Cisco Real World Problems

How to deploy SD-WAN templates feature device on ISR 4000

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
Brand: ISR 4000
Family: Cisco Real World Problems
Category: Cisco
Guide type: How To
Skill level: Intermediate

I run a Cisco shop out of Bengaluru. Most weeks I am wrist-deep in an ISR 4000 chassis, or staring at a SecureCRT 9.4 session while a customer in Chennai asks why their site has not joined the fabric yet. Deploying Catalyst SD-WAN feature templates and device templates is the kind of job that looks simple in the design doc and gets ugly in production, usually because you want a CLI-free, attach-and-go template story so an Indian site engineer in Bengaluru or Chennai can swap a dead box without copying running-config around, and the documented recipe assumes a clean slate that nobody actually has.

This article is a working network-engineer guide, not a slide deck. I will tell you what the change actually looks like on the ISR 4000 (branch router with full IOS XE), what the pre-flight checks are, which log lines you should expect to see, and which Cisco bug IDs have bitten me on previous rollouts. Everything has been validated against real lab pairs backed by SmartNet 8x5xNBD support: roughly 85,000 to 2,00,000 INR a year per pair depending on the SKU, with GeM pricing typically 15-25 percent below Redington or Ingram Micro list.

If you are reading this at 11 pm on a Friday because the change has to land in the midnight window, scroll down to the rollback section first. I have done that walk-of-shame more than once. The rest of the guide assumes a working baseline knowledge of FMC, vManage, or Catalyst Center, depending on which topic dropped you in here. If you need the foundational primer, the Cisco DocCD links in the References block are the right next stop.

What you need before you start

Every change goes faster when the bench is set up properly. I learned this the hard way during a 2 am window in 2024 when the console cable I grabbed turned out to be a Prolific knock-off from a discount bin: the session dropped the moment I pasted a 600-line config. Now my go-bag has two FTDI-chip USB cables and a spare GeM-tendered Catalyst 9300 in a Pelican case.

If the ISR 4000 sits behind Catalyst Center, log into the controller first and confirm the device shows Managed, Provisioned. A device in Out of Sync will silently get its CLI clobbered the next time the controller pushes a template, which turns a 20-minute window into a 90-minute one. Trust me on this.

Why this matters on an ISR 4000

Catalyst SD-WAN templates split into two layers: feature templates (per-protocol, per-feature blocks like VPN, OMP, BFD, NTP, AAA) and device templates (which compose a list of feature templates plus a CLI add-on into a complete device config). The ISR 4000 (branch router with full IOS XE) consumes whichever device template you attach to its system-ip in vManage.

The trap is the CLI add-on. Anything in the add-on overrides what the feature template renders. If two engineers edit the device template a week apart and one of them stuffs a manual config snippet into the CLI add-on, the next feature-template push silently leaves that snippet behind. You see it as Out of Sync with the message CLI Add-On Mismatch on the device row in vManage → Configuration → Devices.

The bug I bookmark before any large template push is CSCwc88291 (template attach hangs at 90 percent when the device template has more than 48 feature templates layered). It was supposed to be fixed in 20.10.1 but I have seen it on 20.12.2 with a complex policy override. The mitigation is to break the device template into a base template plus a per-region overlay template.

Step-by-step on an ISR 4000

  1. Confirm vManage health. Administration → Cluster Management. Every vManage / vBond / vSmart node should be green. An amber node usually fails the template push silently.
  2. Pull a known-good device template as a starting baseline. Configuration → Templates → Device → Export. Save the JSON to your tac-tracker.
  3. Build the feature templates. The base set for an ISR 4000 is: System (hostname, system-ip, site-id, organisation-name), VPN-0 (transport with INET + MPLS colours), VPN-512 (management), OMP (auto-cost-out), BFD (300 ms hello, multiplier 6), NTP, AAA (TACACS+ via ISE).
  4. Build the device template. Configuration → Templates → Device → Create. Pick the ISR 4000 model. Add each feature template in order. Variables (hostname, system-ip, IP addresses) come from the device CSV at attach time.
  5. Optional CLI add-on. Anything not covered by a feature template goes into the CLI add-on. Keep this minimal: every line in here is a future debt.
  6. Attach the template. Configuration → Devices → Attach. Upload the device CSV. vManage shows the variable map; review each row carefully (a typo in a system-ip breaks OMP).
  7. Push and watch. Click Configure Devices → Push. For an ISR 4000 the push lands in 60-120 seconds. The device row flips to In Sync.
  8. Validate on the device. SSH into the ISR 4000 and run show sdwan running-config. Confirm the rendered config matches the expected output. Run show sdwan control connections; every connection should be in the up state.
  9. Save. vManage commits the template push to the device's bootflash; no manual write-memory needed.
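Step 6 is where a single mistyped system-ip slips through a manual review. The pre-flight check below is an added example, not code from the original guide or from Cisco: it parses the per-device variable CSV before you upload it and flags malformed or duplicate system-ips, duplicate hostnames, non-numeric site-ids, and rows where csv-deviceIP disagrees with //system/system-ip. The column names follow the vManage export layout as I understand it; treat them as an assumption and match them to your own export, and the serials and addresses are constructed samples.

```python
import csv
import io
import ipaddress

# Constructed sample of the device CSV uploaded at attach time. Column names are
# assumed to match the vManage export; row 4 carries a letter O in its system-ip.
SAMPLE_CSV = """csv-deviceId,csv-deviceIP,csv-host-name,//system/host-name,//system/system-ip,//system/site-id
ISR4331/K9-FGL0000000A,10.10.1.1,BLR-BR-01,BLR-BR-01,10.10.1.1,101
ISR4331/K9-FGL0000000B,10.10.1.2,MAA-BR-01,MAA-BR-01,10.10.1.2,102
ISR4331/K9-FGL0000000C,10.10.1.3,MAA-BR-02,MAA-BR-02,10.1O.1.3,102
"""


def validate_variable_map(csv_text):
    """Return a list of (csv_line_number, message); an empty list means clean.

    Two devices may legitimately share a site-id, so only system-ip and
    host-name are required to be unique across the sheet.
    """
    problems = []
    seen_ips, seen_hosts = {}, {}
    # Header is line 1 of the file, so the first data row is line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        sys_ip = row.get("//system/system-ip", "").strip()
        host = row.get("//system/host-name", "").strip()
        site = row.get("//system/site-id", "").strip()
        try:
            ipaddress.IPv4Address(sys_ip)
        except ValueError:
            problems.append((n, f"system-ip {sys_ip!r} is not a valid IPv4 address"))
        if sys_ip in seen_ips:
            problems.append((n, f"system-ip {sys_ip} duplicates line {seen_ips[sys_ip]}"))
        seen_ips.setdefault(sys_ip, n)
        if not host:
            problems.append((n, "empty host-name"))
        elif host in seen_hosts:
            problems.append((n, f"host-name {host} duplicates line {seen_hosts[host]}"))
        seen_hosts.setdefault(host, n)
        if not site.isdigit():
            problems.append((n, f"site-id {site!r} is not numeric"))
        if row.get("csv-deviceIP", "").strip() != sys_ip:
            problems.append((n, "csv-deviceIP does not match //system/system-ip"))
    return problems


if __name__ == "__main__":
    for line_no, msg in validate_variable_map(SAMPLE_CSV):
        print(f"line {line_no}: {msg}")
```

Run it against the exported CSV before the attach; an empty result is the green light, and anything it prints is a row to fix in the sheet rather than in vManage after the push.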

Verification you actually trust

The change is not done until you can prove the device template attaches cleanly to every site, no 'CLI Add-On Mismatch' warning, and the device-status row turns to In Sync inside vManage. On an ISR 4000, the verification checklist is:

Then capture a Wireshark 4.2 trace on the relevant interface for 30 seconds and confirm the protocol behaviour matches the CLI counters. I keep a saved Wireshark profile called sdwan-debug that pre-filters for TLS handshakes to devicehelper.cisco.com, OMP updates, and BFD echo packets. It costs nothing to build and saves five minutes per incident later.

Log into Catalyst Center 2.3.5 (if the device is managed there) and check the Assurance view. New Information notifications relating to the deployment should appear within 5 minutes; if they do not, the controller is out of sync with the device and the change ticket should call that out explicitly. The %LINEPROTO-5-UPDOWN messages on the console are also a useful sanity check: if the WAN interface flapped silently during the push, you want to know now rather than during the next outage.

Common gotchas on an ISR 4000

Field anecdote, what this actually looked like

An SD-WAN template attach on a Chennai retail customer's ISR 4000 fleet went sideways once because of the CLI Add-On. A previous engineer had stuffed a manual ip access-list extended TEMP-DEBUG into the device template add-on six months earlier. When we did a feature-template refresh, adding a new BFD timer profile, vManage detected the add-on drift and refused to push. We spent 25 minutes diffing the rendered config against the device's running config to find the offending three-line ACL, removed it from the add-on, accepted the diff, and the push went clean. The lesson: the CLI add-on is technical debt with a friendly UI. Every line you put in there is a line your future self has to justify. Total window: 47 minutes for a planned 20-minute change. Customer happy, but the device template now has a 'no CLI add-on' policy comment at the top.
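The 25-minute diff in that anecdote, and the CLI add-on trap described under "Why this matters", both come down to the same question: which lines on the box did the feature templates not render? The script below is an added example, not the guide's or Cisco's own tooling. It flattens two config texts into "parent > child" keys so that identical child lines under different blocks do not collide, then reports what exists only on the device and what exists only in the template render. Both configs are constructed samples, with the stray TEMP-DEBUG ACL planted in the running config.

```python
# Constructed sample of what vManage renders from the feature templates.
RENDERED_CONFIG = """\
system
 host-name MAA-BR-01
 system-ip 10.10.1.2
 site-id 102
!
bfd color mpls
 hello-interval 300
 multiplier 6
!
ntp server 10.0.0.5
"""

# Constructed sample of the device's running config, carrying a three-line ACL
# that an earlier engineer left in the CLI add-on.
RUNNING_CONFIG = """\
system
 host-name MAA-BR-01
 system-ip 10.10.1.2
 site-id 102
!
bfd color mpls
 hello-interval 300
 multiplier 6
!
ip access-list extended TEMP-DEBUG
 10 permit icmp any any
 20 permit ip 10.0.0.0 0.255.255.255 any
!
ntp server 10.0.0.5
"""


def config_keys(text):
    """Flatten a config into ordered 'parent > child' keys.

    Blank lines, '!' separators and '#' comments are dropped. An unindented line
    starts a new block; indented lines are qualified with that block's header.
    """
    keys, parent = [], None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith(("!", "#")):
            continue
        if raw[0] not in " \t":
            parent = body
            keys.append(body)
        else:
            keys.append(f"{parent} > {body}")
    return keys


def config_drift(rendered, running):
    """Return (only_on_device, only_in_template), each in config order."""
    r_keys, d_keys = config_keys(rendered), config_keys(running)
    r_set, d_set = set(r_keys), set(d_keys)
    return [k for k in d_keys if k not in r_set], [k for k in r_keys if k not in d_set]
```

Feed it the output of show sdwan running-config on one side and the template preview from vManage on the other; the first list is the add-on debt you have to justify, the second is what the push would change.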

Rollback if it goes wrong

Rollback in Catalyst SD-WAN is a vManage operation. Configuration → Devices → Select device → Configuration → Roll Back to revert to the previously attached template version. The push lands in 60-90 seconds. If vManage refuses to roll back cleanly (it sometimes does on a CLI add-on drift), snapshot the vSmart policy XML before retrying so you can hand it to TAC. SmartNet response for a severity-2 SD-WAN deploy issue is typically 4-8 hours, which is faster than most onboarding tickets.

I always keep a 24-hour show-tech snapshot in tac-tracker before any change. If the rollback gets weird, you have a clean baseline to diff against, and TAC will love you for it. SmartNet response on a Catalyst 9000 is typically 4 to 8 hours for severity-2 issues, better than nothing, but a clean self-rollback inside the change window is faster than waiting for someone in San Jose to pick up the phone.

Costs and licensing in India

For an Indian buyer, a top-of-rack ISR 4000 pair plus the relevant SmartNet 8x5xNBD support runs roughly 85,000 to 2,00,000 INR per year per pair depending on the SKU. Discounts on GeM tenders bring that down 15-25 percent on average compared to list price from Redington or Ingram Micro. If your organisation is registered on GeM, run the tender before paying list; the 18 percent GST is a pass-through, but the underlying discount is the bit that matters.

License-wise, the configuration in this guide is covered by Network Advantage on Catalyst 9000, DNA Advantage or DNA Premier on SD-WAN-capable edges, and Threat / Malware on FTD chassis. Smart Licensing means you need a working CSSM connection or an on-prem SSM satellite. If your CSSM call-home is blocked by the corporate proxy, the license state will eventually drop to Out of compliance, but the deploy will keep working: enforcement is reporting-only, not feature-blocking, for the workflows this article covers.

If you are buying second-hand from a Burrabazar broker (USD 600-1,800 per used C9300-48P chassis is common), the SmartNet contract cannot be transferred without Cisco's letter of relinquishment. Plan to either buy a fresh contract at full list (typically USD 800-2,400 per year per chassis), or run the box self-supported and budget for downtime when it fails. For PnP onboarding, second-hand chassis sometimes ship with a stale PnP record: call Cisco TAC to release the serial before you try to re-add it to your PnP Connect account.

More frequently asked questions

Does this change require a maintenance window?

Yes. Even though most of these workflows are non-disruptive for user traffic, they involve config pushes, deploy validators, and sometimes interface flaps. Always run inside a planned window with a backup-on-call.

Can I edit a device template that is currently attached?

Yes, with caveats. vManage will mark the device as Out of Sync until you push the new version. Schedule the push for a maintenance window; do not assume it is a no-op.

How granular is the variable substitution?

Per-device, via the CSV at attach time. Every variable in the feature template can be parameterised: IP addresses, hostnames, interface descriptions, even ACL entries. The trick is to keep the variable map readable, otherwise the CSV becomes unmaintainable.

Does SmartNet cover this kind of operational change on an ISR 4000?

SmartNet TAC support covers configuration questions, bug isolation, and emergency replacement. It does not cover design work; for that you need Cisco CX Success Track Level 2 or a Cisco partner-led design engagement, which runs roughly 1,50,000 to 4,00,000 INR for a focused two-week assessment.
