diff --git a/docs/_deploy_network_design.md b/docs/_deploy_network_design.md
new file mode 100644
index 0000000000..1b2e507c5f
--- /dev/null
+++ b/docs/_deploy_network_design.md
@@ -0,0 +1,24 @@
+
+
+The following IP addressing and naming scheme is used consistently throughout this guide. Substitute your own values when configuring your network.
+
+| Parameter | Example Value | Description |
+|-----------|--------------|-------------|
+| Authority Name | `AcmeCorp` | Organizational authority name |
+| Conductor Router Name | `conductor1` | Conductor system name |
+| Conductor Node Name | `node1` | Conductor node name |
+| Conductor IP Address | `192.168.100.10` | Static management IP on the conductor |
+| Conductor Subnet Mask | `/24` | Management network prefix |
+| Conductor Gateway | `192.168.100.1` | Management network gateway |
+| Conductor PCI (MGMT port) | `0000:03:00.0` | SSR1200 MGMT port PCI address |
+| Router Name | `branch1` | Branch router system name |
+| Router Node Name | `node1` | Router node name |
+| Router WAN Interface | `wan1` (`ge-0-0`) | WAN port — uses DHCP |
+| Router WAN PCI Address | `0000:04:00.3` | SSR130 Port 0 PCI address |
+| Router LAN Interface | `lan1` (`ge-0-3`) | LAN port |
+| Router LAN PCI Address | `0000:04:00.0` | SSR130 Port 3 PCI address |
+| Router LAN IP Address | `192.168.1.1/24` | LAN gateway address |
+| Tenant Name | `corp` | LAN-side user tenant |
+| Service Name | `internet` | Internet breakout service |
+| Service Address | `0.0.0.0/0` | All internet-bound traffic |
+| Neighborhood | `internet` | SVR neighborhood name |
diff --git a/docs/_deploy_ssr1200_port_map.md b/docs/_deploy_ssr1200_port_map.md
new file mode 100644
index 0000000000..5876e26dab
--- /dev/null
+++ b/docs/_deploy_ssr1200_port_map.md
@@ -0,0 +1,20 @@
+
+
+![SSR1200 Front Panel](/img/hdwr_ssr1200_faceplate.png)
+
+### Port Mapping
+
+| Name | Port | Description | PCI Address | Speed | Type |
+| --- | --- | --- | --- | --- | --- |
+| mgmt-0-0 | MGMT | Management interface | 0000:03:00.0 | 1000 | MGMT |
+| ge-0-0 | Port 0/0 | WAN 1 network interface | 0000:03:00.1 | 1000 | WAN |
+| ge-0-1 | Port 0/1 | WAN 2 network interface | 0000:03:00.2 | 1000 | WAN |
+| ge-0-2 | Port 0/2 | WAN 3 network interface | 0000:03:00.3 | 1000 | WAN |
+| ge-0-3 | Port 0/3 | LAN 1 network interface | 0000:01:00.0 | 1000 | LAN |
+| ge-0-4 | Port 0/4 | LAN 2 network interface | 0000:01:00.1 | 1000 | LAN |
+| ge-0-5 | Port 0/5 | HA Fabric network interface | 0000:01:00.2 | 1000 | HA Fabric |
+| ge-0-6 | Port 0/6 | HA Sync network interface | 0000:01:00.3 | 1000 | HASync |
+| xe-1-0 | Port 1/0 | LAN 3 network interface | 0000:07:00.3 | 10000 | LAN |
+| xe-1-1 | Port 1/1 | LAN 4 network interface | 0000:07:00.2 | 10000 | LAN |
+| xe-1-2 | Port 1/2 | LAN 5 network interface | 0000:07:00.1 | 10000 | LAN |
+| xe-1-3 | Port 1/3 | LAN 6 network interface | 0000:07:00.0 | 10000 | LAN |
diff --git a/docs/_deploy_ssr130_port_map.md b/docs/_deploy_ssr130_port_map.md
new file mode 100644
index 0000000000..66d09770ea
--- /dev/null
+++ b/docs/_deploy_ssr130_port_map.md
@@ -0,0 +1,18 @@
+
+
+The following image of the SSR130 includes Cellular and TAA subvariants.
+
+![SSR130 Front Panel](/img/hdwr_ssr130_faceplate.png)
+
+### Port Mapping
+
+| Name | Port | Description | PCI Address | Speed | Type |
+| --- | --- | --- | --- | --- | --- |
+| ge-0-0 | Port 0 | WAN 1 network interface | 0000:04:00.3 | 1000 | WAN |
+| ge-0-1 | Port 1 | WAN 2 network interface | 0000:04:00.2 | 1000 | WAN |
+| ge-0-2 | Port 2 | WAN 3 network interface | 0000:04:00.1 | 1000 | WAN |
+| ge-0-3 | Port 3 | LAN 1 network interface | 0000:04:00.0 | 1000 | LAN |
+| ge-0-4 | Port 4 | LAN 2 network interface | 0000:03:00.1 | 1000 | LAN |
+| ge-0-5 | Port 5 | LAN 3 network interface | 0000:03:00.0 | 1000 | LAN |
+| ge-0-6 | Port 6 | HA Fabric network interface | 0000:02:00.1 | 1000 | HA Fabric |
+| ge-0-7 | Port 7 | HA Sync network interface | 0000:02:00.0 | 1000 | HASync |
diff --git a/docs/deploy/deploy_appendix_conductor.mdx b/docs/deploy/deploy_appendix_conductor.mdx
new file mode 100644
index 0000000000..baeb8b24e1
--- /dev/null
+++ b/docs/deploy/deploy_appendix_conductor.mdx
@@ -0,0 +1,171 @@
+---
+title: "Appendix A - Conductor Configuration"
+sidebar_label: "Conductor Configuration"
+---
+import NetworkDesign from '../_deploy_network_design.md';
+
+This appendix contains the complete conductor configuration in SSR PCLI format for the `conductor1` system described in this guide. This configuration reflects the state after completing [Step 2 — Configure the Conductor](deploy_conductor_config.mdx) and [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx).
+
+## Network Design Reference
+
+
+
+## Applying This Configuration
+
+This configuration can be applied to a fresh conductor using the **import** function:
+
+1. Save the configuration below to a file, for example `acmecorp-conductor.cfg`.
+2. Copy the file to the conductor at `/etc/128technology/config-exports/`.
+3. From the conductor PCLI, run:
+
+ ```bash
+ import config acmecorp-conductor.cfg
+ ```
+
+4. Review any validation warnings, then commit:
+
+ ```bash
+ commit
+ ```
+
+Alternatively, copy and paste each configuration block into the PCLI in configuration mode (`configure` → `edit`).
