Configuration Guide
Overview
This guide explains how to configure network devices and clients to use the NVIDIA Config Manager ZTP Server for Zero Touch Provisioning.
Prerequisites
Before configuring devices for ZTP, ensure:
- Devices are registered in the device management system
- Device IP addresses are correctly configured in the device management system
- Firmware images are available for your device platform and version
- Configuration files are prepared and stored in the configuration store
Device Configuration
DHCP Configuration
Configure your DHCP server to provide the ZTP boot file URL in the boot-file-name option:
Replace ztp.example.com with your ZTP server URL and {device_uuid} with the device UUID from the device management system.
ONIE Configuration
For ONIE-based devices, the boot file URL can point to either:
- Boot script:
http://ztp.example.com/v1/device/{device_uuid}/boot-script - Firmware image:
http://ztp.example.com/v1/device/{device_uuid}/onie
The ONIE installer will automatically append .ztp to the URL if it points to a firmware image.
Network Requirements
Ensure devices can reach the ZTP server:
- DHCP traffic: Devices must be able to exchange DHCP packets with the Config Manager DHCP service on UDP 67/68.
- ZTP service traffic: Devices must be able to access the ZTP server on TCP 80 and/or TCP 443 for boot scripts, configuration, and firmware fetches.
- DNS resolution: Devices must be able to resolve the ZTP server hostname, which requires UDP/TCP 53 if hostnames are used.
- IP address registration: Device IP addresses must be registered in the device management system.
API Usage
Authentication
Device endpoints accept either a registered device request or an authenticated user request:
- Device-originated requests must come from IP addresses registered for the device
- Device-originated requests do not require additional authentication headers
- User-originated requests must come through the Envoy gateway as authenticated users when SSO is enabled for the deployment
- Admin endpoints require authenticated user access
Request Headers
Standard HTTP headers are used:
Content-Type: application/jsonfor JSON request bodiesAccept: application/jsonfor JSON responses (where applicable)
Error Handling
Handle common error responses:
- 403 Forbidden: Check that the device IP address is registered correctly
- 404 Not Found: Verify the device UUID and resource path are correct
- 500 Internal Server Error: Contact system administrator
Firmware Verification
Always verify firmware images using the checksum endpoint:
Configuration Files
Configuration files are retrieved using:
Common configuration file names:
boot-script: Initial boot scriptsystem.cfg: System configurationinterfaces.cfg: Interface configuration
Contact your system administrator for the specific configuration file names for your environment.
Troubleshooting
Device Cannot Access ZTP Server
Symptoms:
- Device cannot download boot script or firmware
- Connection timeouts or DNS resolution failures
Solutions:
- Verify network connectivity from device to ZTP server
- Check DNS resolution:
nslookup ztp.example.com - Verify firewall rules allow HTTP/HTTPS traffic
- Check that device IP is registered in device management system
Authorization Failures
Symptoms:
- 403 Forbidden responses
- “Unauthorized” error messages
Solutions:
- Verify device IP address is registered in device management system
- Check that requests are coming from the registered IP address
- Ensure device is using the correct device UUID
- Contact system administrator if IP address has changed
Missing Resources
Symptoms:
- 404 Not Found responses
- “Device not found” or “File not found” errors
Solutions:
- Verify device UUID is correct
- Check that device is registered in device management system
- Verify firmware version is available for the device platform
- Ensure configuration files exist in the configuration store
Firmware Download Issues
Symptoms:
- Incomplete firmware downloads
- Checksum verification failures
Solutions:
- Use
curlwith-Oflag for reliable downloads - Verify checksum after download
- Check network stability during large file transfers
- Retry download if checksum verification fails
Best Practices
Security
- Use HTTPS: Always use HTTPS endpoints in production
- Verify Checksums: Always verify firmware checksums before installation
- Validate Serial Numbers: Use the serial validation endpoint before provisioning
- Monitor Provisioning: Monitor device provisioning status and logs
Reliability
- Retry Logic: Implement retry logic for transient failures
- Timeout Handling: Set appropriate timeouts for large file downloads
- Error Logging: Log all API errors for troubleshooting
- Status Monitoring: Monitor device provisioning status
Performance
- Parallel Downloads: Download firmware and configurations in parallel when possible
- Connection Reuse: Reuse HTTP connections for multiple requests
- Caching: Cache boot scripts and configuration metadata locally
- Streaming: Use streaming for large firmware files
Support
For additional support:
- Check the API Documentation for endpoint details
- Review the Architecture Documentation for system overview
- Contact your system administrator for environment-specific configuration