initial switch access

Arista network switches provide two initial configuration methods:
  • Zero Touch Provisioning (ZTP) configures the switch without user interaction ( Zero Touch Provisioning).
  • Manual provisioning configures the switch through commands entered by a user through the CLI ( Manual Provisioning).

Zero Touch Provisioning

Zero Touch Provisioning (ZTP) configures a switch without user intervention by downloading a startup configuration file (startup-config) or a boot script from a location specified by a DHCP server. Configuring the Network for ZTP describes network tasks required to set up ZTP.

The switch enters ZTP mode when it boots if flash memory does not contain a startup-config or zerotouch-config file. It remains in ZTP mode until a user cancels ZTP mode or until the switch retrieves a startup-config or a boot script. After downloading a file through ZTP, the switch reboots again, using the retrieved file.

Security Considerations

The ZTP process cannot distinguish an approved DHCP server from a rogue DHCP server. For secure provisioning, you must ensure that only approved DHCP servers can communicate with the switch until after the complete ZTP process. Arista also recommends validating the eos image on your ZTP server by confirming that its MD5 checksum matches the MD5 checksum found on the eos download page of the Arista website.

On a UNIX server, the md5sum command calculates this checksum:

% md5sum eos.swi
3bac45b96bc820eb1d10c9ee33108a25  eos.swi

This command is available on Arista switches from the CLI or within the Bash shell.

switch#bash md5sum /mnt/flash/eos-4.18.0F.swi 
73435f0db3af785011f88743f4c01abd  /mnt/flash/eos-4.18.0F.swi

switch#[admin@switch ~]$ md5sum /mnt/flash/eos-4.18.0F.swi
73435f0db3af785011f88743f4c01abd /mnt/flash/eos-4.18.0F.swi
[admin@switch ~]$
To provision the switch through Zero Touch Provisioning:
  1. Mount the switch in its permanent location.
  2. Connect at least one management or Ethernet port to a network that can access the DHCP server and the configuration file.
  3. Provide power to the switch.
Note: ZTP will not initiate if flash memory contains either a startup-config or zerotouch-config file.

You can monitor ZTP provisioning progress on the console port. Console Port provides information for setting up the console port. Canceling Zero Touch Provisioning provides information for monitoring ZTP progress and canceling ZTP mode.

Manual Provisioning

initial manual switch provisioning requires the cancellation of ZTP mode, the assignment of an IP address to a network port, and the establishment of an IP route to a gateway. The serial console and Ethernet management ports perform the initial provisioning.
  • The console port is used for serial access to the switch. These conditions may require serial access:
    • Management ports are not assigned IP addresses.
    • The network is inoperable.
    • The password for the user's login is not available.
    • The password to access the enable mode is not available.
  • It uses the Ethernet management ports for out-of-band network management tasks. That port must have IP address before using a management port for the first time.

Console Port

The console port is a serial port located on the front of the switch. Figure 1 shows the console port on the DCS-7050T-64 switch. Use a serial or RS-232 cable to connect to the console port. The accessory kit also includes an RJ-45 to DB-9 adapter cable connecting to the switch.

Figure 1. switch Ports

Port Settings

Use these settings when connecting the console port:
  • 9600 baud
  • no flow control
  • 1 stop bit
  • no parity bits
  • 8 data bits

Admin Username

The initial configuration provides one username, admin, that is not assigned a password. You can only log into the switch through the console port using the admin username without a password. After assigning a password to the admin username, it can log into the switch through any port.

The username command modifies a specified username and can be used to create or delete usernames, including admin.

Example

This command assigns the password pxq123 to the admin username:
switch(config)#username admin secret pxq123
switch(config)#

When the switch reboots, it will lose the passwords unless startup configuration saves the new or altered passwords.

Note: It accesses the Aboot shell through the console port to log in to the switch when all usernames get deleted from the configuration.

Canceling Zero Touch Provisioning

Zero Touch Provisioning (ZTP) installs a startup-config file from a network location if flash memory does not contain a startup-config or zerotouch-config file when the switch reboots. Canceling ZTP is required if the switch cannot download a startup-config or boot script file.

When the switch boots without a startup-config or zerotouch-config file, it displays the following message through the console port:

No startup-config was found.

The device is in Zero Touch Provisioning mode and is attempting to
download the startup-config from a remote system. The device will not
be fully functional until a valid startup-config is downloaded
from a remote system or Zero Touch Provisioning is cancelled. To cancel
Zero Touch Provisioning, login as admin and type 'zerotouch cancel'
at the CLI.

localhost login:

To cancel ZTP mode, log into the switch with the admin password, then enter the zerotouch cancel command. The switch immediately boots without installing a startup-config file.