+
+## Complete Conductor Configuration
+
+```
+config
+ authority
+ name AcmeCorp
+
+ conductor-address 192.168.100.10
+
+ tenant corp
+ name corp
+ exit
+
+ service internet
+ name internet
+ scope public
+ security internal
+
+ access-policy
+ source corp
+ exit
+
+ address 0.0.0.0/0
+ exit
+
+ router conductor1
+ name conductor1
+ inter-node-security internal
+
+ node node1
+ name node1
+ role conductor
+
+ device-interface mgmt-dev
+ name mgmt-dev
+ type ethernet
+ pci-address 0000:03:00.0
+
+ network-interface mgmt-intf
+ name mgmt-intf
+ type management
+
+ address 192.168.100.10
+ ip-address 192.168.100.10
+ prefix-length 24
+ gateway 192.168.100.1
+ exit
+ exit
+ exit
+ exit
+ exit
+
+ router branch1
+ name branch1
+ inter-node-security internal
+
+ dns-config automatic
+ mode automatic
+ exit
+
+ node node1
+ name node1
+ role combo
+ asset-id SSR130-ABC1234567
+
+ device-interface wan-dev
+ name wan-dev
+ type ethernet
+ pci-address 0000:04:00.3
+ forwarding true
+
+ network-interface wan1
+ name wan1
+ type external
+ conductor true
+ default-route true
+ source-nat true
+ management true
+ dhcp v4
+
+ management-vector mgmt-vec-wan
+ name mgmt-vec-wan
+ priority 10
+ exit
+
+ neighborhood internet
+ name internet
+ topology spoke
+ exit
+ exit
+ exit
+
+ device-interface lan-dev
+ name lan-dev
+ type ethernet
+ pci-address 0000:04:00.0
+ forwarding true
+
+ network-interface lan1
+ name lan1
+ type external
+ tenant corp
+
+ address 192.168.1.1
+ ip-address 192.168.1.1
+ prefix-length 24
+ exit
+ exit
+ exit
+ exit
+
+ service-route internet-route
+ name internet-route
+ service-name internet
+ type service-agent
+
+ next-hop node1 wan1
+ node-name node1
+ interface wan1
+ exit
+ exit
+ exit
+ exit
+exit
+```
+
+## Configuration Notes
+
+| Item | Note |
+|------|------|
+| `asset-id` | Replace `SSR130-ABC1234567` with the actual serial number from the SSR130 device label |
+| `conductor-address` | Replace `192.168.100.10` with the actual static IP assigned to the conductor's MGMT port |
+| `gateway` | Replace `192.168.100.1` with your management network gateway |
+| LAN address | Replace `192.168.1.1/24` with the LAN subnet for each branch site |
+| Coordinates | The `location` field is not shown here; add ISO 6709 coordinates for your conductor and each branch site |
+
+## Adding Additional Routers
+
+To add a second SSR130 router (`branch2`), copy the `router branch1` block, change the router name to `branch2`, update the `asset-id` to the second device's serial number, and change the LAN IP to a different subnet (for example, `192.168.2.1/24`). All other authority-level objects (`tenant`, `service`) are shared.
diff --git a/docs/deploy/deploy_appendix_router.mdx b/docs/deploy/deploy_appendix_router.mdx
new file mode 100644
index 0000000000..11ac68781b
--- /dev/null
+++ b/docs/deploy/deploy_appendix_router.mdx
@@ -0,0 +1,142 @@
+---
+title: "Appendix B - Router Configuration"
+sidebar_label: "Router Configuration"
+---
+import NetworkDesign from '../_deploy_network_design.md';
+
+This appendix contains the SSR130 branch router configuration in SSR PCLI format. This is the router-scoped portion of the configuration staged on the conductor for `branch1`. It reflects the final state after completing [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx) and [Step 5 — Upgrade Routers to 7.1.4](deploy_router_upgrade.mdx).
+
+The complete authority-level configuration (including the service and tenant objects that the router depends on) is in [Appendix A — Conductor Configuration](deploy_appendix_conductor.mdx).
+
+## Network Design Reference
+
+
+
+## Router Configuration
+
+The following block shows the `branch1` router section in isolation, as it would appear within the authority configuration.
+
+```
+config
+ authority
+
+ router branch1
+ name branch1
+ inter-node-security internal
+
+ dns-config automatic
+ mode automatic
+ exit
+
+ node node1
+ name node1
+ role combo
+ asset-id SSR130-ABC1234567
+
+ device-interface wan-dev
+ name wan-dev
+ type ethernet
+ pci-address 0000:04:00.3
+ forwarding true
+
+ network-interface wan1
+ name wan1
+ type external
+ conductor true
+ default-route true
+ source-nat true
+ management true
+ dhcp v4
+
+ management-vector mgmt-vec-wan
+ name mgmt-vec-wan
+ priority 10
+ exit
+
+ neighborhood internet
+ name internet
+ topology spoke
+ exit
+ exit
+ exit
+
+ device-interface lan-dev
+ name lan-dev
+ type ethernet
+ pci-address 0000:04:00.0
+ forwarding true
+
+ network-interface lan1
+ name lan1
+ type external
+ tenant corp
+
+ address 192.168.1.1
+ ip-address 192.168.1.1
+ prefix-length 24
+ exit
+ exit
+ exit
+ exit
+
+ service-route internet-route
+ name internet-route
+ service-name internet
+ type service-agent
+
+ next-hop node1 wan1
+ node-name node1
+ interface wan1
+ exit
+ exit
+ exit
+
+ exit
+exit
+```
+
+## Interface Summary
+
+| Interface | Device | PCI Address | Type | Configuration |
+|-----------|--------|-------------|------|--------------|
+| `wan1` | `wan-dev` (`ge-0-0`, Port 0) | `0000:04:00.3` | External | DHCP; conductor=true; management over forwarding; neighborhood `internet` |
+| `lan1` | `lan-dev` (`ge-0-3`, Port 3) | `0000:04:00.0` | External | Static `192.168.1.1/24`; tenant `corp` |
+
+## Service Forwarding Summary
+
+| Service | Route | Type | Egress Interface |
+|---------|-------|------|-----------------|
+| `internet` (0.0.0.0/0) | `internet-route` | `service-agent` | `wan1` (direct breakout) |
+
+## Configuration Notes
+
+| Item | Note |
+|------|------|
+| `asset-id` | Replace `SSR130-ABC1234567` with the device serial number |
+| LAN address | Replace `192.168.1.1/24` with the actual LAN subnet for this branch |
+| `source-nat` | Must be `true` on the management interface; management traffic originates from `169.254.x.x` |
+| `default-route` | Must be `true`; causes Linux to forward all OS-originated traffic through the SSR engine |
+| `conductor` | Must be `true` on the WAN interface for the router to reach the conductor over the forwarding plane |
+| Neighborhood | The `internet` neighborhood on the WAN interface allows this router to peer with hub routers via SVR if added later |
+
+## Verifying the Running Configuration
+
+To view the running configuration for this router from the conductor PCLI:
+
+```bash
+show config running authority router branch1
+```
+
+To compare the running configuration against the candidate (uncommitted changes):
+
+```bash
+show config candidate authority router branch1
+```
+
+To export the entire authority configuration to a file:
+
+```bash
+export config running filename acmecorp-export.cfg
+```
+
+The exported file is saved to `/etc/128technology/config-exports/` on the conductor.
