Mental model
Traditional WAN: each branch has a router. Each router runs OSPF/BGP. Each router has hand-built IPsec tunnels to the DC. To add a new site, an engineer configures 20+ lines on every existing site, plus the new site. To change a routing policy, repeat across every device. Expensive, slow, error-prone.
SD-WAN’s pitch: treat the WAN as one logical fabric controlled by software. Each branch router (cEdge) only needs to know: “reach a controller, accept policy, build tunnels as instructed.” The controllers (vSmart) push routing and policy from one central GUI.
It’s SDN, applied to the WAN.
Same separation of planes as SDN Controllers, but tuned for branch WAN problems: cost, transport diversity, application-aware routing, central management.
The Cisco SD-WAN architecture (Viptela-based)
Four planes, four products:
| Plane | Component | Role |
|---|---|---|
| Management | vManage | GUI + REST API. Where humans + automation configure everything. |
| Control | vSmart | Routing brain. Builds OMP (Overlay Management Protocol) routes. Pushes policy. |
| Orchestration | vBond | Onboarding. New devices reach vBond first; vBond points them at vSmart + vManage. |
| Data | cEdge / vEdge | Branch routers / DC routers. Build IPsec tunnels and forward packets. |
```
┌─────────┐      ┌─────────┐      ┌─────────┐
│ vManage │      │ vSmart  │      │  vBond  │   (controllers — VMs or SaaS)
└────┬────┘      └────┬────┘      └────┬────┘
     │                │                │
╔════╧════════════════╧════════════════╧════╗
║         DTLS/TLS control tunnels          ║
╚════╤════════════════╤════════════════╤════╝
     │                │                │
┌────┴────┐      ┌────┴────┐      ┌────┴────┐
│ cEdge HQ│      │cEdge BR1│      │cEdge BR2│   (data plane)
└────┬────┘      └────┬────┘      └────┬────┘
     └─────IPsec──────┴─────IPsec──────┘       (overlay tunnels between sites)
          over MPLS, internet, LTE…            (underlay = any transport)
```
Underlay vs overlay — the key concept
Underlay = the physical/IP network you bought from carriers. MPLS from Provider A, internet broadband from Provider B, LTE backup from Provider C. Each branch may have multiple.
Overlay = the IPsec tunnels SD-WAN builds across the underlay. From the apps’ perspective, there’s one flat network. The underlay is invisible.
This decoupling means:
- Branch can use any combination of transports.
- SD-WAN picks the best path per application (voice → MPLS, web → internet, backup → LTE).
- Adding a new MPLS provider doesn’t change app routing — just adds a path.
OMP — the SD-WAN routing protocol
Branch routers don’t run BGP/OSPF with each other across the WAN. They each peer with vSmart over a DTLS tunnel and exchange routes via OMP (Overlay Management Protocol).
vSmart acts like a route reflector. cEdge A says: “I can reach 10.10.0.0/16 via tunnel TLOC-A1.” vSmart redistributes that to all other cEdges that policy says should see it.
TLOC = Transport Locator. Tuple of (system-ip, transport-color, encapsulation). It identifies a specific transport endpoint on a specific router. Think “site router has 3 internet uplinks → 3 TLOCs.”
Application-aware routing
You define a policy like:
Application class: VOICE
Preferred path: MPLS
Fallback: Internet if MPLS jitter > 30ms or loss > 1%
Application class: BACKUP
Preferred path: Internet
Fallback: never use MPLS (cost)
Application class: SAAS (M365, Salesforce)
Direct internet break-out at branch (DIA)
vSmart pushes this to every cEdge. Each cEdge measures per-path SLA continuously and switches actively if MPLS quality drops.
This is the killer feature: traditional WAN routes by destination prefix; SD-WAN routes by application and SLA.
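To make the per-path decision concrete, here is an added illustration (not Cisco code, and not how vSmart or a cEdge implements it internally) that applies the VOICE / BACKUP / SAAS policy above to a constructed SLA snapshot for one branch with three TLOCs; `Tloc`, `PathSla`, `POLICY` and `choose_path` are hypothetical names chosen for this example, and the jitter/loss thresholds are the ones stated in the policy.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

# Hypothetical model of app-aware routing: a TLOC per transport, live SLA
# numbers per TLOC, and a policy that picks the first preferred transport
# whose path is still inside the SLA limits.

class Tloc(NamedTuple):
    system_ip: str   # router identity in the overlay
    color: str       # transport colour, e.g. "mpls", "biz-internet", "lte"
    encap: str       # "ipsec" or "gre"

@dataclass
class PathSla:
    tloc: Tloc
    loss_pct: float
    jitter_ms: float

# prefer: ordered colours; max_*: a path above these is ineligible; never: hard block (cost)
POLICY = {
    "VOICE":  {"prefer": ["mpls", "biz-internet"], "max_jitter_ms": 30.0, "max_loss_pct": 1.0, "never": []},
    "BACKUP": {"prefer": ["biz-internet", "lte"], "max_jitter_ms": None, "max_loss_pct": None, "never": ["mpls"]},
    "SAAS":   {"prefer": ["biz-internet"], "max_jitter_ms": None, "max_loss_pct": None, "never": []},  # DIA
}

def meets_sla(p: PathSla, rule: dict) -> bool:
    """A path is usable only if it is within every configured SLA limit."""
    if rule["max_jitter_ms"] is not None and p.jitter_ms > rule["max_jitter_ms"]:
        return False
    if rule["max_loss_pct"] is not None and p.loss_pct > rule["max_loss_pct"]:
        return False
    return True

def choose_path(app: str, paths: List[PathSla]) -> Optional[Tloc]:
    """Return the TLOC of the first preferred colour that meets the SLA, else None."""
    rule = POLICY[app]
    by_color = {p.tloc.color: p for p in paths if p.tloc.color not in rule["never"]}
    for color in rule["prefer"]:
        p = by_color.get(color)
        if p is not None and meets_sla(p, rule):
            return p.tloc
    return None  # no compliant path (a real SLA class defines a further fallback; omitted here)

# Constructed SLA snapshot for branch BR1: MPLS jitter has drifted above 30 ms.
BR1 = "10.1.1.1"
PATHS = [
    PathSla(Tloc(BR1, "mpls", "ipsec"), loss_pct=0.2, jitter_ms=45.0),
    PathSla(Tloc(BR1, "biz-internet", "ipsec"), loss_pct=0.5, jitter_ms=12.0),
    PathSla(Tloc(BR1, "lte", "ipsec"), loss_pct=2.5, jitter_ms=80.0),
]
```

With this snapshot VOICE fails over from MPLS to internet because of jitter, BACKUP never touches MPLS, and when MPLS is healthy again VOICE returns to it.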
Zero-touch provisioning (ZTP)
How a new branch site comes up:
- Engineer ships an SD-WAN router to the branch with no config. Local IT just plugs in WAN + LAN.
- Router boots, gets DHCP from the ISP.
- Router calls home to vBond (a well-known cloud address — Cisco PnP Connect for SD-WAN).
- vBond authenticates the router via certificate, gives it the address of vSmart and vManage.
- Router establishes DTLS to vManage. vManage pushes the site’s config template (variables filled in from the device serial number).
- Router establishes DTLS to vSmart. Routes flow. Overlay tunnels build.
- Branch is online — typically in minutes, with no engineer on-site.
This is the major operational win over traditional WAN.
Where SD-WAN intersects with security
- Direct Internet Access (DIA) at branch — SaaS traffic doesn’t backhaul to HQ. Faster for users but requires branch-side security: cloud-delivered firewall (Cisco Umbrella, Zscaler, Prisma), or on-router NGFW.
- All overlay tunnels are IPsec — no need to manually build site-to-site VPNs.
- Segmentation — cEdges support VRFs / service VPNs. Guest Wi-Fi, IoT, corporate traffic can be isolated end-to-end.
This is the SD-WAN → SASE evolution: pulling cloud-delivered security into the SD-WAN fabric.
Cisco SD-WAN variants
- Viptela / vManage — the dedicated SD-WAN stack (cEdge or vEdge devices). Most enterprise deployments.
- Meraki SD-WAN — Meraki MX appliances with cloud-managed SD-WAN. Simpler, more “SMB-friendly.”
- Catalyst SD-WAN — Cisco’s 2024+ rebrand of Viptela. Same products, new name.
CCNA blueprint touches SD-WAN at a “describe” level — you need to know:
- It exists, separates control from data.
- It uses overlay tunnels over any underlay.
- It enables centralized policy + zero-touch.
- The vManage / vSmart / vBond / cEdge role split (Cisco-specific, but widely tested).
Traditional WAN vs SD-WAN — side-by-side
| Aspect | Traditional WAN | SD-WAN |
|---|---|---|
| Config | Per-device CLI | Central GUI + templates |
| New site | Days / weeks | Minutes (ZTP) |
| Transport | MPLS only (typically) | MPLS + internet + LTE — any combo |
| Policy change | Touch every device | Click in vManage |
| App routing | By destination | By app + SLA |
| Cost | MPLS-heavy | Mix of cheap broadband + MPLS |
| Monitoring | SNMP, syslog, per-device | Centralized real-time dashboard |
| Security | Hub-spoke through HQ firewall | DIA + cloud security (SASE) |
Common mistakes
- Treating SD-WAN as “IPsec automation.” It does that, but the value is centralized policy + app-aware routing. Replacing manual IPsec with automated IPsec is the least important benefit.
- Skimping on underlay diversity. SD-WAN’s resilience comes from having more than one underlay. If every branch is single-homed MPLS, you’ve gained zero failover capacity.
- Forgetting WAN insertion of cloud security. DIA without a cloud firewall = branches with direct, unfiltered internet. Always pair DIA with Umbrella/Zscaler/equivalent.
- Underestimating bandwidth needs for low-latency apps. App-aware routing helps, but if both paths are saturated, no amount of SD-WAN cleverness fixes a sized-too-small link.
- Skipping the certificate/PKI step. Every controller and edge has its own cert. PKI breakage = whole overlay goes down. Plan cert rotation early.
- Assuming vendor lock-in is free. SD-WAN appliances are tied to their controller stack. Switching from Cisco SD-WAN to VMware VeloCloud is a full forklift.
Lab to try (longer than tonight)
- Cisco DevNet Sandbox has free reservable Cisco SD-WAN labs (Catalyst SD-WAN / Viptela). Spin one up.
- Log into vManage. Find the topology view — see your simulated cEdges and the overlay between them.
- Open one cEdge’s CLI.
- Run `show sdwan control connections`: observe the DTLS tunnels to vSmart, vBond, vManage.
- Run `show sdwan omp routes`: OMP-learned routes, much like a BGP table but for the SD-WAN fabric.
- Run `show sdwan bfd sessions`: Bidirectional Forwarding Detection sessions per TLOC pair. This is what powers per-path SLA detection.
- In vManage, define an application-aware routing policy: prefer MPLS for voice, internet for SaaS. Push it. Watch a cEdge’s per-app stats change.
- Bonus: shut down one transport on a cEdge. Watch traffic re-pin to the surviving path in seconds.
Cheat strip
| Term | Plain English |
|---|---|
| Underlay | The physical IP transports (MPLS, internet, LTE) |
| Overlay | The IPsec tunnels SD-WAN builds across the underlay |
| vManage | GUI + REST API. Where you configure everything |
| vSmart | Control plane. Distributes routes and policy via OMP |
| vBond | Orchestrator. New devices call here first |
| cEdge / vEdge | The branch / DC router itself. Data plane |
| OMP | Overlay Management Protocol — SD-WAN’s routing protocol |
| TLOC | Transport Locator — identifies a specific transport endpoint |
| ZTP | Zero-Touch Provisioning — ship the box, plug it in, it auto-onboards |
| DIA | Direct Internet Access at the branch — SaaS doesn’t hairpin |
| App-aware routing | Per-application path selection based on live SLA |
| SASE | SD-WAN + cloud security — the natural next step |
| Where it fits in CCNA | “Describe” level — know the controllers, the planes, the value prop |