Network Topology Requirements

Regardless of which hosting option is used, the network topology must satisfy the requirements below for the Config Manager DHCP and ZTP services to function correctly.

Defined ZTP provisioning order

Every topology managed by Config Manager must have a clear, documented provisioning order — the sequence in which switches can be ZTP-provisioned starting from the Config Manager cluster outward.

ZTP relies on DHCP relay chains: a switch can only be provisioned once the path between it and the Config Manager DHCP/ZTP services is routable. This means the switches closest to Config Manager must come up first, and provisioning fans out layer by layer.

Example Management Architecture

The Mgmt switches provision via Front Panel Ports (FPP) first, then the rest of the network comes up from there. Since the MAC address of FPPs is usually not available ahead of time (for example, by inspecting a chassis label) DHCP cannot rely on a MAC address-based reservation, so a DHCP pool of size 1 is used on the /31 downlink to ensure the switch gets the expected IP configured in Nautobot. Non-Mgmt switches should have known mgmt port MAC addresses that can be used to create their DHCP reservations. See the DHCP guide for more information on how to configure DHCP in Nautobot.

1. OOB Switch — directly connected to the Config Manager cluster; provides the first hop for DHCP relay.
2. Mgmt Core Switch — receives DHCP relay from the OOB-Switch and forwards toward Config Manager (relay target points to the Config Manager DHCP VIP or cloud address).
3. Mgmt Spine Switch — provisions once the core layer is up and relaying.
4. Mgmt Leaf Switch — provisions once spines are up.
5. Rest of fabric — endpoint switches whose ethernet management interfaces connect back to Mgmt Leaf switches for DHCP/ZTP reachability.

Key principles:

• Layer-by-layer fan-out. Each layer must be provisioned and routing before the next layer can reach Config Manager.
• DHCP relay is the gate. A switch cannot ZTP until a working DHCP relay path exists between it and Config Manager. The provisioning order is therefore dictated by the relay chain topology.
• Management network first. The management network must be provisioned before production fabrics because production switches use management interfaces to reach ZTP.
• Document the order. Any topology to be supported by Config Manager must include documentation of its provisioning order so that operators (and automation) know which devices to bring up first during initial deployment or disaster recovery.

DHCP relay chain

The Config Manager DHCP service generates ISC Kea configurations from Nautobot data. For ZTP to work, the network must provide a DHCP relay path from every managed switch back to the Config Manager DHCP service:

1. Switch boots with factory defaults and sends a DHCP discover on its management interface.
2. Nearest relay agent (typically a Mgmt Leaf or Mgmt Core) forwards the request toward the Config Manager DHCP VIP.
3. Config Manager DHCP responds with an IP assignment and a ZTP boot-script URL.
4. Switch fetches its boot script and configuration from the ZTP service and applies it.

If any link in this relay chain is down, the downstream switches cannot provision. This is why the provisioning order matters — each relay hop must be operational before the switches behind it can ZTP.

See Firewall Ports for the ports that must be permitted between the device network and Config Manager.