diff --git a/docs/deploy/deploy_conductor_config.mdx b/docs/deploy/deploy_conductor_config.mdx
new file mode 100644
index 0000000000..11e52f3bdb
--- /dev/null
+++ b/docs/deploy/deploy_conductor_config.mdx
@@ -0,0 +1,88 @@
+---
+title: Configure the Conductor
+sidebar_label: Configure the Conductor
+---
+import NetworkDesign from '../_deploy_network_design.md';
+import AuthorityName from '../_set_authority_name.md';
+import SetConductorIP from '../_set_conductor_ip.md';
+import ConductorAuthority from '../_conductor_to_authority.md';
+
+This section configures the authority-level settings on the conductor: the authority name, conductor address, internet service, and corporate tenant. These objects are global to all routers in the authority.
+
+All steps are performed from the **Conductor GUI** at `https://192.168.100.10` unless otherwise noted.
+
+## Network Design Reference
+
+
+
+## 1. Connect the Conductor to the Authority
+
+
+
+## 2. Set the Authority Name
+
+
+
+:::note
+Use your organization's name as the authority name (for example, `AcmeCorp`). The authority name cannot be changed after routers have been provisioned without re-onboarding them.
+:::
+
+## 3. Set the Conductor Address
+
+The conductor address is the IP address that managed routers use to connect to this conductor. It must be reachable from each branch router's WAN interface.
+
+
+
+For this guide, enter `192.168.100.10` as the conductor address.
+
+## 4. Create the Internet Service
+
+The *service* configuration element defines the IP destinations that the SSR will route. This guide creates a single service representing all internet-bound traffic.
+
+1. Log in to the Conductor GUI.
+2. Select **Configuration**.
+3. Select **Authority** from the left panel.
+4. Scroll down to **Services** and select **ADD**.
+5. Enter the name `internet` and select **SAVE**.
+6. On the Service screen, verify **Enabled** is set to `true`.
+7. Set **Scope** to `public`.
+8. Scroll down to **Security Policy** and select `internal`.
+9. Scroll down to **Service Addresses** and select **ADD**.
+10. Enter `0.0.0.0/0` and select **SAVE**.
+11. Scroll down to **Access Policy** and select **ADD**.
+ - Set **Source** to `corp` (the tenant you will create in the next step).
+ - Select **SAVE**.
+12. At the top of the screen, select **VALIDATE** and then **COMMIT**.
+
+:::tip
+The `internal` security policy allows SVR traffic between routers in the same authority without requiring additional encryption configuration. For production deployments requiring payload encryption, select an appropriate security policy. See [Security Policy](../config_reference_guide.md) for details.
+:::
+
+## 5. Create the Corporate Tenant
+
+Tenants logically partition the network. The `corp` tenant represents corporate LAN users in this deployment and is referenced by the LAN interface configuration on each branch router.
+
+1. In the Conductor GUI, select **Configuration**.
+2. Select **Authority**.
+3. Scroll to **Tenants** and select **ADD**.
+4. Enter the name `corp` and select **SAVE**.
+5. At the top of the screen, select **VALIDATE** and then **COMMIT**.
+
+:::info
+Tenants are authority-wide. A single `corp` tenant definition applies to all routers that assign it to a LAN interface.
+:::
+
+## What Was Configured
+
+At the end of this step your authority contains:
+
+| Object | Name | Value |
+|--------|------|-------|
+| Authority | `AcmeCorp` | |
+| Conductor Address | | `192.168.100.10` |
+| Service | `internet` | `0.0.0.0/0`, scope `public`, security `internal` |
+| Tenant | `corp` | LAN-side user population |
+
+## Next Step
+
+Proceed to [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx) to pre-stage the branch router configuration before onboarding.
diff --git a/docs/deploy/deploy_conductor_install.mdx b/docs/deploy/deploy_conductor_install.mdx
new file mode 100644
index 0000000000..80217233c3
--- /dev/null
+++ b/docs/deploy/deploy_conductor_install.mdx
@@ -0,0 +1,152 @@
+---
+title: Install the Conductor
+sidebar_label: Install the Conductor
+---
+import SSR1200Ports from '../_deploy_ssr1200_port_map.md';
+import VerifyConductorInstall from '../_install_verify_conductor_install.md';
+import ChangeDefaultPasswords from '../_change_def_passwords.md';
+import ConfigureToken from '../_configure_token.md';
+
+This section covers the physical hardware setup and software installation for the SSR1200 being used as the conductor. The SSR1200 conductor provides centralized management for all SSR130 branch routers in the network.
+
+SSR 7.1.4 uses the **Universal ISO** installation process. If your SSR1200 shipped with SSR 6.3.0 or later pre-installed, skip the [Install the Software](#install-the-software) section and proceed directly to [Initialize the Conductor](#initialize-the-conductor).
+
+## SSR1200 Port Reference
+
+
+
+## Physical Setup
+
+Connect the SSR1200 before powering it on:
+
+1. **Connect the MGMT port** (`mgmt-0-0`, PCI `0000:03:00.0`) to a management network switch port that provides:
+ - A static IP assignment or DHCP lease for the conductor
+ - Connectivity to the internet (required for software downloads)
+
+2. **Connect a laptop** to any LAN port (Port 0/3 through Port 0/5) using a standard Ethernet cable. The laptop will be used to access the device initialization web interface at `https://192.168.128.1` during setup.
+
+ :::note
+ Assign your laptop a static IP address in the range `192.168.128.2`–`192.168.128.254` with a subnet mask of `255.255.255.0` before connecting. The initialization web interface is only accessible on the LAN-side ports prior to initialization.
+ :::
+
+3. Do **not** power on the device yet.
+
+## Install the Software
+
+:::note
+Skip this section if your SSR1200 already has SSR 6.3.0 or later installed.
+:::
+
+### Download the ISO
+
+Download the SSR 7.1.4 Universal ISO from the Juniper software repository:
+
+- URL: [https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/)
+- You will be prompted for your Artifactory username and software access token.
+- Select the `7.1.4` ISO file.
