2.1 Initial Switch Access
Arista network switches provide two initial configuration methods:
Zero Touch Provisioning (ZTP) configures the switch without user interaction (Section 2.1.1).
Manual provisioning configures the switch through commands entered by a user through the CLI (Section 2.1.2).
2.1.1 Zero Touch Provisioning
Zero Touch Provisioning (ZTP) configures a switch without user intervention by downloading a startup configuration file (startup-config) or a boot script from a location specified by a DHCP server. Section 7.5.2 describes network tasks required to set up ZTP.
The switch enters ZTP mode when it boots if flash memory does not contain startup-config. It remains in ZTP mode until a user cancels ZTP mode, or until the switch retrieves a startup-config or a boot script. After downloading a file through ZTP, the switch reboots again, using the retrieved file.
Security Considerations
The ZTP process cannot distinguish an approved DHCP server from a rogue DHCP server. For secure provisioning, you must ensure that only approved DHCP servers are able to communicate with the switch until after the ZTP process is complete. Arista also recommends validating the EOS image on your ZTP server by confirming that its MD5 checksum matches the MD5 checksum that can be found on the EOS download page of the Arista website.
On a UNIX server, the md5sum command calculates this checksum:
% md5sum EOS.swi
3bac45b96bc820eb1d10c9ee33108a25  EOS.swi
 
This command is also available on Arista switches from the CLI or from within the Bash shell.
switch#bash md5sum /mnt/flash/EOS-4.18.0F.swi
73435f0db3af785011f88743f4c01abd  /mnt/flash/EOS-4.18.0F.swi
switch#
 
[admin@switch ~]$ md5sum /mnt/flash/EOS-4.18.0F.swi
73435f0db3af785011f88743f4c01abd /mnt/flash/EOS-4.18.0F.swi
[admin@switch ~]$
 
To provision the switch through Zero Touch Provisioning:
Step 1 Mount the switch in its permanent location.
Step 2 Connect at least one management or Ethernet port to a network that can access the DHCP server and the configuration file.
Step 3 Provide power to the switch.
ZTP provisioning progress can be monitored through the console port. Section 2.1.2.1 provides information for setting up the console port. Section 2.1.2.2 provides information for monitoring ZTP progress and canceling ZTP mode.
2.1.2 Manual Provisioning
Initial manual switch provisioning requires the cancellation of ZTP mode, the assignment of an IP address to a network port, and the establishment of an IP route to a gateway. Initial provisioning is performed through the serial console and Ethernet management ports.
The console port is used for serial access to the switch. These conditions may require serial access:
management ports are not assigned IP addresses
the network is inoperable
the password for the user’s log on is not available
the password to access the enable mode is not available
The Ethernet management ports are used for out-of-band network management tasks. Before using a management port for the first time, an IP address must be assigned to that port.
2.1.2.1 Console Port
The console port is a serial port located on the front of the switch. Figure 2-1 shows the console port on the DCS-7050T-64 switch. Use a serial or RS-232 cable to connect to the console port. The accessory kit also includes an RJ-45 to DB-9 adapter cable for connecting to the switch.
Figure 2-1: Switch Ports
Port Settings
Use these settings when connecting the console port:
9600 baud
no flow control
1 stop bit
no parity bits
8 data bits
Admin Username
The initial configuration provides one username, admin, that is not assigned a password. When using the admin username without a password, you can only log into the switch through the console port. After a password is assigned to the admin username, the admin user can log into the switch through any port.
The username command assigns a password to the specified username.
Example
This command assigns the password pxq123 to the admin username:
switch(config)#username admin secret pxq123
switch(config)#
New and altered passwords that are not saved to the startup configuration file are lost when the switch is rebooted.
2.1.2.2 Canceling Zero Touch Provisioning
Zero Touch Provisioning (ZTP) installs a startup-config file from a network location if flash memory does not contain a startup-config when the switch reboots. Canceling ZTP is required if the switch cannot download a startup-config or boot script file.
When the switch boots without a startup-config file, it displays the following message through the console port:
No startup-config was found.
 
The device is in Zero Touch Provisioning mode and is attempting to
download the startup-config from a remote system. The device will not
be fully functional until either a valid startup-config is downloaded
from a remote system or Zero Touch Provisioning is cancelled. To cancel
Zero Touch Provisioning, login as admin and type 'zerotouch cancel'
at the CLI.
 
localhost login:
To cancel ZTP mode, log into the switch with the admin password, then enter the zerotouch cancel command. The switch immediately boots without installing a startup-config file.
localhost login: admin
admin
localhost>Apr 15 21:28:21 localhost ZeroTouch: %ZTP-5-DHCP_QUERY: Sending DHCP request on  [ Ethernet10, Ethernet13, Ethernet14, Ethernet17, Ethernet18, Ethernet21, Ethernet22, Ethernet23, Ethernet24, Ethernet7, Ethernet8, Ethernet9, Management1, Management2 ]
Apr 15 21:28:51 localhost ZeroTouch: %ZTP-5-DHCP_QUERY_FAIL: Failed to get a valid DHCP response
Apr 15 21:28:51 localhost ZeroTouch: %ZTP-5-RETRY: Retrying Zero Touch Provisioning from the beginning (attempt 1)
Apr 15 21:29:22 localhost ZeroTouch: %ZTP-5-DHCP_QUERY: Sending DHCP request on  [ Ethernet10, Ethernet13, Ethernet14, Ethernet17, Ethernet18, Ethernet21, Ethernet22, Ethernet23, Ethernet24, Ethernet7, Ethernet8, Ethernet9, Management1, Management2 ]
 
 
localhost>zerotouch cancel
zerotouch cancel
localhost>Apr 15 21:29:39 localhost ZeroTouch: %ZTP-5-CANCEL: Canceling Zero Touch Provisioning
Apr 15 21:29:39 localhost ZeroTouch: %ZTP-5-RELOAD: Rebooting the system
Broadcast messagStopping sshd: [  OK  ]
watchdog is not running
SysRq : Remount R/O
Restarting system
ø
 
Aboot 1.9.0-52504.EOS2.0
Press Control-C now to enter Aboot shell
To avoid entering ZTP mode on subsequent reboots, create a startup-config file as described in step 8 of Section 2.1.2.3.
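A switch that keeps retrying ZTP is still waiting to accept a configuration from whichever DHCP server answers, so console captures like the one above are worth checking automatically. The following added example (not from the Arista documentation) counts the ZTP messages shown on this page; the function names are hypothetical and the sample capture is constructed from the output above with the interface list shortened.

```shell
#!/bin/sh
# Added example, not Arista code. Only the message mnemonics that appear
# in the console capture on this page are interpreted.

# sample_capture: constructed input, adapted from the capture above.
sample_capture() {
    cat <<'EOF'
localhost>Apr 15 21:28:21 localhost ZeroTouch: %ZTP-5-DHCP_QUERY: Sending DHCP request on  [ Ethernet7, Management1 ]
Apr 15 21:28:51 localhost ZeroTouch: %ZTP-5-DHCP_QUERY_FAIL: Failed to get a valid DHCP response
Apr 15 21:28:51 localhost ZeroTouch: %ZTP-5-RETRY: Retrying Zero Touch Provisioning from the beginning (attempt 1)
Apr 15 21:29:22 localhost ZeroTouch: %ZTP-5-DHCP_QUERY: Sending DHCP request on  [ Ethernet7, Management1 ]
localhost>Apr 15 21:29:39 localhost ZeroTouch: %ZTP-5-CANCEL: Canceling Zero Touch Provisioning
Apr 15 21:29:39 localhost ZeroTouch: %ZTP-5-RELOAD: Rebooting the system
EOF
}

# ztp_summary [FILE...]: reads a console capture (stdin when no file is
# given) and prints one line:
#   queries=N fails=N retries=N state=cancelled|waiting-for-dhcp|unknown
ztp_summary() {
    awk '
        # Extract MNEMONIC from "%ZTP-<severity>-<MNEMONIC>:" anywhere in
        # the line, so lines prefixed by a CLI prompt are still counted.
        match($0, /%ZTP-[0-9]-[A-Z_]+:/) {
            m = substr($0, RSTART, RLENGTH)
            sub(/^%ZTP-[0-9]-/, "", m)
            sub(/:$/, "", m)
            n[m]++
        }
        END {
            state = "unknown"
            if (n["CANCEL"] > 0)          state = "cancelled"
            else if (n["DHCP_QUERY"] > 0) state = "waiting-for-dhcp"
            printf "queries=%d fails=%d retries=%d state=%s\n",
                   n["DHCP_QUERY"], n["DHCP_QUERY_FAIL"], n["RETRY"], state
        }' "$@"
}

# Usage: sample_capture | ztp_summary
#    or: ztp_summary console-capture.log   (file name is a placeholder)
```

A capture that ends in state=waiting-for-dhcp means the switch is still soliciting a startup-config and should stay on a segment where only approved DHCP servers can reach it.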
2.1.2.3 Ethernet Management Port
Arista switches provide one or more Ethernet management ports for configuring the switch and managing the network out of band. Figure 2-1 shows the location of the Ethernet management ports on a DCS-7050T-64 switch. Only one port is required to manage the switch.
You can access the Ethernet management port(s) remotely over a common network or locally through a directly connected PC. Before you can access the switch through a remote connection, an IP address and a static route to the default gateway are required. On a modular switch with dual supervisors, a virtual IP address can also be configured to access the management port on whichever supervisor is active.
Assigning a Virtual IP Address to Access the Active Ethernet Management Port
On modular switches with dual supervisors, this procedure assigns a virtual IP address which will connect to the Ethernet management port of the active supervisor. (To assign a physical IP address to an individual Ethernet management port, see Assigning an IP Address to a Specific Ethernet Management Port below.)
Step 1 Connect a PC or terminal server to the console port. Use the settings listed in Section 2.1.2.1 under Port Settings.
Step 2 Type admin at the login prompt to log into the switch. Initial login through the console port does not require a password.
Arista EOS
switch login:admin
Last login: Fri Apr 9 14:22:18 on Console
 
switch>
Step 3 Type enable at the command prompt to enter Privileged EXEC mode.
switch>enable
switch#
Step 4 Type configure terminal (or config) to enter global configuration mode.
switch#configure terminal
switch(config)#
Step 5 Type interface management 0 to enter interface configuration mode for the virtual interface which accesses management port 1 on the currently active supervisor.
switch(config)#interface management 0
switch(config-if-Ma0)#
Step 6 Type ip address, followed by the desired address, to assign a virtual IP address for access to the active management port.
This command assigns IP address 10.0.2.5 to management port 0.
switch(config-if-Ma0)#ip address 10.0.2.5/24
Step 7 Type exit at both the interface configuration and global configuration prompts to return to Privileged EXEC mode.
switch(config-if-Ma0)#exit
switch(config)#exit
switch#
Step 8 Type write (or copy running-config startup-config) to save the new configuration to the startup-config file.
switch# write
switch#
Assigning an IP Address to a Specific Ethernet Management Port
This procedure assigns an IP address to a specific Ethernet management port:
Step 1 Connect a PC or terminal server to the console port. Use the settings listed in Section 2.1.2.1 under Port Settings.
Step 2 Type admin at the login prompt to log into the switch. The initial login does not require a password.
Arista EOS
switch login:admin
Last login: Fri Apr 9 14:22:18 on Console
 
switch>
Step 3 Type enable at the command prompt to enter Privileged EXEC mode.
switch>enable
switch#
Step 4 Type configure terminal (or config) to enter global configuration mode.
switch#configure terminal
Step 5 Type interface management 1 to enter interface configuration mode. (Any available management port can be used in place of management port 1.)
switch(config)#interface management 1
switch(config-if-Ma1)#
Step 6 Type ip address, followed by the desired address, to assign an IP address to the port.
This command assigns the IP address 10.0.2.8 to management port 1.
switch(config-if-Ma1)#ip address 10.0.2.8/24
Step 7 Type exit at both the interface configuration and global configuration prompts to return to Privileged EXEC mode.
switch(config-if-Ma1)#exit
switch(config)#exit
switch#
Step 8 Type write (or copy running-config startup-config) to save the new configuration to the startup-config file.
switch# write
switch#
Configuring a Default Route to the Gateway
This procedure configures a default route to a gateway located at 10.0.2.1.
Step 1 Enter global configuration mode.
switch>enable
switch#configure terminal
Step 2 Create a static route to the gateway with the ip route command.
switch(config)#ip route 0.0.0.0/0 10.0.2.1
Step 3 Save the new configuration.
switch#write
switch#