Contributor:  Mike Ketabforoosh

SD-WAN is a must-have for IT teams around the world. In fact, Cisco expects that 95% of its customers will implement SD-WAN within two years. The demand is incredible.

One of the most impressive capabilities in SD-WAN is Zero-Touch Provisioning or “ZTP.” With its ability to remotely provision a router anywhere in the WAN, ZTP lowers IT costs while increasing network control and convenience—but only if designed and delivered as a secure and truly zero-touch solution.

So what does “zero touch” mean, exactly?

When evaluating an SD-WAN solution for your network, there are three main capabilities that identify true ZTP:

Plug N’ Play

SD-WAN is about improving customer experience. ZTP should eliminate the need to send an expert to deploy SD-WAN devices. In fact, the only action that a customer needs to take with a true ZTP product is to connect a cable to the WAN port of a new SD-WAN device. This simple, one-step capability is called Plug N’ Play (see Figure 1), a cloud-based service that provides both a discovery and activation mechanism for a network device.

Any other step—such as connecting to every device and then pushing a file via email or mobile app to provision the device—should be considered extraneous and not a true ZTP process. Often, this non-ZTP model will need additional intervention from specialist technicians, defeating the whole purpose behind ZTP.


In any cloud service such as SD-WAN, security is a non-negotiable concern that must be addressed in the solution. In the case of ZTP, the device should self-authenticate and receive provisioning information from a centralized management plane.

This secure process minimizes malicious actions on the network, such as adding an unauthorized or infected device into the SD-WAN overlay. Requiring provisioning information through email or a mobile application is not a secure ZTP mechanism, and should be avoided.

Air-Gapped Ability

While SD-WAN is best known for utilizing direct internet connections as a means to improve performance and reduce cost, organizations with air-gapped networks can still enjoy the benefits of centralized WAN management, segmentation, and ZTP. Some SD-WAN solutions cannot accommodate air-gapped networks, only offering a staging environment with internet connectivity—which is contrary to both ZTP and air-gapped principles. Cisco SD-WAN offers a true ZTP process for isolated, air-gapped networks through a standalone ZTP server, which acts as a Cisco “Cloud” ZTP server complete with a PnP Portal. This provides the same, simple ZTP provisioning process so that sensitive, air-gapped networks can benefit from SD-WAN’s remote discovery and activation. As a result, isolated networks will see reduced costs, increased control, and added convenience.

Cisco Zero Touch provisioning via PnP Connect Portal in SD-WAN

Cisco SD-WAN is built with these principles, making our ZTP an efficient, secure and consistent process.

When evaluating SD-WAN vendors, be sure to select a solution for your network that includes a true ZTP process.

Check out Cisco SD-WAN for more benefits of implementing a software-defined WAN with centralized management.





Muninder Sambi

VP, Product Management

Cisco Enterprise Switching