US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • How does Zero-Touch-Provisioning (ZTP) in Cisco SD-WAN work?

    How does Zero-Touch-Provisioning (ZTP) in Cisco SD-WAN work?

    Date: 23.03.2020


    Zero-Touch Provisioning (called ZTP) is one of the concepts behind SD-WAN that I mentioned here in What is SD-WAN article that I wrote about a year ago. Frankly speaking, ZTP is something that every (or almost every) SD-WAN vendor has implemented. In this post, I am going to dig into detail about the Cisco SDWAN ZTP.

    What is ZTP?

    Shortly, the idea behind the ZTP is to streamline the WAN provisioning process. Starting about where ZTP is used, I can quote myself:

    Case study Grandmetric

    In the traditional way, for example in DMVPN, the network engineer had to prepare a router config template, put on the router via console, connect on-site, and verify if it was connected to Hub with NHRP, IPSec SAs up. If there was an RSA type of ISAKMP phase authentication, the certificate was manually loaded onto the router or sometimes enrolled with SCEP. In the ideal ZTP process, you unbox the SD-WAN, the router connects to Ethernet, gets an IP from DHCP, and it’s done – it is from now visible in ZTP portal and/or controllers.

    So, provisioning with SD-WAN looks like it’s easy. Let’s move to how does it work in Cisco SDWAN?

    How does Cisco SD-WAN ZTP work?

    In a high-level scheme, the Zero Touch Provisioning process looks like below. The customer buys SD-WAN devices and Cisco assigns them to the Smart Account and Virtual Account of the customer. This is reflected in Plug and Play connect portal (PnP). In the background, the SDWAN cloud provisioning process assigns the identity of the customer organization and starts the SD-WAN controller provisioning. You can read more about the Cisco SD-WAN controllers and components in our different post from 2018! After the device unboxing all needed to bring the device into WAN overlay is to connect the WAN port to the network making sure that the IP settings from DHCP are in place, including address, mask, gateway and DNS. The device looks for the ZTP server (ZTP is aware of the PnP portal inventory), is authenticated by the server and redirected to the right vBond controller. The onboarding process is fully-automated and ends with device presence in the vManage orchestrator.

    The high-Level view of Cisco ZTP


    Let’s go into details

    Because the above description depicts the idea, now I am going to present the process in detail (the Slide below is taken from Grandmetric 2-Days SD-WAN training). After assigning IP information, the SD-WAN router looks for which is a general ZTP server.

    • ZTP server redirects the router to the right vBond controller
    • Router authenticates with vBond based on certificates and gets the IP address of vManage and vSmart
    • Parallely, vBond informs other controllers about the new device
    • Router authenticates with vManage and can get the config file
    • Router authenticates with vSmart (SD-WAN routing policy controller)
    • Router is successfully onboarded to the SD-WAN overlay and is ready to exchange OMP messages
    • Router now establishes IPSec tunnels for the data plane traffic with other routers within overlay
    • BFD messages start to flow between the routers and particular TLOCs

    The console snippet from the ZTP process

    As I am always curious and eager to demystify the network and automation processes behind the solutions, I verified the ZTP process by looking at the console during the router boot.

    Checking for PCIe device presence...done
    System integrity status: 0x610
    Rom image verified correctly
    System Bootstrap, Version 16.12(1r), RELEASE SOFTWARE
    Copyright (c) 1994-2019 by cisco Systems, Inc.
    Current image running: Boot ROM0
    Last reset cause: LocalSoft
    ISR4321/K9 platform with 8388608 Kbytes of main memory........
    Located packages.conf
    *Nov 18 09:21:17.362: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback65528, changed state to up
    *Nov 18 09:21:17.390: %SYS-5-LOG_CONFIG_CHANGE: Buffer logging: level debugging, xml disabled, filtering disabled, size (262144)
    *Nov 18 09:21:17.455: %SYS-5-CONFIG_P: Configured programmatically by process iosp_vty_100001_dmi_nesd from console as NETCONF on vty31266
    *Nov 18 09:21:17.468: SDWAN INFO: PNP start, status: success
    *Nov 18 09:21:17.466: %DMI-5-ACTIVE: R0/0: nesd: process is in steady state.
    === OUTPUT OMMITED ===
    *Nov 18 09:21:18.499: %NDBMAN-5-ACTIVE: R0/0: ndbmand: All data providers active.
    *Nov 18 09:21:18.861: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/0
    *Nov 18 09:21:18.861: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/5
    *Nov 18 09:21:18.868: SDWAN INFO: Interface = GigabitEthernet0 mgmt
    *Nov 18 09:21:18.868: SDWAN INFO: SDWAN system init done
    *Nov 18 09:21:19.091: %SYS-5-RESTART: System restarted --
    Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UCMK9-M), Version 16.12.1d, RELEASE SOFTWARE (fc2)
    Technical Support:
    Copyright (c) 1986-2019 by Cisco Systems, Inc.
    Compiled Sat 21-Sep-19 01:08 by mcpre
    *Nov 18 09:21:19.150: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
    *Nov 18 09:21:19.150: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
    === OUTPUT OMMITED ===
    *Nov 18 09:21:53.980: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
    *Nov 18 09:21:53.981: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server
    *Nov 18 09:21:54.480: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server
    *Nov 18 09:21:55.488: %SYS-5-CONFIG_P: Configured programmatically by process PnP Agent Discovery from console as vty0
    *Nov 18 09:22:18.749: %AN-6-AN_ABORTED_BY_CONSOLE_INPUT: Autonomic disabled due to User intervention on console. configure 'autonomic' to enable it.
    *Nov 18 09:22:20.282: SDWAN INFO: SDWAN pnp send vbond info: Org name EXAMPLE-ORGANIZATION - 31XXX9 Host port 12346 intf GigabitEthernet0/0/0
    *Nov 18 09:22:23.031: %PNP-6-PNP_REDIRECTION_DONE: PnP Redirection Done successfully
    *Nov 18 09:22:23.036: %DMI-5-SYNC_START: R0/0: syncfd: External change to running configuration detected. The running configuration will be synchronized to the NETCONF running data store.

    How to check vSmart, vManage and vBond connections?

    Despite the SD-WAN being about automation and operations streamlining it is worth knowing how to verify SD-WAN controllers connection from a router perspective. This can be done from the router console.


    ZTP and PnP portal from a GUI perspective

    Plug and Play portal just before router redirection (first provisioning)


    And after router’s onboarding (redirection)


    The PnP portal is not where SD-WAN is orchestrated. All configuration is done from the vManage controller. We can see the final shape of the certificate installation process during overlay provisioning



    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Cisco SD-WAN Offer

    Grandmetric delivers Cisco SD-WAN
    and SD-WAN as a service.
    We provide full portfolio
    of Cisco sdwan routers from
    C1000, ISR and industrial series.

    Get a Quote