As part of a lab for Arista, I have created a DHCP server on the Checkpoint firewall, specifically to hand DHCP options 66 and 67 to an Arista switch for Zero Touch Provisioning (ZTP).
DHCP options 66 and 67 together tell the device where to download its configuration from:
Option 66 (tftp-server-name): the TFTP server, e.g. 10.10.10.10
Option 67 (bootfile-name): the file to fetch from that server, e.g. test.cfg
The switch combines the two into the boot file URL: tftp://10.10.10.10/test.cfg
Enable and Basic DHCP Configuration
DHCP has been enabled on CPGW3 for the interface on 172.17.3.0/24.
To do this, browse to the web interface of the Checkpoint firewall. Do not look for this in the Checkpoint SmartConsole; DHCP server configuration is not there.
https://172.17.2.103
Add a new DHCP server; the options offered here are basic (subnet, address range, router, DNS). Once configured, the gateway will start handing out DHCP addresses.
Adding DHCP Options
Checkpoint uses ISC DHCPD, so additional options must be set on the Linux side of Checkpoint from the expert bash shell.
If this is the first time using the expert shell, an expert password needs to be set first. The clish database lock must be taken before the password can be set, as the output shows. Run "save config" afterwards so the setting persists across a reboot.
CPGW3> expert
Expert password has not been defined. To set expert password, use the command "set expert-password".
CPGW3> set expert-password
CLINFR0519  Configuration lock present.
Can not execute this command.
To acquire the lock use the command 'lock database override'.
CPGW3> lock database override
CPGW3> set expert-password
Enter new expert password:
Enter new expert password (again):
Once inside the expert shell, we can view the current DHCP configuration.
[Expert@CPGW3:0]# cat /etc/dhcpd.conf
ddns-update-style none;

subnet 172.17.3.0 netmask 255.255.255.0 {
    default-lease-time 43200;
    max-lease-time 86400;
    option host-name= pick(option host-name, concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)));
    range 172.17.3.101 172.17.3.199;
    option routers 172.17.3.1;
    option domain-name-servers 172.17.4.10;
}
To add the options, the following lines go inside the subnet block. ISC DHCPD refers to options by name rather than by number; the full list of names is in the dhcp-options(5) man page (and in the link originally given here), and the names below are the ones that correspond to options 66 and 67.
    # option 66
    option tftp-server-name "172.17.2.10";
    # option 67
    option bootfile-name "config-ztp-fix.cfg";
The new configuration for the DHCP server will look like this:
[Expert@CPGW3:0]# cat /etc/dhcpd.conf
ddns-update-style none;

subnet 172.17.3.0 netmask 255.255.255.0 {
    default-lease-time 43200;
    max-lease-time 86400;
    option host-name= pick(option host-name, concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address)));
    range 172.17.3.101 172.17.3.199;
    option routers 172.17.3.1;
    option domain-name-servers 172.17.4.10;
    # option 66
    option tftp-server-name "172.17.2.10";
    # option 67
    option bootfile-name "config-ztp-fix.cfg";
}
With the file edited, the next step is to restart the DHCP service from the shell. Do not disable and re-enable DHCP from the GUI: the GUI regenerates /etc/dhcpd.conf from its own settings, which removes the manually added options and leaves only what the GUI can configure.
[Expert@CPGW3:0]# /etc/init.d/dhcpd restart
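The edit, check and restart above can be done in one script so that a typo in dhcpd.conf is caught before the running service is touched. The script below is an added example, not part of the original post or of Checkpoint's tooling. It inserts the two options into the subnet block with awk, asks dhcpd itself to parse the result (dhcpd -t -cf FILE exits non-zero on a syntax error), and only then restarts the service. The config path, subnet, TFTP server and boot file name are assumptions matching the lab above; the awk assumes the subnet block has no nested blocks such as pool { }. The sample_conf function writes a constructed copy of the page's configuration so the functions can be exercised on a test file.

```shell
#!/bin/sh
# Added example (not from the original post): add DHCP options 66/67 to an
# ISC dhcpd subnet block, validate the file with dhcpd, then restart.
# Assumed values (match the lab in the text; override via the environment):
set -eu
CONF="${CONF:-/etc/dhcpd.conf}"
SUBNET="${SUBNET:-172.17.3.0}"
TFTP_SERVER="${TFTP_SERVER:-172.17.2.10}"
BOOTFILE="${BOOTFILE:-config-ztp-fix.cfg}"

# add_ztp_options FILE SUBNET TFTP_SERVER BOOTFILE
# Rewrites FILE with the two options inserted just before the closing brace of
# the matching "subnet SUBNET netmask ..." block. Idempotent: if that block
# already carries tftp-server-name nothing is added. Assumes no nested blocks.
add_ztp_options() {
    awk -v subnet="$2" -v tftp="$3" -v boot="$4" '
        $1 == "subnet" && $2 == subnet { inblock = 1; seen = 0 }
        inblock && /tftp-server-name/   { seen = 1 }
        inblock && /^[[:space:]]*}/ && !seen {
            print "    # option 66"
            print "    option tftp-server-name \"" tftp "\";"
            print "    # option 67"
            print "    option bootfile-name \"" boot "\";"
        }
        inblock && /^[[:space:]]*}/     { inblock = 0 }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# has_ztp_options FILE SUBNET: succeeds only when both options sit inside the
# given subnet block (options placed at global scope would apply everywhere).
has_ztp_options() {
    awk -v subnet="$2" '
        $1 == "subnet" && $2 == subnet { inblock = 1 }
        inblock && /tftp-server-name/   { a = 1 }
        inblock && /bootfile-name/      { b = 1 }
        inblock && /^[[:space:]]*}/     { inblock = 0 }
        END { exit !(a && b) }
    ' "$1"
}

# check_conf FILE: dhcpd parses FILE and exits non-zero on a syntax error.
check_conf() {
    dhcpd -t -cf "$1"
}

# sample_conf FILE: constructed copy of the lab's dhcpd.conf, for testing only.
sample_conf() {
    cat > "$1" <<'EOF'
ddns-update-style none;

subnet 172.17.3.0 netmask 255.255.255.0 {
    default-lease-time 43200;
    max-lease-time 86400;
    range 172.17.3.101 172.17.3.199;
    option routers 172.17.3.1;
    option domain-name-servers 172.17.4.10;
}
EOF
}

# main: back up, edit, validate, restart. Run as APPLY=yes sh ztp-dhcp.sh on
# the gateway; without APPLY=yes the script only defines the functions.
main() {
    cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"    # keep a copy for rollback
    add_ztp_options "$CONF" "$SUBNET" "$TFTP_SERVER" "$BOOTFILE"
    has_ztp_options "$CONF" "$SUBNET"
    check_conf "$CONF"                                  # stop here on a typo
    /etc/init.d/dhcpd restart                           # from the shell, not the GUI
}

if [ "${APPLY:-no}" = "yes" ]; then
    main
fi
```

If check_conf fails, the backup taken in main is the file to restore; dhcpd is still running with its old configuration because the restart never happened.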
The options are now in place and will be handed out whenever a client requests them. To test, I booted a brand-new Arista virtual switch; its DHCP response included options 66 and 67.
The Arista console shows that it found the boot file: Boot File: tftp://172.17.2.10/test.cfg
Model and Serial Number: unknown
System RAM: 2006808 kB
Flash Memory size: 3.9G

No startup-config was found.
The device is in Zero Touch Provisioning mode and is attempting to download the startup-config from a remote system. The device will not be fully functional until either a valid startup-config is downloaded from a remote system or Zero Touch Provisioning is cancelled.

To cancel Zero Touch Provisioning, login as admin and type 'zerotouch cancel' at the CLI. Alternatively, to disable Zero Touch Provisioning permanently, type 'zerotouch disable' at the CLI.
Note: The device will reload when these commands are issued.

localhost login:
Dec 12 13:01:51 localhost ZeroTouch: %ZTP-6-DHCPv4_QUERY: Sending DHCPv4 request on [ Ethernet1, Ethernet2, Ethernet3, Ethernet4, Ethernet5, Ethernet6, Ethernet7, Ethernet8, Ethernet9, Ethernet10, Ethernet11, Ethernet12, Management1 ]
Dec 12 13:01:52 localhost ZeroTouch: %ZTP-6-DHCPv4_SUCCESS: DHCPv4 response received on Management1 [ Ip Address: 172.17.3.196/24; Hostname: dhcp-172-17-3-196; Nameserver: 172.17.4.10; Gateway: 172.17.3.1; Boot File: tftp://172.17.2.10/test.cfg ]
TFTP Server Configuration
The final part needed to make this work is the TFTP server that the DHCP options point at. I have used Tftpd64 as my TFTP server. Note that TFTP has no authentication or transport protection, so any host able to answer on the provisioning subnet could feed the switch a startup-config; keep the TFTP server and this DHCP scope confined to the provisioning network.