Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
1
Helpful
4
Replies

IOS-XR ZTP expected behavior

Scott.ODonnell@gmail.com
Level 1
Level 1

‎12-04-2025 12:04 PM

I'm working through getting IOS-XR devices to ZTP.
I'm using DHCP Option 67 to pass the URL for a ztp python script.
The DHCP offer also includes DNS server options.

It seems that if the URL uses FQDN in the URL, the ZTP script will not be downloaded.
Once I change the url to use an IP address in the DHCP offer, it does download the file.

Just needed to confirm if that is expected behavior.

 

Labels:
4 Replies 4

Enes Simnica
Spotlight
Spotlight

‎12-04-2025 11:24 PM

Scott.ODonnell@gmail.com Yes, that’s expected. IOS-XR ZTP won’t resolve FQDNs during the very early boot phase, even if DHCP provides DNS servers. So using an IP address in Option 67 is the reliable method.......

hope it helps and PEACE!!!!!

 

-Enes

more Cisco?!
more Gym?!



If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!
0 Helpful

Scott.ODonnell@gmail.com
Level 1
Level 1
In response to Enes Simnica

‎12-05-2025 07:15 AM

@Enes Simnica Thank you for the confirmation.
Can I ask one more point to clarify?
If the URL provided is https: (opposed to http:) , what requirements are there?
I was able to get https: to work using "-k https://x.x.x.x" in option 67
I think this was due to the certificate offered was using a FQDN instead of IP.
If I reissue the certificate using IP , can I avoid using "-k" ?
I'd like to ensure there is some level of validation of the certificate offered during https connection.

0 Helpful

Cristian Matei
VIP Alumni
VIP Alumni
In response to Scott.ODonnell@gmail.com

‎12-08-2025 01:46 PM

Hi,

  You need the '-k' switch if you use self-signed certificates, has nothing to do with certificate attributes using FQDN or IP as CN / SAN values.  There is built-in validation happening, meaning certificate must be valid / not expired and the IPv4 address inside the certificate must match the IPv4 address of the HTTPS server provided in the URL of option 67.

Thanks,

Cristian.

0 Helpful

Thomasanderson33
Level 1
Level 1

‎12-07-2025 07:56 AM

It’s actually expected behavior on many IOS-XR ZTP setups early in the boot process, the device may not perform DNS resolution even if DHCP provides DNS servers. That’s why FQDN-based URLs often fail while direct IP URLs work consistently. Using the IP address in Option 67 is the recommended and most reliable approach for ZTP on XR, unless you’re handling DNS resolution later in the workflow.

0 Helpful
Customers Also Viewed These Support Documents