+
+For instructions on creating a bootable USB from the ISO, see [Creating a Bootable USB](../intro_creating_bootable_usb.md).
+
+### Boot from USB
+
+1. Connect the bootable USB to a USB port on the SSR1200.
+2. Connect a console cable (RJ-45 rollover) to the **CONSOLE** port on the SSR1200 and to your laptop or console server. Set the baud rate to **115200 bps**.
+3. Power on the SSR1200.
+4. When the prompt `Press ESC for boot menu` appears, press **ESC**.
+5. From the boot menu, select the USB device number and press **Enter**.
+6. From the boot menu, press **TAB** or **DEL** to enter Setup if required.
+
+### Run the Installer
+
+1. At the boot image selection screen, select the SSR 7.1.4 image and press **Enter**.
+
+ ![Choose Image](/img/u-iso2_choose_image.png)
+
+2. At the Install menu, select **VGA** or **Serial** depending on your console connection.
+
+ ![Install Type](/img/u-iso3_choose_install_type.png)
+
+3. At the Install Options screen, press **Enter** to accept the default (standard physical installation, no FIPS).
+
+ ![Install Options](/img/u-iso4_install_options.png)
+
+4. The installation runs to completion automatically.
+
+ ![Install Progress](/img/u-iso5_begin_install.png)
+
+5. When prompted to reboot, allow the device to restart. Remove the USB drive before the next boot.
+
+ ![Install Complete](/img/u-iso6_unpacker_complete.png)
+
+## Initialize the Conductor
+
+The SSR1200 exposes a web-based initialization interface on its LAN ports after the first boot. Use this interface to configure the conductor role, management IP address, and admin credentials.
+
+1. Ensure your laptop is connected to a LAN port on the SSR1200 and has a static IP in the `192.168.128.0/24` subnet.
+
+2. Open a web browser and navigate to:
+
+ ```
+ https://192.168.128.1
+ ```
+
+ Accept the self-signed certificate warning.
+
+ ![Initialization UI](/img/u-iso8_launch_gui.png)
+
+3. Under **SSR Managed**, select **SSR Conductor**.
+
+ ![SSR Conductor Selection](/img/u-iso8a_initialize_conductor.png)
+
+4. Select **STANDALONE** for a single-conductor deployment. Select the **STATIC** address type.
+
+ ![Conductor Configuration](/img/u-iso9_define_conductor.png)
+
+5. Enter the following information:
+
+ | Field | Example Value | Notes |
+ |-------|--------------|-------|
+ | Conductor Name | `conductor1` | Used as the router name in the authority |
+ | Node IP Address | `192.168.100.10` | Static management IP |
+ | Node Gateway | `192.168.100.1` | Management network gateway |
+ | Interface Name | `mgmt-0-0` | Management interface |
+ | DNS Server | `8.8.8.8` | Optional; required for software downloads |
+ | Admin Password | _(your choice)_ | Minimum 8 chars, 1 upper, 1 lower, 1 number |
+ | Artifactory Username | _(your username)_ | Juniper software access |
+ | Artifactory Password | _(your token)_ | Juniper software access token |
+
+ :::note
+ The admin, root, and t128 accounts are all set to the password you enter here.
+ :::
+
+6. Click **ASSOCIATE**.
+
+7. The SSR1200 reboots and comes online as a conductor. This process takes approximately 5–10 minutes.
+
+## Verify the Installation
+
+After the device restarts, connect your laptop to the management network and verify the conductor is running:
+
+
+
+You can also access the conductor GUI from the management network using:
+
+```
+https://192.168.100.10
+```
+
+Log in with username `admin` and the password set during initialization.
+
+## Change the Default Passwords
+
+
+
+## Configure the Software Access Token
+
+If Artifactory credentials were not entered during initialization, configure them now from the conductor PCLI so that routers can download software updates.
+
+
+
+## Next Step
+
+Proceed to [Step 2 — Configure the Conductor](deploy_conductor_config.mdx).
diff --git a/docs/deploy/deploy_overview.mdx b/docs/deploy/deploy_overview.mdx
new file mode 100644
index 0000000000..4242c4bf73
--- /dev/null
+++ b/docs/deploy/deploy_overview.mdx
@@ -0,0 +1,84 @@
+---
+title: Conductor-Managed Network Deployment Guide
+sidebar_label: Overview
+---
+import Mermaid from '@theme/Mermaid';
+import NetworkDesign from '../_deploy_network_design.md';
+
+This guide walks a network engineer through every step required to stand up a conductor-managed SSR network using an **SSR1200 as the Conductor** and one or more **SSR130 branch routers**. By the end of the guide, each branch router will be online, managed by the conductor, forwarding internet traffic for LAN users, and reachable by the conductor over the same WAN interface used for internet breakout.
+
+## Guide Sections
+
+| Step | Topic | Description |
+|------|-------|-------------|
+| 1 | [Install the Conductor](deploy_conductor_install.mdx) | Install SSR 7.1.4 on an SSR1200 and initialize it as a standalone conductor |
+| 2 | [Configure the Conductor](deploy_conductor_config.mdx) | Set the authority name, conductor address, internet service, and corporate tenant |
+| 3 | [Configure the Router on the Conductor](deploy_router_config.mdx) | Pre-stage each SSR130 router's configuration on the conductor before onboarding |
+| 4 | [Onboard SSR130 Routers](deploy_router_onboard.mdx) | Connect and initialize each SSR130 router so it joins the conductor |
+| 5 | [Upgrade Routers to 7.1.4](deploy_router_upgrade.mdx) | Upgrade each onboarded router to SSR 7.1.4 from the conductor |
+| 6 | [Verify the Deployment](deploy_verify.md) | Confirm connectivity, management, and internet forwarding |
+| — | [Appendix A — Conductor Configuration](deploy_appendix_conductor.mdx) | Complete conductor PCLI configuration |
+| — | [Appendix B — Router Configuration](deploy_appendix_router.mdx) | Complete router PCLI configuration |
+
+## Network Topology
+
+The diagram below shows the logical network this guide builds.