localhost login: admin
admin
localhost>Apr 15 21:28:21 localhost ZeroTouch: %ZTP-5-DHCP_QUERY: Sending DHCP 
request on  [ Ethernet10, Ethernet13, Ethernet14, Ethernet17, Ethernet18, 
Ethernet21, E-thernet22, Ethernet23, Ethernet24, Ethernet7, Ethernet8, 
Ethernet9, Management1, Management2 ]
Apr 15 21:28:51 localhost ZeroTouch: %ZTP-5-DHCP_QUERY_FAIL: Failed to get a 
valid DHCP response
Apr 15 21:28:51 localhost ZeroTouch: %ZTP-5-RETRY: Retrying Zero Touch 
Provisioning from the beginning (attempt 1)
Apr 15 21:29:22 localhost ZeroTouch: %ZTP-5-DHCP_QUERY: Sending DHCP request on  
[ Ethernet10, Ethernet13, Ethernet14, Ethernet17, Ethernet18, Ethernet21, 
Ethernet22, Ethernet23, Ethernet24, Ethernet7, Ethernet8, Ethernet9, 
Management1, Management2 ]

localhost>zerotouch cancel
zerotouch cancel
localhost>Apr 15 21:29:39 localhost ZeroTouch: %ZTP-5-CANCEL: Canceling Zero 
Touch Provisioning
Apr 15 21:29:39 localhost ZeroTouch: %ZTP-5-RELOAD: Rebooting the system
Broadcast messagStopping sshd: [  OK  ]
watchdog is not running
SysRq : Remount R/O
Restarting system

Aboot 1.9.0-52504.eos2.0
Press Control-C now to enter the Aboot shell

To avoid entering ZTP mode on subsequent reboots, create a startup-config file described in Step 8 of the Ethernet Management Port.

Ethernet Management Port

Arista switches provide one or more Ethernet management ports for configuring the switch and managing the network out of the band. Figure 1 shows the location of the Ethernet management ports on a DCS-7050T-64 switch. Only one port is required to manage the switch.

You can access the Ethernet management port(s) remotely over a common network or locally through a connected PC. Before you can access the switch through a remote connection, an IP address and a static route to the default gateway are required. You can configure a virtual IP address on a modular switch with dual supervisors to access the management port on whichever supervisor is active.

Assigning a Virtual IP Address to access the Active Ethernet Management Port

This procedure assigns a virtual IP address on modular switches with dual supervisors, which connects to the Ethernet management port of the active supervisor. (See the following section to assign a physical IP address to an Ethernet management port.)

  1. Connect a PC or terminal server to the console port. Use the settings listed in Console Port under Port Settings.
  2. Type admin at the login prompt to log into the switch. initial login through the console port does not require a password.
    Arista eos
    switch login:admin 
    Last login: Fri Apr 9 14:22:18 on Console
    switch>
  3. Type enable at the command prompt to enter Privileged EXEC mode.
    switch>enable 
    switch#
  4. Type configure terminal (or config) to enter global configuration mode.
    switch#configure terminal 
    switch(config)#
  5. Type interface management 0 to enter interface configuration mode for the virtual interface which accesses management port 1 on the currently active supervisor.
    switch(config)#interface management 0
    switch(config-if-Ma0)#
  6. Type ip address, followed by the desired address, to assign a virtual IP address to access to the active management port. This command assigns IP address 10.0.2.5 to management port 0.
    switch(config-if-Ma0)#ip address 10.0.2.5/24
  7. Type exit at both the interface and global configuration prompts to return to Privileged EXEC mode.
    switch(config-if-Ma0)#exit 
    switch(config)#exit 
    switch#
  8. Type write (or copy running-config startup-config) to save the new configuration to the startup-config file.
    switch# write 
    switch#

Assigning an IP Address to a Specific Ethernet Management Port

This procedure assigns an IP address to a specific Ethernet management port:

  1. Connect a PC or terminal server to the console port. Use the settings listed in Console Port under Port Settings.
  2. Type admin at the login prompt to log into the switch. The initial login does not require a password.
    Arista eos
    switch login:admin 
    Last login: Fri Apr 9 14:22:18 on Console
    switch>
  3. Type enable at the command prompt to enter Privileged EXEC mode.
    switch>enable
    switch# 
  4. Type configure terminal (or config) to enter global configuration mode.
    switch#configure terminal 
  5. Type interface management 1 to enter interface configuration mode. (Use the available management port for management port 1.)
    switch(config)#interface management 1
    switch(config-if-Ma1)# 
  6. Type ip address, followed by the desired address, to assign an IP address to the port. This command assigns the IP address 10.0.2.8 to management port 1.
    switch(config-if-Ma1)#ip address 10.0.2.8/24 
  7. Type exit at both the interface and global configuration prompts to return to Privileged EXEC mode.
    switch(config-if-Ma1)#exit
     switch(config)#exit 
    switch#
  8. Type write (or copy running-config startup-config) to save the new configuration to the startup-config file.
    switch# write
    switch# 

Configuring a Default Route to the Gateway

This procedure configures a default route to a gateway located at 10.0.2.1.

  1. Enter global configuration mode.
    switch>enable
    switch#configure terminal 
  2. Create a static route to the gateway with the IP route command.
    switch(config)#ip route 0.0.0.0/0 10.0.2.1 
  3. Save the new configuration.
    switch#write 
    switch#