$"
    - "configdb:/cn/tunneld/system/config/routing_inline,bool,_$ILRM$"
  # ----------------------------------------------------------
  # Post-Management Tasks
  # ----------------------------------------------------------
  post_mgmtd_tasks:
    # ----------------------------------------------------------
    # Set up management and data plane
    # system router commands are required on wan/lan interfaces
    # only specify for initial management-plane access when required to contact Orchestrator
    # use your lab environment IP addresses in place of w.x.y.z
    # ----------------------------------------------------------
    - "cli:en;conf term; interface mgmt0 dhcp"
    - "cli:en;conf term; ip default-gateway w.x.y.z mgmt0"
    - "cli:en;conf term; system router rtr1 create interface wan0 wan"
    - "cli:en;conf term; system router rtr1 dhcp"
    # ----------------------------------------------------------
    # DNS (optional, as a built-in policy automatically sets it to 8.8.8.8)
    # ----------------------------------------------------------
    - "cli:en;conf t;ip name-server 8.8.8.8"
    # ----------------------------------------------------------
    # Write to memory and reboot
    # ----------------------------------------------------------
    - "cli:en;conf t;write memory;reboot noconfirm"
    # ----------------------------------------------------------
Example 3 - Management 0 (mgmt0) and WAN0 configured with static IP address (prefer WAN0 for management traffic)
This spcustom.yml file instantiates an EC gateway and configures a static IP address on both mgmt0 and WAN0, but prefers to use WAN0 for management traffic.
silverpeak_vxoa_init:
  config_vars:
    HOSTNAME: <HOSTNAME>
    ACCNAME: <ACCOUNT NAME>
    ACCKEY: <ACCOUNT KEY>
    SYS_TAG: <APPLIANCE TAG>
    ILRM: true
    # ------------------------------------------------------------
    # Management Plane IPs
    # DHCP is not used for mgmt0; once the address is known, provision it statically
    # Data Plane IPs
    # No DHCP, provisioned statically
    # The static IP addresses below are examples; use your lab environment's IP addresses.
    # ------------------------------------------------------------
    MGMT0_IP: 192.162.111.122
    MGMT0_MASK_LENGTH: 24
    MGMT0_IP_DEFAULT_GATEWAY: 192.162.111.10
    WAN0_IP: 192.168.0.34
    WAN0_MASK_LENGTH: 24
    WAN0_IP_DEFAULT_GATEWAY: 192.168.0.1
    WAN0_NEXTHOP: 192.168.0.1
  # ----------------------------------------------------------
  # Pre-Management Tasks
  # ----------------------------------------------------------
  pre_mgmtd_tasks:
    - "configdb:/system/hostname,hostname,_$HOSTNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/account,string,_$ACCNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/key,string,_$ACCKEY$"
    - "configdb:/cn/tunneld/portal/config/registration/site,string,_$SYS_TAG$"
    - "configdb:/cn/tunneld/system/config/routing_inline,bool,_$ILRM$"
    # ----------------------------------------------------------
    # Set up management and control plane
    # Management plane next hop can NOT be assigned with the interface command.
    # system router commands are required on wan/lan interfaces
    # only specify if initial management-plane access is required to contact Orchestrator
    # security-mode <security mode for interface>
    #   0 Open
    #   1 Harden
    #   2 Stateful Firewall
    #   3 Stateful Firewall with SNAT
    # ----------------------------------------------------------
    - "cli:en;conf t;system router rtr1 create interface wan0 wan"
    - "cli:en;conf t;no system router rtr1 dhcp"
    - "cli:en;conf t;system router rtr1 ip _$WAN0_IP$ /_$WAN0_MASK_LENGTH$ nexthop _$WAN0_NEXTHOP$"
    # variable name must match the config_vars key WAN0_IP_DEFAULT_GATEWAY defined above
    - "cli:en;conf t;system router rtr1 ip default-gateway _$WAN0_IP_DEFAULT_GATEWAY$ wan0"
    - "cli:en;conf t;system router rtr1 ip _$WAN0_IP$ security-mode 3"
    # ----------------------------------------------------------
    # Use the ip default-gateway command to set the default route to the specified next-hop or interface.
    # Use the no form of this command to remove the current default route or all the default routes.
    # ip default-gateway <next-hop IP address> <interface name> <metric> [<src>]
    # set metric for wan0
    # a metric of 5 gives preference to wan0, assuming mgmt0 has a higher metric
    # "cli:en;conf t;ip default-gateway _$WAN0_NEXTHOP$ wan0 5 _$WAN0_IP$"
    # example without src
    # ----------------------------------------------------------
    - "cli:en;conf t;ip default-gateway _$WAN0_NEXTHOP$ wan0 5"
    # ----------------------------------------------------------
    # DNS (optional, as a built-in policy automatically sets it to 8.8.8.8)
    # ----------------------------------------------------------
    - "cli:en;conf t; ip name-server 8.8.8.8"
    # ----------------------------------------------------------
    # Write to memory and reboot
    # ----------------------------------------------------------
    - "cli:en;conf t;write memory;reboot noconfirm"
    # ----------------------------------------------------------
Example 4 - Orchestrator as a Proxy Server with a Private IP Address
This spcustom.yml file sets Orchestrator as a proxy server with a private IP address. In this use case the EC gateway is instantiated using Orchestrator as a proxy to reach the internet and the Cloud Portal through wan0. Management 0 (mgmt0) is not connected.
silverpeak_vxoa_init:
  config_vars:
    HOSTNAME: <HOSTNAME>
    ACCNAME: <ACCOUNT NAME>
    ACCKEY: <ACCOUNT KEY>
    SYS_TAG: <APPLIANCE TAG>
    ILRM: true
    # ------------------------------------------------------------
    # Management Plane IPs
    # DHCP is not used for mgmt0; once the address is known, provision it statically
    # ------------------------------------------------------------
    MGMT0_IP: 10.10.0.20
    MGMT0_MASK_LENGTH: 24
    # ------------------------------------------------------------
    # Data Plane IPs
    # No DHCP, provisioned statically
    # ------------------------------------------------------------
    WAN0_IP: 192.168.0.34
    WAN0_MASK_LENGTH: 24
    WAN0_IP_DEFAULT_GATEWAY: 192.168.0.1
    WAN0_NEXTHOP: 192.168.0.1
    LAN0_IP: 192.168.1.25
    LAN0_MASK_LENGTH: 24
    LAN0_NEXTHOP: 192.168.1.11
  # ----------------------------------------------------------
  pre_mgmtd_tasks:
    - "configdb:/system/hostname,hostname,_$HOSTNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/account,string,_$ACCNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/key,string,_$ACCKEY$"
    - "configdb:/cn/tunneld/portal/config/registration/site,string,_$SYS_TAG$"
    - "configdb:/cn/tunneld/system/config/routing_inline,bool,_$ILRM$"
  post_mgmtd_tasks:
    # ----------------------------------------------------------
    # Set up management and data plane on wan0 with a static address (DHCP disabled below)
    # Management plane next hop can NOT be assigned with the interface command.
    # system router commands are required on wan/lan interfaces
    # only specify for initial management-plane access when required to contact Orchestrator
    # security-mode <security mode for interface>
    #   0 Open
    #   1 Harden
    #   2 Stateful Firewall
    #   3 Stateful Firewall with SNAT
    # ----------------------------------------------------------
    - "cli:en;conf t; system router rtr1 create interface wan0 wan"
    - "cli:en;conf t; no system router rtr1 dhcp"
    - "cli:en;conf t; system router rtr1 ip _$WAN0_IP$ /_$WAN0_MASK_LENGTH$ nexthop _$WAN0_NEXTHOP$"
    - "cli:en;conf t; system router rtr1 ip _$WAN0_IP$ security-mode 1"
    - "cli:en;conf t; ip mgmt-ip _$WAN0_IP$"
    # ----------------------------------------------------------
    # Use the cli command to set the IP address used to reach the Cloud Portal
    # ----------------------------------------------------------
    - "cli:en;conf t; internal set modify - /cn/tunneld/portal/config/host value string 10.91.120.174"
    # ----------------------------------------------------------
    # Use the cli command to set the Orchestrator private IP address
    # ----------------------------------------------------------
    - "cli:en;conf t; internal set modify - /cn/jsond/config/gms/10.91.120.174 value string 10.91.120.174"
    # ----------------------------------------------------------
    # Use CLI commands to bypass certificate verification for the portal and Orchestrator
    # ----------------------------------------------------------
    # Set the Orchestrator IP address and skip SSL certificate validation
    # These CLI commands were added in 8.3.2.0, 9.0.1.0
    # SET:
    #   conf t> security csrf enable
    #   conf t> security certificate verify [portal|orchestrator|all]
    # UNSET:
    #   conf t> no security csrf enable
    #   conf t> no security certificate verify [portal|orchestrator|all]
    # ----------------------------------------------------------
    # While these checks are off the appliance accepts any certificate presented by the
    # portal, Orchestrator and stats collector. Re-enable them with the SET forms above
    # once the private Orchestrator presents a certificate the appliance can validate.
    - "cli:en;conf t; no security csrf enable"
    - "cli:en;conf t; no security certificate verify orchestrator"
    - "cli:en;conf t; no security certificate verify portal"
    - "cli:en;conf t; no security certificate verify stats-collector"
    # ----------------------------------------------------------
    # Write to memory and reboot
    # ----------------------------------------------------------
    - "cli:en; conf t; write memory; reboot noconfirm"
    # ----------------------------------------------------------
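A lint for spcustom.yml that covers the encoding note in the YAML Examples section and the _$VAR$ substitution convention used in all four examples. It is an added Python example, not part of this page or of the vendor's tooling, and relies only on the standard library so it runs wherever the USB stick is being prepared. It assumes the layout seen in the examples: a silverpeak_vxoa_init block, config_vars written as UPPER_CASE keys, and tasks as quoted "cli:..." or "configdb:..." strings under pre_mgmtd_tasks or post_mgmtd_tasks. It enforces strict ASCII (tighter than the note's ANSI allowance, since ASCII is the subset both agree on), rejects a UTF-8 BOM and tab indentation, flags config_vars still holding <PLACEHOLDER> values, reports any _$VAR$ token a task references without a matching config_vars key (the kind of mismatch that would leave a default route pointing at a literal variable name), and warns about tasks that disable certificate or CSRF checks so they are not forgotten after onboarding. The SAMPLE file is constructed with two of those faults on purpose.

```python
"""Offline lint for an spcustom.yml before it goes on the USB drive (added example, not vendor code)."""
import re
import sys

VAR_REF = re.compile(r"_\$([A-Za-z0-9_]+)\$")                 # _$NAME$ substitution token
CONFIG_VAR = re.compile(r"^\s*([A-Z][A-Z0-9_]*):\s*(.*?)\s*$")  # e.g. WAN0_IP: 192.168.0.34
TASK_LINE = re.compile(r'^\s*-\s*"(.*)"\s*$')                  # - "cli:..." / - "configdb:..."
PLACEHOLDER = re.compile(r"<[^>]+>")                           # <HOSTNAME>-style unfilled value
RISKY = ("no security certificate verify", "no security csrf enable")
UTF8_BOM = b"\xef\xbb\xbf"

# Constructed sample: ACCNAME still holds a placeholder and _$WAN0_NEXTHOP$ is never defined.
SAMPLE = b"""silverpeak_vxoa_init:
  config_vars:
    HOSTNAME: branch1-ec
    ACCNAME: <ACCOUNT NAME>
    ACCKEY: example-key
    SYS_TAG: branch1
    ILRM: true
  pre_mgmtd_tasks:
    - "configdb:/system/hostname,hostname,_$HOSTNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/account,string,_$ACCNAME$"
    - "configdb:/cn/tunneld/portal/config/registration/key,string,_$ACCKEY$"
    - "cli:en;conf t;system router rtr1 create interface wan0 wan"
    - "cli:en;conf t;ip default-gateway _$WAN0_NEXTHOP$ wan0 5"
    - "cli:en;conf t; no security certificate verify orchestrator"
    - "cli:en;conf t;write memory;reboot noconfirm"
"""


def lint_spcustom(data):
    """Lint the raw bytes of an spcustom.yml; returns {"errors": [...], "warnings": [...]}."""
    errors, warnings = [], []

    # 1. Encoding: plain ASCII, no byte-order mark, no tabs (YAML indents with spaces).
    if data.startswith(UTF8_BOM):
        errors.append("file starts with a UTF-8 BOM; save as plain ASCII/ANSI")
        data = data[len(UTF8_BOM):]
    text = data.decode("ascii", errors="replace")
    lines = text.splitlines()
    for n, line in enumerate(lines, 1):
        if "\ufffd" in line:
            errors.append("line %d: non-ASCII character (hidden or smart-quote character?)" % n)
        if "\t" in line:
            errors.append("line %d: tab character; YAML indentation must use spaces" % n)

    # 2. Required structure.
    for key in ("silverpeak_vxoa_init:", "config_vars:"):
        if not re.search(r"^\s*%s\s*$" % re.escape(key), text, re.M):
            errors.append("missing '%s' block" % key)
    if not re.search(r"^\s*(pre|post)_mgmtd_tasks:\s*$", text, re.M):
        errors.append("no pre_mgmtd_tasks or post_mgmtd_tasks block")

    # 3. Collect config_vars and task strings (comment lines are ignored).
    config_vars, tasks = {}, []
    for n, line in enumerate(lines, 1):
        if line.strip().startswith("#"):
            continue
        m = CONFIG_VAR.match(line)
        if m:
            config_vars[m.group(1)] = m.group(2)
            continue
        m = TASK_LINE.match(line)
        if m:
            tasks.append((n, m.group(1)))
    for name, value in config_vars.items():
        if PLACEHOLDER.search(value):
            errors.append("config var %s still holds the placeholder %s" % (name, value))

    # 4. Every _$VAR$ a task references must exist in config_vars; flag verification bypasses.
    for n, task in tasks:
        for ref in VAR_REF.findall(task):
            if ref not in config_vars:
                errors.append("line %d: _$%s$ is referenced but not defined in config_vars" % (n, ref))
        if any(r in task.lower() for r in RISKY):
            warnings.append("line %d: '%s' disables certificate/CSRF checks; re-enable after onboarding"
                            % (n, task))
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Usage: python lint_spcustom.py [path/to/spcustom.yml]; without a path the SAMPLE is linted.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = lint_spcustom(data)
    for e in result["errors"]:
        print("ERROR:", e)
    for w in result["warnings"]:
        print("WARNING:", w)
    sys.exit(1 if result["errors"] else 0)
```

Read the file as bytes on purpose: opening it as text would silently hide the BOM and the non-ASCII characters that the copy-and-paste note warns about, which is exactly what the lint is there to catch.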