Zero Touch Provisioning on IOS XE Based Secure Routers - Uplink Auto-Configuration and Configuration Updater
Introduction
Zero Touch Provisioning (ZTP) is a Day Zero technology that facilitates automated onboarding and configuration. When an IOS XE based Secure Router is added to a network in Device Configuration: Cloud mode, the device will receive and update its configuration from Dashboard.
For devices running in Configuration Source: Device mode: After the device has been re-added to a dashboard network in Device Configuration: Cloud mode (while still connected to an uplink and able to resolve the cloud), operating mode conversion will begin, initiating a factory reset procedure and restricting the console to read-only mode.
Supplemental Documentation
Safe Configuration
A 30-minute timer is started after configuration is applied. If Dashboard connectivity has been maintained for this duration, the following will occur:
- A new checksum value is created and stored
- If the checksum value stored in startup config matches this value, as detected at boot, it will be used. If not, day-0 config is applied and config fetch will be attempted again in accordance with day-0 behavior
- Running configuration is written to startup configuration & rollback configuration
- Rollback & active configuration is stored within the bootflash:/meraki directory
Syslog notifications are generated at each step during connectivity testing & configuration deployment:
- Config_fetched
- Config_new_staged
- Config_prev_staged
- Config_startup_saved
- Config_applied
Status of config fetch can be checked via the following commands.
When operating in Configuration Source: Cloud, local CLI/SSH is not permitted. The following may be viewed via the Cloud CLI terminal.
Router#show cloud-mgmt
Chassis             Serial                                        Migration
Num     PID         Number       Cloud ID         Mac Address     Status      Mode
-----------------------------------------------------------------------------------------------
1       C8235-G2    FGL2914L1CX  Q4LL-V7GQ-CF6J   E4A4.1C83.5E40  Registered  C8K-M
A Registered state indicates that the device is able to reach Dashboard; it does not indicate that functionality is fully enabled. Subsequent show commands provide additional information on operational status.
If the cloud-mgmt service is not running, the device will not attempt to reach Dashboard. The most common cause is that the auto-install process was interrupted by console input. A factory reset will remediate this; alternatively, the service may be manually enabled.
Router#show cloud-mgmt config updater
Config Updater
------------------------------------
Current state: Ready
Last config save time(UTC): 2026-02-26 15:38:20
No config save scheduled.
Latest operation
------------------------------------
Cloud config ready
Download running config: Fail
start time(UTC): 2026-02-26 18:20:47
result time(UTC): 2026-02-26 18:36:43
dashboard status code: 500
Apply running config: Not started
Get running config: Not started
Get presigned url: Not started
Upload config: Not started
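The output above can be checked programmatically rather than by eye. The following Python sketch is an added example, not Cisco or Meraki code: it parses the text of `show cloud-mgmt config updater` and reports every step marked Fail together with how long it ran and the Dashboard status code. The function names are made up for this example, and the only status strings it relies on are the ones visible on this page.

```python
from datetime import datetime

# Constructed sample: the `show cloud-mgmt config updater` output from this page.
SAMPLE = """\
Config Updater
------------------------------------
Current state: Ready
Last config save time(UTC): 2026-02-26 15:38:20
No config save scheduled.
Latest operation
------------------------------------
Cloud config ready
Download running config: Fail
start time(UTC): 2026-02-26 18:20:47
result time(UTC): 2026-02-26 18:36:43
dashboard status code: 500
Apply running config: Not started
Get running config: Not started
Get presigned url: Not started
Upload config: Not started
"""
TS = "%Y-%m-%d %H:%M:%S"
DETAIL_KEYS = ("start time(UTC)", "result time(UTC)", "dashboard status code")

def parse_updater(text):
    """Split the output into header fields and an ordered list of operation steps."""
    header, steps, in_ops = {}, [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Latest operation":
            in_ops = True
        key, sep, value = line.partition(": ")
        if not sep:
            continue                      # rulers and free-text status lines
        if not in_ops:
            header[key] = value
        elif key not in DETAIL_KEYS:
            steps.append({"step": key, "status": value})
        elif steps:
            steps[-1][key] = value        # detail lines belong to the step above them
    return header, steps

def failed_steps(text):
    """Return (step, seconds it ran or None, Dashboard status code) for each Fail."""
    findings = []
    for s in parse_updater(text)[1]:
        if s["status"] == "Fail":
            t0, t1 = s.get("start time(UTC)"), s.get("result time(UTC)")
            took = (datetime.strptime(t1, TS) - datetime.strptime(t0, TS)).total_seconds() if t0 and t1 else None
            findings.append((s["step"], took, s.get("dashboard status code")))
    return findings
```

For the sample, `failed_steps(SAMPLE)` reports the download step failing after 956 seconds with status code 500, while the four later steps remain Not started.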
Router#show cloud-mgmt connect
Service cloud-mgmt connect: enable
Cloud-Mgmt Tunnel Config
------------------------------------
Fetch State: Config fetch succeeded
Fetch Fail:
Last Fetch(UTC): 2026-02-26 17:41:50
Next Fetch(UTC): 2026-02-26 19:03:44
Config Server: cs219-2037.meraki.com
Primary: usw.nt.meraki.com
Secondary: use.nt.meraki.com
Client IPv6 Addr: FD0A:9B09:1F7:1:E6A4:1CFF:FE83:5E40
Network Name: Branch Router
Cloud-Mgmt Tunnel State
------------------------------------
Primary: Up
Secondary: Up
Primary Last Change(UTC): 2026-02-26 15:08:13
Secondary Last Change(UTC): 2026-02-26 15:08:13
Client Last Restart(UTC): 2026-02-26 15:08:06
Cloud-Mgmt Tunnel Interface
------------------------------------
VRF:
Status: Enable
Rx Packets: 26816
Tx Packets: 26436
Rx Errors: 0
Tx Errors: 0
Rx Drop Packets: 0
Tx Drop Packets: 0
Rx Packets (Last 5s): 14
Tx Packets (Last 5s): 14
Rx Errors (Last 5s): 0
Tx Errors (Last 5s): 0
Rx Drop Packets (Last 5s): 0
Tx Drop Packets (Last 5s): 0
Cloud-Mgmt Device Registration
------------------------------------
url: https://catalyst.meraki.com/nodes/register
Device Number: 1
PID: C8235-G2
Serial Number: FGL2914L1CX
Cloud ID:
Mac Address: E4:A4:1C:83:5E:40
Status: Registered
Timestamp(UTC): 2026-02-26 15:07:09
Configuration File Verification
Router#dir bootflash:meraki
Directory of bootflash:/meraki/
914252 -rw- 32 Feb 26 2026 18:20:45 +00:00 md5hash
913937 -rw- 95 Feb 26 2026 15:38:19 +00:00 .uac_uplink_data
913959 -rw- 0 Feb 26 2026 15:06:12 +00:00 consent_token_config_tmp.conf
913970 drwx 4096 Feb 25 2026 19:23:29 +00:00 storage
914349 drwx 4096 Feb 25 2026 19:23:29 +00:00 config_updater
913969 -rw- 0 Feb 18 2026 14:40:05 +00:00 startup_config_feature_enabled
Router#dir bootflash:meraki/config_updater
Directory of bootflash:meraki/config_updater/
914350 drwx 4096 Feb 26 2026 18:36:43 +00:00 monitor
913940 -rw- 20524 Feb 26 2026 18:20:45 +00:00 get_config.conf
913962 -rw- 20524 Feb 26 2026 15:38:20 +00:00 startup_config.conf
Router#more bootflash:meraki/config_updater/get_config.conf
<?xml version="1.0" ?>
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
<system>
<mode>
<insecure>true</insecure>
</mode>
</system>
<version>26.2</version>
<boot-start-marker/>
<boot>
<system>
<bootfile>
<filename-list-ordered-by-user>
<filename>bootflash:packages.conf</filename>
</filename-list-ordered-by-user>
</bootfile>
</system>
</boot>
<boot-end-marker/>
<memory>
<free>
--More--
Other Helpful Commands
show cloud-mgmt config updater
Uplink Auto-Config (UAC)
UAC enables automatic configuration for various interfaces, defined by a list of ‘allowed interfaces’. These allowed interfaces support auto-addressing and have an associated policy-based/static routing configuration for Dashboard connectivity.
Prerequisites & Requirements
- UAC is only enabled when the device is operating in Configuration Source: Cloud mode
- If connectivity fails on the primary uplink, failover to backup uplinks will occur. Fail back to the primary uplink will only occur with a reboot of the device.
The ‘allowed interfaces’ list for a platform is defined as the WAN interfaces associated with that platform. Note that the interface defined as ‘Primary’ shall be preferred and used when possible. Once an interface is UP within UAC, UAC shall notify the cloud-mgmt service that it should start and that configuration download may begin.
An ‘uplink ipv4/6’ config is applied to ports which are eligible to be used as Dashboard uplink interfaces. Additionally, interfaces other than the primary WAN interface will receive an ‘uplink backup’ config. The highest ID L3 interfaces shall receive this config, with the absolute highest being marked primary.
All uplinks exist within the Global VRF.
Example Routing & Interface Configuration
Router#show ip route
Gateway of last resort is 10.8.31.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 10.8.31.1
[254/0] via 10.8.30.1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C 10.8.30.0/24 is directly connected, TenGigabitEthernet0/0/8
L 10.8.30.54/32 is directly connected, TenGigabitEthernet0/0/8
C 10.8.31.0/24 is directly connected, TenGigabitEthernet0/0/9
L 10.8.31.51/32 is directly connected, TenGigabitEthernet0/0/9
S 10.14.0.251/32 [254/0] via 10.8.31.1, TenGigabitEthernet0/0/9
[254/0] via 10.8.30.1, TenGigabitEthernet0/0/8
43.0.0.0/25 is subnetted, 2 subnets
S 43.192.139.128 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 43.196.13.128 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
103.0.0.0/27 is subnetted, 3 subnets
S 103.204.73.160 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 103.204.75.128 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 103.204.75.160 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
139.220.0.0/16 is variably subnetted, 2 subnets, 2 masks
S 139.220.194.0/26 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 139.220.242.192/27 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
158.115.0.0/16 is variably subnetted, 4 subnets, 2 masks
S 158.115.128.0/19 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 158.115.131.188/32 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 158.115.133.33/32 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 158.115.141.127/32 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 209.206.48.0/20 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
209.206.48.0/32 is subnetted, 2 subnets
S 209.206.48.7 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 209.206.48.221 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
209.206.61.0/32 is subnetted, 1 subnets
S 209.206.61.9 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
S 216.157.128.0/20 [1/0] via 10.8.31.1, TenGigabitEthernet0/0/9
Router#show run int TenGigabitEthernet0/0/9
Building configuration...
Current configuration : 168 bytes
!
interface TenGigabitEthernet0/0/9
ip address dhcp
ipv6 address autoconfig
ipv6 enable
ipv6 nd autoconfig default-route
uplink allow ipv6
uplink allow ipv4
Connectivity Check Example
2024/11/06 18:34:34.852395710 {iosrp_R0-0}{3}: [uac] [3064]: (note): IPV4 Uplink Set uac_configured_uplink_vlan_id 30
2024/11/06 18:34:35.298628690 {iosrp_R0-0}{3}: [uac] [3064]: (note): Vlan 50: IPv4 State transition UPLINK_SELECTED -> UPLINK_SCORING
2024/11/06 18:35:01.723933324 {iosrp_R0-0}{3}: [uac] [3064]: (note): Vlan 30: IPv4 State transition ROUTE_DONE -> PING_TEST_INIT
2024/11/06 18:35:11.376942999 {iosrp_R0-0}{3}: [uac] [3064]: (note): Uplink is found, Stop searching for new uplink
2024/11/06 18:35:11.376918142 {iosrp_R0-0}{3}: [uac] [3064]: (note): Vlan 30: IPv4 State transition PING_TEST_INIT -> PING_TEST_DONE
2024/11/06 18:35:11.380074214 {iosrp_R0-0}{3}: [uac] [3064]: (note): Sending msg NONE->UPLINK_UP to Meraki Mgrd src:30.30.30.49
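The log lines above carry nanosecond timestamps and are not strictly in time order (the "Uplink is found" line is printed before the PING_TEST_DONE transition that precedes it by about 25 microseconds). The following Python sketch is an added example, not Cisco or Meraki code: it orders the events by timestamp, measures how long each VLAN spent in the ping test, and extracts the source address reported with UPLINK_UP. The regular expressions are derived only from the six lines shown here, and the function names are made up for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the UAC log lines shown above.
LOG = """\
2024/11/06 18:34:34.852395710 {iosrp_R0-0}{3}: [uac] [3064]: (note): IPV4 Uplink Set uac_configured_uplink_vlan_id 30
2024/11/06 18:34:35.298628690 {iosrp_R0-0}{3}: [uac] [3064]: (note): Vlan 50: IPv4 State transition UPLINK_SELECTED -> UPLINK_SCORING
2024/11/06 18:35:01.723933324 {iosrp_R0-0}{3}: [uac] [3064]: (note): Vlan 30: IPv4 State transition ROUTE_DONE -> PING_TEST_INIT
2024/11/06 18:35:11.376942999 {iosrp_R0-0}{3}: [uac] [3064]: (note): Uplink is found, Stop searching for new uplink
2024/11/06 18:35:11.376918142 {iosrp_R0-0}{3}: [uac] [3064]: (note): Vlan 30: IPv4 State transition PING_TEST_INIT -> PING_TEST_DONE
2024/11/06 18:35:11.380074214 {iosrp_R0-0}{3}: [uac] [3064]: (note): Sending msg NONE->UPLINK_UP to Meraki Mgrd src:30.30.30.49
"""
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.(\d{9}) \{[^}]*\}\{\d+\}: \[uac\] \[\d+\]: \(\w+\): (.*)$")
TRANSITION = re.compile(r"^Vlan (\d+): (IPv[46]) State transition (\w+) -> (\w+)$")
UPLINK_UP = re.compile(r"^Sending msg \w+->UPLINK_UP to Meraki Mgrd src:(\S+)$")

def parse(log):
    """Return (nanoseconds, message) pairs sorted by time; strptime alone stops at microseconds."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            # The zone is irrelevant here: only ordering and differences are used.
            secs = int(datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())
            events.append((secs * 10**9 + int(m[2]), m[3]))
    return sorted(events)

def ping_test_seconds(log):
    """Seconds between entering PING_TEST_INIT and reaching PING_TEST_DONE, per (vlan, family)."""
    started, took = {}, {}
    for ts, msg in parse(log):
        t = TRANSITION.match(msg)
        if not t:
            continue
        key = (int(t[1]), t[2])
        if t[4] == "PING_TEST_INIT":
            started[key] = ts
        elif t[4] == "PING_TEST_DONE" and key in started:
            took[key] = (ts - started[key]) / 1e9
    return took

def uplink_up_source(log):
    """Source address reported in the first UPLINK_UP message, or None if there is none."""
    for _, msg in parse(log):
        m = UPLINK_UP.match(msg)
        if m:
            return m[1]
    return None
```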
Connection Monitoring & Uplink Selection
Dashboard connectivity is monitored by connection monitoring, where ICMP is employed in order to validate connectivity.
- If Dashboard connectivity is down for more than 20 minutes, the cloud-mgmt service is restarted.
- An interface must receive two successful ICMP responses before being considered eligible, thus initial interface selection shall take approximately 20-25 seconds.
- A total of 3 ICMP responses must fail prior to an interface being considered as invalid. Once an interface is considered invalid, it is deprioritized for Dashboard connectivity.
The following priority is assigned to interfaces, both for Day0 and DayN:
- User Preferred Uplink Routed port OR Preferred Uplink SVI
- Backup Routed port with Static IP
- Backup Routed port with Dynamic IP
- Configured SVI or Routed Port with Static IP
- Configured SVI or Routed Port with Dynamic IP
- Discovered SVI with Dynamic IP
A Preferred interface is that which is configured as ‘primary’, while alternative interfaces are those designated ‘backup’ in the IOS XE interface configuration. Should ICMP testing fail, the score of the interface is decreased by 1.
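The thresholds and priority list above can be exercised with a small model. The following Python sketch is an added example and a simplification, not the UAC implementation: it applies only the rules stated in this section (two successful responses for eligibility, three failures for invalidity, a score decrease of 1 per failure, and the listed priority classes). The class labels, the starting score of 0, reading the list as highest priority first, ranking invalid interfaces after valid ones, and using the score as a tie-break are assumptions of this example.

```python
from dataclasses import dataclass

# Priority classes in the order listed above, assumed highest first.
# The short class names are labels invented for this example.
PRIORITY = ["preferred", "backup_static", "backup_dynamic",
            "configured_static", "configured_dynamic", "discovered_svi_dynamic"]
ELIGIBLE_AFTER = 2  # successful ICMP responses before an interface is eligible
INVALID_AFTER = 3   # failed ICMP responses before an interface is invalid

@dataclass
class Uplink:
    name: str
    kind: str       # one of PRIORITY
    score: int = 0  # starting score is an assumption; the page does not give one
    passed: int = 0
    failed: int = 0

    def record(self, reply_received):
        if reply_received:
            self.passed += 1
        else:
            self.failed += 1
            self.score -= 1  # a failed ICMP test lowers the score by 1

    @property
    def eligible(self):
        return self.passed >= ELIGIBLE_AFTER

    @property
    def invalid(self):
        return self.failed >= INVALID_AFTER

def select(uplinks):
    """Eligible interfaces only; valid before invalid, then by priority class."""
    usable = [u for u in uplinks if u.eligible]
    rank = lambda u: (u.invalid, PRIORITY.index(u.kind), -u.score)
    return min(usable, key=rank).name if usable else None

def replay(probes, uplinks):
    """Apply (interface, reply_received) results in order; return the pick after each."""
    by_name = {u.name: u for u in uplinks}
    picks = []
    for name, ok in probes:
        by_name[name].record(ok)
        picks.append(select(uplinks))
    return picks

# Constructed scenario: the primary comes up, then loses Dashboard reachability.
WAN = [Uplink("Te0/0/9", "preferred"), Uplink("Te0/0/8", "backup_dynamic")]
PROBES = [("Te0/0/9", True), ("Te0/0/8", True), ("Te0/0/9", True), ("Te0/0/8", True),
          ("Te0/0/9", False), ("Te0/0/9", False), ("Te0/0/9", False)]
```

Calling `replay(PROBES, WAN)` shows no uplink being chosen until an interface has two successes, and the backup taking over only after the primary's third failure.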
UAC Uplink Verification
Router#show uac uplink
Uplink Autoconfig: Enable
Uplink Allow-list enforce: IPv4:Yes IPv6:Yes
Configured IPv4 Uplink interface: TenGigabitEthernet0/0/9 (Default)
Uplink IPv4 interface: TenGigabitEthernet0/0/9
IP Address: 10.8.31.51/255.255.255.0
Type: DHCP
SVI: NotApplicable
Port Used: NotApplicable
GW IP: 10.8.31.1
GW MAC: 0007.b421.0ca0
Score: 8
VRF:
Configured IPv6 Uplink interface: TenGigabitEthernet0/0/9 (Default)
Uplink IPv6 interface: None
Uplink Reachable: IPv4
Router#show uac uplink db
Uplink Autoconfig: Enable
Uplink Allow-list enforce: IPv4:Yes IPv6:Yes
IPV4 Uplink: TenGigabitEthernet0/0/9
Ping Pass Count: 104
GW ARP Pass Count:207
IPv4 Preferred Uplink : Same as Selected Uplink
IPV6 Uplink: None
Ping Pass Count: 0
GW ARP Pass Count:0
IPv6 Preferred Uplink: TenGigabitEthernet0/0/9
Ping Pass Count: 0
GW ARP Pass Count:0
IfName Score State IPAddress Subnet/Prefix ARPFail PingFail GWProbe Ping ReScore Allowed
Te0/0/8 4 9 10.8.30.54 255.255.255.0 0 0 2C084 2C084 0 1
Te0/0/9 8 11 10.8.31.51 255.255.255.0 0 0 C02AC8 C02AC8 0 1
Additional Helpful Commands
show ip dns
show ip route {management_vrf}
show tech meraki
show logging process-helper cloud-mgmt-mgrd
show logging process cloud-mgmt
show cloud-mgmt connect uplink
show cloud-mgmt connect
Serial / Console Access
Serial/Console access is disabled when the device is operating in Configuration Source: Cloud. Console access may be enabled via support with limited read/write functionality if the local status page is not responsive. This process is known as consent-token access.
The following functions are available via console once consent token has been performed:
|   | IOS CLI Command | Description |
|---|---|---|
| 1 | show | All Show Commands |
| 3 | copy | IOS File copy |
| 4 | delete | Delete Files |
| 5 | write erase | Erase saved startup config – Device will boot with Day-0 config |
| 6 | reload | Reload the IOS-XE device |
The following IOS CLI config commands are available for recovering the device in the recovery parser view:
|   | IOS CLI Command | Description |
|---|---|---|
| 1 | Interface | Select interface |
| 2 | Switchport | Switchport commands |
| 3 | ip | IP Commands |
| 4 | uplink ipv4/ipv6 | Select uplink interfaces |
| 5 | no uplink ipv4/ipv6 | Remove uplink interfaces |
Consent token generation is bi-directional (an origin token is provided from the device, and an authentication token is given to the device) and permits limited access/functionality if the device is offline and the local status page is unresponsive. Consent token access should be limited to scenarios in which all other available options have been exhausted.

