US Region

Grandmetric LLC
Brookfield Place Office
200 Vesey Street
New York, NY 10281
EIN: 98-1615498
Phone: +1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43

How does Zero-Touch-Provisioning (ZTP) in Cisco SD-WAN work?

How does Zero-Touch-Provisioning (ZTP) in Cisco SD-WAN work?



The Zero-Touch Provisioning (called ZTP) is one of the concept behind SD-WAN that I mentioned here in What is SD-WAN article that I wrote about year ago. Frankly speaking, ZTP is something that every (or almost every) SD-WAN vendor has implemented. In this post I am going to dig into detail to the Cisco SDWAN ZTP.

What is ZTP?

Shortly, the idea behind the ZTP is to streamline the WAN provisioning process. Starting about where ZTP is used, I can quote myself:

In traditional way, for example in DMVPN, network engineer had to prepare router config template, put on router via console, connect on site, and verify if it was connected to Hub with NHRP, IPSec SAs up. If there was an RSA type of ISAKMP phase authentication, certificate was manually loaded onto router or sometimes enrolled with SCEP. In ideal ZTP process, you unbox the SD-WAN, router connects to Ethernet, router gets an IP from DHCP, and it’s done – it is from now visible in ZTP portal and / or controllers.

So, provisioning with SD-WAN looks like it’s easy. Let’s move to the how does it work in Cisco SDWAN?


How does Cisco SD-WAN ZTP work?

In high level scheme, Zero Touch Provisioning process looks like below. Customer buys SD-WAN devices and Cisco assigns them to the Smart Account and Virtual Account of customer. This is reflected in Plug and Play connect portal (PnP). In the background, the SDWAN cloud provisioning process assigns the identity of the customer organization and starts the SD-WAN controllers provisioning. You can read more about the Cisco SD-WAN controllers and components in our different post from 2018! After device unboxing all needed to bring the device into WAN overlay is to connect the WAN port to the network making sure that the IP settings from DHCP are in place, including address, mask, gateway and DNS. Device looks for ZTP server (ZTP is aware of PnP portal inventory), is authenticated by server and redirected to right vBond controller. Onboarding process is fully-automated and ends with device presence in vManage orchestrator.

High-Level view of Cisco ZTP


Let’s go into details

Because above description depicts the idea, now I am going to present the process in detail (the Slide below is taken from Grandmetric 2-Days SD-WAN training). After assigning IP information, SD-WAN router looks for which is general ZTP server.

  • ZTP server redirects the router to right vBond controller
  • Router authenticates with vBond based on certificates and gets the IP address of vManage and vSmart
  • Parallely, vBond informs other controllers about new device
  • Router authenticates with vManage and can get the config file
  • Router authenticates with vSmart (SD-WAN routing policy controller)
  • Router is successfully onboarded to the SD-WAN overlay and is ready to exchange OMP messages
  • Router now establishes IPSec tunnels for the data plane traffic with other routers within overlay
  • BFD messages start to flow between the routers and particular TLOCs


The console snippet from ZTP process

As I am always curious and eager to demystify the network and automation processes behind the solutions, I verified the ZTP process looking at console during the router boot.

Checking for PCIe device presence...done
System integrity status: 0x610
Rom image verified correctly
System Bootstrap, Version 16.12(1r), RELEASE SOFTWARE
Copyright (c) 1994-2019 by cisco Systems, Inc.
Current image running: Boot ROM0
Last reset cause: LocalSoft
ISR4321/K9 platform with 8388608 Kbytes of main memory........
Located packages.conf
*Nov 18 09:21:17.362: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback65528, changed state to up
*Nov 18 09:21:17.390: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (262144)
*Nov 18 09:21:17.455: %SYS-5-CONFIG_P: Configured programmatically by process iosp_vty_100001_dmi_nesd from console as NETCONF on vty31266
*Nov 18 09:21:17.468: SDWAN INFO: PNP start, status: success
*Nov 18 09:21:17.466: %DMI-5-ACTIVE: R0/0: nesd: process is in steady state.
*Nov 18 09:21:18.499: %NDBMAN-5-ACTIVE: R0/0: ndbmand: All data providers active.
*Nov 18 09:21:18.861: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Nov 18 09:21:18.861: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/5
*Nov 18 09:21:18.868: SDWAN INFO: Interface = GigabitEthernet0 mgmt
*Nov 18 09:21:18.868: SDWAN INFO: SDWAN system init done
*Nov 18 09:21:19.091: %SYS-5-RESTART: System restarted --
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UCMK9-M), Version 16.12.1d, RELEASE SOFTWARE (fc2)
Technical Support:
Copyright (c) 1986-2019 by Cisco Systems, Inc.
Compiled Sat 21-Sep-19 01:08 by mcpre
*Nov 18 09:21:19.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Nov 18 09:21:19.150: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Nov 18 09:21:53.980: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
*Nov 18 09:21:53.981: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server
*Nov 18 09:21:54.480: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server
*Nov 18 09:21:55.488: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
*Nov 18 09:22:18.749: %AN-6-AN_ABORTED_BY_CONSOLE_INPUT: Autonomic disabled due to User intervention on console. configure 'autonomic' to enable it.
*Nov 18 09:22:20.282: SDWAN INFO: SDWAN pnp send vbond info: Org name EXAMPLE-ORGANIZATION - 31XXX9 Host port 12346 intf GigabitEthernet0/0/0
*Nov 18 09:22:23.031: %PNP-6-PNP_REDIRECTION_DONE: PnP Redirection Done successfully
*Nov 18 09:22:23.036: %DMI-5-SYNC_START: R0/0: syncfd: External change to running configuration detected. The running configuration will be synchronized to the NETCONF running data store.

How to check vSmart, vManage and vBond connections?

Despite the SD-WAN is about automation and operations streamlining it is worth to know how to verify SD-WAN controllers connection from router perspective. This can be done from router console.


ZTP and PnP portal from GUI perspective

Plug and Play portal just before router redirection (first provisioning)


And after router’s onboarding (redirection)


The PnP portal is not where SD-WAN is orchestrated. All configuration is done from the vManage controller. We can see the final shape of certificate installation process during overlay provisioning




Marcin Bialy

Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter!