Step-by-Step Guide: Cisco SD-WAN PnP Onboarding

Cisco SD-WAN, previously known under the Viptela brand, is emerging as a dominant solution for wide area network modernization. Many enterprises are seeking to replace aging technologies like DMVPN and are finding Cisco SD-WAN to be a natural and seamless upgrade. This is largely because it supports existing Cisco Integrated Services Routers (ISR) running IOS-XE, allowing companies to upgrade software instead of replacing hardware. This approach minimizes disruption and leverages previous infrastructure investments.

Rather than focusing on the broader benefits of Cisco SD-WAN, this document offers a deep dive into the onboarding process using Plug and Play. This mechanism plays a central role in modern SD-WAN deployments, automating router discovery, authentication, and enrollment into the SD-WAN overlay network.

What Is Plug and Play Onboarding

Plug and Play, often abbreviated as PnP, is a Cisco onboarding method used to simplify and automate the deployment of ISR and CSR routers in SD-WAN environments. It provides a workflow where routers can autonomously discover the necessary controllers, authenticate securely, and establish the foundational connections needed to join the overlay network.

Each supported router ships with a factory-installed identity certificate, the Secure Unique Device Identifier (SUDI). The certificate and its private key are provisioned during manufacturing and, on physical ISR models, held in the router's hardware trust anchor module, so the private key never leaves the device; during onboarding the router proves possession of that key to establish its authenticity. PnP replaces the manual, time-consuming process of configuring routers individually for onboarding and is particularly effective in large-scale rollouts where operational consistency is vital.

This approach differs from the original Viptela method known as Zero Touch Provisioning, or ZTP. ZTP was used for vEdge devices and involved a dedicated ZTP server infrastructure. In contrast, ISR routers using IOS-XE do not rely on this legacy ZTP mechanism and instead use Plug and Play for enrollment. Understanding this distinction is important because the two methods involve different setup steps and supporting systems.

The Architecture of Cisco SD-WAN Controllers

A Cisco SD-WAN fabric is built on three main controllers: vManage, vSmart, and vBond. Each of these components plays a critical role in establishing and maintaining a functioning SD-WAN overlay.

vManage is the centralized management controller. It is the platform that network administrators interact with directly to configure devices, push templates, apply policies, and monitor the health of the SD-WAN fabric. It offers a graphical user interface and also serves as the coordination point for workflows such as onboarding.

vSmart is the control plane controller. Over the Overlay Management Protocol (OMP) it distributes control information to the routers in the SD-WAN network: reachability and topology updates, the IPsec keys each router advertises for its data plane tunnels (routers do not run IKE with one another; the keys travel through vSmart), and centralized policy. Each device must maintain a secure, authenticated control connection with vSmart, carried over DTLS or TLS, to receive this data.

vBond is the orchestrator. It is the first point of contact for any edge router that is attempting to join the network. The primary job of vBond is to validate identity certificates and relay connectivity details to the router about where and how to reach the vManage and vSmart controllers. Because it sees each router's source address and port as the router arrives, it also learns the public, post-NAT address of routers that sit behind NAT and passes that information on, which is what lets such routers reach the other controllers and each other. Without vBond, new routers would not know how to access the rest of the SD-WAN control infrastructure.

Understanding how these three controllers operate in tandem provides essential context for how Plug and Play functions. The onboarding process is tightly coupled with these components and depends on their coordination for proper execution.

Preparing the SD-WAN Environment for Onboarding

Before the onboarding of routers can begin, the SD-WAN control infrastructure must be provisioned and configured. Cisco provides a cloud-based self-service portal for this task. The portal allows organizations to create a new SD-WAN overlay, associate it with a Cisco Smart Account, and choose a preferred cloud provider—either AWS or Azure—for hosting the controllers.

Once the overlay is provisioned, critical information becomes available, including the URL to access vManage, the fully qualified domain name of the vBond orchestrator, and access control settings such as inbound IP rules. These rules restrict which public IP addresses can communicate with the controllers. Check that the list covers every source that will actually reach the controllers: administrator workstations for vManage, and the public addresses the edge routers will appear from after NAT at each site. Record this information and manage it carefully, as it is used in later steps of the onboarding process.

It is also recommended that organizations configure internal DNS records that map to the controller URLs. This makes the environment easier to administer and ensures that future updates or migrations can be abstracted behind DNS, reducing operational complexity.

With the SD-WAN controllers provisioned and accessible, the next phase of onboarding is to prepare the edge routers using the Plug and Play mechanism. This includes verifying device eligibility, gathering identity information, and uploading the router details into the Plug and Play portal.

Device Identity and the Plug and Play Portal

Each ISR or CSR router supported by Cisco SD-WAN contains an embedded secure identity certificate. This certificate is issued by Cisco’s high-assurance certificate authority and provides the foundational trust anchor used during onboarding. The Plug and Play portal is the system responsible for associating each router’s identity with a particular SD-WAN overlay.

For routers acquired as part of a Cisco SD-WAN bundle, the devices may already be pre-registered in the Plug and Play portal. However, it is good operational practice to verify this before deployment. If the devices are not listed, administrators will need to manually register them using a spreadsheet import method.

To begin, administrators can download a sample CSV template from the Plug and Play portal. This template includes the required fields such as product ID, serial number, certificate serial number, and the controller profile. The controller profile connects the router to the correct overlay environment and determines the onboarding behavior.

Gathering this information requires a short interaction with the router's command line interface. On IOS-XE the product ID and serial number are shown by show inventory (the Chassis entry) or show license udi. The certificate serial number is retrieved with show crypto pki certificates by locating the certificate whose issuer is Cisco's High Assurance SUDI CA. It is important to select the correct certificate, as routers carry more than one manufacturer-issued identity, for example one from the Cisco Manufacturing CA, and only the SUDI one is accepted for onboarding.

Once the CSV file is complete, it is uploaded into the Plug and Play portal, where the system validates each entry. Approved routers are then listed as eligible devices for onboarding. This process not only authorizes the router for SD-WAN enrollment but also links it securely to the organization’s Smart Account and overlay environment.

Setting Up the SD-WAN Overlay in the Self-Service Portal

Before routers can be onboarded using Plug and Play, the SD-WAN control infrastructure must be created and linked to your organization’s Smart Account. This process begins in the self-service portal. The portal provides a centralized interface where administrators can create new overlays, select hosting preferences, and define the base environment for SD-WAN operations. During this setup, administrators must choose between AWS and Azure as the hosting provider for the controllers. At the time of writing, both platforms function identically in this context. The choice is largely dependent on an organization’s internal cloud strategy or existing vendor relationships.

Once the cloud provider is selected and the overlay is created, the controllers—vManage, vSmart, and vBond—are instantiated automatically. The self-service portal then provides access details, such as the vManage login URL and the fully qualified domain name for the vBond orchestrator. These URLs are essential for ongoing administration and router bootstrapping. Additionally, the portal presents a configuration section for inbound firewall rules. This section allows administrators to define which public IP addresses are permitted to reach the SD-WAN controllers. If the correct IPs are not included, access to vManage or other controllers will be blocked, preventing successful onboarding.

It is highly recommended that DNS records be configured for both vManage and vBond. These records can serve as user-friendly aliases, simplifying access for administrators and helping standardize configuration references across documentation and scripts.

With the overlay created, access rules defined, and controller details saved, the environment is now ready to register devices for onboarding using Plug and Play.

Accessing the Plug and Play Portal and Verifying Devices

The Plug and Play portal is accessed through the Smart Account interface. It acts as the central repository for all routers that are authorized to onboard into Cisco SD-WAN. Each router added to this portal is validated based on a secure identity embedded in its hardware. When an ISR or CSR router is manufactured, it is provisioned with a cryptographically signed certificate known as the SUDI identity. This identity is what the Plug and Play process uses to verify that a router is genuine and belongs to the correct organization.

To begin working with the Plug and Play portal, administrators must ensure they are signed in to the correct Smart Account and Virtual Account. These selections affect what devices are visible and which overlays they are associated with. The portal includes a section labeled Devices, where registered routers are listed. If the target routers are not visible in this list, they will need to be manually added using the import process.

The manual import process is handled through a structured CSV upload. The system provides a downloadable template that includes required columns such as product ID, serial number, controller profile, and certificate serial number. The product ID and serial number can be retrieved directly from the router, as can the certificate information. Each entry in the CSV links a specific physical device to the SD-WAN overlay that was created earlier.

Gathering Router Identity Information for CSV Upload

The necessary identity information must be gathered from the router before completing the CSV file. Administrators connect to the router through the console or a terminal session and run show inventory (or show license udi) and show crypto pki certificates to extract the data.

The product ID and serial number are tied to the hardware and are typically shown together. This information is unique to each router and forms the core of the identity used by the Plug and Play system.

The certificate serial number is taken from the installed identity certificate on the device. Routers often have multiple certificates for different functions, so it is important to select the certificate issued by Cisco’s High Assurance SUDI Certificate Authority. This certificate is the one used during Plug and Play onboarding and is the only one accepted by the vBond orchestrator.

In addition to the required fields, administrators may choose to include additional information in the CSV file, such as descriptions or hostnames. This metadata is optional but can be helpful when managing large inventories of routers across multiple sites or regions.

Once the CSV file is complete and validated, it is uploaded through the Plug and Play portal interface. The system will check each entry, validate its formatting, and associate the devices with the selected controller profile. Upon successful upload, the routers appear in the portal and are marked as ready for onboarding.
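The CSV template fields and the identity commands described in the two passages above can be turned into a small script. The following is an added example, not code from this guide or from Cisco: it parses constructed samples modelled on show inventory and show crypto pki certificates output, selects the certificate whose issuer is the High Assurance SUDI CA, cross-checks that certificate's subject against the chassis PID and serial, and writes one CSV row. The column names, the controller profile name, the hostname and the device values are assumptions; the portal's own template governs the real column names and order.

```python
import csv
import io
import re

# Issuer CN of the identity PnP and vBond accept (named on the page).
SUDI_ISSUER_CN = "High Assurance SUDI CA"

# Assumed column names; the real names and order come from the portal's template.
PNP_COLUMNS = ["Product ID", "Serial Number", "Certificate Serial Number",
               "Controller Profile", "Hostname"]

# Constructed sample modelled on IOS-XE "show inventory" (not a real capture).
SHOW_INVENTORY = """\
NAME: "Chassis", DESCR: "Cisco ISR4331 Chassis"
PID: ISR4331/K9        , VID: V05  , SN: FDO0000EXAMPL

NAME: "Power Supply Module 0", DESCR: "250W AC Power Supply for Cisco ISR 4330"
PID: PWR-4330-AC       , VID: V02  , SN: PSU0000EXAMPL
"""

# Constructed sample modelled on "show crypto pki certificates" (not a real
# capture). Two manufacturer-issued identities are present; only the one from
# the High Assurance SUDI CA is the PnP identity.
SHOW_PKI = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 5E6F7A8B9C0D
  Certificate Usage: General Purpose
  Issuer:
    cn=Cisco Manufacturing CA SHA2
    o=Cisco
  Subject:
    serialNumber=PID:ISR4331/K9 SN:FDO0000EXAMPL

Certificate
  Status: Available
  Certificate Serial Number (hex): 0A1B2C3D4E5F
  Certificate Usage: General Purpose
  Issuer:
    cn=High Assurance SUDI CA
    o=Cisco
  Subject:
    serialNumber=PID:ISR4331/K9 SN:FDO0000EXAMPL
"""

_INV_RE = re.compile(
    r'NAME:\s*"(?P<name>[^"]*)".*?\n\s*PID:\s*(?P<pid>\S+)\s*,.*?SN:\s*(?P<sn>\S+)',
    re.DOTALL,
)


def parse_chassis_udi(inventory):
    """Return (product_id, serial) of the Chassis entry in show inventory output."""
    for m in _INV_RE.finditer(inventory):
        if m.group("name").lower().startswith("chassis"):
            return m.group("pid"), m.group("sn")
    raise ValueError("no Chassis entry found in show inventory output")


def parse_sudi_cert_serial(pki, expect_pid, expect_sn):
    """Return the hex serial of the certificate issued by the SUDI CA.

    Raises if there is not exactly one such certificate, or if its subject
    names a different PID/SN than the chassis being registered (a certificate
    pasted from another router would otherwise be uploaded silently).
    """
    matches = []
    for block in re.split(r"(?m)^Certificate\s*$", pki):
        serial = re.search(r"Certificate Serial Number \(hex\):\s*([0-9A-Fa-f]+)", block)
        issuer = re.search(r"Issuer:\s*\n\s*cn=([^\n]+)", block, re.IGNORECASE)
        if not serial or not issuer or issuer.group(1).strip() != SUDI_ISSUER_CN:
            continue
        subject = re.search(r"serialNumber=PID:(\S+)\s+SN:(\S+)", block)
        if not subject or (subject.group(1), subject.group(2)) != (expect_pid, expect_sn):
            raise ValueError("SUDI certificate subject does not match the chassis PID/SN")
        matches.append(serial.group(1).upper())
    if len(matches) != 1:
        raise ValueError(f"expected exactly one SUDI certificate, found {len(matches)}")
    return matches[0]


def build_pnp_row(inventory, pki, controller_profile, hostname=""):
    """Combine the two command outputs into one CSV row for the PnP portal."""
    pid, sn = parse_chassis_udi(inventory)
    cert_serial = parse_sudi_cert_serial(pki, pid, sn)
    return dict(zip(PNP_COLUMNS, [pid, sn, cert_serial, controller_profile, hostname]))


def rows_to_csv(rows):
    """Serialize rows in the column order the (assumed) template expects."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=PNP_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # "prod-overlay-profile" and "site100-r1" are placeholder values.
    print(rows_to_csv([build_pnp_row(SHOW_INVENTORY, SHOW_PKI,
                                     "prod-overlay-profile", "site100-r1")]))
```

The certificate serial in the CSV is an identifier, not a secret; what actually authenticates the router to vBond is the SUDI private key in the hardware trust anchor. The CSV nevertheless authorizes a device into your overlay, so the subject cross-check above is worth keeping, and the file should be uploaded only into the intended Smart Account and Virtual Account.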

Syncing Devices from Plug and Play Portal into vManage

After the routers have been added to the Plug and Play portal and associated with the appropriate Smart Account, they must be synchronized into the vManage system. This is a crucial step because while the Plug and Play portal contains the identity information, vManage is the platform used to manage configurations, policies, and device lifecycles.

Administrators log in to vManage and navigate to the Configuration section. Within this section is the Devices tab, where a subsection labeled WAN Edge List is available. At the top of this interface, an option labeled Sync Smart Account is present. Clicking this option triggers a synchronization between vManage and the Plug and Play portal.

The synchronization process requires a Cisco CCO login that has appropriate permissions for the Smart Account. This account is not stored in vManage; it is only used during the synchronization session. Once the login is authenticated, vManage retrieves the list of registered devices from the Plug and Play portal and displays them in the WAN Edge List.

Each device appears in this list along with its product ID, serial number, and validation status. Initially, newly synchronized routers are unvalidated. Administrators must explicitly set a validation state for each router before it can begin forming tunnels with controllers and other routers.

There are two validation states to choose from: valid and staging. A valid state indicates that the router is approved for full operation within the SD-WAN overlay. It can establish secure tunnels to other devices and participate in routing decisions. A staging state allows the router to communicate only with the SD-WAN controllers. This is useful during testing or deployment preparation phases, where routers are being placed at remote locations but are not yet ready to carry live traffic.

Applying Validation States and Completing Synchronization

After reviewing the devices in the WAN Edge List, administrators assign a validation state to each router. This is done through a selection field in the interface. Once all desired routers have been updated with a state, administrators select the option labeled Send to Controllers. This command propagates the validation settings to vBond, vSmart, and vManage, completing the onboarding preparation from the controller side.

At this point, the SD-WAN overlay infrastructure is in place, the devices are registered in the Plug and Play portal, and vManage has been updated with the correct device information. The only remaining step is to bootstrap the routers so that they can initiate the onboarding process and join the SD-WAN fabric.

Introduction to Router Bootstrapping in Cisco SD-WAN

Once the SD-WAN overlay has been provisioned, the routers have been added to the Plug and Play portal, and synchronization with vManage is complete, the final critical step is bootstrapping the routers. Bootstrapping refers to the process of giving a router just enough information to begin communication with the SD-WAN control plane—specifically, the vBond orchestrator. From that point onward, the router is guided through the onboarding sequence, authenticated using its identity certificate, and directed to connect with vManage and vSmart for further configuration.

Bootstrapping is the mechanism that triggers a router to leave its standalone or default state and join the SD-WAN fabric securely. This is an essential step in the onboarding lifecycle and must be executed with precision, especially in environments where routers are being deployed to remote sites or provisioned in large batches.

Understanding What Bootstrapping Requires

At its core, the router bootstrapping process requires only a minimal configuration. The most critical component is the identity of the vBond orchestrator. This is usually supplied as a fully qualified domain name, which the router will resolve to an IP address. In addition to the vBond identifier, the router may require other optional settings, such as the organization name associated with the Smart Account and the system IP assigned to the router.

However, in most plug-and-play workflows, these secondary parameters are handled automatically by the controllers once the router establishes its initial communication with vBond. For this reason, the only configuration that typically needs to be placed on the router at the time of bootstrapping is the vBond hostname.

There are two common methods for bootstrapping a router. One involves manually entering the required configuration at the router’s command line. The other, and more scalable option, is to load a prepared configuration file into the router’s storage prior to boot. The router will then automatically detect and apply this configuration upon startup.

Using the Configuration File Method for Bootstrapping

Cisco ISR routers that support Plug and Play look for a specific configuration file during the boot process. On IOS-XE SD-WAN images the expected name is ciscosdwan.cfg, placed in the root of bootflash: (this name comes from Cisco's IOS-XE SD-WAN documentation rather than from the overlay setup itself). When the router powers on, it searches for the file, applies the configuration it contains, and initiates contact with the SD-WAN control infrastructure.

The configuration file is a plain text document that includes a few key directives. Its contents instruct the router to contact the vBond orchestrator using a specific hostname. This hostname must be resolvable via DNS, so network connectivity and proper DNS resolution must be in place before booting.

In addition to the vBond hostname, the file may include a system IP, site ID, and organization name. These values can either be pre-filled by the administrator or assigned dynamically by vManage once the initial handshake is complete. The more values that are preconfigured, the faster the onboarding process, though it is not strictly necessary to include everything for initial contact.

Administrators typically prepare this configuration file ahead of deployment. The file is copied to the router’s storage, and its name must follow the convention expected by the IOS-XE SD-WAN image. Once in place, the router is restarted. During the next boot cycle, the device reads the configuration, initiates contact with the vBond orchestrator, and begins the onboarding sequence.
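The bootstrap directives described above are few enough to generate and validate programmatically. The following is an added example, not from this guide or from Cisco: it renders the IOS-XE SD-WAN system block (the same lines that would be entered at the console in the manual method, or written into the bootstrap file) and rejects inputs that would only fail later at first contact with vBond. The vBond hostname, organization name, system IP, site ID and hostname values are placeholders; the default vBond port of 12346 is Cisco's documented default, not something stated on this page.

```python
import ipaddress
import re

# Cisco's default vBond DTLS port (documented default; not stated on this page).
VBOND_DEFAULT_PORT = 12346

# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}$",
    re.IGNORECASE,
)
_IOS_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def render_bootstrap(vbond_fqdn, organization_name=None, system_ip=None,
                     site_id=None, host_name=None, vbond_port=VBOND_DEFAULT_PORT):
    """Render the IOS-XE SD-WAN bootstrap configuration as CLI text.

    Only vbond_fqdn is mandatory, matching the minimal bootstrap the page
    describes. Optional values are validated before they are emitted: a router
    that boots with a malformed system-ip or a mistyped organization-name fails
    at its first contact with vBond, and the error is visible only in the
    control-connection history.
    """
    if not _FQDN_RE.match(vbond_fqdn):
        raise ValueError(f"vbond must be a resolvable FQDN, got {vbond_fqdn!r}")
    if not 1 <= int(vbond_port) <= 65535:
        raise ValueError("vbond port out of range")

    lines = []
    if host_name is not None:
        # On IOS-XE the hostname is a global command, not part of the system block.
        if not _IOS_HOSTNAME_RE.match(host_name):
            raise ValueError(f"invalid hostname {host_name!r}")
        lines.append(f"hostname {host_name}")
    lines.append("system")
    if system_ip is not None:
        ip = ipaddress.IPv4Address(system_ip)  # raises ValueError on non-IPv4 input
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
            raise ValueError(f"system-ip {ip} is not a usable unicast address")
        lines.append(f" system-ip {ip}")
    if site_id is not None:
        if not 0 <= int(site_id) <= 0xFFFFFFFF:  # site-id is a 32-bit value
            raise ValueError("site-id must be between 0 and 4294967295")
        lines.append(f" site-id {int(site_id)}")
    if organization_name is not None:
        # vBond compares this string exactly with the overlay's organization name,
        # so stray whitespace is a silent onboarding failure, not a cosmetic issue.
        if not organization_name or organization_name != organization_name.strip():
            raise ValueError("organization-name must be non-empty with no surrounding whitespace")
        if '"' in organization_name:
            raise ValueError("organization-name cannot contain double quotes")
        lines.append(f' organization-name "{organization_name}"')
    lines.append(f" vbond {vbond_fqdn} port {int(vbond_port)}")
    lines.append("!")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder values; vbond.example.com is not a real controller.
    print(render_bootstrap("vbond.example.com", organization_name="Example Org - 12345",
                           system_ip="10.255.0.100", site_id=100, host_name="site100-r1"))
```

Whichever values are preconfigured, the organization name must match the overlay's name exactly; the check above catches the whitespace and quoting mistakes that are otherwise invisible in a text editor.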

Network and DNS Prerequisites for Bootstrapping

For the bootstrapping process to succeed, several network prerequisites must be met. The most important thing is that the router must have IP connectivity to the internet or the SD-WAN controller environment, depending on where the overlay is hosted. This includes proper routing, NAT traversal if applicable, and access through any firewalls or security appliances that may be in place.

The router must also be able to resolve the hostname of the vBond orchestrator. If this hostname is not resolvable, the router will be unable to begin the onboarding sequence. Organizations often configure internal DNS entries for this purpose, particularly if the routers are deployed behind corporate firewalls. If the default internet-facing DNS services are used, public DNS records must be in place for the vBond hostname.

In addition to connectivity and DNS, administrators should verify that there are no outbound filtering rules that could block the router's connection to the controller ports. Control connections run over DTLS by default, which means UDP: 12346 is the base port, and a router may hop to other ports in the 12346 to 12446 range when a connection attempt fails, so allow the controllers' published port range rather than a single port. If the overlay is configured for TLS instead, control connections use TCP with 23456 as the default base port. These ports must be open between the router and the cloud-hosted overlay.

The last prerequisite is ensuring the router is running a supported IOS-XE version with SD-WAN capabilities. If the router was recently purchased with SD-WAN licensing, it likely already includes the necessary image. Otherwise, administrators may need to upgrade the software before proceeding with bootstrapping.

What Happens During Bootstrapping

Once the router is powered on and the configuration file is read, the device begins by resolving the vBond orchestrator's hostname to an IP address. It then opens a DTLS session to vBond in which both sides authenticate: the router presents its embedded SUDI certificate and proves possession of the matching private key, and vBond presents its own controller certificate, which the router checks together with the configured organization name. vBond does not query the Plug and Play portal live. It validates the SUDI certificate chain against Cisco's root CA and checks the device serial against the authorized WAN Edge list that vManage pushed to it during Send to Controllers. If the chain verifies and the serial is on that list, the router is authenticated.

After authentication, vBond provides the router with the IP addresses and hostnames of the other SD-WAN controllers: vManage and vSmart. The router then establishes secure control connections to each of these components. If the router has been validated in vManage and assigned the proper configuration or template, it proceeds to download the necessary settings and install the SD-WAN configuration.

From this point forward, the router becomes a functioning node in the SD-WAN fabric. It establishes secure tunnels with other routers, exchanges routing and policy data, and begins forwarding traffic based on the centralized policies defined in vManage.

This completes the router’s journey from a default factory state to a fully integrated SD-WAN edge device. All of this occurs with minimal manual intervention, which is the primary advantage of Plug and Play onboarding.

Troubleshooting Bootstrapping Failures

In environments where multiple moving parts are involved, issues may occasionally occur during the bootstrapping process. Common points of failure include DNS resolution errors, connectivity issues, certificate mismatches, or validation problems within vManage.

If the router fails to contact vBond, the first area to inspect is DNS. Verify that the vBond hostname is resolvable from the router’s point of view and that the response is returning the correct IP address. If DNS is functioning correctly, verify that the router has internet access and that outbound connections are not blocked by a firewall.

Another possible issue is a mismatch in the identity certificate. If the certificate on the router does not match the one uploaded to the Plug and Play portal, vBond will deny the connection request. Similarly, if the certificate was uploaded incorrectly or with the wrong profile, the onboarding will fail.

Validation status within vManage must also be checked. If the router has not been validated as either staging or valid, vManage and vSmart will refuse to establish control connections. Administrators should ensure that validation has been completed and that the settings have been sent to the controllers.

The router's own control-connection state is the fastest place to locate the failure. On IOS-XE SD-WAN, show sdwan control connections lists the sessions that are up, show sdwan control connection-history lists the attempts that failed together with a local and a remote error code, and show sdwan control local-properties shows what the router believes its organization name, vBond address, serial number and certificate status to be. These outputs usually indicate where in the process the failure occurred and provide clues for remediation.
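The failure classes listed in this troubleshooting section map onto the error codes a router reports for its control connections. As an added example, not from this guide or from Cisco's tooling, the script below triages a constructed sample modelled on show sdwan control connection-history output and orders the findings in the sequence the section recommends: connectivity first, then certificates, then validation state. The sample's column layout is simplified and constructed; a real capture has more columns, which is why the parser keys on header names rather than positions. The error-code meanings are taken from Cisco's control-connection troubleshooting documentation as I know it, and the grouping into the guide's failure classes is mine.

```python
# Cisco's documented error codes for SD-WAN control connections, as I know them
# from Cisco's troubleshooting guides (not from this page), grouped into the
# failure classes the guide lists. Organization-name mismatch is grouped with
# certificate problems because it is a failure of mutual authentication.
CONTROL_ERRORS = {
    "DCONFAIL":  ("connectivity", "DTLS connection failure: confirm the DNS answer for vBond, "
                                  "routing, NAT and that UDP 12346 is permitted toward the controllers"),
    "VB_TMO":    ("connectivity", "vBond timeout: nothing comes back; check firewalls and the "
                                  "portal's inbound IP rules for the site's public address"),
    "VM_TMO":    ("connectivity", "vManage timeout: same checks toward the vManage address learned from vBond"),
    "VS_TMO":    ("connectivity", "vSmart timeout: same checks toward the vSmart address learned from vBond"),
    "CRTVERFL":  ("certificate",  "certificate verification failed: check the router clock and the controller root CA chain"),
    "CRTREJSER": ("certificate",  "certificate rejected by serial: the SUDI serial is not in the list this controller holds"),
    "BIDNTVRFD": ("certificate",  "board ID not verified: the controller does not recognise the device identity it was shown"),
    "ORGNMMIS":  ("certificate",  "organization-name mismatch between the router and the overlay"),
    "SERNTPRES": ("validation",   "serial number not present in the authorized WAN Edge list; re-sync and Send to Controllers"),
    "NOVMCFG":   ("validation",   "no configuration from vManage: the device is in staging or has no template attached"),
}

# Order in which the guide says to investigate.
CHECK_ORDER = ["connectivity", "certificate", "validation"]

# Constructed sample, simplified from the shape of "show sdwan control
# connection-history". Not a real capture; column names are the parser's key.
SAMPLE_HISTORY = """\
PEER_TYPE PROT PEER_SYSTEM_IP SITE_ID DOMAIN_ID LOCAL_COLOR  STATE   LOCAL_ERROR REMOTE_ERROR REPEAT_COUNT
vbond     dtls 0.0.0.0        0       0         biz-internet connect DCONFAIL    NOERR        7
vbond     dtls 0.0.0.0        0       0         biz-internet connect NOERR       CRTREJSER    2
vmanage   dtls 10.255.0.1     1       0         biz-internet connect NOVMCFG     NOERR        1
"""


def parse_history(text):
    """Parse a whitespace-separated table whose first line names the columns."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def triage(text):
    """Return findings (one per non-NOERR code) sorted by the guide's check order."""
    findings = []
    for row in parse_history(text):
        for side in ("LOCAL_ERROR", "REMOTE_ERROR"):
            code = row.get(side, "NOERR")
            if code == "NOERR":
                continue
            category, advice = CONTROL_ERRORS.get(
                code, ("unknown", "unrecognised code; consult Cisco's control-connection error table"))
            findings.append({
                "peer": row.get("PEER_TYPE", "?"), "side": side, "code": code,
                "category": category, "advice": advice,
                "repeat": int(row.get("REPEAT_COUNT", "0")),
            })
    rank = {name: i for i, name in enumerate(CHECK_ORDER)}
    findings.sort(key=lambda f: (rank.get(f["category"], len(CHECK_ORDER)), -f["repeat"]))
    return findings


def first_check(text):
    """Category and advice for the first thing to look at, or None if nothing failed."""
    findings = triage(text)
    return (findings[0]["category"], findings[0]["advice"]) if findings else None


if __name__ == "__main__":
    for f in triage(SAMPLE_HISTORY):
        print(f"{f['peer']:8} {f['side']:13} {f['code']:10} {f['category']:13} {f['advice']}")
```

A remote-side CRTREJSER from vBond right after a Smart Account sync is the signature of a serial list that was never pushed; in that case re-run Send to Controllers before touching the router.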

Introduction to Post-Onboarding Tasks in Cisco SD-WAN

Once a router has been successfully bootstrapped and joined the Cisco SD-WAN overlay, the onboarding process is technically complete. However, several important tasks remain to bring the router into full operational readiness. These tasks include assigning configuration templates, verifying controller connectivity, activating policies, and ensuring the router can forward traffic as expected. Proper execution of these post-onboarding steps ensures that the router functions within the broader SD-WAN architecture as intended.

The steps that follow are designed to bring consistency across all devices, enforce security and routing policies, and enable centralized management through vManage. While some of these actions are optional during initial testing or staging, they are essential in production deployments.

Assigning Configuration Templates to Onboarded Routers

Templates are one of the most powerful features of Cisco SD-WAN. They allow administrators to standardize device configuration across all routers in the overlay. Once a router is validated and connected to vManage, the next step is to assign it a configuration template. Templates are created within vManage and can be either feature-based or device-based, depending on the administrative model being used.

Feature templates break the router configuration into modular pieces. Each template defines a specific function, such as system parameters, interfaces, VPN settings, or routing protocols. These modular templates are then assembled into a device template, which is applied to the router as a whole. This model provides high flexibility and reusability across different router models and deployment scenarios.

Device templates are more straightforward and contain all configuration elements in a single object. While less modular than feature templates, they can be easier to manage in smaller environments or during pilot deployments.

After selecting or creating a suitable template, the router is associated with it through the vManage interface. During this process, variable fields within the template (such as hostnames, IP addresses, or site IDs) are filled out for the specific router. Once complete, the configuration is pushed to the device.

The router then receives the configuration via a secure channel and applies it to its running system. The status of the configuration push is visible in vManage, where administrators can confirm whether it succeeded or failed. A successful configuration push signals that the router is now fully integrated into the SD-WAN overlay and operating with standardized settings.

Verifying Controller Connections and Tunnel Status

Once the router has received its configuration, it must establish and maintain active control connections to vManage and vSmart. The session with vBond is transient: it is used during onboarding to learn where the other controllers are, is normally torn down once those connections are up, and is re-established only if the router has to rediscover its controllers. The persistent connections are vital for the operation of the control plane and for the router to participate in encrypted data plane communications.

Administrators can verify these connections through the vManage dashboard. Each router is monitored continuously, and its status is updated in real time. The dashboard provides metrics on control connections, tunnel status, and device reachability. If any controller connection is down, the dashboard will flag the issue and indicate which connection is affected.

The router itself also tracks the state of its control plane connections. On IOS-XE SD-WAN, show sdwan control connections shows the live sessions and show sdwan control connection-history shows past attempts and their error codes; together they give detailed insight into events such as successful handshakes, rejected certificates, or dropped sessions.

In addition to controller connectivity, administrators should verify that data plane tunnels are being established between routers in the SD-WAN overlay. These tunnels are encrypted and form the core of how traffic is routed across the WAN. Tunnel status can be checked in vManage or from the router itself, where show sdwan bfd sessions lists the tunnels and whether each is up, and show sdwan ipsec inbound-connections and show sdwan ipsec outbound-connections show the IPsec state behind them.

If tunnels are not forming as expected, administrators should revisit configuration settings, validate IP address reachability between sites, and confirm that policies are not inadvertently blocking traffic.

Activating Centralized Policies and Security Services

Policies are used in Cisco SD-WAN to control traffic behavior, enforce segmentation, apply security features, and manage service chaining. Once routers are onboarded and operational, policies can be activated to align with business requirements.

There are two major types of policies in SD-WAN: centralized and localized. Centralized policies are defined and deployed through vManage. They affect traffic as it transits the SD-WAN fabric and are used for functions such as traffic engineering, application-aware routing, and segmentation. Localized policies are applied directly on the device and govern traffic entering or leaving specific interfaces.

To activate a centralized policy, administrators navigate to the policy section in vManage, define match conditions and actions, and assign the policy to a group of devices. These policies can define path selection based on performance metrics, implement VPN segmentation between business units, or direct traffic to a firewall before reaching its destination.

Security services such as firewall filtering, URL filtering, and intrusion prevention can also be integrated into SD-WAN routers. These features are configured through templates and applied as part of the overall configuration. Cloud security services or on-premises security nodes can also be integrated into the SD-WAN fabric using service chaining.

Once policies are created and verified, they are activated in vManage and pushed to the relevant routers. Routers begin enforcing these rules immediately. Monitoring tools within vManage provide insights into policy performance and help administrators troubleshoot misconfigurations or unintended behavior.

Monitoring and Maintaining SD-WAN Routers

The final phase of post-onboarding involves monitoring the health and performance of the router over time. Cisco SD-WAN provides a comprehensive suite of monitoring tools that track device status, control connections, tunnel health, and traffic metrics. These tools are available through the vManage interface and include real-time dashboards, historical reports, and alerting mechanisms.

Monitoring helps identify performance issues before they impact users. Metrics such as packet loss, jitter, and latency are continuously collected and displayed in graphical form. These metrics are particularly useful when troubleshooting application performance problems or validating policy effectiveness.

Administrators can also configure alert thresholds to receive notifications when critical metrics cross defined boundaries. This enables proactive management and faster resolution of network issues.

Firmware updates and configuration changes are also managed through vManage. The system supports scheduled upgrades and rollback capabilities, allowing organizations to test new releases and maintain version consistency across all routers.

As part of ongoing maintenance, administrators may periodically review device logs, update policies, and adjust templates to reflect changing business needs. The centralized nature of Cisco SD-WAN simplifies these tasks and ensures that changes can be rolled out quickly and accurately.

Final Thoughts 

Cisco SD-WAN continues to redefine how organizations deploy and manage wide-area networks across distributed environments. Its plug-and-play onboarding process offers a streamlined and scalable approach to provisioning routers, especially for enterprises transitioning away from traditional WAN technologies. By simplifying the initial deployment steps, PnP minimizes the time, effort, and technical overhead traditionally associated with bringing devices online.

The onboarding journey, however, is more than just device registration. It includes a broader architectural shift, introducing centralized control, template-driven configuration, policy enforcement, and real-time monitoring. When executed properly, the onboarding process ensures that each router not only joins the SD-WAN fabric but also operates in harmony with the larger enterprise network objectives.

This guide explored the full lifecycle of onboarding a router into Cisco SD-WAN using PnP—from understanding the underlying concepts, to accessing the self-service and PnP portals, to configuring the bootstrap process, and finally integrating the router into a fully managed environment. Each step serves a specific purpose, and when followed methodically, leads to a successful deployment.

Organizations planning to scale their SD-WAN deployments should view PnP not just as an automation tool, but as a foundation for operational consistency. With features like identity-based authentication, centralized templates, and policy-driven routing, Cisco SD-WAN allows for secure, resilient, and intelligent WAN design across the enterprise.

While the onboarding process can be adapted depending on the organization’s size, technical expertise, or infrastructure model, the structured approach presented in this guide helps ensure that no critical steps are missed. It is always advisable to test onboarding workflows in a staging environment before applying them at scale in production.

In closing, embracing the Cisco SD-WAN PnP onboarding methodology not only accelerates deployment but also reinforces network agility, reliability, and security—all of which are essential attributes in today’s evolving IT landscape.