Skip to main content
Cisco SD-WAN
Product Documentation
Viptela Documentation

Start the Enterprise ZTP Server

If you are hosting the Viptela zero-touch-provisioning (ZTP) vBond server in your enterprise, you must configure one vBond orchestrator to perform this role. This vBond server provides the vEdge routers in the overlay network with the IP address of your enterprise vBond orchestrator and with the enterprise root CA chain. You can think of this vBond server as a top-level vBond orchestrator, analogous to a top-level domain server in the Internet.

If you are using the Viptela ZTP hosted service, there is no need to set up a top-level vBond orchestrator.

This article provides step-by-step instructions on how to start the vBond server and perform initial configuration.


To start the vBond orchestrator software, you need the following hardware and software components:

  • A vEdge router on which the vEdge software has been installed or the vBond VM instance on the hypervisor.
  • Appropriate power cables. See the packing list for your hardware platform.
  • An enterprise DNS server that has been configured with an A record that redirects the URL to your enterprise ZTP server. The recommended URL for this enterprise server is
  • Certificate generated as a result of a Certificate Signing Request (CSR).
  • Enterprise root CA chain.
  • A CSV file that contains the vEdge router chassis information required by the vBond orchestrator that is acting as the ZTP server. Each row in the CSV file must contain the following information for each vEdge router:
    • vEdge router chassis number
    • vEdge router serial number
    • Validity (either valid or invalid)
    • vBond IP address
    • vBond port number (entering a value is optional)
    • Organization name as specified in the device certificate
    • Path to the enterprise root certification (entering a value is optional)

Optionally, you can configure the vEdge router information manually using the request device command.


To start the top-level vBond orchestrator software and perform initial configuration:

  1. Boot the vEdge router.
  2. Use a console cable to connect a PC to the vEdge router.
  3. Log in to the vEdge router using the default username, which is admin, and the default password, which is admin. The CLI prompt is displayed.
  4. Configure the vEdge router to be a top-level vBond orchestrator:
    vBond# config
    vBond(config)# system vbond ip-address local ztp-server

    The IP address must be a public address so that the vBond orchestrator is reachable by all vSmart controllers and vEdge routers through the transport network. The local option indicates that this vEdge router is acting as the vBond orchestrator. It is this option that starts the vBond orchestrator software process on the vEdge router. The ztp-server option establishes this vBond orchestrator as the ZTP server.
  5. Configure an IP address for the interface that connects to the transport network:​
    vBond(config)# vpn 0 interface geslot/port
    vBond(config-ge)# ip address prefix/length
    vBond(config-ge)# no shutdown
  6. Commit the configuration:
    vBond(config)# commit
  7. Exit configuration mode:
    vBond(config)# exit
  8. Verify that the configuration is correct and complete:
    vBond# show running-config
  9. If the certificate has been signed by your enterprise CA authority, install the device's chain of trust:
    vBond# request root-cert-chain install path
    path is the directory path to a local file or a file on a remote device that is reachable via FTP, TFTP, HTTP, or SCP.
  10. Install the signed certificate:
    vBond# request certificate install filepath
     file-path can be one of the following:
    • filename—Path to a file in your home directory on the local Viptela device.
    • ftp:file-path—Path to a file on an FTP server.
    • http://url/file-path—Path to a file on a webserver.
    • scp:user@host:file-path
    • tftp:file-path—Path to a file on a TFTP server.
  11. Upload the CSV chassis file to the ZTP server:
    vBond# request device-upload chassis-file path
    path is the path to a local file or a file on a remote device that is reachable via FTP, TFTP, HTTP, or SCP.

  12. Verify that the list of vEdge router chassis numbers are present on the vBond orchestrator using one of the following commands:
    vBond# show ztp entries
    vBond# show orchestrator valid-devices

Here is an example of the configuration of a top-level vBond orchestrator:

vBond# show running-config vpn 0
interface ge0/0
  ip address
  no shutdown

vBond#  show running-config system
  vbond local ztp-server

Additional Information

Bringup Sequence of Events

  • Was this article helpful?