Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

Configure and manage devices using SD-WAN Manager

Describes device configuration using SD-WAN Manager, including mode changes, device authorization via serial files or Smart Account, exporting device data, viewing configurations, and so on.


Use the Devices screen to add and delete devices, toggle the mode of a device between CLI and SD-WAN Manager, upload the WAN edge serial number file, export bootstrap configuration, and perform other device-related tasks.

Figure callouts: 1 Menu; 2 CloudExpress; 3 Tasks; 4 Alarms; 5 Help; 6 User Profile

Change configuration modes

A device can be in either of these configuration modes:

  • Cisco SD-WAN Manager mode – A template is attached to the device and you cannot change the configuration on the device by using the CLI.

  • CLI mode – No template is attached to the device and the device can be configured locally by using the CLI.

When you attach a template to a device from Cisco SD-WAN Manager, it puts the device in Cisco SD-WAN Manager mode. You can change the device back to CLI mode if needed to make local changes to its configuration.

Procedure

1.

Follow these steps to toggle a router from Cisco SD-WAN Manager mode to CLI mode.

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

  2. Click WAN Edge List, and select a device.

  3. Click the Change Mode drop-down list and select CLI mode.

    • The Config Lock (Provision Device) option appears only if a template is attached to the device or if a configuration group is deployed to the device.

    • Starting from Cisco IOS XE SD-WAN Release 17.11.1a, click the ... icon adjacent to the device that you want to change from Cisco SD-WAN Manager mode to CLI mode and click Config Lock (Provision Device).

2.

Follow these steps to toggle a controller device from Cisco SD-WAN Manager mode to CLI mode:

  1. From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

  2. Click Controllers, and select a device.

    Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

  3. Click the Change Mode drop-down list.

  4. Select CLI mode and then select the device type. The Change Mode - CLI window opens.

  5. From the Manager mode pane, select the device and click the right arrow to move the device to the CLI mode pane.

  6. Click Update to CLI Mode.

An SSH window opens. To log in to the device, enter a username and password. You can then issue CLI commands to configure or monitor the device.


Upload WAN edge router authorized serial number file

To upload the WAN edge router authorized serial number file to SD-WAN Manager and then download it to controllers in the network:

  • The WAN edge router authorized serial number file contains, as applicable, the subject SUDI serial number, the chassis number, and the certificate serial numbers of all valid Cisco IOS XE Catalyst SD-WAN devices in the overlay network.

  • You retrieve a serial number file from the Cisco Plug-and-Play (PnP) portal and upload it to SD-WAN Manager. (For more information about Cisco PnP, see Cisco Plug and Play Support Guide for Cisco Catalyst SD-WAN Products.)

  • From SD-WAN Manager, you send the file to the controllers in the network. This file is required to allow the Cisco Catalyst SD-WAN overlay network components to validate and authenticate each other and to allow the overlay network to become operational.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List, and click Upload WAN Edge List.

The Quick Connect workflow opens, enabling you to upload the serial number file. For information about the Quick Connect workflow, see the Cisco Catalyst SD-WAN Getting Started Guide.

3.

(This step applies only for releases earlier than Cisco Catalyst SD-WAN Manager Release 20.14.1) Under the Upload WAN Edge List screen:

  1. Click Choose File and select the WAN edge router authorized serial number file you received from Cisco PnP.

  2. To automatically validate the routers and send their chassis and serial numbers to the controllers, ensure that the Validate the uploaded vEdge List and send to controllers check box is selected. If you do not select this option, you must individually validate each router in Configuration > Certificates > WAN Edge List.

  3. Click Upload.

A list of routers in the network is displayed in the router table, with details about each router.

What to do next

Starting from Cisco vManage Release 20.9.2, you can monitor the newly added WAN Edge devices in the Monitor > Devices page.


Upload WAN edge router serial numbers from Cisco Smart Account

To upload the WAN edge router authorized serial numbers from a Cisco Smart account to SD-WAN Manager and then download it to all the controllers in the overlay network:

  • To allow Cisco Catalyst SD-WAN overlay network components to validate and authenticate each other and to allow the overlay network to become operational, Cisco Catalyst SD-WAN requires chassis numbers of all valid Cisco IOS XE Catalyst SD-WAN devices in the overlay network.

    In addition, certificate serial numbers, subject SUDI serial numbers, or both numbers are required for all devices.

Procedure

1.

From the SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List, and click Sync Smart Account.

3.

In the Sync Smart Account window:

  1. Enter the Username and Password for your Smart account.

  2. To automatically validate the routers and send their chassis and serial numbers to the controllers, check the Validate the Uploaded WAN Edge List and Send to Controllers check box. If you do not select this option, you must individually validate each router in Configuration > Certificates > WAN Edge List.

  3. Click Sync.

A list of routers in the network is displayed in the router table, with details about each router.

Starting from Cisco vManage Release 20.9.2, you can monitor the newly added WAN Edge devices in the Monitor > Devices page.


Export device data in CSV format

In an overlay network, you might deploy multiple devices of the same type that share identical or nearly identical configurations.

  • Example 1: In a network with redundant SD-WAN Controllers, you must configure each controller with identical policies.

  • Example 2: In a network with Cisco IOS XE Catalyst SD-WAN devices at multiple sites, each device provides identical services at each site.

Using templates for identical configurations

As these devices have essentially identical configurations:

  • You can create one set of feature templates.

  • You can consolidate them into one device template.

  • You can use this single device template to configure all devices.

To assign unique values per device, you can:

  • Create an Excel file in CSV format.

  • List all the variables.

  • Define each device-specific variable value for every device.

  • Load this file when you attach the device template to the devices.

How to export data in CSV format

The Export icon lets you create and download device data in a CSV file. This icon, which is a downward-pointing arrow, is located to the right of the filter criteria both in the WAN Edge List and in the Controllers tab.

SD-WAN Manager downloads all data from the device table to an Excel file in CSV format.


View a device's running configuration

Running configuration is configuration information that SD-WAN Manager obtains from the memory of a device. This information can be useful for troubleshooting.

Use these steps to view a device's running configuration:

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List or Controllers, and select the device.

3.

Click ..., and click Running Configuration.


View a device's local configuration

Local configuration refers to the configuration that SD-WAN Manager stores for a device. This information helps troubleshoot issues or determine how to access a device when it is not reachable from SD-WAN Manager.

To view a device's local configuration created using Configuration > Templates:

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List or Controllers, and select the device.

3.

Click ..., and click Local Configuration.


Copy router configuration

Copy the configuration from the old router to the new router.

When you are replacing one router at a site with another router, you copy the old router's configuration to the new router. Then you remove the old router from the network and add the new one.

Procedure


1.

From the Cisco SD-WAN Manager menu, choose Configuration > Certificates.

2.

Mark the new Cisco IOS XE Catalyst SD-WAN device as invalid.

3.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

4.

Under WAN Edge List, select the old router.

5.

Click ..., and click Copy Configuration.

6.

In the Copy Configuration window, select the new router.

7.

To confirm the copy of the configuration, click Update.

After you have copied the configuration to the new router, you can add the new router to the network. First, delete the old router from the network, as described below. Then add the new router to the network:

8.

From the Cisco SD-WAN Manager menu, choose Configuration > Certificates.

Mark the new router as valid.

9.

Click Send to Controller.



Delete a WAN edge router

Delete a router to remove it from your deployment. This action also removes the following items associated with the router from the WAN Edge router serial number list:

  • Chassis number

  • Certificate serial number

  • Subject SUDI serial number

Deleting a router also permanently removes the router configuration from SD-WAN Manager.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Certificates.

2.

Mark the WAN Edge router as invalid.

3.

From the SD-WAN Manager menu, choose Configuration > Devices.

4.

Click WAN Edge List, and select the router.

5.

Click ..., and click Delete WAN Edge.

6.

To confirm deletion of the device, click OK.

7.

From the Cisco SD-WAN Manager menu, choose Configuration > Certificates.

8.

Click Send to Controller.


Decommission a cloud router

Decommissioning a cloud router (such as a C8000v) removes the device's serial number from SD-WAN Manager and generates a new token for the device.

  • The Decommission WAN Edge feature applies only to cloud WAN edge devices and retains the cloud WAN Edge's UUID generated on the PnP Portal.

  • Physical devices do not support the Decommission WAN Edge functionality.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List, and select a cloud router.

3.

Click ..., and click Decommission WAN Edge.

4.

To confirm the decommissioning of the router, click OK.

Note

From Cisco Catalyst SD-WAN Manager Release 20.15.1, the process to decommission a WAN edge router has been modified. The scenarios below highlight the updates.

Table 1. Updates to deleting a WAN edge router

Scenario | Action
Decommission a compromised device | Click Delete WAN Edge.
Device is reachable | Perform a mandatory configuration unlock before proceeding with the decommissioning process.
Device is unreachable | The device will be unlocked after a certain time when the device is unreachable.

If you no longer have the device onboarded, with no Cisco SD-WAN Manager visibility, you can hold the power button for 5–10 seconds for a config reset, or 10-20 seconds for a software reset.

If you have console/terminal access, you can run the request config reset command.

Reuse of UUID is only possible after decommissioning a device. In this case, the Decommission option is not available since the device is offline.


View log of template activities

The template activity log records details about creating, editing, and deleting configuration templates, as well as the status of attaching templates to devices. This information helps in troubleshooting.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List or Controllers, and select the device.

3.

Click ..., and click Template Log.


View status of device bring up

You can view the status of operations that bring a router or controller online in the overlay network. This helps you monitor and track their progress effectively.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click WAN Edge List or Controllers, and select the device.

3.

Click ..., and click Device Bring Up.


Add a Cisco SD-WAN Validator

A Cisco SD-WAN Validator automatically orchestrates connectivity between Cisco IOS XE Catalyst SD-WAN devices and Cisco SD-WAN Manager. If any Cisco IOS XE Catalyst SD-WAN device or SD-WAN Controller is behind a NAT, the SD-WAN Validator also serves as an initial NAT-traversal orchestrator.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click Controllers.

3.

Click Add Validator.

4.

In the Add Validator window:

  1. Enter Validator Management IP Address of the SD-WAN Validator.

  2. Enter the Username and Password to access the SD-WAN Validator.

  3. To allow the certificate-generation process to occur automatically, check the Generate CSR check box.

  4. Click Add.

5.

Repeat Steps 2, 3 and 4 to add additional SD-WAN Validators.

The new SD-WAN Validator is added to the list of controllers in the Controllers screen.


Configure Cisco SD-WAN Controllers


Add an SD-WAN Controller

After the SD-WAN Validator authenticates Cisco IOS XE Catalyst SD-WAN devices, the SD-WAN Validator provides the devices with the information that they need to connect to the SD-WAN Controller. An SD-WAN Controller controls the flow of data traffic throughout the network via data and app-route policies.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click Controllers.

3.

Click Add Controller.

4.

In the Add Controller window:

  1. Enter the system IP address of the Cisco Catalyst SD-WAN Controller.

  2. Enter the username and password to access the SD-WAN Controller.

  3. Select the protocol to use for control-plane connections. The default is DTLS. The DTLS (Datagram Transport Layer Security) protocol is designed to provide security for UDP communications.

  4. If you select TLS, enter the port number to use for TLS connections. The default is 23456.

  5. The TLS (Transport Layer Security) protocol provides communications security over a network.

  6. Check the Generate CSR check box to allow the certificate-generation process to occur automatically.

  7. Click Add.

5.

Repeat Steps 2, 3 and 4 to add additional SD-WAN Controllers. Cisco SD-WAN Manager can support up to 20 SD-WAN Controllers in the network.

The new SD-WAN Controller is added to the list of controllers in the Controllers screen.


Edit SD-WAN Controller details

You can edit controller details to update the controller’s IP address and login credentials.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click Controllers, and select the controller.

3.

Click ..., and click Edit.

4.

In the Edit window, edit the IP address and the login credentials.

5.

Click Save.


Delete an SD-WAN Controller

Deleting a controller removes it from the overlay. Delete the controller when you replace it or no longer need it in your network.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click Controllers, and select the controller.

3.

Click ..., and click Invalidate.

4.

To confirm the removal of the device and all its control connections, click OK.


Configure reverse proxy on SD-WAN Controllers

To configure reverse proxy on an individual SD-WAN Manager and SD-WAN Controller:

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Devices.

2.

Click Controllers, and select the controller.

3.

Click ..., and click Add Reverse Proxy.

The Add Reverse Proxy dialog box is displayed.

4.

Configure the private IP address and port number for the device.

The private IP address is the IP address of the transport interface in VPN 0. The default port number is 12346. This is the port used to establish the connections that handle control and traffic in the overlay network.

5.

Configure the proxy IP address and port number for the device, to create the mapping between the private and public IP addresses and port numbers.

6.

If the SD-WAN Manager NMS or SD-WAN Controller has multiple cores, repeat Steps 5 and 6 for each core.

7.

Click Add.

To enable reverse proxy in the overlay network, from the Cisco SD-WAN Manager menu, choose Administration > Settings > Proxy > Reverse Proxy. Now enable Reverse Proxy and click Save.


Configure UCSE using a configuration group

Use these steps to configure UCSE using a configuration group.

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

2.

Create and configure a UCSE feature in Other profile.

  1. Configure parameter scope.

    Table 2. Parameter

    Parameter Scope | Scope Description
    Global (indicated by a globe icon) | Enter a value for the parameter and apply that value to all devices. Examples of parameters that you might apply globally to a group of devices are DNS server, syslog server, and interface MTUs.
    Device Specific (indicated by a host icon) | Use a device-specific value for the parameter. Choose Device Specific to provide a value for the key in the Enter Key field. The key is a unique string that helps identify the parameter. To change the default key, type a new string in the Enter Key field. Examples of device-specific parameters are system IP address, host name, GPS location, and site ID.
    Default (indicated by a check mark) | The default value is shown for parameters that have a default setting.

  2. Configure options for the UCSE feature.

    Table 3. Settings

    Field | Description
    Type | Choose a feature from the drop-down list.
    Feature Name* | Enter a name for the feature. The name can be up to 128 characters and can contain only alphanumeric characters.
    Description | Enter a description of the feature. The description can be up to 2048 characters and can contain only alphanumeric characters.

  3. Configure basic settings.

    Table 4. Basic Configuration

    Field | Description
    Bay* | Specify the number for the SAS drive bays. The input value must be an integer.
    Slot* | Specify the slot numbers for the mezzanine adapters. The input value must be an integer.

  4. Configure IMC.

    Table 5. IMC

    Field | Description
    Access Port | Configure the interface as an access port. You can configure only one VLAN on an access port, and the port can carry traffic for only one VLAN. Not all hardware models have a dedicated access port. See the release notes for your Cisco Catalyst SD-WAN release for the supported hardware. Available options: Dedicated, or Shared (configure the appropriate port, GE or TE, based on the hardware module).
    IPv4 Address* | Provide the UCS-E management port address.
    Default Gateway* | Gateway tracking determines, for static routes, whether the next hop is reachable before adding that route to the device’s route table. Default: Enabled.
    VLAN ID | Provide the VLAN number, which can be a value from 1 through 4094.
    Assign Priority | Assign the priority.

  5. Configure advanced settings.

    Table 6. Advanced Configuration

    Field | Description
    Interface Name* | Specify the name of the interface.
    Layer | Specify the layer details necessary for traffic exchange between different VLANs.
    UCSE Interface VPN | Specify the details of the UCS-E interface VPN.
    IPv4 Address | Provide the UCS-E management port address.

What to do next

Refer to Deploy a configuration group in the Cisco Catalyst SD-WAN Configuration Groups Reference Guide.


Create a UCS-E Template

For more information about the Cisco Unified Computing System (UCS) E-Series Servers, see the Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine Hardware Installation Guide.

Procedure

1.

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

2.

Click Feature Templates.

In Cisco vManage Release 20.7.x and earlier releases, Feature Templates is titled Feature.

3.

Click Add Template.

4.

Select a Cisco IOS XE Catalyst SD-WAN device from the list.

5.

From the Other Templates section, click UCSE.

The UCSE Feature template opens. The top of the form contains fields for naming the template, and the bottom contains fields for configuring the Integrated Management Controller (IMC).

6.

In the Template Name field, enter a name for the template.

The name can be up to 128 characters and can contain only alphanumeric characters.

7.

In the Description field, enter a description of the template.

The description can be up to 2048 characters and can contain only alphanumeric characters.

8.

Configure the bay and slot for the template.

Click the Basic Configuration tab to configure the bay and the slot for the template.

Parameter name | Description
Bay | Specify the number for the SAS drive bays.
Slot | Specify the slot numbers for the mezzanine adapters.

9.

Configure IMC.

Click the IMC tab to configure the IMC parameters for the template.

Parameter name | Description
Access port | Configure the interface as an access port. You can configure only one VLAN on an access port, and the port can carry traffic for only one VLAN.

Not all hardware models have a dedicated access port. See the Release Notes for your Cisco Catalyst SD-WAN release for the supported hardware.

Available options:

  • Dedicated

  • Shared

    The type of port, GE or TE, depends on the hardware model.

    For example:

    Router(config-ucse)# imc access-port shared-lom ?
    GE1 GE1
    TE2 TE2
    TE3 TE3
    console Console
    failover Failover

    Some hardware models have GE ports whereas some have TE ports.

    Depending on the hardware module, the appropriate port (GE or TE) needs to be configured. Otherwise you will get an error.

  • You can obtain the UCS-E module hardware model type by using the following commands:

    show inventory

    show platform

  • Failover - sub-option under Shared.

    For example:

    Router(config)#ucse subslot 1/0
    Router(config-ucse)#imc access-port ?
    MGMT MGMT Interface
    shared-lom Shared LOM

    Router(config-ucse)#imc access-port shared-lom ?
    GE1 GE1
    TE2 TE2
    TE3 TE3
    console Console
    failover Failover

IPv4 address | Provide the UCS-E management port address.
Default gateway | Gateway tracking determines, for static routes, whether the next hop is reachable before adding that route to the device’s route table. Default: Enabled.
VLAN ID | Provide the VLAN number, which can be a value from 1 through 4094.
Assign priority | Assign the priority.

Parameter scope | Scope description
Global (indicated by a globe icon) | Enter a value for the parameter and apply that value to all devices.
Device specific (indicated by a host icon) | Use a device-specific value for the parameter. For device-specific parameters, you cannot enter a value in the feature template. You enter the value when you attach a Cisco Catalyst SD-WAN device to a device template. When you click Device Specific, the Enter Key box opens. This box displays a key, which is a unique string that identifies the parameter in a CSV file that you create. This file is an Excel spreadsheet that contains one column for each key. The header row contains the key names (one key per column), and each row after that corresponds to a device and defines the values of the keys for that device. You upload the CSV file when you attach a Cisco Catalyst SD-WAN device to a device template. To change the default key, type a new string and move the cursor out of the Enter Key box.
Default | When Default is selected, this field is not enabled.
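
The CSV layout described above (a header row of keys, then one row per device) can be checked before upload so that malformed or duplicated values are caught before they reach a device. The following Python check is an added example, not Cisco code: the column names (device_id, ucse_bay, ucse_slot, ucse_imc_ipv4, ucse_vlan_id) are assumptions standing in for the strings shown in each Enter Key box, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Assumed names: in a real file the column headers are the strings shown in
# each parameter's Enter Key box; "device_id" is a made-up identifier column.
ID_COLUMN = "device_id"
INT_KEYS = {"ucse_bay": (None, None), "ucse_slot": (None, None),
            "ucse_vlan_id": (1, 4094)}   # VLAN range as stated on the page
IP_KEY = "ucse_imc_ipv4"


def parse_int(value, low, high):
    """Return True when value is an integer inside the optional bounds."""
    try:
        number = int(value)
    except ValueError:
        return False
    return (low is None or number >= low) and (high is None or number <= high)


def validate_variables_csv(text):
    """Return (line_number, message) problems found in a variables CSV."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    wanted = [ID_COLUMN, IP_KEY, *INT_KEYS]
    problems = [(1, f"missing key column: {k}") for k in wanted if k not in header]
    problems += [(1, f"duplicate key column: {k}")
                 for k in sorted(set(header)) if header.count(k) > 1]
    if problems:
        return problems          # row checks are meaningless with a bad header
    seen_ids, seen_ips = {}, {}
    for row in reader:
        line = reader.line_num
        # DictReader stores surplus values under None and pads short rows with None.
        if None in row or any(v is None for v in row.values()):
            problems.append((line, "value count does not match header"))
            continue
        values = {k: v.strip() for k, v in row.items()}
        for key, value in values.items():
            if not value:
                problems.append((line, f"empty value for {key}"))
        dev = values[ID_COLUMN]
        if dev and dev in seen_ids:
            problems.append((line, f"device {dev} already defined on line {seen_ids[dev]}"))
        seen_ids.setdefault(dev, line)
        for key, (low, high) in INT_KEYS.items():
            if values[key] and not parse_int(values[key], low, high):
                problems.append((line, f"{key}={values[key]!r} is not a valid integer in range"))
        if values[IP_KEY]:
            try:
                # Accepts a bare address or address/prefix (an assumption about the field).
                ip = ipaddress.IPv4Interface(values[IP_KEY]).ip
            except ValueError:
                problems.append((line, f"{IP_KEY}={values[IP_KEY]!r} is not an IPv4 address"))
            else:
                if ip in seen_ips:
                    problems.append((line, f"{IP_KEY} {ip} already used on line {seen_ips[ip]}"))
                seen_ips.setdefault(ip, line)
    return problems


# Constructed sample input (not exported from a real SD-WAN Manager).
SAMPLE = """device_id,ucse_bay,ucse_slot,ucse_imc_ipv4,ucse_vlan_id
EDGE-A,1,0,192.0.2.10,100
EDGE-B,1,0,192.0.2.11,4095
EDGE-C,one,0,192.0.2.10,200
EDGE-A,1,,192.0.2.13,300
"""

if __name__ == "__main__":
    for line, message in validate_variables_csv(SAMPLE):
        print(f"line {line}: {message}")
```
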