Versa SD-WAN Branch Onboarding — Zero-Touch Provisioning & How a Box Joins the Fabric

Bringing up a new branch should not need a skilled engineer on site. Versa Zero-Touch Provisioning (ZTP) lets a non-technical person cable WAN and power, and the box phones home, proves who it is with a certificate, pulls its Day-0 staging config, registers a control connection to the Controller, and finishes with its Day-1 service config. This lesson walks the whole join, the certificate trust behind it, and the manual-staging fallback.

📅 2026-06-18 · ⏱ 15 min · 5 infographics · live onboarding demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Versa SD-WAN branch onboarding (2026): how Zero-Touch Provisioning (ZTP) brings up a new branch with no engineer on site, the certificate and serial identity that makes trust possible, the Day-0 staging to control-connection to Day-1 service-config flow, and when you fall back to manual staging.

Pick where you want to start

  1. Why onboarding matters: Bring up a branch with no engineer on site.
  2. The ZTP join, step by step: Pre-register, phone home, Day-0, control, Day-1.
  3. Trust & manual staging: Certificate identity, and the fallback path.
  4. Joining the fabric & failures: Managed in Director, route distribution, fixes.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does ZTP need a skilled engineer at the branch?

Answered in Why onboarding matters.

2. What does the box do first when it boots at the branch?

Answered in The ZTP join, step by step.

3. How does Versa stop a random device from joining?

Answered in Trust & manual staging.

Most engineers think…

Most people picture branch rollout as 'an engineer drives to site, plugs in a laptop, and types config into the router'. With Versa SD-WAN that mental model is exactly what Zero-Touch Provisioning removes.

Versa onboarding is an automated join: you pre-register the device's identity (serial / certificate) in Director first, ship the box, and a non-technical person only cables WAN and power. The device phones home over the Internet transport, proves who it is with a device certificate, pulls a Day-0 staging config, registers a secure control connection to the Controller, then downloads its Day-1 service config. Understanding that chain — and the certificate trust under it — is what lets you roll out hundreds of branches and debug the one that will not join.

① Why branch onboarding matters — no engineer on site

The single most important idea: with Versa SD-WAN you do not send a skilled engineer to every new branch. Zero-Touch Provisioning (ZTP) lets a non-technical person — a shop manager, a courier, anyone — simply cable the WAN link and power, and the box configures itself by talking to your head-end.

This matters because rollout is the expensive, slow part of SD-WAN. A retail chain opening fifty stores cannot fly an engineer to each one. With ZTP the work moves to the data centre: you pre-register each device once in Director, ship it, and it comes up on its own. Versa also supports a manual staging path for sites where ZTP prerequisites are not met.

Quick check · Q1 of 10 · Understand

What is the point of Zero-Touch Provisioning?

Correct: a. ZTP moves the work to the data centre: you pre-register the device once, ship it, and a non-technical person only cables WAN and power. The box configures itself by phoning home.
👉 So far: Versa onboarding = bring up a branch with no engineer on site; someone cables WAN and power, and ZTP does the rest. Manual staging is the fallback.

② The ZTP join — step by step

Here is the typical chain. First, the device is pre-registered in Director by its serial number / device identity. It ships to site and someone cables WAN plus power. On boot it gets an IP via DHCP on the Internet transport and reaches a known staging / ZTP address.

From authentication to live

The box authenticates with its device certificate / serial identity — only a known, pre-staged device is admitted. It then pulls its Day-0 staging config, registers a secure control connection to the Versa Controller, and finally downloads its Day-1 service config (templates and policies) from Director. No one at the branch typed a single command.

Figure 1 — The ZTP join — phone home to live branch
Pre-register (serial in Director) ▸ Phone home (DHCP + staging URL) ▸ Cert auth (device certificate) ▸ Day-0 (staging config) ▸ Day-1 (control + service cfg)
Every Versa ZTP onboarding runs this same chain, with no engineer on site.

Figure 2 — Three layers of the onboarding config
Identity: Serial / certificate pre-registered in Director
Day-0 staging: Minimal bootstrap to reach the Controller
Day-1 service: Full templates, routing and security policy
Versa onboarding pulls config in stages — each layer adds more than the last.

Director
The management and orchestration brain — holds device records, templates and policies, and pushes the Day-1 service config to the branch.

Staging / ZTP server
The known address the new box phones home to first; it authenticates the device by certificate and hands over the Day-0 staging config.

Controller
The control-plane element the branch registers a secure control connection to; it distributes routes and tunnels across the SD-WAN fabric.

Device certificate
The serial / certificate identity pre-registered in Director — proof that this exact box is the one you trust, so a random device cannot join.

Say the join as one sentence

In an interview, recite the chain: pre-register the serial in Director, ship, the box phones home over the Internet transport, certificate auth, Day-0 staging, control connection to the Controller, then Day-1 service config. No engineer on site, trust is certificate based.

▶ Watch a new branch box join the fabric

How a freshly shipped Versa box onboards end-to-end.

① Phone home: The box boots, gets a DHCP IP on the Internet transport, resolves the staging URL and contacts the known staging / ZTP address.
② Cert auth: It presents its device certificate / serial; Director confirms the identity was pre-registered and admits only this known box.
③ Day-0 + control: The box pulls its Day-0 staging config and registers a secure control connection to the Versa Controller.
④ Day-1 + managed: Director pushes the Day-1 service config; the box appears as managed and the Controller distributes its routes to peers.

Quick check · Q2 of 10 · Remember

In the ZTP flow, what does the device do right after it authenticates with its certificate?

Correct: c. After certificate auth the box pulls its Day-0 staging config, registers a secure control connection to the Controller, and only then downloads the Day-1 service config from Director.
👉 So far: ZTP chain: pre-register serial in Director ▸ phone home (DHCP + staging URL) ▸ certificate auth ▸ Day-0 staging ▸ control connection to Controller ▸ Day-1 service config.

③ Trust and the manual-staging fallback

Onboarding only works because trust is certificate-based. The device's serial / certificate identity must be pre-provisioned in Director, so a random device that turns up on the Internet cannot join the fabric. Many deployments add an optional staging passphrase or token for an extra factor.

When ZTP prerequisites are not met — no DHCP, blocked control ports, or no path to the staging URL — you use manual staging instead. An engineer applies a minimal staging config (or a USB / CLI bootstrap) so the device can reach the Controller; the full post-staging config is then pushed exactly as in ZTP. Same destination, different first step.

Figure 3 — Zero-Touch Provisioning vs manual staging
Zero-Touch (ZTP): No engineer at site; DHCP on Internet transport; Device phones home automatically; Best for large fast rollouts
Manual staging: Engineer applies minimal config; Used when no DHCP / ports blocked; CLI or USB bootstrap; Best for tricky one-off sites
Same destination — a managed branch on the fabric — but the first step differs.

'ZTP trusts any device' is wrong

ZTP is not open enrolment. The device's serial / certificate identity must be pre-provisioned in Director, so only a known, pre-staged box is admitted. A random device that phones the staging address is rejected, and a staging passphrase or token can optionally be added as a further check.

Quick check · Q3 of 10 · Apply

A branch site has no DHCP and the control ports are blocked. What should you do?

Correct: d. ZTP needs DHCP and open control ports. When prerequisites are missing you fall back to manual staging — an engineer applies a minimal bootstrap config so the device can reach the Controller, then the full config is pushed.
👉 So far: Trust is certificate / serial based — the identity must be pre-provisioned in Director, so a random device cannot join. No DHCP or blocked ports? Use manual staging.

④ Joining the fabric — and why a box fails to onboard

Once the control connection is up and the Day-1 config lands, the device appears in Director as managed. The Controller then distributes its routes to peer branches, so the new site can reach the rest of the fabric and the overlay tunnels form. The branch is live.

The classic failure

By far the most common onboarding failure is simple: the device cannot reach staging or the Controller. A firewall blocks the control ports, there is no DHCP on the transport, or DNS for the staging URL is wrong — so the box never authenticates and never gets config. Always check transport IP, DNS resolution of the staging address, and that the control ports are open end to end before blaming the device.

Figure 4 — What the branch talks to
New branch (Versa CPE box): Staging / ZTP · Director (records) · Controller (control) · DHCP on transport · DNS lookup · Peer branches
A new box talks to staging, Director and the Controller — each plays a distinct role in the join.
Figure 5 — Why a box fails to onboard
No DHCP (no transport IP) ▸ Bad DNS (staging URL fails) ▸ Ports blocked (control denied) ▸ No auth (never admitted) ▸ No config (branch dead)
Most ZTP failures are a broken path to staging or the Controller — not the device itself.

Vikram at a Pune retail chain faces this

A newly shipped Versa box at a Pune store powers on but never shows up as managed in Director after an hour.

Likely cause

The store's broadband router hands out DHCP, but the site firewall blocks the Versa control ports and the staging URL does not resolve on the store's DNS.

Diagnosis

On-site staff confirm power and WAN cabling; from the box console the transport has an IP but cannot resolve or reach the staging address, so certificate auth never starts.

Director ▸ Devices (no record live) + branch console ▸ transport IP / DNS / control-port reachability
Fix

Open the Versa control ports outbound at the store firewall and point the box at a DNS that resolves the staging URL (or use a fixed staging address); confirm DHCP gives a working transport IP.

Verify

The box phones home, certificate auth succeeds, Day-0 then Day-1 land, and the branch appears as managed in Director with routes distributed to peers.

Prove the path before blaming the box

Never RMA a device on a hunch. From the branch, confirm the transport has a DHCP IP, the staging URL resolves in DNS, and the control ports are open outbound. Most 'dead' onboardings are a blocked path, not a bad device.
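
The path checks from "The classic failure" and the paragraph above (transport IP, DNS for the staging address, outbound control ports), run in the order the box depends on them and stopping at the first break. This is an added example, not Versa tooling or code from the lesson; the staging hostname and port list are placeholders for your deployment's values, the function names are illustrative, and it assumes a laptop plugged in where the box's WAN port connects.

```python
import socket

# Placeholders, not Versa defaults: substitute your staging address and ports.
STAGING_HOST = "staging.example.net"
CONTROL_TCP_PORTS = (443,)


def local_transport_ip(probe=("192.0.2.1", 9)):
    """Source IP the OS would use towards the Internet, or None (no DHCP)."""
    # connect() on a UDP socket sends nothing; it only consults the routing table.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect(probe)
        except OSError:
            return None
        ip = s.getsockname()[0]
    return None if ip.startswith(("169.254.", "0.")) else ip


def resolve(host):
    """Addresses DNS returns for host, or [] when resolution fails."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(addr, port, timeout=3.0):
    """True if a TCP handshake completes. UDP control ports need another test."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(host=STAGING_HOST, ports=CONTROL_TCP_PORTS,
             get_ip=local_transport_ip, lookup=resolve, connect=tcp_open):
    """Return (verdict, detail) for the first broken link in the path."""
    ip = get_ip()
    if ip is None:
        return "NO_DHCP", "transport has no usable IP; check DHCP on the WAN link"
    addrs = lookup(host)
    if not addrs:
        return "BAD_DNS", f"{host} does not resolve here (transport IP {ip})"
    blocked = [p for p in ports if not any(connect(a, p) for a in addrs)]
    if blocked:
        return "PORTS_BLOCKED", f"no outbound TCP path to {addrs} on {blocked}"
    return "PATH_OK", f"{ip} reaches {addrs} on TCP {list(ports)}; check identity next"


if __name__ == "__main__":
    print(diagnose())
```

A PATH_OK verdict with the box still unmanaged points away from the network and towards the pre-registered identity in Director.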

Quick check · Q4 of 10 · Analyze

A new box never appears as managed in Director. What is the most likely cause?

Correct: b. The classic failure is a broken path: no transport IP (no DHCP), the staging URL does not resolve (wrong DNS), or a firewall blocks the control ports — so the box never authenticates and never gets config.
👉 So far: After the join the box is managed in Director and the Controller distributes its routes to peers. The classic failure is a broken path to staging or the Controller.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Where is a Versa device's identity pre-registered before it ships?

Correct: a. You pre-register the device by its serial / certificate identity in Director. That is what lets Director admit only a known, pre-staged box during ZTP.
Q6 · Understand

What does the Day-0 staging config provide?

Correct: b. Day-0 staging is the minimal bootstrap — it gets the device to the Controller. The full templates and policies come later as the Day-1 service config from Director.
Q7 · Apply

On boot during ZTP, how does the device get onto the network to phone home?

Correct: c. In ZTP the device gets an IP via DHCP on the Internet transport and reaches a known staging / ZTP address. No engineer types anything; manual staging is the alternative when DHCP is absent.
Q8 · Analyze

Why can a random device that phones the staging address not join the fabric?

Correct: d. Trust is certificate-based: the serial / certificate identity must be pre-provisioned in Director. An unknown device is not admitted, optionally backed by a staging passphrase or token.
Q9 · Evaluate

A box at a new site cannot onboard. Which is the best first check?

Correct: a. The classic failure is a broken path to staging or the Controller — no DHCP, wrong DNS, or blocked control ports. Prove the path before blaming the device.
Q10 · Evaluate

What happens on the fabric once a branch finishes onboarding?

Correct: b. After the control connection and Day-1 config, the box is managed in Director and the Controller distributes its routes to peers so overlay tunnels form and the branch is reachable across the fabric.

🧠 In your own words

Type one line: how does a brand-new Versa box join the fabric with no engineer on site? Then compare with the expert version.

Expert version: You pre-register the device's serial / certificate identity in Director, then ship it; a non-technical person cables WAN and power. On boot it gets a DHCP IP on the Internet transport, reaches a known staging / ZTP address, and authenticates with its device certificate — so only that known, pre-staged box is admitted. It pulls its Day-0 staging config, registers a secure control connection to the Versa Controller, then downloads its Day-1 service config (templates and policies) from Director. It now shows as managed in Director and the Controller distributes its routes to peers. Trust is certificate / serial based, which is exactly why a random device cannot join — and when DHCP or the control ports are missing, you fall back to manual staging.

📖 Glossary

Zero-Touch Provisioning (ZTP)
Automated branch onboarding where a non-technical person only cables WAN and power; the pre-registered device configures itself by phoning home.
Director
Versa management and orchestration — holds device records, templates and policies and pushes the Day-1 service config to branches.
Controller
Control-plane element a branch registers a secure control connection to; it distributes routes and tunnels across the SD-WAN fabric.
Staging / ZTP server
A known address the new device phones home to first; it authenticates the device by certificate and hands over the Day-0 staging config.
Device certificate / serial identity
The pre-provisioned identity that proves this exact box is the one you trust, so only a known, pre-staged device is admitted.
Day-0 staging config
The minimal bootstrap configuration that gets the device up and able to reach and register to the Controller.
Day-1 service config
The full service configuration — templates, routing, security and SD-WAN policy — pushed from Director after the control connection is up.
Control connection
The secure registration session between a branch and the Controller, used to exchange reachability and distribute routes.
Manual staging
The fallback when ZTP prerequisites are missing — an engineer applies a minimal config via CLI or USB so the device can reach the Controller.
DHCP on transport
Automatic IP assignment on the Internet transport that lets the new box get online and phone home during ZTP.

What's next?

Got onboarding? Next, go deep on the Versa control plane — how the Controller distributes routes and tunnels between branches, and how SD-WAN traffic-steering policies actually pick a path.