
Cisco SD-WAN Explained: From Setup to Security Guide

SDWAN Architecture

Enterprises constantly search for methods to improve their networks’ performance, security, and scalability. Cisco SD-WAN (Software-Defined Wide Area Networking) is a powerful solution that allows businesses to configure and manage networks easily. This article covers an overview of Cisco SD-WAN’s components and architecture, highlighting the functions and benefits of each.

Overview of Cisco SD-WAN

Cisco SD-WAN is a software-based approach to networking that separates the control plane from the data plane and moves network intelligence into centralized controllers. By applying software-defined networking principles, the Cisco SD-WAN architecture lets organizations deploy and manage wide area networks easily, with improved performance, reduced cost, and stronger security.

Cisco offers two SD-WAN solutions:

  1. Cisco Meraki
  2. Cisco Viptela

  • Meraki targets small and mid-sized companies that value simplicity and ease of use above everything else. Deploying the Meraki SD-WAN solution is easier than deploying Viptela, and it is the right choice when the organization has no niche requirements.
  • Viptela has more advanced features and requires a more sophisticated network design. It targets large enterprise networks and offers a high degree of customization.

In this article, we will focus on the Viptela solution, which is used more in enterprise networking. Let’s explore the key components and their functions within the Cisco SD-WAN architecture.

SD-WAN Components

The Cisco Viptela SD-WAN solution comprises four separate planes:

  1. Orchestration plane
  2. Management plane
  3. Control plane
  4. Data plane

Each plane has its own functions and responsibilities and is abstracted from the other planes. One component implements each plane:

  • vBond Orchestrator (Orchestration Plane)
  • vSmart Controllers (Control Plane)
  • vManage (Management Plane)
  • vEdge or cEdge (Data Plane)

Cisco SD-WAN Architecture Overview

The first three components (the controllers) can be hosted in the cloud or on premises, on either the customer's or the provider's side. This article refers to the three controllers collectively as the EMS (Element Management System), sometimes also called the NMS (Network Management System). The EMS components are virtual machines hosted on servers, for example an ESXi host.

vBond Orchestrator

The vBond Orchestrator is the initial point of authentication for all other SD-WAN components. It authenticates both the EMS components and the vEdges, ensuring that only trusted devices gain access to the fabric. Once a vEdge is authenticated, the vBond Orchestrator provides it with the public IPs and ports of the EMS components, enabling it to authenticate with them and join the fabric. Because every device must reach vBond first, it also determines whether a device sits behind NAT. Redundancy is achieved by deploying multiple vBond Orchestrators.

vSmart Controller

The vSmart Controllers are responsible for the control plane of the SD-WAN fabric. They handle routing updates, route filters, and security policies. Communication between vSmart Controllers and vEdges uses the Overlay Management Protocol (OMP), which carries control-plane configuration and updates. For resilience, vEdges connect to multiple vSmart Controllers.

vManage controller

The vManage controller is the central management and monitoring platform for Cisco SD-WAN. It provides a GUI for configuration and monitoring tasks. Administrators define configuration templates and policies in the vManage GUI; the policies are transformed into the format the vSmart Controllers use and pushed to the vEdges through OMP. vManage also handles software upgrades and basic troubleshooting. Redundancy can be achieved by deploying multiple vManage instances in a cluster.

WAN Edges (vEdges and cEdges)

WAN Edges, meaning vEdges (Viptela OS) and cEdges (IOS XE), are the data-plane devices in a Cisco SD-WAN deployment. They establish secure data-plane tunnels to remote WAN Edge routers and secure control-plane connections to the vSmart Controllers. Each site typically has one or more WAN Edges acting as the gateway for the local LAN and bridging between legacy routing protocols and the SD-WAN OMP routing protocol.

Of these four components, only the edge router can be a Cisco SD-WAN hardware device; it can also run as a virtual machine. The remaining three are software-only components: the Cisco vManage and Cisco vSmart Controller software run on servers, and the Cisco vBond Orchestrator software runs as a process (daemon) on a vEdge router.

Control connections

Control connections are vital in Cisco SD-WAN: they carry all communication between the network infrastructure components. Each controller plays a different role in the solution and interacts with the Edge routers through different protocols. vSmart uses the Cisco Overlay Management Protocol (OMP) to distribute routing, TLOC, and service information among the vEdges. vManage uses NETCONF to push configurations to devices, SNMP to collect data, and ICMP echo/reply to detect liveness. Any communication between the EMS controllers and WAN Edge routers goes through the control connections.


How Do We Make Sure That Each Protocol Is Secured?

Every WAN Edge router establishes one or more secured control tunnels to each SD-WAN controller. The tunnels use a standard transport security protocol, DTLS or TLS. The two protocols are very similar and, at a high level, serve the same goal: end-to-end transport security between a router and an SD-WAN controller. The main difference is that DTLS runs over UDP while TLS runs over TCP. By default, the Edge router uses DTLS with all EMS controllers. You can switch the vManage and vSmart connections to TLS, but the connection to vBond must always use DTLS. In both cases the router and the controller authenticate each other with certificates; that mutual authentication, not the choice of transport, is what keeps an unauthorized device off the fabric.


Control connections with vBond

When a vEdge router is powered on for the first time and given its initial configuration, it tries to find the IP address of vBond. The vBond orchestrator is the controller that glues everything together, which is why it is called the orchestrator. vBond validates the identity of the vEdges and tells them:

  • Whether they sit behind NAT in the underlay
  • How many vSmart controllers oversee the domain
  • What are the IP addresses of vManage and vSmart

The Edge router tries to establish a DTLS control tunnel to the vBond IP address over each available transport interface (TLOC). Once vBond has authenticated the router, it sends back a list with the IP addresses and ports of all other SD-WAN controllers (vSmart and vManage). The DTLS connections to vBond are transient: the vEdge router does not need to keep a permanent control connection to vBond once it has received this information.


Control connections with vManage

Once a vEdge router receives the list with the IP addresses of all SD-WAN controllers from vBond, it initiates a single, persistent DTLS control connection to vManage over only one transport.

Control connections with vSmart

After the DTLS tunnel to vManage comes up, the vEdge router initiates a persistent control connection to the vSmart controller over each transport interface.

Control connections from a vEdge router

To summarize the control connections:

1. One transient DTLS control connection to the vBond orchestrator over each connected WAN transport, only during onboarding.
2. One persistent DTLS (or TLS) control connection to vManage over a single WAN transport.
3. One persistent DTLS (or TLS) control connection to each vSmart over every connected WAN transport.
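The pattern above is easy to state but easy to get wrong in the field: a transport that has lost its vSmart connection, or a vBond session that never went away after onboarding. The Python script below is an added illustration, not Cisco software and not part of this article's original content. It audits a constructed list of control connections against the rules just summarised (and the earlier rule that vBond only accepts DTLS). The ControlConn record, the TLOC colours, the transport list, the vsmart_count parameter and the sample data are all assumptions made for the example; they are not the router's real CLI output.

```python
"""Audit a WAN Edge's control connections against the expected pattern.

Added example: the ControlConn records and the sample data are constructed
for this illustration; they are not Cisco CLI output or Cisco code.
Expected pattern (from the article):
  vBond   - transient, DTLS only, one per transport while onboarding
  vManage - exactly one persistent connection over a single transport
  vSmart  - one persistent connection per vSmart over every transport
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlConn:
    peer: str    # "vbond", "vmanage" or "vsmart"
    color: str   # TLOC colour of the transport the tunnel uses
    proto: str   # "dtls" or "tls"
    state: str   # "up", "connect" or "down"


def audit_control_connections(conns, transports, vsmart_count, onboarding=False):
    """Return a list of findings; an empty list means the device matches the pattern.

    transports   -> TLOC colours configured on the edge
    vsmart_count -> vSmart connections each transport should hold
                    (assumption: the operator knows this from the domain design)
    onboarding   -> True while the router is still expected to talk to vBond
    """
    findings = []
    up = [c for c in conns if c.state == "up"]

    # vBond: DTLS only, and only present while onboarding.
    vbond = [c for c in conns if c.peer == "vbond"]
    for c in vbond:
        if c.proto != "dtls":
            findings.append(f"vBond over {c.color} uses {c.proto}; vBond only accepts DTLS")
    if onboarding:
        for t in transports:
            if not any(c.color == t for c in vbond):
                findings.append(f"no vBond connection over {t} during onboarding")
    elif any(c.state == "up" for c in vbond):
        findings.append("vBond connection still up after onboarding; it should be transient")

    # vManage: exactly one persistent connection, on a single transport.
    vmanage_up = [c for c in up if c.peer == "vmanage"]
    if len(vmanage_up) != 1:
        findings.append(f"expected exactly 1 vManage connection, found {len(vmanage_up)}")

    # vSmart: every transport should carry a connection to each vSmart.
    for t in transports:
        n = sum(1 for c in up if c.peer == "vsmart" and c.color == t)
        if n < vsmart_count:
            findings.append(f"{t}: only {n} of {vsmart_count} vSmart connections up")
    return findings


# Constructed sample: a steady-state edge with two transports and two vSmarts.
# The MPLS side has one vSmart session stuck in "connect", and a leftover
# vBond session is still up on biz-internet.
SAMPLE = [
    ControlConn("vmanage", "biz-internet", "dtls", "up"),
    ControlConn("vsmart", "biz-internet", "dtls", "up"),
    ControlConn("vsmart", "biz-internet", "dtls", "up"),
    ControlConn("vsmart", "mpls", "dtls", "up"),
    ControlConn("vsmart", "mpls", "dtls", "connect"),
    ControlConn("vbond", "biz-internet", "dtls", "up"),
]
TRANSPORTS = ["biz-internet", "mpls"]

if __name__ == "__main__":
    for f in audit_control_connections(SAMPLE, TRANSPORTS, vsmart_count=2):
        print("FINDING:", f)
```

Run against the constructed sample, the audit reports the lingering vBond session and the MPLS transport that holds only one of its two vSmart connections; the vManage rule passes because exactly one session is up. Treating a missing vSmart session per transport as a finding rather than an alarm is deliberate: a transport with no vSmart connection still forwards data-plane traffic, but it no longer receives OMP updates over that path.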


Data Plane connections

Once the control connections to the SD-WAN controllers are up, vSmart advertises routes and the data-plane encryption keys to the WAN Edges in OMP updates. Each WAN Edge router uses that information to build tunnels to the other Edge routers. Depending on the configuration, the encapsulation for these tunnels is IPsec or GRE. Only IPsec encrypts the payload; a GRE tunnel still carries the segmentation label but leaves the traffic in the clear, so it belongs only on an underlay that is already trusted.

BFD stands for Bidirectional Forwarding Detection. It is a network protocol used in many networking technologies, including SD-WAN, to detect and monitor the availability and quality of paths between network devices. In Cisco SD-WAN it runs inside each data-plane tunnel between WAN Edges and provides fast detection of path failures.

In the context of SD-WAN, BFD is used together with the IPsec tunnels. BFD sessions are formed after the IPsec tunnels between SD-WAN devices are established, and they serve two purposes.

BFD sessions act as keepalives between the SD-WAN devices. They exchange periodic control packets to verify the connectivity and availability of the IPsec tunnels and the underlying network paths. If a BFD session detects a link failure or a tunnel disruption, the WAN Edge marks that tunnel down and reroutes traffic over the remaining paths; the controllers are not in the forwarding path and do not need to intervene for this failover.

BFD also provides measurements of link-quality parameters such as packet loss, delay, and jitter. By monitoring these metrics, the WAN Edge can apply the application-aware routing policy it received from vSmart and make informed path decisions. For example, if a BFD session detects excessive packet loss or high latency on a specific tunnel, the router can steer the corresponding application traffic onto an alternate path with better performance.

Link Quality Measurements

Furthermore, BFD is used for Path MTU Discovery (PMTUD). The path MTU is the largest IP packet that can be transmitted without fragmentation over a particular path. BFD assists in determining it by probing each IPsec tunnel with control packets. This keeps IP packets correctly sized for the tunnel, avoiding fragmentation and the performance problems that come with it.
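To make the link-quality discussion above concrete, the following Python example (added here; it is not Cisco code and not part of the original article) turns a window of BFD hello round-trip times into loss, latency and jitter figures and then picks the tunnels that satisfy an SLA, preferred colour first. The Tunnel record, the ten-hello window, the voice SLA thresholds and the rule that a hello with no reply is recorded as None are all constructed assumptions for the example; what to do when no tunnel meets the SLA is left to the caller, since that is a policy decision.

```python
"""Path selection from BFD link-quality measurements.

Added example, not Cisco code: the hello samples, the SLA thresholds and the
selection rule are constructed to illustrate the passage above. A sample of
None stands for a BFD hello that received no reply.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Tunnel:
    color: str
    rtt_ms: list  # one entry per BFD hello in the measurement window


def link_quality(samples):
    """Return (loss_pct, latency_ms, jitter_ms) for one window of BFD hellos."""
    answered = [r for r in samples if r is not None]
    loss = 100.0 * (len(samples) - len(answered)) / len(samples)
    if not answered:                       # nothing came back: tunnel is effectively down
        return loss, float("inf"), float("inf")
    latency = mean(answered)
    # jitter: mean absolute change between consecutive round-trip times
    diffs = [abs(a - b) for a, b in zip(answered, answered[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return loss, latency, jitter


def meets_sla(samples, sla):
    """True when every measured parameter is within the SLA thresholds."""
    loss, latency, jitter = link_quality(samples)
    return loss <= sla["loss"] and latency <= sla["latency"] and jitter <= sla["jitter"]


def select_paths(tunnels, sla, preferred=None):
    """Colours of the tunnels that meet the SLA, preferred colour first.

    Returns an empty list when nothing qualifies; the fallback behaviour is
    deliberately left to the caller.
    """
    ok = [t.color for t in tunnels if meets_sla(t.rtt_ms, sla)]
    if preferred in ok:
        ok.remove(preferred)
        ok.insert(0, preferred)
    return ok


# Constructed measurement window: ten hellos per tunnel.
TUNNELS = [
    Tunnel("mpls",         [20, 22, 21, 23, 20, 21, 22, 21, 20, 22]),
    Tunnel("biz-internet", [30, None, 35, 32, None, 31, 90, 33, 34, None]),
    Tunnel("lte",          [80, 85, 82, 140, 79, 81, 83, 160, 84, 80]),
]
VOICE_SLA = {"loss": 2.0, "latency": 150.0, "jitter": 30.0}   # assumed thresholds

if __name__ == "__main__":
    for t in TUNNELS:
        loss, lat, jit = link_quality(t.rtt_ms)
        print(f"{t.color:13} loss={loss:5.1f}%  latency={lat:6.1f}ms  jitter={jit:5.1f}ms")
    print("voice may use:", select_paths(TUNNELS, VOICE_SLA, preferred="biz-internet"))
```

With these samples the Internet tunnel fails on loss (three of ten hellos unanswered), the LTE tunnel fails on jitter even though its loss is zero, and only MPLS qualifies for the voice class. Note that the preferred colour is only honoured when it meets the SLA; a preference never overrides a failing measurement.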

SD-WAN Segmentation

Virtual private networks (VPNs) provide segmentation. Each VPN is equivalent to a VRF: VPNs are isolated from one another, and each has its own forwarding table.

There are two reserved VPN numbers that cannot be changed:

  • VPN 0, the transport VPN used for the underlay traffic
  • VPN 512, used for Out Of Band (OOB) management

SD-WAN Segmentation

  • Transport VPN 0, or the underlay VPN, is used to establish the tunnels between the vEdges themselves and between the vEdges and the EMS. Accordingly, VPN 0 carries the control protocols (OMP and BFD) and the tunnel negotiations of the fabric.
  • Service VPNs carry the user data traffic, which is encapsulated inside the IPsec tunnel built over VPN 0. The service VPN number travels inside the fabric as a label in the tunnel encapsulation, so the traffic stays segmented end to end.

By default, every service VPN is isolated from every other service VPN. This default behaviour can be changed by configuring a route-leaking policy that leaks routes from one VPN into another. Each interface of the WAN Edge router is assigned to a VPN. Traffic between two interfaces in the same service VPN is forwarded normally; interfaces in different VPNs cannot reach each other unless a route has been leaked between them.
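The per-VPN forwarding rule and the route-leaking exception above can be modelled in a few lines. The Python example below is added for illustration; it is not Cisco code and not part of the original article. The WanEdge class, the interface names, the service VPN numbers (10, 20, 30), the prefixes and the "omp:" next-hop labels are all constructed assumptions. Only VPN 0 and VPN 512 are taken from the text as the reserved numbers.

```python
"""Per-VPN forwarding on a WAN Edge, with explicit route leaking.

Added example, not Cisco code: the WanEdge class, interface names, service
VPN numbers and prefixes are constructed to illustrate the segmentation rules
in the article. VPN 0 (transport) and VPN 512 (OOB management) are the
reserved numbers named in the text and are not used as service VPNs here.
"""
import ipaddress


class WanEdge:
    def __init__(self):
        self.tables = {}      # vpn -> {ip_network: next_hop}
        self.iface_vpn = {}   # interface name -> vpn

    def add_interface(self, name, vpn):
        """Every interface belongs to exactly one VPN."""
        self.iface_vpn[name] = vpn
        self.tables.setdefault(vpn, {})

    def add_route(self, vpn, prefix, next_hop):
        self.tables.setdefault(vpn, {})[ipaddress.ip_network(prefix)] = next_hop

    def leak(self, src_vpn, dst_vpn, prefix):
        """Copy one prefix from src_vpn's table into dst_vpn's table.

        In this model this is the only way traffic ever crosses a VPN boundary,
        mirroring the route-leaking policy the article describes. Leaking is
        one-directional: return traffic needs its own leaked route.
        """
        net = ipaddress.ip_network(prefix)
        self.tables.setdefault(dst_vpn, {})[net] = self.tables[src_vpn][net]

    def lookup(self, in_iface, dst_ip):
        """Longest-prefix match in the table of the ingress interface's VPN.

        Returns (vpn, next_hop), or None when that VPN has no route. A host in
        another VPN is unreachable unless its prefix has been leaked in.
        """
        vpn = self.iface_vpn[in_iface]
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, nh in self.tables[vpn].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return (vpn, best[1]) if best else None


def build_branch():
    """Constructed branch: corporate VPN 10, guest VPN 20, shared services VPN 30."""
    edge = WanEdge()
    edge.add_interface("ge0/1", 10)   # corporate LAN
    edge.add_interface("ge0/2", 20)   # guest Wi-Fi
    edge.add_interface("ge0/3", 30)   # local DNS/proxy servers
    edge.add_route(10, "10.1.0.0/16", "ge0/1")
    edge.add_route(10, "10.0.0.0/8", "omp:hub-tloc")        # data centre, via the fabric
    edge.add_route(20, "192.168.50.0/24", "ge0/2")
    edge.add_route(20, "0.0.0.0/0", "omp:internet-hub")     # guest gets Internet only
    edge.add_route(30, "10.99.0.0/24", "ge0/3")
    # Shared services are leaked into corporate only; guest stays isolated.
    edge.leak(30, 10, "10.99.0.0/24")
    return edge


if __name__ == "__main__":
    edge = build_branch()
    for iface, dst in [("ge0/1", "10.99.0.5"), ("ge0/2", "10.99.0.5"), ("ge0/3", "10.1.5.5")]:
        print(f"{iface} -> {dst}: {edge.lookup(iface, dst)}")
```

The guest lookup for 10.99.0.5 is the point of the example: the packet is not dropped by a firewall rule, it simply never consults VPN 10's or VPN 30's table and follows the guest default route instead. Conversely, the shared-services interface cannot reach the corporate LAN because the leak was configured in one direction only, which is the sort of asymmetry worth checking whenever a leaking policy is added.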

SD-WAN General Concepts

Separating the transport side from the service side of the network abstracts the wide-area network (WAN) away from the applications running on top. This approach has many benefits, such as:

  1. Network admins can control the routing decisions into the WAN independently of the communication between users or applications.
  2. The solution can insert labels into packets and assign attributes to WAN circuits for optimal policy-based routing, load balancing, and network segmentation/slicing.
  3. Security can apply to the transport side independently of the users’ traffic.
  4. Any mix of public and private WAN transports can be used in an active-active ECMP fashion.

Key Features of Cisco SD-WAN Solution

  • Separation of control, data, and management planes: this allows centralized control of the whole fabric using centralized policies and monitoring systems.
  • Automatically secured data plane: WAN Edges build IPsec tunnels to secure customer traffic.
  • Managing the fabric through centralized policies: having a separate control plane allows the solution to be managed centrally via policies and templates.
  • Secure zero-touch provisioning and onboarding of new devices: Cisco SD-WAN offers a fully automated process for onboarding new WAN Edge devices, so network administrators can provision new sites with minimal effort. A new, unconfigured WAN Edge automatically discovers the network using one of two processes: Zero Touch Provisioning (ZTP) if the device runs Viptela OS, or Cisco Plug and Play (PnP) if the device runs IOS XE.

Final Thoughts on Cisco SD-WAN

Cisco SD-WAN fundamentally changes how businesses build and manage their networks. Applying software-defined principles gives better network performance, stronger security, and easier management, so understanding Cisco SD-WAN's components and design is key to using the solution effectively. Its building blocks, the vBond Orchestrator, vSmart Controllers, vManage, and the WAN Edges, together form a complete package for modernizing business networks and keeping pace with digital change.