+ +|"Internet"| ISP + ISP <-->|"DHCP"| Router + Router <-->|"Internet Breakout\n(service: internet)"| Internet + LAN <-->|"LAN"| Router + Router <-->|"Management over\nForwarding (WAN)"| Conductor +`}/> + +## Roles + +| Device | Model | Role | +|--------|-------|------| +| `conductor1` | SSR1200 | Standalone SSR Conductor — centralized management and provisioning | +| `branch1` | SSR130 | Conductor-managed branch router — internet breakout and LAN services | + +## Network Design Reference + + + +## Prerequisites + +Before beginning, ensure the following are available: + +- **SSR 7.1.4 ISO image** — downloaded from [software.128technology.com](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/) using your Juniper software access credentials. +- **Bootable USB drive** — minimum 8 GB, prepared from the ISO. See [Creating a Bootable USB](../intro_creating_bootable_usb.md). +- **Juniper software access credentials** — Artifactory username and password for software downloads. +- **Console access** — RJ-45 rollover cable or VGA/keyboard access to the SSR1200 for the initial installation. +- **Management network** — a network switch port providing DHCP or a known static IP for the SSR1200 MGMT port. +- **Static IP assignment for the conductor** — the IP address assigned to the conductor must be reachable from branch WAN links. +- **Mist portal account** — required for SSR130 Zero Touch Provisioning (ZTP). A free account suffices; WAN Assurance subscription is **not** required. +- **ISP WAN links** — each SSR130 branch requires an Ethernet WAN link providing DHCP. + +## Software Version Requirements + +This guide targets **SSR 7.1.4** on both conductor and routers. + +:::note +The router software version cannot be higher than the conductor software version. SSR130 routers that ship with an earlier software version are upgraded to 7.1.4 from the conductor after onboarding. 
See [Upgrading the Conductor](../intro_upgrading.md) for general upgrade information.
+:::
+
+## Related Documentation
+
+- [SSR Installation Overview](../intro_installation.md)
+- [Conductor Deployment Best Practices](../bcp_conductor_deployment.md)
+- [Service and Service Policy Design](../bcp_service_and_service_policy_design.md)
+- [Management Traffic over Forwarding Interfaces](../config_management_over_forwarding.md)
+- [Onboard an SSR Device to a Conductor](../onboard_ssr_to_conductor.md)
diff --git a/docs/deploy/deploy_router_config.mdx b/docs/deploy/deploy_router_config.mdx
new file mode 100644
index 0000000000..77fe647ac7
--- /dev/null
+++ b/docs/deploy/deploy_router_config.mdx
@@ -0,0 +1,189 @@
+---
+title: Configure the Router on the Conductor
+sidebar_label: Configure the Router
+---
+import NetworkDesign from '../_deploy_network_design.md';
+
+The conductor must have a complete router configuration staged **before** the physical router is powered on and connected to the network. When the SSR130 comes online and contacts the conductor, it downloads this configuration and applies it automatically.
+
+This section walks through creating the router configuration for `branch1` from the Conductor GUI. Repeat these steps for each additional SSR130 router in your network, substituting the appropriate router name, node name, asset ID, and addressing values.
+
+:::important
+The router name entered here must exactly match the router name entered during the SSR130's initialization (Step 4). The asset ID must match the SSR130's serial number printed on the device label.
+:::
+
+All steps are performed from the **Conductor GUI** at `https://192.168.100.10`.
+
+## Network Design Reference
+
+
+
+## 1. Find the SSR130 Asset ID
+
+The asset ID is the serial number of the SSR130 device. It is printed on the label on the bottom of the device and on the shipping box. It takes the form `SSR130-XXXXXXXXXX`.
+
+You will enter this value when associating the router configuration with the physical device.
+
+## 2. Create the Router
+
+1. Log in to the Conductor GUI.
+2. Select **Configuration**.
+3. Under **Authority**, scroll to **Routers** and select **ADD**.
+4. Enter the router name `branch1` and select **SAVE**.
+5. Set the following fields on the Router screen:
+
+ | Field | Value | Notes |
+ |-------|-------|-------|
+ | Location | `+32.7767-096.7970/` | ISO 6709 coordinates; update for your site |
+ | Inter-node Security | `internal` | Required for SVR between nodes |
+
+6. Select **VALIDATE** and **COMMIT** to save.
+
+## 3. Create the Node
+
+1. Scroll down to **Nodes** and select **ADD**.
+2. Enter the node name `node1` and select **SAVE**.
+3. Set the following fields:
+
+ | Field | Value |
+ |-------|-------|
+ | Role | `combo` |
+ | Asset ID | _(SSR130 serial number, e.g., `SSR130-ABC1234567`)_ |
+
+4. Select **SAVE**.
+
+## 4. Configure the WAN Interface
+
+The WAN interface (`ge-0-0`, Port 0) connects to the ISP, obtains a DHCP address, and provides both internet forwarding and conductor management traffic via [Management over Forwarding](../config_management_over_forwarding.md).
+
+### 4a. Create the WAN Device Interface
+
+1. Under the Node, scroll to **Device Interfaces** and select **ADD**.
+2. Enter the name `wan-dev` and select **SAVE**.
+3. Set the following fields:
+
+ | Field | Value |
+ |-------|-------|
+ | Type | `ethernet` |
+ | PCI Address | `0000:04:00.3` |
+ | Forwarding | `true` |
+
+4. Select **SAVE**.
+
+### 4b. Create the WAN Network Interface
+
+1. Under the Device Interface, scroll to **Network Interfaces** and select **ADD**.
+2. Enter the name `wan1` and select **SAVE**.
+3. Set the following fields:
+
+ | Field | Value | Notes |
+ |-------|-------|-------|
+ | Type | `external` | |
+ | DHCP | `v4` | WAN IP is assigned by ISP DHCP |
+ | Conductor | `true` | Marks this interface for conductor connectivity |
+ | Default Route | `true` | Linux uses this interface as its default route |
+ | Source NAT | `true` | Required for management over forwarding |
+ | Management | `true` | Enables management over forwarding on this interface |
+
+4. Scroll down to **Management Vector** and select **ADD**.
+ - Enter name `mgmt-vec-wan` and priority `10`.
+ - Select **SAVE**.
+
+5. Scroll down to **Neighborhoods** and select **ADD**.
+ - Select `internet` as the neighborhood name.
+ - Verify **Topology** is set to `spoke`.
+ - Select **SAVE**.
+
+6. Select **VALIDATE** and **COMMIT**.
+
+:::important
+`Source NAT` and `Default Route` must both be set to `true` on the management interface. Management traffic originates from the `169.254.x.x` range and must be source-NAT'd to a routable address before leaving the interface. The default route ensures Linux sends non-SVR traffic through the SSR forwarding engine.
+:::
+
+## 5. Configure the LAN Interface
+
+The LAN interface (`ge-0-3`, Port 3) connects to the branch LAN and assigns the `corp` tenant to traffic arriving from that direction.
+
+### 5a. Create the LAN Device Interface
+
+1. Return to the **Node** level and scroll to **Device Interfaces**, then select **ADD**.
+2. Enter the name `lan-dev` and select **SAVE**.
+3. Set the following fields:
+
+ | Field | Value |
+ |-------|-------|
+ | Type | `ethernet` |
+ | PCI Address | `0000:04:00.0` |
+ | Forwarding | `true` |
+
+4. Select **SAVE**.
