How does a Cisco SD-WAN device bootstrap using vBond during first-time enrollment?

The flow being tested is how a Cisco SD-WAN edge securely bootstraps using vBond to discover and enroll with the control plane. On first boot, the device uses its bootstrap certificate to contact vBond. vBond authenticates the device and then provides the addresses of the vSmart and vManage controllers along with a service URL. With those endpoints, the device establishes a TLS session with vManage and enrolls there, using its certificate for mutual authentication. This sequence—reach vBond, get vSmart/vManage addresses and service URL, authenticate, then enroll with vManage using certificates—is what ensures a secure, authenticated first-time enrollment. Options that skip vBond, connect directly to vSmart, or rely on a pre-shared key or DNS-only discovery don’t reflect this secure bootstrap flow.