+
+### 5b. Create the LAN Network Interface
+
+1. Under the LAN Device Interface, scroll to **Network Interfaces** and select **ADD**.
+2. Enter the name `lan1` and select **SAVE**.
+3. Set the following fields:
+
+ | Field | Value | Notes |
+ |-------|-------|-------|
+ | Type | `external` | |
+ | Tenant | `corp` | Assigns all LAN traffic to the corp tenant |
+
+4. Scroll down to **Interface Addresses** and select **ADD**.
+ - IP Address: `192.168.1.1`
+ - Prefix Length: `24`
+ - Select **SAVE**.
+
+5. Select **VALIDATE** and **COMMIT**.
+
+## 6. Configure DNS
+
+To enable the router to resolve FQDNs (for conductor connectivity, NTP, and software downloads), configure DNS in automatic mode so that DNS servers are learned from the WAN DHCP lease.
+
+1. Return to the **Router** level.
+2. Scroll to **DNS Config** and select **ADD**.
+3. Set **Mode** to `automatic`.
+4. Select **SAVE**.
+5. Select **VALIDATE** and **COMMIT**.
+
+## 7. Create the Internet Service Route
+
+The service route tells the router how to forward traffic matched by the `internet` service. In this deployment, internet-bound traffic is forwarded as a **service agent** (direct internet breakout) through the WAN interface.
+
+1. Return to the **Router** level.
+2. Scroll to **Service Routes** and select **ADD**.
+3. Enter the name `internet-route` and select **SAVE**.
+4. Set the following fields:
+
+ | Field | Value |
+ |-------|-------|
+ | Service Name | `internet` |
+ | Service Route Type | `service-agent` |
+
+5. Scroll to **Next Hop** and select **ADD**.
+ - Node: `node1`
+ - Network Interface: `wan1`
+ - Select **SAVE**.
+
+6. Select **VALIDATE** and **COMMIT**.
+
+## Configuration Summary
+
+The following objects have been created for `branch1`:
+
+| Object | Name | Key Settings |
+|--------|------|-------------|
+| Router | `branch1` | combo node, asset ID linked |
+| WAN Device Interface | `wan-dev` | PCI `0000:04:00.3`, forwarding |
+| WAN Network Interface | `wan1` | DHCP, conductor, default-route, source-nat, management, neighborhood `internet` |
+| LAN Device Interface | `lan-dev` | PCI `0000:04:00.0`, forwarding |
+| LAN Network Interface | `lan1` | tenant `corp`, address `192.168.1.1/24` |
+| Service Route | `internet-route` | service `internet`, type `service-agent`, next-hop `node1/wan1` |
+
+:::tip
+To add additional SSR130 routers to this deployment, repeat this entire section with a new router name (e.g., `branch2`), a new LAN subnet (e.g., `192.168.2.1/24`), and the corresponding device asset ID.
+:::
+
+## Next Step
+
+Proceed to [Step 4 — Onboard SSR130 Routers](deploy_router_onboard.mdx).
diff --git a/docs/deploy/deploy_router_onboard.mdx b/docs/deploy/deploy_router_onboard.mdx
new file mode 100644
index 0000000000..a0cb5fcb5d
--- /dev/null
+++ b/docs/deploy/deploy_router_onboard.mdx
@@ -0,0 +1,177 @@
+---
+title: Onboard SSR130 Routers
+sidebar_label: Onboard SSR130 Routers
+---
+import SSR130Ports from '../_deploy_ssr130_port_map.md';
+
+This section covers the physical setup and initialization of each SSR130 branch router. Before beginning, confirm that the router configuration has been staged on the conductor as described in [Step 3 — Configure the Router on the Conductor](deploy_router_config.mdx).
+
+Repeat this section for each SSR130 in your deployment.
+
+:::important
+The conductor **must** have a valid configuration staged for this router — including a matching asset ID — before the router is powered on. Powering on the router before the configuration is ready will result in a failed onboarding attempt.
+:::
+
+## SSR130 Port Reference
+
+
+
+## Onboarding Methods
+
+SSR130 routers running SSR 6.3.0 or later support two onboarding methods. Choose the method appropriate for your deployment:
+
+| Method | Best For | Requirements |
+|--------|----------|-------------|
+| [Web Workflow (Recommended)](#method-1-web-workflow) | Direct physical access at the branch | Laptop with Ethernet port |
+| [Mist ZTP](#method-2-mist-ztp-zero-touch-provisioning) | Remote/zero-touch deployment | Mist portal account; conductor IP must be internet-reachable |
+
+---
+
+## Method 1: Web Workflow
+
+Use this method when you have physical access to the SSR130 at the branch site. The device's initialization web interface guides you through the conductor association.
+
+### Physical Setup
+
+1. Connect **Port 0** (`ge-0-0`) to the ISP WAN Ethernet link.
+2. Connect a laptop to **Port 3** (`ge-0-3`) using a standard Ethernet cable.
+
+ :::note
+ Assign the laptop a static IP address in the range `192.168.128.2`–`192.168.128.254` with a subnet mask of `255.255.255.0`.
+ :::
+
+3. **Power on the device**.
+
+### Initialize the Router
+
+1. Open a web browser and navigate to:
+
+ ```
+ https://192.168.128.1
+ ```
+
+ Accept the self-signed certificate warning.
+
+2. Under **SSR Managed**, select **SSR Router Managed via Conductor**.
+
+ ![SSR Conductor-managed router](/img/u-iso10_cond-mngd_router.png)
+
+3. Enter the following information:
+
+ | Field | Value |
+ |-------|-------|
+ | Router Name | `branch1` _(must match the name configured on the conductor)_ |
+ | Conductor IP Address | `192.168.100.10` |
+ | Admin Password | _(the password set during conductor initialization)_ |
+
+ ![Conductor Managed Association](/img/u-iso11_cond-mngd-assoc-new.png)
+
+4. Click **ASSOCIATE**.
+
+5. The SSR130 reboots, contacts the conductor at `192.168.100.10`, and downloads its configuration. This process takes approximately 5–10 minutes.
+
+6. Disconnect the laptop from Port 3 and connect your LAN switch to **Port 3** (`ge-0-3`).
+
+---
+
+## Method 2: Mist ZTP (Zero Touch Provisioning)
+
+Use this method for remote or zero-touch deployments where the device must self-onboard without any physical laptop connection.
+
+### Prerequisites
+
+- A Mist portal account is required (free). WAN Assurance subscription is **not** required.
+- The conductor IP address (`192.168.100.10`) must be reachable from the branch WAN link.
+
+### Step 1 — Create a Mist Account and Organization
+
+If you do not have a Mist account, create one at [https://manage.mist.com](https://manage.mist.com).
+
+Once logged in, create an Organization:
+
+1. Select **Organization** → **Settings** from the left menu.
+2. Enter an organization name and save.
+
+### Step 2 — Create a Site with the Conductor IP
+
+Each physical location where an SSR130 will be deployed needs a Mist site. The conductor IP address is added to the site so that SSR devices can receive their conductor address via ZTP.
+
+1. Select **Organization** → **Site Configuration** from the left menu.
+2. Click **Create Site**.
+3. Enter a site name (for example, `Branch-Dallas`).
+4. Scroll to the **Session Smart Conductor Address** field and enter `192.168.100.10`.
+
+ ![Session Smart Conductor Address](/img/wanas_conductor_ip_mist.png)
+
+5. Save the site.
+
+### Step 3 — Physical Setup
+
+1. Connect **Port 0** (`ge-0-0`) to the ISP WAN Ethernet link providing:
+ - DHCP address assignment
+ - Internet connectivity (required to reach Mist)
+
+2. Connect your LAN devices to **Port 3** (`ge-0-3`).
+
+3. **Power on the device**.
+
+### Step 4 — Claim the Device
+
+Add the SSR130 to your Mist organization using the claim code on the device label:
+
+1. Locate the QR code / claim code label on the SSR130.
+
+ ![Claim Code](/img/intro_wa_ssr130_quickstart_2.png)
+
+2. From the Mist portal, navigate to **Organization** → **Inventory**.
+3. Click **Claim** and enter the claim code, or scan the QR code with the Mist mobile app.
+4. Assign the device to the site created in Step 2.
+
+### Step 5 — Automatic Onboarding
+
+Once claimed and assigned to the site, the SSR130:
+
+1. Connects to Mist via Port 0 using the DHCP-assigned address.
+2. Receives the conductor IP address from Mist.
+3. Contacts the conductor at `192.168.100.10`.
+4. Downloads and applies its staged configuration.
+
+No further interaction is required. Monitor onboarding progress from the Conductor GUI (see [Verify Onboarding](#verify-onboarding) below).
+
+---
+
+## Verify Onboarding
+
+After the SSR130 connects to the conductor, verify the onboarding was successful from the **Conductor GUI**:
+
+1. Navigate to the **Routers** page.
+2. The router (`branch1`) should appear with a status of **Running** or **Synchronizing**.
+3. Once fully synchronized, the status shows **Synchronized** and the router's asset ID appears under the router entry.
+
+From the conductor **PCLI**, verify using:
+
+```bash
+show assets
+```
+
+The output should show the router in a **Synchronized** or **Running** state:
+
+```
+admin@node1.conductor1# show assets
+===================== ============== ===========
+ Asset ID Router Status
+===================== ============== ===========
+ SSR130-ABC1234567 branch1 Synchronized
+```
+
+From the router, verify the SSR service is active:
+
+```bash
+sudo systemctl status 128T
+```
+
+The service should be listed as `Active (running)`.
+
+## Next Step
+
+Proceed to [Step 5 — Upgrade Routers to 7.1.4](deploy_router_upgrade.mdx).
diff --git a/docs/deploy/deploy_router_upgrade.mdx b/docs/deploy/deploy_router_upgrade.mdx
new file mode 100644
index 0000000000..518c08a409
--- /dev/null
+++ b/docs/deploy/deploy_router_upgrade.mdx
@@ -0,0 +1,132 @@
+---
+title: Upgrade Routers to SSR 7.1.4
+sidebar_label: Upgrade Routers
+---
+import UpgradeNote701 from '../_upgrade_701_conductor_note.md';
+
+Once an SSR130 router is onboarded and synchronized with the conductor, upgrade it to SSR 7.1.4. Upgrades are initiated from the conductor and executed without requiring physical access to the router.
+
+:::note
+The conductor must be running **SSR 7.1.4 or later** before upgrading any router to 7.1.4. The router software version cannot be higher than the conductor version. If you have not already upgraded the conductor to 7.1.4, do so first using the procedure in [Upgrading the Conductor](../upgrade_ibu_conductor.mdx).
+:::
+
+
+
+## Software Availability
+
+The conductor downloads the router software image from the Juniper software repository. The conductor must have:
+- Valid Artifactory credentials configured (see [Configure the Software Access Token](deploy_conductor_install.mdx#configure-the-software-access-token))
+- Internet connectivity on the management network
+
+## Upgrade Using the Conductor GUI
+
+This is the recommended method for upgrading one or more routers.
+
+### Download the Software
+
+1. In the Conductor GUI, navigate to the **Routers** page.
+2. Select **Software Lifecycle** at the top of the page.
+3. Select **Initiate Upgrade** → **Download**.
+4. Choose version `7.1.4` from the dropdown.
+5. Select the router(s) to download to from the router list (for example, `branch1`).
+6. Click **Start**.
+
+Monitor the download progress on the **Software Lifecycle** panel. Wait until the download status shows **Complete** before proceeding to the upgrade.
+
+### Run the Upgrade
+
+1. Return to **Software Lifecycle** and select **Upgrade**.
+2. Select version `7.1.4`.
+3. Select the router(s) to upgrade.
+4. Click **Start**.
+
+The upgrade runs to completion with no interaction required. The router restarts automatically at the end of the process.
+
+To view installation history, select **Lifecycle History** on the Software Lifecycle panel.
+
+## Upgrade Using the Conductor PCLI
+
+Use this method to upgrade routers from the command line.
+
+Log in to the conductor PCLI:
+
+```bash
+ssh admin@192.168.100.10
+```
+
+### Step 1 — View Assets
+
+Confirm the router is connected and show its current software version:
+
+```bash
+show assets
+```
+
+Example output:
+```
+===================== ============== ===========
+ Asset ID Router Status
+===================== ============== ===========
+ SSR130-ABC1234567 branch1 Synchronized
+```
+
+### Step 2 — Check Available Versions
+
+```bash
+show system software available router branch1 node node1
+```
+
+Confirm version `7.1.4` appears in the output.
+
+### Step 3 — Download the Software
+
+```bash
+request system software download router branch1 node node1 version 7.1.4
+```
+
+Monitor download progress:
+
+```bash
+show system software download router branch1 node node1
+```
+
+Wait until the status shows `completed`.
+
+### Step 4 — Upgrade the Router
+
+```bash
+request system software upgrade router branch1 node node1 version 7.1.4
+```
+
+Monitor upgrade progress:
+
+```bash
+show system software upgrade router branch1 node node1
+```
+
+The router restarts when the upgrade completes. Allow 5–10 minutes for the router to come back online and re-synchronize with the conductor.
+
+### Step 5 — Verify the Upgrade
+
+After the router restarts:
+
+```bash
+show assets
+```
+
+Confirm the router shows version `7.1.4` and a status of **Synchronized**.
+
+## Upgrading Multiple Routers
+
+To upgrade multiple routers efficiently:
+
+- From the GUI: select all target routers in the Software Lifecycle panel before clicking Start.
+- From the PCLI: run separate `request system software download` commands per router, then upgrade each router after its download completes.
+
+:::tip
+It is recommended to upgrade routers during a maintenance window.
Internet traffic forwarding is briefly interrupted when the router restarts during the upgrade.
+:::
+
+## Next Step
+
+Proceed to [Step 6 — Verify the Deployment](deploy_verify.md).
diff --git a/docs/deploy/deploy_verify.md b/docs/deploy/deploy_verify.md
new file mode 100644
index 0000000000..cc9e195e65
--- /dev/null
+++ b/docs/deploy/deploy_verify.md
@@ -0,0 +1,156 @@
+---
+title: Verify the Deployment
+sidebar_label: Verify the Deployment
+---
+
+This section confirms that the deployment is fully operational. Run each check in sequence to validate every layer of the stack.
+
+## 1. Verify Router-to-Conductor Connectivity
+
+From the **Conductor PCLI**, confirm all routers are synchronized:
+
+```bash
+show assets
+```
+
+Expected output for a healthy deployment:
+
+```
+===================== ============== ===========
+ Asset ID Router Status
+===================== ============== ===========
+ SSR130-ABC1234567 branch1 Synchronized
+```
+
+If a router shows **Disconnected** or remains in **Synchronizing** for more than 15 minutes, see [Troubleshooting Conductor Connectivity](../ts_connecting_to_routers.md).
+
+## 2. Verify Router Software Version
+
+Confirm each router is running SSR 7.1.4:
+
+```bash
+show system version router branch1
+```
+
+Expected output:
+```
+Fri 2026-04-17 10:00:00 UTC
+=========== ============================== ============
+ Router Version Status
+=========== ============================== ============
+ branch1 7.1.4-1.el7.x86_64 Running
+```
+
+## 3. Verify WAN Interface
+
+From the Conductor PCLI, confirm the WAN interface has received a DHCP address:
+
+```bash
+show network-interface router branch1 node node1 name wan1
+```
+
+Verify that:
+- **Operational State** is `up`
+- **Address** shows a DHCP-assigned IP address from the ISP
+
+Alternatively, from the Conductor GUI:
+1. Navigate to **Routers** → `branch1`.
+2. Select the **Interfaces** tab.
+3. Verify `wan1` shows an IP address and is operationally `up`.
+
+## 4. Verify LAN Interface
+
+```bash
+show network-interface router branch1 node node1 name lan1
+```
+
+Verify that:
+- **Operational State** is `up`
+- **Address** shows `192.168.1.1/24`
+
+## 5.
Verify Management over Forwarding
+
+Management over forwarding is active when the conductor and router maintain an uninterrupted management connection through the WAN interface. Since the conductor shows the router as **Synchronized** and the WAN interface is up, management over forwarding is working correctly.
+
+To confirm from the router's Linux shell:
+
+```bash
+ip route
+```
+
+Expected output — a default route pointing to `kni254` confirms that management traffic is flowing through the SSR forwarding engine:
+
+```
+default dev kni254 scope link metric 10
+```
+
+To SSH to the router through the conductor (using management over forwarding):
+
+```bash
+ssh admin@branch1.AcmeCorp
+```
+
+If the SSH session opens, management over forwarding is confirmed end-to-end.
+
+## 6. Verify Internet Service Forwarding
+
+From a LAN device in the `192.168.1.0/24` subnet, confirm internet connectivity:
+
+```bash
+ping 8.8.8.8
+```
+
+Or from the router's PCLI, trace a path for a LAN user to the internet:
+
+```bash
+admin@node1.branch1# show fib router branch1
+```
+
+Look for an entry matching `0.0.0.0/0` (the `internet` service) with a next-hop pointing to `wan1`.
+
+To confirm active session forwarding, from the Conductor PCLI:
+
+```bash
+show sessions router branch1
+```
+
+Traffic from LAN hosts (`192.168.1.0/24`, tenant `corp`) destined for the internet should appear as active sessions egressing `wan1`.
+
+## 7. Verify Internet Breakout with Source NAT
+
+From a LAN device, confirm that outbound traffic is source-NAT'd to the WAN IP:
+
+```bash
+curl -s https://api.ipify.org
+```
+
+The returned IP address should match the WAN DHCP address assigned to `wan1` — not the LAN address.
+
+Alternatively, verify source NAT is applied from the PCLI:
+
+```bash
+show nat entries router branch1
+```
+
+Entries for LAN source addresses (`192.168.1.x`) translated to the WAN IP confirm internet breakout with NAT is working.
+
+## Summary Checklist
+
+| Check | Expected Result |
+|-------|----------------|
+| Router asset status | `Synchronized` |
+| Router software version | `7.1.4` |
+| WAN interface (`wan1`) | Operationally `up`, DHCP IP assigned |
+| LAN interface (`lan1`) | Operationally `up`, address `192.168.1.1/24` |
+| Management over forwarding | Default route via `kni254`; conductor SSH accessible |
+| Internet service | FIB entry for `0.0.0.0/0` present, sessions forwarding |
+| Source NAT | LAN traffic egresses with WAN IP as source |
+
+## Congratulations
+
+Your conductor-managed SSR network is fully operational. The SSR1200 conductor is managing the SSR130 branch router, which is forwarding internet traffic for LAN users and maintaining its management connection to the conductor over the WAN interface.
+
+## Appendices
+
+- [Appendix A — Full Conductor Configuration](deploy_appendix_conductor.mdx)
+- [Appendix B — Full Router Configuration](deploy_appendix_router.mdx)
diff --git a/sidebars.js b/sidebars.js
index 3dabcb47aa..d6a20db14c 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -7,6 +7,29 @@ module.exports = {
 "about_releases",
 "about_support_policy",
 ],
+ "Deployment Guides": [
+ {
+ "type": "category",
+ "label": "Conductor-Managed Network: SSR1200 Conductor + SSR130 Routers",
+ "items": [
+ "deploy/deploy_overview",
+ "deploy/deploy_conductor_install",
+ "deploy/deploy_conductor_config",
+ "deploy/deploy_router_config",
+ "deploy/deploy_router_onboard",
+ "deploy/deploy_router_upgrade",
+ "deploy/deploy_verify",
+ {
+ "type": "category",
+ "label": "Appendices",
+ "items": [
+ "deploy/deploy_appendix_conductor",
+ "deploy/deploy_appendix_router",
+ ],
+ },
+ ],
+ },
+ ],
 "Release Notes": [
 {
 "type": "category",